There is a dearth of academic research literature on the practices and commitments of information security governance in organizations. Despite the existence of referential and standards of the security governance, the research literature remains limited regarding the practices of organizations and, on the other hand, the lack of a strategy and practical model to follow in adopting an effective information security governance. This chapter aims to discuss the information security governance and to address the weaknesses identified in the literature. Based on practices of information security management and governance, the authors propose ISGO, a practical maturity framework for the information security governance and management in organizations. The findings will help organizations to assess their capability maturity state and to address the procedural, technical, and human aspects of information security governance and management process.
TopIntroduction
Many organizations today are facing a global governance revolution that could have a direct impact on their information management practices. Information security has become an integral part of daily life, and organizations must ensure that their information security systems are an integral part of daily life.
In a distributed and dynamic services environment, security must not be limited to providing technological solutions but to finding a strategy taking into account business, organizational and technological dimensions (Nassar, Badr, Barbar, & Biennier, 2009). In addition, security must be seen as an ongoing process that aims to optimise security investments and ensure the sustainability of the security measures implemented (Lomas, 2010). However, reference service domain models and architectures have underestimated the definition of security needs, the assets to be protected and the identification of risks to these assets (Huang, Lee, & Kao, 2006; Williams, 2007). For that, we propose to approach the problem of security by a practical approach of governance allowing to identify the various axes of my IT security and to propose the most adequate security measures to the context. However, IT security governance is a real challenge in an open collaborative services environment. In fact, improving security has emerged as one of the top IT priorities across all business lines. So, while companies (R. von Solms & van Niekerk, 2013; Bowen, Chew, & Hash, 2007).
Areas such as the aerospace industry and strategic resources can be ideal targets for cyber espionage by nation-states, others managing financial assets or large-scale credit card information are equally attractive to international criminal groups (Posthumus & von Solms, 2004; Humphreys, 2008). These malicious actors no longer content themselves with thwarting the means of technical protection. Instead, they survey and exploit a variety of weaknesses detected in the targeted environment (Galliers & Leidner, 2014). These shortcomings are not only technological but also result from failures in protection procedures or gaps in vulnerability management practices. The best technology in the world, if misused will not provide an adequate defence against such threats (R. von Solms & van Niekerk, 2013).
In today’s rapidly changing and evolving environment, IT and security executives have to make difficult calculations and decisions about security with limited information (Dhillon, Syed, & Pedron, 2016). They need to make decisions that are based on analyzing opportunities, risks and security. In such an environment, information security governance ISG issues are at the forefront of any discussions for security organization’s information assets, which includes considerations for managing risks, data and costs. Organizations, worldwide, have adopted practical and applied approaches for mitigating risks and managing information security program (Y. Maleh, Sahid, Ezzati, & Belaissaoui, 2018; Yassine Maleh, 2018).
The problem is that the security governance framework is designed to guide organizations in there IS security governance strategy but does not define the practical framework for the engagement in this strategy. To address these concerns, some practice repositories (NIST, Cobit, ISACA, RiskIT) and international standards (ISO 27000 suite, ISO 15408) now include paragraphs on security governance. The first reports or articles in academic journals that evoke the governance of information security date back to the early 2000s. The proposed referential and best practices designed to guide organizations in their IT security governance strategy. However, does not define the practical framework to implement or to measure the organization engagement in term of IS security governance.
In this paper, we propose a practical framework to evaluate the organization in their maturity state and to improve their level of IS security governance according to their needs and resources. The article is structured as follows. Section 2 presents the theoretical framework. Section 3 describes the proposed capability maturity framework for information security governance ISGO. Section 4 discuss the results of the implementation of ISGO through a practical use case. Finally, section 6 presents the conclusion of this work.