A process framework for information security management

Haufe, Knut; Colomo‐Palacios, Ricardo; Dzombeta, Srdan; Brandis, Knud; Stantchev, Vladimir

doi:10.12821/ijispm040402

Cited by 15 publications

(5 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, there is no common and general view on what and how it should be done to ensure unimpeded and resilient processes of security (Kauspadiene et al , 2017). Although researchers have answered the long-heard call for more empirical and validated models (Knapp et al , 2009; Maleh et al , 2017; Haufe et al , 2016; Nicho, 2018), most of the ISG models created up until now still lack theory and empirical validation, are generic or universal in scope, are static and do not acknowledge the importance of social and behavioural factors (McFadzean et al , 2007; Siponen and Willison, 2009; Williams et al , 2013; Flores et al , 2014; Mishra, 2015). This leads to two main general issues that hinder ISG in the digital business context.…”

Section: Definitions Perspectives and Modelsmentioning

confidence: 99%

“…3.3.1 Information security governance models in practice. Well-known ISG practical frameworks include ISO standards such as the 27001 and 38500 series, multiple standards from the National Institute of Standards and Technology (NIST), the Control Objectives for Information and related Technology methodology for IT controls and Information Technology Infrastructure Library practices for managing IT operations (Haufe et al, 2016;Bobbert, 2018). Many of these good practices are well established and are supported by a wide range of industry solutions.…”

Section: Information Security Governance Modelsmentioning

confidence: 99%

“…Knapp et al (2009) focus on the IS policy process by showing a larger organisational context that includes key external and internal influences that can materially impact organisational processes. Haufe et al (2016) suggest a process framework to help focus on the operation of an Information Security Management System instead of focusing only on measures and controls. Carcary et al (2016) explain that approaches to ISG must be fluid and responsive to the changing IS landscape.…”

Section: Information Security Governance Modelsmentioning

confidence: 99%

See 2 more Smart Citations

What do we know about information security governance?

Schinagl

Shahim

2020

ICS

View full text Add to dashboard Cite

Purpose This paper aims to review the information security governance (ISG) literature and emphasises the tensions that exist at the intersection of the rapidly changing business climate and the current body of knowledge on ISG. Design/methodology/approach The intention of the authors was to conduct a systematic literature review. However, owing to limited empirical papers in ISG research, this paper is more conceptually organised. Findings This paper shows that security has shifted from a narrow-focused isolated issue towards a strategic business issue with “from the basement to the boardroom” implications. The key takeaway is that protecting the organisation is important, but organizations must also develop strategies to ensure resilient businesses to take advantage of the opportunities that digitalization can bring. Research limitations/implications The concept of DSG is a new research territory that addresses the limitations and gaps of traditional ISG approaches in a digital context. To this extent, organisational theories are suggested to help build knowledge that offers a deeper understanding than that provided by the too often used practical approaches in ISG research. Practical implications This paper supports practitioners and decision makers by providing a deeper understanding of how organisations and their security approaches are actually affected by digitalisation. Social implications This paper helps individuals to understand that they have increasing rights with regard to privacy and security and a say in what parties they assign business to. Originality/value This paper makes a novel contribution to ISG research. To the authors’ knowledge, this is the first attempt to review and structure the ISG literature.

show abstract

Section: Definitions Perspectives and Modelsmentioning

confidence: 99%

Section: Information Security Governance Modelsmentioning

confidence: 99%

Section: Information Security Governance Modelsmentioning

confidence: 99%

See 1 more Smart Citation

What do we know about information security governance?

Schinagl

Shahim

2020

ICS

View full text Add to dashboard Cite

show abstract

“…Knapp et al (2009) focus on the IS policy process by showing a larger organisational context that includes key external and internal influences that can materially impact organisational processes. Haufe et al (2016) suggest a process framework to help focus on the operation of an Information Security Management System (ISMS) instead of focusing only on measures and controls. Carcary et al (2016) explain that approaches to ISG must be fluid and responsive to the changing IS landscape.…”

Section: Process-orientedmentioning

confidence: 99%

“…However, there is no common and general view on what and how should be done to ensure unimpeded and resilient processes of security (Kauspadiene, 2017). Although researchers have answered the long-heard call for more empirical and validated models (Knapp et al, 2009;Maleh et al, 2017;Haufe et al, 2016;Nicho et al 2018), most of the ISG models created up until now still lack theory and empirical validation, are generic or universal in scope, are static and do not acknowledge the importance of social and behavioural factors Siponen & Willison 2009;Williams et al, 2013;Mishra, 2015). This leads to two main general issues that hinder ISG in the digital business context.…”

Section: Isg Model Flawsmentioning

confidence: 99%

Digital Security Governance

Schinagl

View full text Add to dashboard Cite

This dissertation focuses on the phenomenon of Digital Security Governance (DSG), highlighting how “digital security” has emerged as an ongoing strategic concern for contemporary organizations. The objective of this dissertation is to provide theoretical and empirical understanding of the currently under-researched aspects of the DSG phenomenon, i.e., what goes on in the implementation of DSG, how DSG can learn from related fields, and how DSG can be governed to become effective in countering the increasing occurrence of cyber failures. The research aggregated in this dissertation advances knowledge and understanding regarding DSG in multiple ways. The literature review in Chapter 2 reveals a fundamental call for a need for change "from the basement to the boardroom." In an ever-increasing digital and technology-driven world, DSG is a strategic concern that affects the long-term success of organizations at the organizational-wide level. Chapters 3 and 4 provide a thorough understanding of "why" organizations fail to establish successful security governance. Chapters 3-5 together provide direction for answering the research question on "how" organizations can effectively implement and govern security governance approaches in today's ever-changing digital landscapes.

show abstract

ISO 31000‐based integrated risk management process assessment model for IT organizations

Barafort

Mesquida

Mas

2018

J Software Evolu Process

View full text Add to dashboard Cite

Governance, Risk management, and Compliance activities are key challenges faced by organizations. Process Models and Capability Process Assessments are governance instruments that can help organization in assessing and improving their processes. Several ISO standards propose process models for Management System Standards based on ISO 9001, ISO/IEC 20000‐1, and ISO/IEC 27001, and for project management with ISO 21500. The ISO 31000 standard provides guidance for Risk management with a process approach and systemic perspective. This paper presents an ISO 31000‐based Integrated Risk Management Process Assessment Model (PAM) for IT organizations enabling to integrate on an easy way several ISO process‐oriented standards which are often targeted by IT organizations. This PAM integrates risk management dimensions with ISO 9001, ISO 21500, ISO/IEC 20000‐1, and ISO/IEC 27001. It offers a centralized and integrated risk management approach which provides the basis to improve, coordinate, and interoperate risk management activities.

show abstract

A process framework for information security management

Cited by 15 publications

References 26 publications

What do we know about information security governance?

What do we know about information security governance?

Digital Security Governance

ISO 31000‐based integrated risk management process assessment model for IT organizations

Contact Info

Product

Resources

About