Thông tin tài liệu
2144 A Model of Information Security Governance for E-Business United States, where the Sarbanes-Oxley (SOX) $FWRIDLPVWRUHVWRUHLQYHVWRUFRQ¿GHQFH in U.S. markets by imposing codes of conduct on corporations. The concept of corporate gov- HUQDQFHLVPXFKTXRWHGDV³WKHV\VWHPE\ZKLFK companies are directed and controlled” (Cadbury, 1992, p.15). The corporate governance structure, WKHUHIRUHVSHFL¿HVWKHGLVWULEXWLRQRIULJKWVDQG responsibilities among different participants in the corporation, such as the board of directors and management. By doing this, it provides the structure by which the company objectives are set and the means of attaining those objectives and monitoring performance. Corporate governance includes concerns for information technology governance because without effective information management, those charged with corporate responsibilities would not be able to perform effectively. eWeek (2004) make the case for IT professionals to take a leading role in corporate governance since they have control over the processes underpinning governance activities. They mention the example of the human resource database providing information about employees’ compensation which, if the information is properly monitored, could provide an early indication of malpractice. This means that IT functions need WREHVHFXUHVRWKDW³EXVLQHVVGDWDLVQRWDOWHUHG by unscrupulous hands” (eWeek, 2004, p. 40). With business increasingly utilising modern digital technology in a variety of ways, effective information security governance has, therefore, become a key part of corporate governance. In this chapter, the role of corporate gover- nance in relation to the security of information technology and information and communications technology (ICT) will be examined. Current developments and models such as those offered by the IT Governance Institute and Standards Australia will be outlined and the current lack of model development in extending the governance concept to information security in today’s world RIHEXVLQHVVZLOOEHLGHQWL¿HGDQGGLVFXVVHG7KH purpose of the chapter is thus to develop a model that aligns IT governance with security manage- ment in an e-business environment through a review of existing approaches and synthesis of concepts and principles. NEED FOR GOVERNANCE The case of Enron ® H[HPSOL¿HVWKHQHHGIRUHI- fective corporate governance. Enron ® ’s downfall was brought about, as described in broad terms by Zimmerman (2002) in USA TODAY ® E\³RYHU- aggressive strategies, combined with personal greed.” He believes that there were two main FDXVHVIRUWKLVIDLOXUH¿UVWEUHDNGRZQVFDXVHG E\LJQRUHGRUÀDZHGHWKLFVDQGVHFRQG³%RDUG of directors failed their governance.” He recom- mends that in order to keep this from happening again, corporate governance should no longer EHWUHDWHGDV³VRIWVWXII´EXWUDWKHUDVWKH³KDUG stuff” like product quality and customer service. He quotes Business Week ® of August 19-26, 2002 ZKHQKHFRQFOXGHVWKDW³DFRPSDQ\¶VYLDELOLW\ now depends less on making the numbers at any cost and more on the integrity and trustworthiness of its practices.” In other words, good corporate governance. The term corporate governance is often used synonymously with the term enterprise gover- nance since they are similar in scope as can be seen I UR PW KH IRO O R Z LQ J G H ¿ Q L W L R Q V 7 KH \ E R W K D S S O \ W R the role and responsibilities of management at the highest level in the organisation. An example of a framework for enterprise governance is one that i s p r ov i de d b y t he Chartered Institute of Manage- ment Accountants (CIMA) and the International Federation of Accountants (IFAC) (2004): [Enterprise governance is] the set of responsi- bilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are 2145 A Model of Information Security Governance for E-Business achieved, ascertaining that risks are managed appropriately and verifying that the organization’s resources are used responsibly. The term corporate governance is used by the Organisation for Economic Co-operation and Development (OECD) (Brand & Boonen, 2003) and understood to be: the system by which business corporations are directed and controlled. The corporate governance VWUXFWXUHVSHFL¿HVWKHGLVWULEXWLRQRIULJKWVDQG responsibilities, among different