Abstract

Information is a fundamental asset of any organization and needs protection. Consequently, Information Security Governance has emerged as a new discipline, requiring the attention of Boards of Directors and Executive Management for effective information security. This paper investigates the literature on Corporate Governance, IT Governance and Information Security Governance to identify the components towards a definition of Information Security Governance. The paper concludes by defining Information Security Governance and discussing the definition, identifying and addressing all important issues that need to be taken into account to properly govern information security in an organization.

Key words

Corporate Governance, IT Governance, Information Security Governance, Information Security

Copyright information

© International Federation for Information Processing 2005

Authors and Affiliations

  • Rahul Rastogi (1)
  • Rossouw von Solms (1)

  1. Nelson Mandela Metropolitan University, South Africa