Introduction
The advantages of information technology (IT) governance are increasingly recognized. Good IT governance can both empower IT professionals and keep their decisions under appropriate control. Decision-making authority, as one area of IT governance, has been examined by several researchers (e.g., Grover, Henry, & Thatcher, 2007; Weill, 2004; Weill & Ross, 2004). However, the extension of governance concepts to information security needs more scrutiny. For instance, Grover et al. (2007) do not specifically address security, and Weill and Ross (2004) treat "security and risk" simply as one cluster within "IT infrastructure services." This classification reflects the traditional view of information security as a purely technical issue. A current view of information security calls for a more fine-grained treatment of how security decisions are governed. In particular, while some decisions have a clear technology orientation, others must address strategic, business-oriented goals, and still others lie somewhere in between. None can be ignored.
To aid the study and practice of information security governance, we propose a conceptual governance framework (Figure 1). It specifically deals with security decision rights and is based on the synthesis of a number of relevant concepts, principles, and taxonomies: (a) The concept of “structures of responsibilities” in information security (Backhouse & Dhillon, 1996); (b) The principle of harmonizing responsibility (accountability) with commensurate decision authority (Grover et al., 2007); (c) The principle of giving decision authority to the organizational unit with the best information for the decision (Galbraith, 1973, 1993; Simon, 1960); (d) A taxonomy of IT decision types (Weill, 2004; Weill & Ross, 2004); (e) A taxonomy of key domains in information security derived from Da Veiga and Eloff (2007) and two high-level information security documents published by the National Institute of Standards and Technology (NIST), SP 800-35 and SP 800-100; and (f) The tested practice of applying patterns to recurrent problems (Schumacher, Fernandez-Buglioni, Hybertson, Buschmann, & Sommerlad, 2006; Weill, 2004; Weill & Ross, 2004).
Figure 1. Information Security Governance Model
In the following sections, we elaborate on each of these as we build our information security governance framework. Tables 1 and 2 summarize its major components.
Table 1. Weill and Ross (2004) governance archetypes

| Archetype | Decision Rights Allocation Mechanisms | Interaction Pattern Between Business Management and IT Departments |
| --- | --- | --- |
| Business monarchy | Senior business executives make IT decisions for the entire enterprise. The IT executive is one voice among several in the decision making. | Business executives make decisions about IT. The enterprise IT head, the CIO, is an equal partner with the other executives. |
| IT monarchy | IT professionals make the IT decisions. | IT monarchy may be implemented in different flavors, involving IT professionals in the enterprise IT function, the business-unit IT functions, or both to varying degrees. |
| Feudal | Business-unit management makes IT decisions. | The IT function may implement these decisions at the enterprise or business-unit level. |
| Federal | Both enterprise and business-unit leaders are involved in making IT decisions. | The enterprise IT function, the business-unit IT functions, or both can be involved in decision making. |
| IT duopoly | Decisions are made jointly by IT executives and either enterprise business executives or business-unit leaders. | This archetype takes one of two forms: (a) a "bicycle wheel," with the enterprise IT function at the hub and the business units at the rim, each business unit forming a spoke together with the hub; or (b) a "T" arrangement, in which the enterprise IT head holds overlapping memberships in an executive committee and an IT committee. |
| Anarchy | No IT governance. | |