Abstract
Current security governance is often based on a centralized decision-making model and still relies on an ineffective 20th-century risk management approach to security. This approach is relatively simple to manage, since it needs almost no security governance below the top enterprise level, where most decisions are made. However, while there is a role for more corporate governance, new regulations and improved codes of best practice to address currently weak organizational security practices, these alone are unlikely to be sufficient in today's dynamic security environment. Organizational information security must adapt to changing conditions by extending security governance to middle management as well as to system and network administrators. Unfortunately, the lack of clear business security objectives and strategies at the business unit level is likely to produce a compliance culture, in which those responsible for implementing information security are more interested in complying with organizational standards and policies than in improving security itself.
Copyright information
© 2010 IFIP International Federation for Information Processing
About this paper
Cite this paper
Tan, T.C.C., Ruighaver, A.B., Ahmad, A. (2010). Information Security Governance: When Compliance Becomes More Important than Security. In: Rannenberg, K., Varadharajan, V., Weber, C. (eds) Security and Privacy – Silver Linings in the Cloud. SEC 2010. IFIP Advances in Information and Communication Technology, vol 330. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15257-3_6
DOI: https://doi.org/10.1007/978-3-642-15257-3_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15256-6
Online ISBN: 978-3-642-15257-3