participants in the corporation such as board, managers, share- holders and other stakeholders and spells out the rules and procedures for making decisions on corporate affairs. By doing this, it also provides the structure by which the company objectives are set and the means of attaining those objectives and monitoring performance. (pp. 15-16) 7KHDERYHGH¿QLWLRQVQRWRQO\UHYHDOFRPPRQ- ality but also emphasize two dimensions, namely, conformance and performance. Conformance focuses on structure such as the existence of the board and executive management, who in turn communicate their perceptions of corporate objec- tives. Performance, on the other hand, provides expectations about the achievement of corporate objectives and is associated with activities such as risk management, resource utilisation, and performance measurement. It could be argued that the former has a greater corporate orientation as it has a leadership role, unlike the latter that is linked to the execution of business activities and has more an operational orientation and could be termed business governance. IT systems contribute to the performance dimension of the organisation as they support the organisational processes by delivering IT services. They are, therefore, most closely linked with the business governance component of the above di- c h o t o m y. H o w e v e r, a s I T i s i n c r e a si ng l y b e c o m i ng an integral part of business, the responsibility for IT becomes part of the responsibility of the board o f d i r e ct or s, a n d t h e r e b y a l s o v e r y m u c h p a r t o f t h e conformance aspects of governance. The latter is much broader in scope, implying greater strategic and diligence responsibilities on the part of the board and executive management. Figure 1 shows how the enterprise governance framework extends to IT governance through the LQÀXHQFHVRIFRUSRUDWHDQGEXVLQHVVJRYHUQDQFH as outlined above. The two levels interact with IT governance as follows: the key role for corporate governance is to provide strategic objectives and Figure 1. IT governance and enterprise governance 2146 A Model of Information Security Governance for E-Business their monitoring, while business governance pro- vides control and assessment of the operational activities of IT. Both are required to make IT play its intended role for the organisation. The following section provides a more detailed examination of IT governance by examining the perspectives of a professional, government, and research body. This will explain in more depth the interaction between IT governance with the higher levels of governance as well as the scope of IT governance itself. With regard to the lat- ter, attention will be given to IT security within IT governance in line with the objectives of the chapter. IT GOVERNANCE Perspectives on IT governance from three sig- QL¿FDQWLQVWLWXWLRQVLQWKLV¿HOGDUHH[DPLQHG below: they are the IT Governance Institute, Standards Australia (SA), and National Cyber Security Partnership. The analysis focuses on the activities of IT governance and the integration of IT security in the respective frameworks in order to synthesis these views later into a model of information security governance. ITGI ® (2 0 01) a r g u e d t h a t e x e c u t iv e s a r e g e t t i n g more and more dependent on information technol- ogy to run their businesses. Hence, IT governance LVGH¿QHGE\WKH,QVWLWXWHDV the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leader- ship and organisational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives. (p.10) According to ITGI ® , IT governance has as its main purposes the achievement of strategic alignment, value delivery, risk management, and performance management. The question of IT security is addressed by providing emphasis to risk management, as it is realised that with IT’s EHQH¿WV DQG RSSRUWXQLWLHV FRPHV JUHDWHU ULVN Mechanisms, therefore, are required to exercise control over the use of IT in order to cope with these risks. Risk management is perceived as the appropriate management of threats relating to IT, addressing the safeguarding of IT assets, disaster recovery, and continuity of operations. SA (2004), an Australian federal government department, recently developed a detailed ap- SURD FK