Abstract
The purpose of this paper is to propose an IS security governance model to enhance the security of information systems in an organisation by viewing security from a holistic perspective of encompassing information security, information assurance, audit, governance, and compliance. This is achieved through the strategic integration of appropriate frameworks, models, and concepts in information governance, IS service management, and information security. This involves analysing the relevant frameworks, models, and concepts used in the above domains, extracting the best practices for implementing them from the literature and mapping these into an integrated standard. The frameworks identified are Control Objectives for Information and related Technology (COBIT), Information Technology Infrastructure Library (ITIL), ISO 27002, Risk IT, and Payment Card Industry Data Security Standard (PCI DSS). While it is evident that each of these five frameworks serve different purpose of information systems, such as information auditing and governance, facilitating the delivery of high-quality IT services, providing a model managing an Information Security Management System, providing a risk focus, and protection of cardholder data, all of these frameworks have the common objective to secure the IS assets in an organisation. Hence, extraction of the best practices in each of these framework can provide effective security of organisational IS assets rather than adequate security.
TopIntroduction
IS security has become a critical concern facing modern organisations today considering the fact that organisations are fully dependent on IT for survival. This is compounded by the fact that more confidential information is stored in remote servers on the Internet. During the first half of 2011, there had been a number of high profile and persistent IS security breaches in organisations namely Sony, the data-security firm RSA, Lockheed Martin, the email wholesaler Epsilon, the Fox broadcast network, NASA, PBS, the European Space Agency, the FBI, the British and French treasuries, the banking and insurance giant Citigroup, along with dozens of other companies and government agencies (Liebowitz, 2011).An analysis of these reveal that if a few non-technical procedures were followed in most of these breaches (RSA, Sony and Epsilon see Exhibit 1) these breaches could have been avoided. The data breach at RSA, Sony and Epsilon occurred due to spear phishing rather than highly sophisticated hacking. According to a key manager at RSA technological advances in IS security and the use of IS security controls/frameworks, and compliance on IS security regulations could have prevented the IS security breaches to a great extent. Despite these improvements over the years, there has been no reduction in the rate of attacks on information systems. According to the Identity Theft Resource Center (ITRC, 2011), hacking accounted for the largest number of breaches in the first quarter of 2011 as almost 37% of breaches were due to malicious attacks on computer systems which is more than double the amount of targeted attacks (17.1%) reflected in the 2010 ITRC Breach List. This necessitates a review of IS security controls available and employed, analyse the gaps in the IS security frameworks to propose a holistic perspective of information security governance. The high profile breaches during the first half of 2011 (see Exhibit 1) necessitate the need for information systems security to diverge from technical information security focus to broader information technology governance incorporating security governance.