Governing Information System Security: Review of Approaches to Information System Security Assurance and Auditing

摘要

Over the past decade information system security issues has been treated mainly from technology perspective. That model of information security management was reactive, mainly technologically driven and rarely aligned to business needs. This paper goes a step further and considers it from the governance view, mainly aligning it with the risk management activities and stressing the necessity for a holistic approach in which the executive management should be involved. The main objective of the paper is to stress the importance of implementing information system security governance model as a proactive and holistic approach which aligns security mechanisms, procedures and metrics with governance principles, business drivers and enterprise strategic objectives. Information system security governance model is constructed, explained and discussed. Approaches to for information system security assurance are analysed and the phases and processes of its regular reviews (audits) explained in further details. The standards and legislation activities that help in that sense are evaluated. The holistic model of governing information system security risks as business risks is explained and discussed.