IRU ,& 7 JRYH U QD QFHWRJ X LGHVHQ LRURI ¿F H - holders in evaluating, directing, and monitoring WKHRSHUDWLRQVRI,&7V\VWHPV7KH\GH¿QHGWKH governance of ICT as: the system by which the use of ICT is controlled. It involves evaluating and directing the plans for the use of ICT to support the organisation and monitoring this use to maintain that plan. It includes the strategy and policies for using ICT within an organisation. (p. 6) 6$LGHQW L ¿HGVHYH QNH\S U L QF LSOH V RIICT gov- ernance, namely establishing clearly understood responsibilities for ICT, planning ICT to best support the organisation, acquiring ICT in a cost- E H Q H ¿F L D O P DQ QH U H Q VX U L QJ , & 7 L V RI W KH U H TX L U H G quality, performs when required, conforms with formal rules, and respects human factors. 7KHSULQFLSOH³HQVXUH,&7LVRIWKHUHTXLUHG quality” refers to different tasks that are part of IT security management, such as ensuring system availability and security from attack, theft, and m i s u se o f c r u c i a l b u s i ne s s d a t a . T h i s a l s o i n cl u d e s the preparation of disaster recovery plans to ensure business continuity. Additionally, it is suggested that the organisation is able to monitor and report all security breaches, including attacks and fraud. Finally, accurate procedures for the measurement of the effectiveness of security measures have to be in place. SA advocates risk management PHWKRGV IRU WKH LGHQWL¿FDWLRQ RI VHFXULW\ ULVN its evaluation, and mitigation. It is essential for 2147 A Model of Information Security Governance for E-Business the well-being and legal compliance of the or- ganisation that upper management is informed about security risks and their implications while making decisions. The Corporate Governance Task Force of the National Cyber Security Partnership (2004) a r g u e d t h at a l t ho u g h i n fo r m a t i o n s e c u r i t y i s o f t e n considered a technical issue, it is also a gover- nance challenge that involves risk management, reporting, and accountability and, therefore, requires the active engagement of executive management. The managerial aspect of security PDQDJHPHQWLVGH¿QHGDVinformation security governance (ISG), a subset of an organisation’s overall governance program. Within ISG, risk management, reporting, and accountability are considered key policies. The National Cyber Security Partnership (NCSP) made the topic of IT security contem- porary by including cyber security for effective ISG. It made a number of recommendations for the adoption of ISG in the U.S. using the IDEAL framework (initiating, diagnosing, establishing, acting, and learning). Appendices of the NCSP report provide extensive information on functions and responsibilities, organisation and processes for implementation, and ISG assessment tools. While the above approaches provide an over- view of IT governance and an acknowledgment of its responsibilities with respect to information security, they do not go as far as providing prescrip- tions on how best to integrate security issues into governance. Guidance in this respect is desirable as IT security has become more complex with the emergence of the e-business phenomenon. E-BUSINESS AND SECURITY (EXVLQHVV KDV EHHQ GH¿QHG E\ 0F.D\ DQG Marshall (2004) as: a business that creatively and intelligently utilises and exploits the capabilities of IT and Internet WHFKQRORJLHV WR FUHDWH HI¿FLHQFLHV WR DFKLHYH HIIHFWLYHQHVVJDLQVVXFKDVÀH[LELOLW\DQGUHVSRQ- siveness, and to create strategic opportunities through competitive uses of IT to alter markets and industry structures. (p. 5) This type of business is a development of e-commerce, a system that uses the Internet to provide a new channel to conduct trade with cus- tomers and suppliers. Further integration of ICT into the business itself enabled value chains to be developed with customers and suppliers. Inside the organisation, enterprise resource planning (ERP) software provided integration with new ap- plications, such as supply chain management, and between existing applications, such as accounting DQG¿QDQFH:LWKHEXVLQHVVRUJDQLVDWLRQVKDYH become even more dependent on the utilisation of ICT to create and maintain business advantages, albeit using technologies that are different from previous ones (e.g., the Internet). The e-business environment can be contrasted from the traditional IT environment in three major ways (Fink, 2004). First, under the new approach, systems are open while previously they were considered closed. In other words, globally networked systems are more accessible and open to attack than systems kept strictly in-house without Internet access. Second, assets are now PRUHYLUWXDOWKDQWDQJLEOHDQGPRUHGLI¿FXOWWR track as networks of cooperating organisations emerge. The assets of such organisations largely OLHLQLQWHOOHFWXDOSURSHUW\UDWKHUWKDQLQ³EULFNV and mortar.” Third, in the past, emphasis was placed on developing systems with the objective of meeting users’ expectations, while now opera- tions are critical since organisations are dependent on the continued functioning of their IT systems. For example, business is lost should the Web site on the Internet cease to function and customer may never return to the site. The new environment has created new sets of technological risks. Technological risks, despite the name, are largely brought about by the actions 2148 A Model of Information Security Governance for E-Business of humans. They attract the greatest attention when brought about maliciously. Methods of at- tack are numerous and include viruses that can be introduced through data obtained from the Internet. The opportunity for hacker attacks is provided since the Internet enables others shar- ing the network to penetrate information systems in an unauthorised manner. Data and messages being forwarded on this network are potentially VXEMHFWWRLQWHUFHSWLRQDQGPRGL¿FDWLRQZKLOH being transmitted. Systems themselves can be brought down by denial-of-service attacks de- VLJQHG WR SUHYHQW VHUYLFHV UHTXHVWV WR VSHFL¿F services such as accessing a Web application on the Internet. In response to these concerns, e-business should implement a system of security measures. These measures include those that ensure the availability of systems (to prevent system out- ages), integrity (so that data can be relied upon IRUGHFLVLRQPDNLQJFRQ¿GHQWLDOLW\WRSUHYHQW unauthorised disclosure of information), and authenticity (verifying that users are who they claim to be). In addition, an organisation should implement broad security approaches, including the use of security policy, contingency planning, and disaster recovery. These will ensure that the HEXVLQHVV FRQWLQXHV WR RSHUDWH HI¿FLHQWO\ DQG effectively. MODEL FOR INFORMATION SECURITY GOVERNANCE The preceding sections provided an overview of enterprise governance and highlighted the Figure 2. Integration of IT governance and e-business security management 2149 A Model of Information Security Governance for E-Business importance of IT governance at the corporate (conformance) and business (performance) levels. An overview was also provided of three perspectives on IT governance itself. The three approaches describe IT governance as an execu- tive management task in which IT activities at the highest level are strategically managed in order to gain maximum alignment between IT and business. At a more operational level, the role of IT is perceived to be one of generating value for the organisation, ameliorated by the need to practice effective risk management in order to secure the organisation from new and complex technological and human threats. This section proposes a model for information s e c u r i t y g o ve r n a nc e , s h o w n i n F i g u r e 2 . I t c o n si s t s of two major components, namely, information security governance and e-business security management. Within the former are strategic high-level processes (e.g., setting objectives) as well as lower-level operational processes (e.g., IT YDOXHGHOLYHU\WKDWZHUHLGHQWL¿HGLQSUHYLRXV discussions. However, it does not include risk management, which performs the special function of integrating the two major components as seen in Fig ure 2. The e-busi ness secu rit y ma nage me nt component deals with security issues, again at a high level (e.g., developing a security policy) and at a lower level (e.g., implementing security to ensure system availability). The approach adopted to develop the above model was a methodical and structured one since the objective was to achieve overall effec- tive