People, process and technology are the three elements involved in information security. Biometrics, passwords and firewalls are examples of technical measures, but on their own they are not sufficient to address threats to information. In order to protect information from destruction and to secure systems, a blend of different procedures is required. When deploying information security, some further factors need to be considered, for instance processes such as registration and de-registration, and people aspects such as education, compliance and leadership. With the evolution of information security, the focus has shifted toward a governance-oriented and people-oriented approach (Baggett, 2003).
The so-called initial stage of information security was characterized by a technical approach to securing the Information Technology environment. With the passage of time, the "technical people" working in an organization realized that the role of management in information security is imperative and that it is essential to involve top management (Von Solms, 2000). This realization became the basis for the second stage, in which organizations incorporated management into the information security function. Both phases continued in parallel, and they are termed management involvement and technical protection mechanisms respectively. Firms then realized that, in the past, other essentials of information security had been ignored. What is immediately required is to address the human element, which poses the most dangerous information security threat to every firm (Von Solms, 2000, 1997; Da Veiga, Martins, & Eloff, 2007), and within the organization extra attention needs to be given to the culture of information security (Von Solms, 2000). The third stage of information security holds that employees should build the culture of information security into their daily routine; in fact, it should be adopted as a culture within the organization. Accepting information security as a culture means adopting an approach that promotes the inclusion of information security in such a way that all activities conducted within an organization take place in its presence (Martins & Eloff, 2002).
It is the foremost duty of the executives to inculcate within the organization a proper culture relating to information security. Not only is communicating the relevant content to the employees important, but a complete controlling framework should also be in place (Cobit Security Baseline, 2004). The next section explains governance in relation to information security. This governance mechanism sets out the general approach under which information security is used to diminish threats (Von Solms, 2006).
The next section focuses on the ways to avoid threats of deception and social engineering. A survey conducted by Price Waterhouse Coopers (PWC, 2004) regarding breaches of information security states that, although there have been quite a few technology breakdowns, such as system failures or corruption of important information, the proportion of breaches attributable to human error is still considered the greatest. Price Waterhouse Coopers suggest embedding a security-aware culture within the organization to solve the problem of human error. According to management, if employees are allowed to interact with the technical controls, then there is a chance of deception occurring. Von Solms (2006) emphasizes that, to mitigate the chances of such threats, an information security governance mechanism must be present.
The sole objective of this paper is to assess the existing approaches that are followed in the framework of information security governance, so that the updated governance that follows can be more wide-ranging and better than the previous one. The new governance structure relies on technological, procedural and individual behavioral mechanisms to reach a particular point of reference for governing information security. The four approaches assessed in this paper are as follows: PROTECT (Eloff & Eloff, 2005), ISO 17799 (2005), the Information Security Architecture (ISA) (Tudor, 2000), and the Capability Maturity Model (McCarthy & Campbell, 2001). The next section presents a list of components that are based on the four approaches mentioned above. The information security governance is constructed on the basis of these information security components. In the last section, the information security governance is discussed in detail.
Significance of problem or concern
The risks that an organization faces can be reduced when executives follow the information security governance framework strictly, and not only that: they should also closely monitor the behavior of employees. To promote a culture of information security, the entity should make provisions relating to employees' behavior within its information security program. It would not be wrong to say that organizations are looking for a governance structure which not only works on the technological and procedural mechanisms of the previous sections but also takes account of human behavior. A framework with such qualities would be able to mitigate threats arising from the organization's culture to an acceptable level (Baggett, 2003).
Analysis of current solutions in the marketplace
ISO/IEC 17799 and ISO/IEC 27001
The code of practice for information security management (ISO/IEC 17799, 2005), as stated by the Information Security Organization (ISO), is a complete guide for organizations in the form of a reference point which helps them recognize the controls they need in situations where information systems are used. Gradually, with the passage of time, ISO/IEC 17799 (2005) has gained recognition as a very important standard as far as information security is concerned (ISO/IEC, 2005). There are 11 control sections described in the standard.
ISO 27001 (2005), an officially recognized standard, is taken as the second part of ISO/IEC 17799 (2005). ISO/IEC 17799 (2005) suggests adopting a continuous improvement approach. Such an approach is achieved when organizations establish, implement, operate, monitor, review, maintain and improve the entity's information security management system. The previous standards were built around a single approach, whereas now ISO/IEC 17799 (2005) gives the detailed mechanisms of information security, while ISO/IEC 27001 (2005) sketches the execution and supervision strategies.
PROTECT
The research introduced by Eloff and Eloff (2005) consists of an information security program named PROTECT. PROTECT is an abbreviation of Policy, Risk, Objective, Technology, Executive, Compliance and Team. The aim of PROTECT is to tackle all problems relating to information security. It comprises schemes which ensure that well-integrated controls are present within the organization, with the aim of reducing risk and guaranteeing efficiency and competitiveness. PROTECT has seven components, and all of them aim to provide an efficient information security program. The efficiency of the program is not limited to the technological perspective but also deals with people.
Capability Maturity Model
The Capability Maturity Model (McCarthy & Campbell, 2001) presents a set of controls which are aimed at preventing unauthorized access to, alteration of, or destruction of data. The study describes the seven major control points that make up the model's holistic view of information security.
Security leadership is the first stage and lays stress on the significance of a security representative at the executive level and on an information security strategy. This should be taken as the origin of both long-term and short-term security strategies within an entity. The second stage defines the duties to be undertaken for the development and execution of the information security program. The responsibilities of many individuals need to be defined, for instance the roles of the security officer, network specialist, anti-virus expert, database professional and Helpdesk specialist. The third stage encompasses the policies which need to be assembled in order to express and execute the information security program. These policies provide guidance on the technological and procedural aspects as well as the human aspect of information security. Security management can then become a part of routine operations. This comprises operations regarding the monitoring of users and of the technology deployed. Organizations have to make sure that employees are aware of their policies and that user reports are managed. Finally, the approach focuses on the technological aspects of information security, such as the configuration of a secure firewall, network and database. Technology protections not only focus on the IT environment but also embrace business continuity and disaster recovery (McCarthy & Campbell, 2001).
The Capability Maturity Model follows an approach which begins at the strategic level and goes down to the technology levels. The technology levels operate according to the instructions, or rather the guidance, given by the authorities at the strategic level. This model is used in executing information security. The model evaluates the information security program, identifies its risks and also gives solutions to reduce the effect of those risks. The solutions given by the model are then implemented into the current procedures (McCarthy & Campbell, 2001).
Information Security Architecture (ISA)
A very flexible and competitive approach, the Information Security Architecture (ISA), is given by Tudor (2000) to protect the organization's assets from all sorts of threats. ISA highlights…