Abstract
Any organisation that uses the internet to conduct business is exposed to security breaches. Currently, security in most organisations concerns the protection of data and the management of business information systems. Hence, security is often defined as the protection of information, and of the systems and hardware that use, store and transmit that information. Governing information and the secure use of Information Technology (IT) is essential in order to reduce risk and to improve an organisation's reputation and the confidence and trust of its customers. One of the key success factors for an organisation adopting and using the cloud effectively is information security governance (ISG). Consequently, this chapter clarifies the concept of governance and the necessity of its two components, IT governance (ITG) and ISG.
Enterprise governance is the direction and control of the organisation by the board of directors and executive management in order to ensure the organisation's success. ITG and ISG are integral parts of corporate governance. ITG is the structure that links IT processes, resources and information to support the organisation's objectives. IT brings with it risks and threats that must be considered; information security should therefore be treated not merely as a technical issue but as a governance challenge that requires a proactive approach. ISG comprises leadership, organisational structure, processes, compliance and technology. To promote the adoption of cloud computing, it is important to recognise that a specific concern is the potential and perceived security risk posed by implementing the technology. Adopting the cloud carries risks such as malicious insiders and data breaches. Virtualisation, one of the concepts on which cloud computing is built, is an example: it has its own security risks, but these are not specific to the cloud. Virtualisation is related to shared open-source application server, database and middleware components. The multi-tenancy model has introduced security problems because it relies on virtualisation and on sharing resources (hard disk, application software and virtual machines) on the same physical machine. This chapter presents an overview of information security governance and of the risks and vulnerabilities faced when moving to the cloud.
© 2017 Springer International Publishing AG
Cite this paper
Alassafi, M.O., Hussain, R.K., Ghashgari, G., Walters, R.J., Wills, G.B. (2017). Security in Organisations: Governance, Risks and Vulnerabilities in Moving to the Cloud. In: Chang, V., Ramachandran, M., Walters, R., Wills, G. (eds) Enterprise Security. ES 2015. Lecture Notes in Computer Science(), vol 10131. Springer, Cham. https://doi.org/10.1007/978-3-319-54380-2_11
DOI: https://doi.org/10.1007/978-3-319-54380-2_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-54379-6
Online ISBN: 978-3-319-54380-2