information security management as part of IT governance. The random introduction of security software, tools, and techniques is likely to be ineffective, as information can not be pro- tected without considering all the activities that impinge on security. The holistic point of view that is required is within the broad objectives of ,7JRYHUQDQFHVLQFH³,7JRYHUQDQFHSURYLGHV the processes to develop, direct, and control IT resources” (Korac-Kakabadse & Kakabadse, 2001, p. 1). Therefore, effective IT governance processes and mechanisms are seen as the enablers of a structured approach to IT management and thus are a precondition to effective information security governance for e-business. IT Governance At the highest level, IT governance does not differ from what would be expected to take place within enterprise governance. The governance process starts with setting objectives for the enterprise’s IT, thereby providing the initial direction. From then on, a continuous loop is established for mea- suring IT performance, comparing outcomes to objectives, and providing redirection of activities where necessary and a change to objectives where appropriate. To be effective, an iterative process is most appropriate (ITGI ® , 2003). At the more detailed level, the key missions of IT need to be accomplished. The IT Gover- nance Institute (2003) states that the purpose of IT governance is to direct IT endeavours and to ensure that IT’s performance meets the following objectives: strategic alignment, value delivery, risk management, and performance measurement. Strategic alignment refers to the leveraging of IT into business activities, while value delivery is the exploitation of business opportunities and WKH PD[LPL]DWLRQ RI EHQH¿WV E\ WKH XVH RI ,7 The two activities are closely connected (ITGI ® , VLQFHEHQH¿WVZLOOHPHUJHLI,7LVVXF- cessfully leveraged into business activities. The performance of IT has to be managed according WKHPRWWR³:KDW\RXFDQQRWPHDVXUH\RXFDQ not manage,” and hence a system of performance measurement metrics is required. As discussed in a later section, risk manage- PHQWSOD\VDVLJQL¿FDQWLQWHJUDWLQJUROHLQWKH proposed model, as shown in Figure 2. Basically, risk management integrates the management of security measures in the governance processes of an organisation, and consequently it can be seen as the connecting link between IT governance and e-business security management. 2150 A Model of Information Security Governance for E-Business E-Business Security Management To mitigate risk at the highest level requires the establishment of an information security policy, contingency planning, and the development of a disaster recovery plan (Hong, Chi, Chao, & Tang, 2003). The purpose of a security policy is to articu- late management’s expectations of good security throughout the organisation. Polices should be achievable and encourage employees to follow them rather than viewing them as another odious task to be performed. Contingency planning and the disaster recovery plan should prevent an IT disaster from becoming catastrophic. The latter ensures that there is an arrangement to resume QRUPDORSHUDWLRQVZLWKLQDGH¿QHGSHULRGRIWLPH after a disaster has struck. Underpinning the high-level management approach is a system of security measures that s h o u l d e n s u r e t h a t t h e o r g a n i s a t io n’s a s s e t s — p a r- ticularly its information — are protected against loss, misuse, disclosure, or damage (ITGI ® , 2001). 0RUHVSHFL¿FDOO\%UDLWKZDLWHVWDWHV E-business security represents an accumulation and consolidation of information processing threats that identify the need to protect the integrity DQGFRQ¿GHQWLDOLW\RILQIRUPDWLRQDQGWKHQHHGWR secure the underlying support technologies used in the gathering, storage, processing, and delivery of that information. (p. 1) Measures are required to assure high levels of DYDLODELOLW\LQWHJULW\FRQ¿GHQWLDOLW\DQGDXWKHQ- ticity of business critical information (Halliday, Badenhorst, & v. Solms, 1996). • Availabilit y: this implies a number of requirements, such as ensuring continuing access to systems by users and the continued RSHUDWLRQRIWKHV\VWHPV7KHXVHRID¿UH- wall gateway will ensure that the internal, trusted systems are secured from attacks originating in outside, untrusted