Introduction
Information Security is now a strategic issue for business leaders, and several institutions and communities have launched numerous initiatives to encourage business leaders to ensure good stewardship in this area (WEF, 2015). The associated compliance obligations and the increase in security breaches have made many business leaders aware of its impact on business continuity (Cashwell, Jackson, Jickling, & Webel, 2004), civil and legal liabilities (Fox-IT, 2011), reputation (Walsh et al., 2009; Peters, 2012), employability and financial position (Ishiguro et al., 2011; Cavusoglu et al., 2002). This is why Von Solms (2009) has argued that Information Security Management (ISM) is part of Information Security Governance (ISG). The IT Governance Institute (ITGI) states that ownership of data and its information risks is the responsibility of the business and its owners (ITGI, 2005) as well as of the IT department (Solms, 2005). The IT department might own the physical hardware and software assets, but not the data. To define security requirements in critical value chains and business processes, such as segregation of duties or use cases for logging, business involvement is required (S. Von Solms & R. Von Solms, 2009). Within this multidisciplinary context of Information Security we therefore use the term “Business Information Security” (V. Solms, 2005). Managing Business Information is a prerequisite for improving Business Information Security maturity (Allen, 2007). The International Federation of Accountants (IFAC) (IFAC, 2004) and ISACA (ISACA, 2012) describe information security as an integrated enterprise activity that requires proper governance, by the board and executive management, of the work done in this area.
Basie and Rossouw von Solms differentiate three levels: the strategic level (Board of Directors and Executive Management), the tactical level (senior and middle management) and the operational level (lower management and administration). All directive-setting and controlling activities (including monitoring and evaluating) are seen as part of the strategic level of governance (R. Von Solms & B. Von Solms, 2006). An example is the adoption of Information Security Control Frameworks such as the Information Security Forum (ISF) Standard of Good Practice. All activities designed to put these directives into practice take place at the tactical management level. The tactical level involves formulating policies and guidelines, for example establishing minimum standards that the organisation needs to adhere to, such as for incident management and supply chain management. At the level below the tactical level, the operational level, these policies and guidelines are translated into procedures and working methods. For example, this is the level where monitoring software is configured that triggers incident response processes, or where stricter guidelines are imposed on suppliers. This paper focuses on defining artefact requirements for the strategic level that are substantiated by tactical and operational data.