Information governance refers to a set of multi-disciplinary policies, processes, structures, controls and procedures that are implemented to manage information at the organizational level, addressing the present and future legal, environmental, operational and regulatory risks associated with the organization. Information technology (IT) governance refers to the process of establishing and maintaining a framework that assures that information security strategies are arranged in a manner that supports the objectives of the business organization. The organization must ensure that such information security strategies comply with the regulations and laws in force, adhere to internal policies, and are controlled with the aim of mitigating risk (Black, 2016).
Information Security Governance
IT security governance is a fundamental responsibility of the Board of Directors and the senior executives of the organization, and it must be consistent with the IT governance framework (Peltier, 2013). The Board is accountable for making information security an integral part of governance and for incorporating it with the other processes that already exist in the organization. This enables the Board to govern information in the same way as other serious and vital organizational resources. The senior executives, on the other hand, are responsible for considering and responding to the sensitivities and concerns that result from information security.
IT security governance encompasses the organizational structures, leadership and processes that aim to safeguard the information of organizations. The factors responsible for the success of these processes and structures are a common language, common commitments and effective communication based on constructive relationships. Organizations may have special security requirements or objectives that arise from customer contracts and partnership arrangements. It is therefore essential that management ensure these considerations are consistent with enterprise procedures and policies and that adequate resources are available.
Characteristics of effective IT security governance
Effective IT security governance is fundamental to a successful and established organization. The most essential characteristics of IT security governance must be present to ensure the safety of organizational information: (1) the leaders are held accountable; (2) it is a well-planned measure; (3) it requires a development life cycle; (4) it is addressed and enforced in organizational policy; (5) it segregates roles and responsibilities within the organization; (6) it is fundamental to securing the organization's policies and information.
IT security governance supports the organization by providing the levels and quality of service that are essential to fulfil the requirements of the business, both present and future. It complies with all mandatory regulations and legislation and ensures that policies and practices are clearly defined, implemented and enforced to achieve the organizational goals and objectives (Tallon, 2013).
Information security deals with information handling and all other aspects of information, as opposed to IT security, which deals with the security of information within the boundaries of the technological domain of the network infrastructure. In order to attain effective information security governance, organizational management must establish a framework that guides the development and maintenance of a comprehensive information security program.
Possible Outcomes of IT Security Governance
Effective IT security governance may result in certain essential outcomes in the context of global governance. Firstly, it provides an effective risk management strategy, implementing appropriate measures to manage and mitigate risks and to reduce the potential impact on information resources to an acceptable level. Secondly, it aligns the information security strategy with the business strategy in support of organizational objectives (Baskerville, Spagnoletti & Kim, 2014). Thirdly, it enables the information security infrastructure and knowledge to be used effectively and efficiently, thus establishing effective resource management. Fourthly, effective IT security governance delivers value by maximizing the return on information security investments in support of the organizational objectives. Lastly, it enables performance measurement by monitoring, measuring and reporting IT security governance metrics to ensure that the organizational objectives are attained.
In the US, the National Association of Corporate Directors (NACD), considered the leading membership organization for boards of directors, recognizes the significance of information security. The organization recommends four fundamental practices that should be adopted by organizations globally. These essential practices are based on the practical operations of the boards of organizations (AlHogail, 2015). Firstly, information security should be placed as a fundamental matter on the Board's agenda. Secondly, information security leaders should be identified, held accountable and given the necessary support. Thirdly, the effectiveness of the organization's information security policy should be ensured through review and approval.
Advantages of Information Security Governance
There are certain advantages associated with effective IT security governance. Firstly, an organization that practices good governance sees an increase in shareholder value. Secondly, effective information security reduces uncertainty and enhances assurance of business operations by reducing security-related risks to definable and acceptable levels. Thirdly, it protects against the growing likelihood of legal and civil liability that may arise from information inaccuracy and lack of due care.
Fourthly, it provides assurance of compliance with an effective IT security policy and with organizational policy more generally. Fifthly, it provides a framework and structure for optimally allocating limited security resources. Sixthly, it provides a level of assurance that critical decisions are not based on inaccurate or disputed information. Seventhly, it provides a firm foundation for effective and efficient risk management, rapid incident response and business process improvement (Safa, Von Solms & Furnell, 2016).