systems. • Integrity: measures to ensure the com- pleteness and unaltered form of data be- ing processed in the organisation. Strong organisational controls, such as the hiring of competent staff and their supervision, and application controls, such as reconcil- ing balances between different business applications as transactions are processed, are required. • &RQ¿GHQWLDOLW\: this ensures that data can be read only by authorized people. In an e-business environment, all sensitive and FRQ¿GHQWLDOGDWDVKRXOGEHHQFU\SWHGZKLOH it is being transmitted over networks and as it is stored in the organisation’s databases. • Authenticity: e-business systems enable participants of the extended organisation (like suppliers, employees and customers) to be connected (Rodger, Yen, & Chou, 8VHU LGHQWL¿FDWLRQDQG DXWKHQWLFD- WLRQYLDGLJLWDOVLJQDWXUHVDQGFHUWL¿FDWHV DUHWKHUHIRUHDVSHFL¿FUHTXLUHPHQWIRUWKLV networked business environment (Wright, 2001). When aligning governance with security, a number of issues emerge. They essentially focus on incorporating governance practices into security via effective risk management and reconciling WKHFRQÀLFWLQJREMHFWLYHVRIYDOXHGHOLYHU\DQG security. Risk Management As observed in the preceding discussions, ef- fective risk management is a key objective of IT governance (ITGI ® , 2004; Standards Australia, 2004) and is required to minimise the IT risks associated with operating an e-business. In the proposed model, it can furthermore be seen as an integrating force, linking IT governance processes with e-business security management. It can also be viewed as a way of integrating security into the 2151 A Model of Information Security Governance for E-Business processes of an organisation — an important but also a very challenging task (McAdams, 2004). * U H HQ V W H L Q D QG 9D V D UK H O\ L S G H ¿ QH ULVNDV³WKHSRVVLELOLW\RIORVVRULQMXU\´DQGULVN management as a methodology, which assesses ¿UVW³WKHSRWHQWLDORIIXW X UHHYHQWVWKDWFDQFDXVH adverse affects,” and second, the implementation of strategies that mitigate these risks in a cost-ef- ¿FLHQWZD\(ORII/DEXVFKDJQHDQG%DGHQKRUVW (1993) propose a risk management life cycle and G H ¿ QH L W D VD S U R F H V V RI U LV N L G H QW L ¿F D W L R Q D QD O \ V L V assessment, resolution, and monitoring. The elements of the traditional risk manage- ment life cycle are important for e-business, but GXHWRHEXVLQHVV¶LQKHUHQWQHHGVIRUÀH[LELOLW\ and responsiveness (e.g., to react to emerging customer demands), an ongoing and more dynamic risk management approach is required (Mann, 2004). This implies the capability to quickly adapt IT structures, including security, to busi- ness conditions while being able to adequately monitor the changing risk environment. Further- more, Internet-based technologies are subject to rapid change in an increasingly complex threat landscape. This may require the deployment of a real-time risk management approach in which ULVNVDUHLGHQWL¿HGDQGUHSRUWHGDVWUDQVDFWLRQV are processed in real-time (see Labuschagne & Eloff, 2000). Fink (2004) reviewed existing risk manage- ment methodologies as to their suitability for WKH,QWHUQHWHQYLURQPHQWDQGIRXQGVLJQL¿FDQW shortcomings among some well-known products. He recommended that an effective methodology should be able to meet the following criteria: • Comprehensive: the methodology must cover both the technological (e.g., Internet) and business (trading partners) scenarios of an e-business. • Inclusive: the methodology must cover all types of assets (physical and virtual) and all types of vulnerabilities and threats that can be encountered in an e-business environ- ment. • Flexible: it must offer a variety of techniques (quantitative and qualitative) that can be ap- plied across all types of e-business models (e.g., supply chain management, ERP). • Relevant: the application of the methodology V K R X OG O H D GW R W KH L G H Q W L ¿ F D W LR Q D Q G V X F F H V V - ful implementation of security measures relevant to e-business (e.g., digital signatures DQGFHUWL¿FDWHVIRUWUDGLQJSDUWQHUV A key aspect of risk management is making trade-offs. For example, the greater the desired level of security, the more administration and control are required and the greater the tendency to reduce the ability