Implementing IT Governance: An IT security Perspective

International Journal of Information Management, 1992

Information security has bmn recog&ed as drte &the major issues af importance in the management of organizational information systems. Losses resulting from computer abuse and errors ~8 substantial, and information systems managers continue to cite security rend control as a key management iwue. This paper presents the various dimensions of the problem, suggests specific steps that can be taken to improve tha management of information security, and points to several research directions. The rapid progress in ~on~puter and ~mmuu~~atious te~hno~ogjes in the fast two decades has rendered most organizations vulnerable to misuse or abuse of computer-based information systems QS)." While information systems provide opportunities to improve an organization's functioning and enhance its products or services, they can &XI expose organizations to significant risks as organizations become increasingly dependent on information resources.* Therefore, important concerns that accompany the use of information technology arc how much security is needed to protect computing facilities and information resources and how to obtain this level of security." Evidence for the ~n~~~~ta~~~~ of IS security is provided by the frequency with which security and control are cited as a key management issue by IS rnanag~~s.~~ Sptague and ~~~~nrljn further suggest that security and integrity are one of the six hjgh-priority concerns of IS managers in the future." Information security can be viewed from two aspects: technological and managerial. While much attention is given to the technological isues, only little attention is given, both in literature and the real world, to the managerial side," The purpose of this paper is to review the managerial aspects of information security, and to point to practical recommendations in these aspects. The f&owing sections provide a brief overview of IS security, discuss the di~~~~ltje~ of managing ~nformatjon security, and address the i,ssues of attack and defence. managerial issues ~~n~er~ing 1S security are then defined and some basic recommendations are drawn. 'The paper concludes with a summary of managemen~~s security. What is information security? Information security is concerned with the protection of role in IS computing _L. facilities from deliberate or accidental threats that may exploit vulnerabilities of a computing system. ' The target of a crime involving computers may be any portion of a computing facility: hardware, /nformation systems security continued from page 105 WILKES. M.V. (1990). Conmuter security in the husks world.'Communications ofthe

Communications of the ACM, 2000

This study provides a short literature review in information systems security (ISS) approaches either technical or non-technical in nature. Although, the benefits and uses of the technical information systems security approaches are valuable, there is still a need to investigate the alternative non-technical approaches or at least, to find a way to combine them in a more appropriate and thus, successful way. In doing so, this paper presents the available methods and techniques in information systems security in an attempt to shed some light into how these alternative approaches could be used in benefit of information systems security. managing security, Siponen (2001) supports the need for IS security approaches to provide a holistic modelling support which can be integrated into modern IS development approaches, and the lack of approaches which focus on socio-organizational roles of IS security.

2012

has more than twelve years of experience in information systems, security policies, and technologies. He has published 4 books in the area of information security, ethics, and assurance. He has published more than 50 research articles in leading journals, conference proceedings, and books including DSS, ACM Transactions, IEEE, and JOEUC. He serves in editorial boards of several international journals including Journal of Electronic Banking and International Journal of Liability and Scientific Enquiry (IJLSE), and has served in program committees of several international conferences. He holds several professional designations including CISSP, CISA, CISM, ISSPCS, CIW Security Analyst, and PMP. He is a member of Sigma Xi, Beta Gamma Sigma, ISACA, and ISC2. He received prestigious 2008 ISC2 information security scholarship (awarded on to only 7 researchers around the world) from ISC2 and also received PhD Student Achievement Award from SUNY Buffalo.

— Information Security (IS) is increasingly becoming an integrated business practice instead of just IT. Security breaches are a challenge to organizations. They run the risk of losing revenue, trust and reputation and in extreme cases they might even go under. IS literature emphasizes the necessity to govern Information Security at the level of the Board of Directors (BoD) and to execute (i.e. plan, build, run and monitor) it at management level. This paper describes explorative research into IS-relevant Governance and Executive management practices. Answering the main research question: " Which practices at the level of Governance are relevant for Business Information Security Maturity " The initial phase of this research consists of a review of academic and practice-oriented literature on these relevant practices. This list of practices is then examined and validated through expert panel research using a Group Support System (GSS). The paper ultimately identifies a list of 22 core principles. This list can function as frame of reference for Boards of Directors and Management Teams in order to increase their level of Business Information Security (BIS) Maturity.

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL's research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.

Security is a topic that is gaining more and more interest by organizations and government agencies. The amount of data which organizations daily have to deal with, the increasing number of on-line transactions and the lack of computer security awareness are greater motivations not only to exploit software vulnerabilities but to exploit human vulnerabilities. In general, users tend to accept new technologies with complete disregard of their security vulnerabilities, if they get sufficient benefits from them. Fostering and continuously encourage a security culture and recognizing that people still are, and will always be the weakest link, will certainly assist organizations to achieve their adequate levels of security and thus becoming closer to their business goals. Moreover, monitoring and early detection also play an important role, as it enables organizations and governmental agencies to react more quickly to events that are harder to find and understand, from the security management point of view. The rapid response to the security events and the establishment of preventive actions to manage security are starting to become a competitive strategy to organizations. In this paper we highlight some information security concepts and principles, to deliver actionable information for decision makers for managing their corporate assets and ensure their resilience.

2011

Every day, thousands of businesses rely on the services and information ensured by information and communication networks. As the dependence on information systems grows, so the security of information networks becomes ever more critical to any entity, no matter if it is a company or a public institution. The asymmetrical threat posed by cyber attacks and the inherent vulnerabilities of cyberspace constitute a serious security risk confronting all nations. For this reason, the cyber threats need to be addressed at the global level. Given the gravity of the threat and of the interests at stake, it is imperative that the comprehensive use of information technology solutions be supported by a high level of security measures and be embedded also in a broad and sophisticated cyber security culture.

Information Technology …

Electronic commerce and the Internet have enabled businesses to reduce costs, attain greater market reach, and develop closer partner and customer relationships. However, using the Internet has led to new risks and concerns. This paper provides a management perspective on the issues confronting CIO's and IT managers: it outlines the current state of the art for security in e-commerce, the important issues confronting managers, security enforcement measure/techniques, and potential threats and attacks. It develops a scheme for probabilistic evaluation of the impact of security threats with some illustrative examples. This methodology may be used to assess the probability of success of attacks on information assets in organizations, and to evaluate the expected damages of these attacks. The paper also outlines some possible remedies, suggested controls and countermeasures. Finally, it proposes the development of cost models which quantify damages of these attacks and the effort of confronting these attacks. The construction of one such cost model for security risk assessment is also outlined. It helps decision makers to select the appropriate choice of countermeasure(s) to minimize damages/losses due to security incidents. Finally, some recommendations for future work are provided to improve the management of security in organizations on the whole.