Need and significance of Information Security in global governance
The purpose of information security is to protect organizational policies, programs and processes and to reduce the negative impact on the organization to an acceptable level of risk. It safeguards the confidential and essential information of the organization against misuse, operational discontinuity, inaccessibility, unauthorized disclosure and damage (Williams, Hardy & Holgate, 2013).
Information security encompasses all necessary information procedures, whether the information is electronic or physical and whether they involve technology, people, customers, third parties or relationships with trading partners. Given the rise in information-related crime, including cyber-attacks and phishing, IT security is undoubtedly an essential and mandatory requirement in any business organization. With new malware and worms, the increase in losses of confidential customer information and intellectual property, and the widespread use of networks, individuals and organizations are increasingly concerned with risks to the privacy of personal and organizational information. Information security not only safeguards the confidential information of an organization but also encourages the use of electronic channels for carrying out business activities (Layton, 2016).
The processes and systems that hold company information have become pervasive everywhere. An organization may survive the loss of assets, people or facilities, but the loss of information, especially confidential information, can make it impossible for the organization to carry on its business activities (Tricker & Tricker, 2015). Such essential information includes financial and accounting reports, process and operations knowledge, customer data and other company-related information.
In order to ensure that all the relevant elements of security are addressed in organizational security strategies, several security standards have been introduced to ensure comprehensiveness and to provide guidance. Standards commonly used in the US include Control Objectives for Information and related Technology (COBIT), ISO 17799 (since renumbered as ISO/IEC 27002), NIST SP 800-53 and FIPS Publication 200. A formal security strategy is implemented in part by developing and deploying comprehensive security policies that express the objectives of the organization and address every element of the strategy (Black, 2016). In order to provide effective governance, an accepted set of organizational standards is to be developed for each policy, describing the boundaries of acceptable processes and procedures along with the assigned roles and responsibilities. It is imperative that effective awareness, training and education are provided to all personnel of the organization as part of a continuing process whose sole purpose is to secure reliable business operations.
The physical security of the nation and of the critical organizational infrastructure that constitutes global commerce is only as strong as the information security that supports the present, networked environment. Information security, often perceived as a set of technical issues, must be considered an essential aspect of corporate social responsibility that includes training and testing, risk management, reporting controls and other executive responsibilities (Duffield, 2014). It requires the active involvement of the Board of Directors and the executive members of the organization, because management has the sole responsibility to safeguard the interests of the organization's stakeholders and to ensure that these issues are adequately addressed from a governance perspective. Addressing such risks requires managing them, including information security risks, and integrating information security governance within the organization's enterprise governance framework as a whole.
AlHogail, A. (2015). Design and validation of information security culture framework. Computers in human behavior, 49, 567-575.
Baskerville, R., Spagnoletti, P., & Kim, J. (2014). Incident-centered information security: Managing a strategic balance between prevention and response. Information & Management, 51(1), 138-151.
Black, D. R. (2016). A decade of human security: Global governance and new multilateralisms. Routledge.
Duffield, M. (2014). Global governance and the new wars: The merging of development and security. Zed Books.
Flores, W. R., Antonsen, E., & Ekstedt, M. (2014). Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture. Computers & Security, 43, 90-110.
Joseph, J., Ocasio, W., & McDonnell, M. H. (2014). The structural elaboration of board independence: Executive power, institutional logics, and the adoption of CEO-only board structures in US corporate governance. Academy of Management Journal, 57(6), 1834-1858.
Layton, T. P. (2016). Information Security: Design, implementation, measurement, and compliance. CRC Press.
Peltier, T. R. (2013). Information security fundamentals. CRC Press.
Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70-82.
Tallon, P. P. (2013). Corporate governance of big data: Perspectives on value, risk, and cost. Computer, 46(6), 32-38.
Tricker, R. B., & Tricker, R. I. (2015). Corporate governance: Principles, policies, and practices. Oxford University Press, USA.
Williams, S. P., Hardy, C. A., & Holgate, J. A. (2013). Information security governance practices in critical infrastructure organizations: A socio-technical and institutional logic perspective. Electronic Markets, 23(4), 341-354.