to access data and information. Consequently, more security comes along with an increased cost and a reduction in the initiatives that employees are allowed to use in creating op- portunities for their organisation. Hence, e-busi- QHVVVHFXULW\PLJKWFRQÀLFWZLWKWKHREMHFWLYHRI value delivery in IT governance. Some, however, have argued that security can be seen as value itself. McAdams (2004, p. IRU H[DPSOH VWDWHV WKDW ³DQ RUJDQL]DWLRQ could embrace security as a core value much like customer service rather than merely as an adjunct support activity.” Indeed, the previously discussed objectives of e-business security man- DJHPHQW DYDLODELOLW\ FRQ¿GHQWLDOLW\ LQWHJULW\ and authenticity) are connected with positive outcomes for the organisation. However, the YDOXHUHVXOWLQJIURPVHFXULW\PHDVXUHVLV¿QLWH as eventually additional efforts for security are not rewarded with additional value for the business. Hence, it is important to determine the required level of security during risk management so as to ensure that costs of security are balanced by UHVXOWDQWEHQH¿WV ,QSUDFWLFHWKLVWDVNLVGLI¿FXOWDVWKHFRVWRI V H FX U L W \L V H LW K H U X Q N QRZ QR U G LI ¿F X OW W R P H D V X UH This problem is demonstrated by a recent study 2152 A Model of Information Security Governance for E-Business RI)RUUHVWHU5HVHDUFK7KHVXUYH\³+RZ much security is enough” was conducted in August 2003 among 50 security executives at organisa- tions with more than $1 billion in revenue. The results are illustrative of the problem: 40% of the respondents stated that their organisation’s secu- rity spending was improperly focused, and 42% stated that it was inadequate for 2003. However, 60% of respondents said that they did not even know how much security incidents cost their businesses every year. Thus, determining the ULJKWOHYHORIVHFXULW\LVGLI¿FXOWEXWFUXFLDOLQ R U G H U W R D FK L H Y H E H QH ¿ W VI UR P , 7 Z K LO H D G H T X DW HO \ managing security. GUIDELINES FOR IMPLEMENTATION While the above discussions provide the theo- retical background and rational for the proposed information security model, this section provides guidelines for the organisation on how such a model can best be implemented. • A clear understanding needs to exist within the organisation on the responsibilities of governance at the enterprise level and how IT governance integrates into this. The ap- proach recommended for the information security model is two-pronged, namely, ensuring conformance via corporate gov- ernance and performance through business governance. • For an e-business, information security has become an important consideration. The organisation has to understand the QDWXUHDQGVLJQL¿FDQFHRIFXUUHQWDQGSRV- sible future threats and risks as well as the counter measures that are available to an e-business. Risk in this environment can be of a business nature (e.g., unresponsive trading partners) and technological nature (e.g., malicious attacks via the Internet). Risk is complex and specialist advice may be required from professionals such as IT security analysts and IT auditors. • Risk management plays the key role in EDODQFLQJ ZKDW DSSHDUV WR EH FRQÀLFWLQJ objectives when applying ICT, namely, value realisation and security. A suitable risk management methodology needs to be acquired that recognises these two compet- ing functions of ICT and takes into account the characteristics of e-business. The criteria for such a methodology were outlined in an earlier section. • A program of education to raise competence and awareness should be implemented across all levels of management to ensure that the requirements for effective information security governance are well understood. Such a program should be delivered in stages, as the concepts are complex, and regularly reviewed in response to changes in technology and the business environment. By being systematic and structured, organic management behaviour is encouraged. • It is recommended that an adaptable and ÀH[LEOHDWWLWXGHEHDGRSWHGGXULQJLPSOH- mentation in that the model needs to integrate i n t o t he e x i s t i ng I C T, a nd o r g a n i s a t io n a l a n d management structures. Current organisa- tional culture and resource constraints need to be taken into account to achieve the best ¿WSRVVLEOHDQG WR PDQDJH DQ\UHVLVWDQFH to change successfully. For example, a new ethos in support of governance may have to emerge. • Lastly, implementation progress should be reviewed and monitored on a regular basis applying the well accepted feedback loop. It is recommended that a project sponsor IURP VHQLRU PDQDJHPHQW EH LGHQWL¿HG WR guide implementation and to ensure that the model receives strong commitment from executive management. 