General Drawing of the Integrated Framework for Security Governance

  • Heejun Park
  • Sangkyun Kim
  • Hong Joo Lee
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4251)


The purpose of this paper is to provide corporate executives with a structured approach to security governance. Previous studies on governance and security management, including international standards, methods for risk analysis, and guidelines for security policy, were reviewed to design the components and requirements of the security governance framework. Finally, a framework for security governance consisting of four domains and two categories of relationship is proposed, taking into account the requirements of the framework from three perspectives: architecture, domain, and presentation. It is believed that, with this framework, corporate executives could achieve greater productivity gains and cost efficiencies from information security.







Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Heejun Park (1)
  • Sangkyun Kim (2)
  • Hong Joo Lee (3)
  1. Department of Information and Industrial Engineering, Yonsei University, Seoul, South Korea
  2. Somansa Co., Ltd., Seoul, South Korea
  3. The Liberal Arts School, Dankook University, Seoul, South Korea
