Free download of the English paper: A process model for implementing information systems security governance - Emerald 2017

Persian title
A process model for implementing secure governance information systems
English title
A process model for implementing information systems security governance
Pages (Persian paper)
0
Pages (English paper)
34
Year of publication
2017
Publisher
Emerald
Format of the English paper
PDF
Product code
E6854
Fields related to this paper
Computer Engineering, Information Technology
Specialisations related to this paper
Information Security, Secure Computing, Information Systems Management
Journal
Information & Computer Security
University
School of Computing - Robert Gordon University - Aberdeen - UK
Keywords
Information security, governance, Deming cycle, ISO 27001, ISO 27002, COBIT

Abstract


Purpose: The frequent and increasingly potent cyber-attacks, due to the lack of an optimal mix of technical as well as non-technical IT controls, have led to increased adoption of security governance controls by organizations. The paper thus seeks to construct and empirically validate an information security governance process model through the Plan-Do-Check-Act (PDCA) cycle model of Deming.

Design/methodology/approach: This descriptive research, using an interpretive paradigm, follows a qualitative methodology based on expert interviews of five respondents working in the information security governance (ISG) domain in the United Arab Emirates to validate the theoretical model.

Findings: Our findings suggest the primacy of the Plan-Do-Check-Act Deming cycle for initiating ISG through a risk-based approach assisted by industry-wide best practices in ISG. Regarding the selection of ISG frameworks, respondents preferred to have ISO 27K supported by NIST as the core framework, with other relevant ISG frameworks/standards forming the peripheral layer. The implementation focus of the ISG model is on mapping ISO 27K/NIST IT controls to the relevant IT controls selected from ISG frameworks from a horizontal and vertical perspective. Respondents advocated automating the measurement and control mechanism to assist the feedback loop of the PDCA cycle.

Originality/value: The validated model helps academics and practitioners gain insight into the methodology of the phased implementation of an information systems governance process through the PDCA model, as well as the positioning of ITG and ITG frameworks in ISG. Practitioners can glean valuable insights from the empirical section of the research, where experts detail the success factors, the sequential steps, and the justification of these factors in the ISG implementation process.

Conclusion

6. Conclusion and Future Research


This study, primarily conducted to empirically validate the ISG process model derived from the extant literature, confirms the relevance of integrating IT governance controls into IS security, resulting in a phased methodology to implement ISG. First, the paper confirms the role of the Plan-Do-Check-Act Deming cycle in ISG, where concepts of IS security and IT governance were conspicuous throughout the ISG process model. Second, the study provides guidelines/best practices to consider in each phase of the PDCA cycle. Third, the relevance of an automated feedback mechanism using appropriate metrics throughout the cycle was methodologically demonstrated. Fourth, the research affirms the relevance of inculcating an IT security as well as an IT governance culture in any organization prior to and during the process of ISG. Finally, the guidelines provided in the study aid in continuously updating the model to align with the highly dynamic nature of information security threats.


The validated model helps academics and practitioners gain insight into the methodology of the phased implementation of an information systems governance process through the PDCA model, as well as the positioning of ITG and ITG frameworks in ISG. Practitioners can glean valuable insights from the empirical section of the research, where experts detail the critical success factors, the subsequent steps, and the justification of each factor in the ISG implementation process. This can assist practitioners in incrementally building an ISG knowledge base to apply the steps outlined in each of the four phases of PDCA.