2153 A Model of Information Security Governance for E-Business CONCLUSION This chapter has shown the need for governance and suggested a concept for the integration of IT governance with enterprise governance. It then LGHQWL¿HGWKUHHPDMRUDSSURDFKHVWR,7JRYHUQDQFH and their management of IT security. The latter was shown to be critical for the operation of an e-business. Hence, a framework was developed in which IT governance and e-business security operate together in an integrated, structured, yet holistic manner. The proposed model recognises that IT governance aims to optimise the value delivery of ICT while e-business security ensures WKDWLGHQWL¿HGULVNVDUHFRQWUROOHGLQDQHI¿FLHQW manner. This model emphasizes the importance of risk management as the method that links IT governance and e-business security and thereby U H V RO Y H V W KH R I W H Q F R Q À L F W L Q J R EM H F W LY H VRI V H F X U LW \ and value delivery. REFERENCES Braithwaite, T. (2002). Securing e-business sys- tems: A guide for managers and executives. New York: John Wiley & Sons. Brand, K., & Boonen, H. (2004). IT governance - A pocket guide based on COBIT. The Netherlands: Van Haren Publishing. Cadbury, A. (1992). Report of the committee on WKH¿QDQFLDO DVSHFWV RIFRUSRUDWHJRYHUQDQFH. London: The Committee on the Financial Aspects of Corporate Governance. CIMA/ IFAC. (2004). Enterprise governance: Getting the balance right. Retrieved January 3, 2005, from http://www.cimaglobal.com/down- loads/enterprise_ governance.pdf Eloff, J. H. P., Labuschagne, L., & Badenhorst, K. P. (1993). A comparative framework for risk analysis methods. Computers & Security, 12(6), 597-603. eWeek (2004). The governance edge. 21(42), 40. Fink, D. (2004). Identifying and managing new forms of commerce risk and security. In M. Khosrow-Pour (Ed.), E-commerce security advice from experts (pp. 112-121). Hershey, PA: CyberTech Publishing. Forrester Research. (2004). How much security is enough. Retrieved September 6, 2004, from http://www.forrester.com/ Greenstein, M., & Vasarhelyi, M. A. (2002). Elec- tronic commerce: Security, risk management, and control (2 nd ed.). Boston: McGraw-Hill. Halliday, S., Badenhorst, K., & v. Solms, R. (1996). A business approach to effective informa- tion technology risk analysis and management. Information Management & Computer Security, 4(1), 19-31. Hong, K S., Chi, Y P., Chao, L. R., & Tang, J H. (2003). An integrated system theory of informa- tion security management. Information Manage- ment & Computer Security, 11(5), 243-248. ITGI ® - IT Governance Institute. (2001). Informa- tion security governance. Retrieved September 6, 2004, from www.ITgovernance.org/resources. htm ITGI ® - IT Governance Institute. (2003). Board EULH¿QJRQ,7JRYHUQDQFH. Retrieved September 6, 2004, from www.ITgovernance.org/resources. htm ITGI ® - IT Governance Institute. (2004). IT con- trol objectives for Sarbanes-Oxley. Retrieved September 6, 2004, from www.ITgovernance. org/resources.htm Korac-Kakabadse, N., & Kakabadse, A. (2001). IS/IT governance: Need for an integrated model. Corporate Governance, 1(4), 9-11. Labuschagne, L., & Eloff, J. H. P. (2000). Elec- tronic commerce: The information-security . information technology and information and communications technology (ICT) will be examined. Current developments and models such as those offered by the IT Governance Institute and Standards Australia. governance and consists of the leader- ship and organisational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives establishing, acting, and learning). Appendices of the NCSP report provide extensive information on functions and responsibilities, organisation and processes for implementation, and ISG assessment
Ngày đăng: 07/07/2014, 10:20
Xem thêm: Electronic Business: Concepts, Methodologies, Tools, and Applications (4-Volumes) P222 pps
