Information Security Governance Framework

Information has become many corporations' most valuable asset in the digital arena. Many organisations are now more dependent on information systems; hence a malfunction may paralyse the whole organisation and cause disastrous consequences at many levels, for example financial loss or jeopardy and destruction of reputation, leading to customers being unwilling to do business with the organisation. This paper sought to understand the use of an information security governance framework as a tool to minimise risk and inculcate an acceptable level of information security culture in tertiary education, in the context of Zimbabwean universities. An applied research design method was used because of the nature and purpose of the study. The key participants of this study totalled 140 and included 5 board members, 6 IT directors, 25 security guards, 6 Human Resource Managers, 12 IT staff and 6 administrators from the selected universities. The findings of this study were that most universities in Zimbabwe do not have an Information Security Governance (ISG) framework. A few universities have a framework, but it is known only to a limited number of individuals. ISG is still a new and complicated field in Zimbabwe, and many boards and top management teams do not understand the subject matter. It was also found that people are not always malicious; at times they are simply not aware of the security policies available within the framework that applies to their organisation. The study recommends that every tertiary institution in Zimbabwe adopt an information security governance framework in order to minimise risk and create a strong security culture among employees that is acceptable under information security governance. The ISG framework should be the regulatory framework for the use of information technology within the universities, ensuring that everyone in the organisation is aware of the information security policies and of the consequences or business risks of any breaches of these policies.
The complexity and criticality of information security and its governance demand that it be elevated to the highest organizational levels to become the responsibility of the board.

Key words: information security, governance framework, minimizes risk, information security culture and tertiary education.

(The word board is used in this paper to refer to the Senate and Executive Management, that is, Vice-Chancellors, Council members and Management Committees.)

Information has become many corporations' most valuable asset in the digital arena (Tipton & Krause, 2006). Many organisations are now more dependent on information systems; hence a malfunction may paralyse the whole organisation and cause disastrous consequences at many levels, for example financial loss or jeopardy and destruction of reputation, leading to customers being unwilling to do business with the organisation. Khosrowpour (2000) states that technology is now the backbone of organisational growth and competitive advantage, and that it also facilitates cost reduction in business operations. According to Tashi & Helie (2011: 1), 'The technological explosion is nowadays forcing organisations to change their structures and ways of operating'. This change of structure has seen some organisations engage Chief Information Officers to complement the board's effort in Information Technology (IT) governance.

Background of the study
Today's world is one of information explosion. This information revolution, currently sweeping through the world, has seen many tertiary institutions across the world adopt information systems as teaching and learning tools (Castells, 2005). New methods of teaching and conducting research have been transferred to online platforms. It is widely acknowledged that, apart from being used to improve the quality of teaching and learning, ICT has helped many of these institutions automate processes which used to be conducted manually, for example electronic libraries, online student registration and online payment of fees, to mention a few. Ekpo (2005: 44) states that 'ICTs are becoming a natural part of man's daily life; thus their use in education by staff (academic and non-academic) and students is becoming a necessity. Certainly, the present and future academic global community will utilise ICTs to a higher degree'.

The need to provide open and distance learning, blended learning, research, smooth and effective administration and management, and collaboration with other business entities in order to remain relevant to the market and keep pace with technological advancements has forced many universities in Zimbabwe to invest millions of dollars in ICT infrastructure. But for any investment to support the strategic plan of an organisation and achieve the perceived benefits, it must be aligned, through governance, with the strategic objectives that carry the vision and mission of the organisation.

Tashi & Helie (2011: 1) further state that the use of Information Communication Technology (ICT), its role and its importance are increasing daily, thereby creating a new operating environment which requires business organisations to collaborate with other organisations, customers and stakeholders through technology. This collaboration has exposed the business enterprise to an open and hostile environment. This calls for the organisation to deal with the major aspects that affect information security: the need to remain competitive by providing extensive communication, but in a more restrictive manner.

Recently there have been published and unpublished reports on information security incidents happening around the universities of Zimbabwe. These have seen both IT and non-technical staff involved in information security breaches such as unauthorised log-in through the sharing of passwords, alteration of student results in the databases, production of degree certificates for students who never attended, viewing of results by students who had not paid up their fees at the time of publication, and blocking of the student accommodation management system so that it is not accessible to those not paying kickbacks.

These security breaches have exposed the information systems to degradation of integrity and availability, and to an unacceptable level of information security culture, in many universities. This is a risk to business operations and calls for a good information security governance framework that can be used to minimise risk and cultivate an information security culture within the institutions. The risks associated with breaches of security practices may include losing money, reputation and clients.

Understanding the risks associated with information systems, and the information security culture portrayed by all the people in the enterprise, has a profound effect on information security governance; hence this study sought to understand the information security governance framework as a tool to minimise risk and inculcate an acceptable level of information security culture in tertiary education.

This study was aimed at identifying and defining the security incidents experienced by different universities in Zimbabwe so as to come up with recommendations that can be incorporated into the ISG frameworks currently in use, in order to minimise risk and cultivate a culture of security consciousness among employees. The study was also guided by the following questions:
- Do universities in Zimbabwe have an information security governance framework?
- What security incidents are currently being experienced in Zimbabwean universities?
- What are the reporting procedures for security incidents happening within the organisation?
- What is the level of ISG implementation within the university?
- Are the board and senior executives involved in the governance of information security?
- Does the board understand the risk associated with poor governance of information within the tertiary institution?
- What is the level of security culture among the employees?
- What causes employees to commit IT crimes?

Overview of Governance
The primary purpose of any governance within a corporation is to hold management accountable to stakeholders; therefore information security governance must have the purpose of holding management accountable for the protection and ethical use of the information assets available in the corporation, in order to minimise the business risks associated with information security breaches (Tipton & Krause, 2006). Governance, whether financial, business, legal or IT, is about getting people to do the right thing at the right time. In other words, it is about encouraging the behaviour that will achieve the goals of the business.

In this study it is important to understand the two major terms, governance and information security. The term governance means exercising control or authority over the actions of the subject; a system of regulation (Oxford English Dictionary). It has become more important in many areas of public, private and semi-public enterprise, and it means responsible, transparent and comprehensive leadership and control of the organisation, and alignment with standards, regulations and ethical principles (JoGo, 2007: 1). Its relevance to information security is still not obvious, as most managers are still in the dark about the subject. They are still trying to understand IT governance; the fact that ISG is an extension of ITG makes it complicated for boards of directors and executive management, most of whom grew up in the traditional way of doing business. They still view it as a technical exercise, which has been the norm since the crafting of the IT province.

Information security is the process of protecting information from a wide range of threats in order to ensure business continuity, minimise business damage, and maximise return on investment and business opportunity by preserving the confidentiality, integrity and availability of information (Tashi & Helie, 2011). 'An organization's information is among its most valuable assets and is critical to its success. The board of directors, which is ultimately accountable for the organization's success, is therefore responsible for the protection of its information. The protection of this information can be achieved only through effective management and assured only through effective board oversight.' (IT Governance Institute, 2006).

According to the King Report 3 on Corporate Governance, it is ultimately the responsibility of the Board of Directors to oversee how all risks are analysed and managed in an organization. From an information protection perspective, the term risk management is used interchangeably to describe both how the IT discipline deals with the risks to information and how the Board of Directors deals with all information related risks.

History of Information Security Governance (ISG)
Information security issues have been around for a long time, but their traction and consideration in business have come over the past 10 years (Fitzgerald, 2011). The need for IT governance, which is a superset of ISG, was born from the Cadbury report (1992) and the Turnbull report (1999), but ISG came as a result of codes of practice such as COBIT and other ISO standards. These two reports influenced the maturation of IT governance, which has remained a cause for concern in business organisations swimming in a digital ocean. Management and employees need to understand their roles in the governance and use of IT assets, that is, using these assets responsibly and ethically in order to minimise business risk.

In December 2003, the Corporate Governance Task Force was formed to develop and promote a coherent governance framework to drive the implementation of effective information security programs. It developed a comprehensive governance framework to guide the implementation of effective information security programs and to help organisations create an ISG structure. The framework can be adapted to a wide variety of entities, including corporations of all sizes in different industry sectors, as well as education and non-profit institutions (National Cyber Security Summit Task Force, 2004).

Fundamentals of Information Security Governance
The fundamental meaning of security is assurance of safety or absence of danger, and it incorporates the notion of safety and preservation of the organisation (Brotby, 2009). In the context of IT, this can be seen as security related to technology; hence the scope of ISG must be looked at beyond IT or IS security. Today's environment of highly interconnected and interdependent systems has created the requirement to understand the linkage between information technology and the meeting of business values. Tashi & Helie (2011: 1) state that information security governance should provide the basis for operating in today's interconnected and technologically complex world. According to the Board Briefing on IT Governance (2005: 6), 'In today's corporate environment, where the value and importance of information assets are significant, boards must be seen to extend the core governance principles to information and IT.'
Research findings from Brotby (2009) indicate that over 90% of organisations that lose their information assets will not survive, and that information assets and other intangibles comprise more than 80% of the value of the organisation. Brotby (2009) further states that failure to effectively implement ISG will result in a chaotic, increasingly expensive and marginal firefighting mode; hence information security is an aspect vital to IT governance.
Information, and the systems that handle it, are critical to the operation of virtually all organisations. Access to reliable information has become an indispensable component of conducting business; indeed, in a growing number of organisations, information is the business. This increasing dependence on information was apparent more than a decade ago when Drucker (1994: 234) stated that 'The diffusion of technology and the commodification of information transform the role of information into a resource equally important to the traditional important resources of land, labour and capital'.
Organisations today face a global revolution in governance that directly affects their information governance practices. As noted in Vallabhaneni (2008), following the high-profile organisational failures of the past decade, legislatures, statutory authorities and regulators have created a complex array of new laws designed to force improvement in organisational governance, security, controls and transparency.

Information security governance defined
Information Security Governance (ISG) is the establishment and upholding of a culture of IT security to provide assurance that the business objectives and stakeholder requirements for the protection of information are continually met (Auscert, 2006). Information security governance is a subset of enterprise governance that provides strategic direction, ensures that objectives are achieved, manages risk appropriately, uses organisational resources responsibly and monitors success or failure (Vallabhaneni, 2008). It is an exposition on the rationale and necessity for senior management to integrate information security into overall organisational governance at the highest levels. This study adopts the Auscert definition, as it emphasises that ISG should establish and uphold a culture that ensures business objectives and information protection are met. The concept has become even more enmeshed in the universities through the ubiquitous adoption of computing technology.

There is no single leading practice model defined for security governance. Each organisation's security risk profile will differ, and each organisation's business objectives and practices will differ (even within the same industry). Therefore, it is important to recognise that any model must be adapted and tailored to the individual organisation's needs in order to deliver the five basic outcomes:
(1) Strategic alignment of information security with business strategy to support organisational objectives;
(2) Risk management, by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level;
(3) Resource management, by utilising information security knowledge and infrastructure efficiently and effectively;
(4) Performance measurement, by measuring, monitoring and reporting information security governance metrics to ensure that organisational objectives are achieved;
(5) Value delivery, by optimising information security investments in support of organisational objectives.

Information security governance frameworks
Several frameworks have been developed by various organisations to help organisations assess risk and implement the necessary controls (Olson & Desheng, 2012). These include the international information security management standard ISO 17799 with its ten security domains, COBIT (now at COBIT 5) and Eloff's security governance framework. The main thrust of this study is to look at a framework that balances the management of risk and security culture within the institution. The study looks at Eloff's security governance framework, which contains seven levels that give a nested set of elements for providing organisational information security. The framework is divided into three main levels: strategic, which involves leadership and governance, stressing the point that it is the responsibility of the board to ensure that ISG is in place; managerial and operational, which include the organisation and its security policies and programs; and technical, which includes system development and incident management.

Seven levels of Eloff's Information Security Governance framework
Level 1 - Security leadership: strategy and metrics
Level 2 - Security program: structure, resources and skill sets required
Level 3 - Security policies: standards and procedures
Level 4 - Security management: monitoring procedures, including privacy protection
Level 5 - User management: developing aware users and a security culture
Level 6 - Information asset security: meta security, protection of the network and hosts
Level 7 - Technology protection and continuity: protection of the physical environment, including continuity planning

Principles of ISG
The need for ISG arose to ensure that there is confidentiality, integrity and availability. It is critical to ensure that the information security program fits the company's vision and mission.
Confidentiality - the concealment of information or resources. This is a requirement whose purpose is to keep sensitive information from being disclosed to unauthorised recipients (White, 2011). It is a characteristic of information whereby only those with sufficient privileges and a demonstrated need may access it. It is violated when unauthorised individuals or systems can view the information.
Integrity - deals with the accuracy and validity of data. This is the state of being whole, complete and uncorrupted. The principle states that only authorised users can change information. Data that lacks integrity is neither valid nor accurate; therefore it is of no use to the intended party. It deals with two major aspects: data in motion and data at rest (Kim & Michael, 2002). Tertiary education deals with student statistics and transactions, therefore it needs data that is valid and accurate at all times.
Availability - the ability to use information and resources as desired. The E-Government Act of 2002 defines availability as 'ensuring timely and reliable access to and use of information'. This is the ability of legitimate users to access data or information as they need it. When availability is deliberately disrupted by outsiders, this is referred to as a denial of service (DoS) attack.

Information security governance framework as tool to minimise risk
The widespread use of the internet, handheld devices, computers, and mobile and wireless technologies has made access to data and information easy and affordable. This easy access has been accompanied by an increase in security incidents that continue to cause financial and reputational damage to enterprises (Whitman & Mattord, 2007). Nowadays organisations are taking a closer look at their IT and at the frameworks available for IT governance in order to minimise risk. An organisation of any size needs to take action to deal with information security threats. The action should be appropriate and proportionate to the risk and the risk appetite. Therefore, the chosen framework should provide guidelines for defining risk, assessing risk and coming up with appropriate matching control measures to manage or mitigate the risk caused by information security incidents.
In dealing with ISG, organisations may choose to adopt existing frameworks and make improvements based on the experience of other organisations, or they may develop their own frameworks that are specifically enforceable in their individual organisations, all with the aim of achieving good ISG. According to Pathak (2005), 'IT should be governed by the practices that help to ensure that the enterprise's IT resources are used responsibly, its risks are managed appropriately, and its information and related technology support business objectives'. Information security, as a method of preserving information confidentiality, integrity and availability, should be aimed at providing business continuity, legal compliance and competitive advantage.
In order to maintain IT-related risk at an acceptable level and optimise the cost of IT services and technology, any framework needs to be comprehensive enough to deal with different stages of development and to facilitate movement upwards to better levels of security (Olson & Desheng, 2010). Models of an ISG framework should take a view of people, process and technology factors to achieve the proposed oversight and management function hierarchy; establish IT security governance as a core function alongside other key corporate governance functions, such as financial and operational risk management; and provide a reference guide for those implementing IT security governance within a corporate governance environment.

Inculcating an acceptable level of information security culture through ISG
According to Wilson (2009), internal security threats from employees are one area of risk that management fears most. Lacey (2009) posited that insiders represent such a risk to information security because the human factor is the one element in the enterprise which cannot be totally controlled by management, governance or technology, but changes in behaviour through the adoption of a certain culture can minimise the occurrence of risk.
Every organisation has a unique culture, which is a product created by top management through a set of rules. Organisational culture affects the entire enterprise system and is a key factor in the governance of information. According to ISACA (2010), cultivating a culture that is truly intentional in its approach to information security governance requires that management examines and understands the culture that exists within the corporation.
Information security culture is the set of shared values related to information security (Corriss, 2010). These values govern information security behaviour in the workplace; employees then internalise them so that they become habitual. Information security culture portrays the security-oriented employee behaviour accepted and encouraged by the organisation, where employees understand their share of responsibility for information security, support the security technologies already implemented and are conscious of the security consequences their actions might have (Martins & Eloff, 2002).
Cultural values have great influence on security compliance, security behaviour, security awareness and security effectiveness. Therefore it is important for the leadership to create a culture that embeds information security into day-to-day operations. The information security culture should be aimed at supporting all security activities, such that they become a natural aspect of the employee's daily conduct.
Information security culture develops in an organisation as a result of certain actions taken by the organisation. Management implements information security components, such as policies and technical security measures, with which employees interact and which they include in their working procedures. Through an ISG framework, employees develop certain perceptions and exhibit behaviour, such as reporting security incidents or sharing passwords, which could either contribute to or threaten the securing of information assets. To inculcate an acceptable level of information security culture, the organisation must govern information security effectively by implementing all the required information security components.

People are viewed as a consistently important element of information protection. ISACA (2010) further states that all the people that make up the enterprise, ranging from the board of directors, executive management and staff at all levels to the organisations with which the enterprise has third-party business relationships, have the ability to improve or weaken information security within the organisation. People should always behave with security in mind and incorporate information security practices into their daily activities.

An applied research design method, which covers both qualitative and quantitative methods, was used in this study because of the nature of the research and its purpose. The researcher was expected to understand a phenomenon by reviewing the ISG frameworks used in different institutions, engage participants in a case study and come up with solutions to the current problems. This method also helped to triangulate the study by backing up the other methods. Also, because of the sensitivity of the subject matter (information security governance), many participants were not willing to divulge much information about the security incidents happening in their organisation; hence they preferred the anonymity that questionnaires provide.

A survey was carried out at the University of Zimbabwe (UZ), Midlands State University (MSU), National University of Science and Technology (NUST), Great Zimbabwe University (GZU), Chinhoyi University of Technology (CUT) and Bindura University to determine the use of the respective ISG frameworks available in these institutions in minimising risk and cultivating an information security culture. The target population comprised board members, directors of IT, security guards, university administrators, HR managers, IT staff and students. Participants were selected by stratified random sampling in order to obtain a representative sample.

The participants were selected based on their significance and relevance to the study. The people chosen to participate were those who had served in the organisation for 3 years or more, because they have better experience of the information technologies available in the organisation and a sense of the organisational culture; hence they could understand the problems being experienced in implementing information security governance.

The board members were chosen because they are the people responsible for planning and setting the direction of all governance within the organisation and are the custodians of enterprise governance, under which IT and information security governance fall. They also provide visible support and commitment for the implementation of governance within the corporation, approve all the outcomes of the IT governance programmes and are responsible for the management of risk within the corporation. The directors of IT were involved because they are the ones who provide expertise and leadership on the implementation of IT-related policies and procedures.

The study also involved the security guards because they have a better experiential understanding of the application of physical security, since most of them served until retirement in the uniformed forces, which include the Army, Police, Prison Services and Air Force of Zimbabwe. The IT staff were chosen because they are the ones who execute the end-to-end IT governance programme, from the identification of objectives and requirements to the evaluation of the programme against business case objectives and the identification of new triggers and objectives for further implementation or improvement, as feedback to the board. The HR managers were also part of this study as they are responsible for acquiring the right skills for the organisation, conducting exit interviews in which security issues can be highlighted to an employee terminating their contract with the organisation, and cultivating the organisational culture among employees. The university administrators were included because they are the overseers of all academic affairs within the faculties.

The methods of information gathering included the review of literature from publications, books and newspapers, which were the source of secondary data and also gave birth to this study, while primary data was collected through questionnaires and face-to-face interviews.

During the study, questionnaires with both closed and open-ended questions, in order to gain more views, were sent to the participants through email addresses provided to the researcher after telephone arrangements. The questionnaire survey targeted 6 senate members from the universities under study, 6 IT directors from the selected universities, 25 security guards, 6 HRM, 12 IT staff and 6 administrators from each university respectively. After being completed by the respondents at their respective workplaces, the questionnaires were forwarded to the researcher's email for data analysis. Of the 156 targeted participants, only 140 questionnaires were successfully returned: 7 questionnaires could not be sent because the emails bounced, the addresses having been obtained over the telephone; 5 participants withdrew from the survey citing security issues; and 4 could not meet the deadline. A total of 20 interviews were successfully conducted with students from various faculties at Midlands State University on 28 April 2014 at the Hellenics library and main campus.

Descriptive statistics were used to present the data obtained from the interviews and the questionnaire survey, for the purpose of analysis, in the form of pie charts. Percentages were rounded to whole numbers; as a result, the totals are either slightly less than or slightly more than 100%.

This section presents the information gathered from the questionnaires and interviews during the study. The statistics of respondents' knowledge about the presence of an ISG framework are given in Table 1 below. Most respondents were not sure whether the framework existed or not, as indicated by the respective percentages (63%, 66%, 50%, 65%, 62% and 57%).

Table 1: Knowledge about the presence of an ISG framework in the institution (as a %, n=140)
University   Exists   Not sure   Does not exist   Total
UZ            10        63            29           102
NUST           2        66            33           101
MSU            6        50            36            92
CUT            4        65            31           100
GZU            2        62            32            96
BINDURA        3        57            40           100

Table 2 below shows the ratings of the implementation of the ISG framework in tertiary education in Zimbabwe. In most universities the level of implementation is below average (15%, 16%, 18%, 13%, 11% and 12% respectively). The low level of implementation may be a result of the board not understanding the governance of IT, much less the security of information, or of those at the lower echelons not being aware of the existence of the framework; one cannot implement what one does not know to exist. The implementation of any policies or procedures, especially security policies, will depend on the culture of the employees.

Table 2: Ratings for the level of implementation of ISG (% of respondents, n=140)

Institution   Rating (five categories, % each)   Total
UZ             8    11    15    25    40          99
NUST           4    10    16    26    45         101
MSU            7    13    18    21    33          92
CUT            5     7    13    28    47         100
GZU            6     9    11    32    38          96
BINDURA        3     7    12    35    43         100

According to the survey carried out by the researcher, many respondents were not sure whether their institutions have the framework or not, and some did not know whether the framework exists at all. The few who knew about the presence of the ISG framework were either in top management or worked in the IT department; in some instances even those who worked in the IT department were not aware of the existence of the ISG framework. This is an indication that in most tertiary education institutions the ISG is not cascaded down to the lower levels of the organisation, and that in some organisations the board is not actively involved in the governance of information systems, although this should also be treated as a governance issue. Boards view it as a technical field and hence delegate the responsibility to the IT management staff, while laws such as Sarbanes-Oxley are creating a legal obligation at CEO and board level to pay attention to information security.

The study reveals that people are not always malicious: at times they are not aware of the security policies available within the framework that applies to the organisation, they are not sure how to put these policies into practice, or they are not willing to follow the policies and procedures because they do not see any business value in their implementation. Universities should therefore ensure that everyone in the organisation is aware of the information security policies, and the consequences or business risks of any breach should be spelt out clearly.

The study also reveals that security incidents have prompted many organisations to implement controls reactively, without the benefit of a planned governance framework to guide security investment. ISG is still a 'young' subject in Zimbabwe, where boards are yet to understand its antecedents, namely corporate governance and IT governance.

ISG must be seen as an essential component of the success of the organisation. The fragile state of information security demands that immediate steps be taken to ensure that data are not compromised and that information systems remain secure, reliable and available and maintain their integrity. Its governance must be the responsibility of the board of directors and senior executives, that is, from the board of directors to the management level, or from the boardroom to the keyboard. It must be an integral and transparent part of enterprise governance and should be aligned with the IT governance framework.

In order to exercise effective enterprise and information security governance, boards and senior executives must have a clear understanding of what to expect from their enterprise's information security programme. They need to know how to direct the implementation of an information security programme, how to evaluate their own status with regard to an existing security programme, and how to decide the strategy and objectives of an effective security programme.

Although information security governance is often viewed as a technical issue, it is also a governance challenge that involves risk management, reporting and accountability. As such, it requires the active engagement of executive management. It should consist of management commitment and leadership, organisational structures, user awareness and commitment, policies, procedures, processes, technologies and compliance enforcement mechanisms, all working together to ensure that information is never compromised.

Furthermore, although information security has many technical components, it depends on human behaviour and is influenced by the presence of many players: management, staff, internal and external auditors, legal counsel, external interested parties and stakeholders. There are also those who are interested in breaking into the organisation's information systems and accessing its information and data (Gelbstein & Kamal, 2002). In some universities, students undertaking ICT programmes have been accused of tampering with other students' e-learning accounts, and some of creating viruses to attack the university information system. In universities the ISG policies should therefore also be communicated to students, so as to instil a security culture.

Changing culture requires activities that are consistent and constant towards the desired outcomes and should involve all the people in the organisation. This evokes desirable behaviour that transforms employee behaviour from unwritten to written norms. Security culture matures as patterns of behaviour adjust to the enterprise culture, so that security becomes ingrained in daily activities. As training and awareness expand, employees begin to work together to achieve the common goal of changing behaviours, beliefs and attitudes, and these are passed on to newly recruited employees as norms and values, since culture is something that develops over a long period. When enforcing security policies, too many organisations focus on punishing those who break the rules, but behaviour can be modified by reward rather than punishment (McIlwraith, 2012).

Finally, the ISG framework should ensure that leadership and employees are aware of, and act in conformity with, the ISG policy. Effective information security governance cannot be established overnight and requires continuous improvement. Information security has become an integral part of daily life, and organisations need to ensure that their information is adequately secured (Saint-Germain, 2005). It is argued that the assurance of protecting information as a valuable asset should not be left to the chief information officer of an organisation, but should be treated as a governance issue.

This paper recommends that all universities adopt an ISG framework like the one proposed by Eloff, as it provides a road map for dealing with the risks associated with information and for cultivating a security culture, and modify it by including the following recommendations:

Password creation and change procedure- although many universities seem to have a policy to create and change passwords on a regular basis, the information system in use must enforce the creation of strong passwords, for example passwords that contain special characters and that are not linked to any name. The information system must also support a password recovery procedure, so that a user who forgets a password has a way to recover it; this discourages staff from the habit of choosing weak passwords and recycling them, for example an employee alternating between two passwords for the whole of his or her service (Maxwell or mawxell2).
Risk awareness and security programmes- conduct annual security awareness training for employees to remind them how to handle security issues within the institution. The training must be conducted during the university vacation so that all members can attend, and an attendance register must be kept as a checklist so that those who did not attend can be scheduled for another time, because people, especially academic staff, have a tendency not to attend programmes that do not bear any academic award. An education programme to raise competence and awareness should also be implemented across all levels of management to ensure that the requirements for effective security governance are well understood. The implementation programme should be reviewed and monitored using the available feedback loops.
Database manipulation- the database administrator should have limited privileges over the activities that may be performed on the database. One of the IT steering committee members should co-authorise and log major changes to the database, and any major change should require two passwords; this improves the involvement of the board members in ISG.
Security policy- put an IT security framework policy in place to act as an instruction manual for security controls. The document must be available to all administrative faculties and departments, for academic and non-academic staff. It should also be read to newly recruited employees, who should sign it as acknowledgement.
Physical security- in most universities the security of physical assets is concentrated at the entrance and exit points. The study recommends that IT infrastructure such as server rooms and computer labs be made part of the physical security plan and be guarded.
Information audit trails- the systems should keep an information audit trail so that it can be tracked who accessed what and what he or she did. The information system must also have SMS functionality that notifies the board member on the IT steering committee of any unauthorised transaction about to take place.
Outsourcing- the study also recommends that universities outsource their information systems: since most information systems in universities are developed in-house, they leave the IT experts with extensive rights and privileges to manipulate the system for personal interest, whereas an outsourced information system is likely to come with limited privileges.
Activities- conduct a yearly information systems audit with a reputable audit company; conduct an annual security evaluation, review the evaluation results with staff and report on performance to the board of directors; conduct periodic risk assessments of information and IT assets as part of a risk management programme; and conduct threat and risk assessments (TRAs) for any new IT systems or major changes to existing systems.
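As an added example, not taken from the paper or from any of the universities studied, the following Python code implements the password rules described in the password recommendation above: a minimum length and character-class requirement, rejection of passwords that contain the user's name, and rejection of near-repeats of a previous password such as the 'Maxwell'/'mawxell2' pair. The thresholds (12 characters, five remembered passwords, 0.8 similarity) are assumptions. The similarity test normalises both passwords to lower-case letters and uses an edit distance that counts a swap of two adjacent letters as a single change, which is what catches the transposition in the paper's example.

```python
"""Password-policy checks of the kind recommended above.

Added example: the thresholds and rules are illustrative assumptions,
not the policy of any university in the study.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12          # assumed minimum length
    history_size: int = 5         # how many previous passwords are compared against
    max_similarity: float = 0.8   # candidates at least this similar to history are rejected


def _core(text: str) -> str:
    """Lower-case and keep letters only, so 'Maxwell' and 'mawxell2' compare alike."""
    return re.sub(r"[^a-z]", "", text.lower())


def _osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours cost 1
    return d[len(a)][len(b)]


def similarity(a: str, b: str) -> float:
    """1.0 for identical cores, 0.0 for completely different ones."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - _osa_distance(a, b) / longest


def check_password(candidate, user_names, history, policy=PasswordPolicy()):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too short")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(not c.isalnum() for c in candidate):
        problems.append("no special character")
    core = _core(candidate)
    # Reject passwords built around the user's own names (constructed name list).
    for name in user_names:
        name_core = _core(name)
        if len(name_core) >= 3 and name_core in core:
            problems.append(f"contains name '{name}'")
    # Reject recycled passwords: compare the letter core against recent history.
    for old in history[-policy.history_size:]:
        if similarity(core, _core(old)) >= policy.max_similarity:
            problems.append("too similar to a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample: the paper's own "Maxwell" / "mawxell2" recycling pattern.
    print(check_password("mawxell2", ["Maxwell"], ["Maxwell"]))
    print(check_password("Correct-Horse-7-Battery", ["Maxwell"], ["mawxell2"]))
```

Because the comparison is made on the letter core, appending a digit or changing case does not let a recycled password through, which is the behaviour the recommendation asks the information system to enforce.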
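As an added example of the database dual-control and audit-trail recommendations above (it is not code from the paper or from any university system), the following Python code keeps an append-only audit table in SQLite whose rows are hash-chained, so that a later edit to any row is detected, and refuses 'major' changes unless a steering committee member distinct from the database administrator approves them. An unapproved attempt is logged and reported through a notification callback, the analogue of the SMS alert the paper asks for. The set of major actions, the committee membership and the notifier are constructed for the example.

```python
"""Dual control plus a tamper-evident audit trail for major database changes.

Added example; the action list, committee members and notifier are constructed
for illustration and are not taken from any university's system.
"""
import hashlib
import json
import sqlite3
from datetime import datetime, timezone

GENESIS = "0" * 64
# Assumed: the operations that count as "major" and so need a second approver.
MAJOR_ACTIONS = {"DROP_TABLE", "BULK_UPDATE", "GRANT_PRIVILEGE"}
# Assumed: user ids of the IT steering committee members who may co-authorise.
STEERING_COMMITTEE = {"committee.chair", "board.rep"}


def open_audit_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding only the audit table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE audit (seq INTEGER PRIMARY KEY, ts TEXT, actor TEXT, "
        "action TEXT, detail TEXT, prev_hash TEXT, hash TEXT)"
    )
    return conn


def _entry_hash(ts, actor, action, detail, prev_hash) -> str:
    """Hash of one audit row, including the previous row's hash (the chain link)."""
    payload = json.dumps([ts, actor, action, detail, prev_hash])
    return hashlib.sha256(payload.encode()).hexdigest()


def record(conn, actor, action, detail) -> str:
    """Append one audit row and return its hash."""
    row = conn.execute("SELECT hash FROM audit ORDER BY seq DESC LIMIT 1").fetchone()
    prev_hash = row[0] if row else GENESIS
    ts = datetime.now(timezone.utc).isoformat()
    h = _entry_hash(ts, actor, action, detail, prev_hash)
    conn.execute(
        "INSERT INTO audit (ts, actor, action, detail, prev_hash, hash) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (ts, actor, action, detail, prev_hash, h),
    )
    conn.commit()
    return h


def verify_chain(conn) -> bool:
    """Recompute every hash; False if any row was altered, removed or reordered."""
    prev_hash = GENESIS
    rows = conn.execute(
        "SELECT ts, actor, action, detail, prev_hash, hash FROM audit ORDER BY seq"
    )
    for ts, actor, action, detail, stored_prev, stored_hash in rows:
        if stored_prev != prev_hash:
            return False
        if stored_hash != _entry_hash(ts, actor, action, detail, prev_hash):
            return False
        prev_hash = stored_hash
    return True


def request_change(conn, requester, approver, action, detail, notify) -> bool:
    """Apply a change under dual control.

    Major actions need an approver who sits on the steering committee and is
    not the requester. Denied attempts are logged and reported via notify().
    """
    if action in MAJOR_ACTIONS:
        independent = (
            approver is not None
            and approver != requester
            and approver in STEERING_COMMITTEE
        )
        if not independent:
            record(conn, requester, "DENIED", f"{action} {detail}: no independent approval")
            notify(f"Unauthorised {action} on {detail} attempted by {requester}")
            return False
        record(conn, approver, "APPROVED", f"{action} {detail} requested by {requester}")
    record(conn, requester, action, detail)  # the real change would be executed here
    return True


def count_entries(conn) -> int:
    """Number of audit rows written so far."""
    return conn.execute("SELECT COUNT(*) FROM audit").fetchone()[0]


if __name__ == "__main__":
    db = open_audit_db()
    alerts = []  # stands in for the SMS channel
    request_change(db, "dba", None, "DROP_TABLE", "students_2013", alerts.append)
    request_change(db, "dba", "committee.chair", "DROP_TABLE", "students_2013", alerts.append)
    print(alerts, count_entries(db), verify_chain(db))
```

The hash chain does not stop a privileged administrator from editing the audit table, but it makes any such edit visible to whoever runs verify_chain(), which is the check the board's auditor would run at the yearly information systems audit the paper recommends.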

An information security governance framework is important because it provides a roadmap for the implementation, evaluation and improvement of information security practices. An organization that builds such a framework can use it to articulate goals and drive ownership of them, evaluate information security over time, and determine the need for additional measures. One of the most important features of a governance framework is that it defines the roles of different members of an organization. By specifying who does what, it allows organizations to assign specific tasks and responsibilities.

Various information security governance frameworks have been developed by different bodies to deal with security issues, the risk of attacks or hijacking, and the misuse of ICT resources by employees. The road to information security governance should go through corporate governance and IT governance (Mears & Solms, 2005). Organisations cannot solve their information security challenges by delegating them to IT personnel or CIOs. The best way to strengthen an organisation's information security is to treat it as a corporate governance issue that requires the attention of boards and CEOs. To achieve effective information security governance, management must establish and maintain a framework to guide the development and maintenance of a comprehensive information security programme that will enable accountability to shareholders, compliance with legal requirements, the setting of well-planned security policies, the spearheading of security awareness and education, the definition of roles and responsibilities within the organisational structure, contingency planning, and the institution of best practice standards.

One of the challenges in implementing information security is that it is often treated solely as a technology issue, when it should also be treated as a governance issue. The CIO alone cannot remedy the problem; the board of directors and executive management must also be actively engaged. A primary and critical aspect of any governance framework is that much of the challenge lies with the management of, in this case, the general practice. It is how the structures within the practice are set up and maintained, the lines of reporting, decision-making, participation of staff and so on that will largely determine how effective a framework is in bringing about change.

Lastly, good information security governance can improve reputation, confidence, and trust from others with whom business is conducted, and can even improve efficiency by avoiding wasted time and effort recovering from a security incident. Organizations need to protect themselves against the risks inherent in the use of information systems while simultaneously recognising the benefits and the value that can accrue from having secure information systems. Thus, as dependence on information systems increases, so too does the criticality of information security, bringing with it the need for effective information security governance. The complexity and criticality of information security and its governance demand that it be elevated to the highest organizational levels. As a critical resource, information must be treated like any other asset essential to the survival and success of the organization.

1. AusCERT (2006) Computer Crime and Security Survey: IT Security and Governance for Boards of Directors and CEOs. [Online] 6 (June). [Accessed: 02 April 2014]
2. Brotby, K. (2009) Information Security Governance: A Practical Development and Implementation Approach. [Online] New Jersey: John Wiley & Sons. [Accessed: 07 March 2014]
3. Brotby, K. (2009) Information Security Management Metrics: A Definitive Guide to Effective Monitoring and Measurements. [Online] Boca Raton: Auerbach Publications. [Accessed: 14 April 2014]
4. CANADA. E-Government Act of 2002: Cyber Security. Chapter 45. (2002) [Online] New Brunswick: The Government Publications. [Accessed: 05 March 2014]
5. Castells, B. (2005) Concept of Information, Communication and Educational Technology. [Online] 6 (2005) p. 26. [Accessed: 05 March 2014]
6. Durkin, P. & Weiner, E. (eds.) (2014) The Oxford Reference Dictionary. Oxford: Oxford University Press. McGraw-Hill. [Accessed: 20 April 2014]
7. Ekpo, D. (2005) The African Symposium: An On Line Journal of the African Educational Research Network. [Online] 5 (2). [Accessed: 05 March 2014]
8. Fitzgerald, T. (2011) Information Security Governance Simplified: From the Boardroom to the Keyboard. [Online] Boca Raton: CRC Press. [Accessed: 12 March 2014]
9. Gelbstein, E. & Kamal, A. (2002) Information Insecurity: A Survival Guide to the Uncharted Territories of Cyberspace and Security. Volume 198, United Nations ICT Task Force, 2nd edition. [Online] New York: CRC Press. [Accessed: 28 April 2014]
10. ISACA (2010) The Business Model for Information Security. [Online] Meadows: ISACA. [Accessed: 10 March 2014]
11. IT Governance Institute (2006) Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd edition. [Online] Meadows: IGI. [Accessed: 17 March 2014]
12. JoGo, V.E. (2007) The Age of Turbulence: Adventures in a New World. [Online] Berlin: John Wiley & Sons. [Accessed: 03 March]
13. Khosrowpour, M. (2000) Challenges of Information Technology Management in the 21st Century. [Online] London: Idea Group Publishing. [Accessed: 23 March 2014]
14. Kim, D. & Solomon, M. (2002) Fundamentals of Information Systems Security. [Online] London: Jones & Bartlett Learning International. [Accessed: 25 March 2014]
15. Lacey, P. (2009) Handbook of Information Security, Information Warfare, Social, Legal, and International Issues; Security Foundations. [Online] New Delhi: Lancer Publishers.
16. McIlwraith, A. (2012) Information Security and Employee Behaviour: How to Reduce Risk through ISG. [Online] Burlington: Gower Publishing Co. [Accessed: 23 March 2014]
17. Olson, L. D. & Desheng, W. (2010) Enterprise Risk Management Models. [Online] Berlin: Springer. [Accessed: 27 March 2014]
18. Pathak, J. (2005) Information Technology Auditing: An Evolving Agenda. [Online] Berlin: Springer. [Accessed: 06 March 2014]
19. Streeten, P. (2004) The Alliance for Enterprise Security Risk Management: Governance Task Force Report, National Cyber Security Summit Task Force. [Online] New York: National Academy Press. [Accessed: 02 April 2014]
20. Tashi, I. & Helie, S. (2011) Information Security Evaluation: A Holistic Approach. [Online] Lausanne: EPFL Press. [Accessed: 15 March 2014]
21. Tipton, H. & Krause, M. (eds.) (2006) Information Security Management Handbook, 5th edition, Volume 3. [Online] Boca Raton: Auerbach Publications. [Accessed: 12 March 2014]
22. Vallabhaneni, R. (2008) Corporate Management, Governance, and Ethics Best Practices. [Online] New Jersey: John Wiley & Sons.
23. Whitman, P. & Mattord, F. (2007) Security and Loss Prevention: An Introduction. [Online] London Amy: Pederson. [Accessed: 15 March 2014]
24. White, R. (2011) Computers at Risk: Safe Computing in the Information Age. [Online] Washington: National Academy Press. Available from http// [Accessed: 02 April 2014]
25. Wilson, F. (2009) Security and Privacy Assurance in Advancing Technologies: New Developments. [Online]

Source: Essay UK