Information Security Governance: When Compliance Becomes more Important than Security
4 The case study
The case study reported in this paper took place in an Asian subsidiary of a large international corporation, I.T US Inc.
The corporation has two fundamental missions:
1) To lead in the creation, development and manufacture of the IT industry's most advanced information technologies
2) To translate these advanced technologies into value for their customers through their professional solutions, services and consulting businesses worldwide
It is a highly agile and highly creative company with a strong focus on teamwork, diversity, success and, of course, like any other company, profits.
Establish, maintain and distribute security protocols, practices, standards and advice to the entire ITU organisation.
5 Case analysis and discussion
Using the frameworks described earlier as a guide for this research and as a lens for its review, an empirical study was conducted to examine enterprise-wide security governance in both large and medium-sized organisations.
The study involved various sources of data, gathered in an organised way.
5.1 Limited Diversity in Decision Making
The Security Strategic Background was determined by the Corporate Security Department at the executive level of the company.
Security decision-making at this level is simple and low-level, focusing mainly on enforcement, monitoring and auditing.
At ITUM, this condition has contributed to the segregation of decision-makers and thus reflects a lack of diversity in their decisions.
5.2 Corporate Level Security Mission Statements Provide Little Guidance.
In an attempt to map ITUM's security activities using the Spectrum of Security Strategic Context research framework, it is evident that there is broad security coverage at ITUM.
In each of these fields, however, minimal depth was found in the security strategic context. This lack of depth results in a restricted comprehension of the goals that these techniques are seeking to accomplish.
Security-related activities at ITUM are performed at the 'Security Architecture' and 'Security Application(s) Needed' level, with only a few activities being performed at the 'Security Strategies & Infrastructure' level.
The objectives listed by participants, such as "Protection from virus attacks" and "protect assets & protect information in those assets", were either communicated to them by higher management or simply reflect what they believe they are doing.
5.3 A Bottom up Approach to Security Strategic Context Development.
Organizations also need to understand that, just like IT, the field of information security is a complex and vital component to their organisation's success.
There is a severe lack of strategic direction for information security. At ITUM, aside from the policy of enforcing standards and requiring business units to 'pass' audits, security is an add-on and not a driver in any way whatsoever.
ITUM did have dozens of security applications installed. There is also software available to track processes, to correlate incidents, to prioritise severity, to warn IT staff or to take the prescribed action to fix a problem.
ITUM did not draw on a bottom-up strategy for the organisation's security policies, instead establishing its own compliance-based goals and strategies.
6 Conclusions
A clear distinction is made between:
1) Corporate security governance
This can be seen as governance at the executive or board level, the key responsibility of which is to ensure that proper security governance is facilitated, supported and regulated at the enterprise level and below.
The main downside to this centralised model, however, is the possible development of a culture of enforcement in the field of corporate information security.
This centralised strategy has yet another big downside.
Centralised decision-making would reduce the flexibility and adaptability of the organisation's security function, making it difficult for the organisation to respond rapidly and in a timely manner to changes in its security climate.
A more decentralised approach to security decision-making is required to build a dynamic and scalable (or agile) security stance. However, a decentralised solution would require good governance of security at all levels of the organisation.
2) Enterprise-wide security governance
Under this form of governance, the necessary enterprise-wide security governance structures and processes are developed and put in place.
This ensures that adequate security priorities and security plans are established and efficiently communicated to the personnel and committees participating in decision-making on security infrastructure and the selection of security applications.
Current research on security objectives and strategies is still scarce and will need to increase dramatically to facilitate this change in security governance.