Abstract

The purpose of this research paper was to test the validity of the Information Security Governance Framework proposed in the seminal paper by Posthumus and von Solms (2004), assessing its consistency and adequacy in covering the major aspects of Information Security Governance, and in turn to understand how different factors may inhibit effective Information Security Governance in organizations. An interpretive, qualitative pilot case study was conducted in a single organization in North America, using open-ended questions in face-to-face interviews or teleconferences with senior management. With reported information security breaches, compromises and incidents in organizations on the increase, effective Information Security Governance is expected to become a major issue for organizations. Information security should therefore be a priority of executive management, including the Board of Directors and the Chief Executive Officer, and should be treated from the outset as a corporate governance responsibility. Within many organizations an important barrier to effective information security is the lack of a framework for action and for its inclusion in, and integration with, governance. Information security can no longer be viewed as a purely technical issue to be left to the Information Technology department. Rather, it is a corporate governance issue that must be addressed by CEOs and Boards of Directors, then implemented and enforced at all levels of the organization. The global revolution in governance regulation, brought about by the high-profile corporate scandals and failures of the past decade, is affecting most companies. In response to these scandals and failures, complex laws and regulations have been introduced to force improvements in governance, information security and organizational transparency.
These corporate scandals and failures, coupled with legislation such as Sarbanes-Oxley, California SB 1386, the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), have prompted shareholders to demand better accountability from public firms. Accordingly, information security governance has become a legitimate high-level concern and responsibility of the board of directors, executive management and senior IT management. Ensuring proper Information Security Management is one of the critical functions of good corporate governance. Properly governed, information security takes the larger view that the organization's information, and the knowledge based on it, must be adequately protected regardless of how it is handled, processed, transported or stored. It addresses the business risks, benefits and processes associated with all information resources. Information security, like other critical organizational resources, must be addressed at the enterprise governance level.