479 results for security governance


Relevance:

20.00% 20.00%

Publisher:

Abstract:

Effective enterprise information security policy management requires review and assessment activities to ensure information security policies are aligned with business goals and objectives. As security policy management involves the elements of policy development process and the security policy as output, the context for security policy assessment requires goal-based metrics for these two elements. However, the current security management assessment methods only provide checklist types of assessment that are predefined by industry best practices and do not allow for developing specific goal-based metrics. Utilizing theories drawn from literature, this paper proposes the Enterprise Information Security Policy Assessment approach that expands on the Goal-Question-Metric (GQM) approach. The proposed assessment approach is then applied in a case scenario example to illustrate a practical application. It is shown that the proposed framework addresses the requirement for developing assessment metrics and allows for the concurrent undertaking of process-based and product-based assessment. Recommendations for further research activities include the conduct of empirical research to validate the propositions and the practical application of the proposed assessment approach in case studies to provide opportunities to introduce further enhancements to the approach.

Relevance:

20.00% 20.00%

Publisher:

Abstract:

Organizations today engage in various forms of alliances to manage their existing business processes or to diversify into new processes to sustain their competitive positions. Many of today’s alliances use the IT resources as their backbone. The results of these alliances are collaborative organizational structures with little or no ownership stakes between the parties. The emergence of Web 2.0 tools is having a profound effect on the nature and form of these alliance structures. These alliances heavily depend on and make radical use of the IT resources in a collaborative environment. This situation requires a deeper understanding of the governance of these IT resources to ensure the sustainability of the collaborative organizational structures. This study reports on the first stage of this initiative. It suggests the types of IT governance structures required for collaborative organizational structures. Semi-structured interviews with senior executives who operate in such alliances reveal that co-created IT governance structures are necessary. Such structures include co-created IT-steering committees, co-created operational committees, and inter-organizational performance management and communication systems. The findings pave the way for the development of a model for understanding approaches to governing IT and evaluating the effectiveness for such governance mechanisms in today’s IT-dependent alliances.

Relevance:

20.00% 20.00%

Publisher:

Abstract:

We examine the relationship between the effectiveness of IT steering committee-driven IT governance initiatives and firm’s IT management and IT infrastructure related capabilities. We test these relationships empirically by a field survey of 216 firms. Results of this study suggest that a firm’s effectiveness of IT steering committee-driven IT governance initiatives positively relates to the level of their IT-related capabilities. We also found positive relationships between IT-related capabilities and internal process-level performance, which positively relate to improvement in customer service and firm-level performance. For researchers, we demonstrate that the resource-based theory provides a more robust explanation of the determinants of firms’ IT governance initiatives. This would be ideal in evaluating other IT governance initiatives’ effectiveness in relation to how they contribute to building performance-differentiating IT-related capabilities. For decision makers, we hope our study has reiterated the notion that IT governance is truly a coordinated effort, embracing all levels of human resources.

Relevance:

20.00% 20.00%

Publisher:

Abstract:

With increasing recognition of the international market in health professionals and the impact of globalism on regulation, the governance of the health workforce is moving towards greater public engagement and increased transparency. This book discusses the challenges posed by these processes, such as improved access to health services and how structures can be reformed so that good practice is upheld and quality of service and patient safety are ensured.

Relevance:

20.00% 20.00%

Publisher:

Abstract:

The pervasive use of IT is prominent amongst organizations in developing economies. However, there is growing evidence that these economies fail to capitalize on their IT investment to transform their organizations to be competitive both locally and globally. IT-related benefits are possible with appropriate governance of the IT-related resources, and we need to broaden our understanding on the IT governance mechanics suitable for organizations in the developing economies. In this study, we adopted an initial interpretive design to obtain a deeper understanding of the IT governance (ITG) environment and conceptions of the stakeholders on effective IT governance structures for the developing economies. We found the presence of an IT Strategic Planning Committee, Multiple levels of authority, and a Forum for informal discussions to be the crucial components of an ITG structure in developing economies.

Relevance:

20.00% 20.00%

Publisher:

Abstract:

This study examines the occurrence of misappropriation-type fraud within Australian listed firms and the relation between the incidence of this type of fraud and a firm's governance strength. We measure governance strength using factors relating to traditional corporate governance, such as board composition, CEO duality, and audit committee composition, as well as factors relating to information technology governance. In our study, we use actual dollar amount of fraud reported by listed companies responding to the 2004 KPMG Fraud Survey as one of three different misappropriation measures and publicly available firm-specific data to measure the other variables in the model. Our study found that where the chief executive officer (CEO) also holds the position of chairperson of the board of directors, the likelihood of fraud increases. We also find that the greater the number of independent directors on the audit committee, the lower the level of fraud. Taken together, these results are particularly encouraging as they provide support for regulatory bodies such as the Australian Stock Exchange (ASX) and the Australian Securities and Investment Commission (ASIC), which place considerable emphasis on the importance of establishing good corporate governance practices. The study provides empirical evidence that employing good corporate governance reduces the risk of the misappropriation of assets.

Relevance:

20.00% 20.00%

Publisher:

Abstract:

Information communication and technology (ICT) systems are almost ubiquitous in the modern world. It is hard to identify any industry, or for that matter any part of society, that is not in some way dependent on these systems and their continued secure operation. Therefore the security of information infrastructures, both on an organisational and societal level, is of critical importance. Information security risk assessment is an essential part of ensuring that these systems are appropriately protected and positioned to deal with a rapidly changing threat environment. The complexity of these systems and their inter-dependencies, however, introduces a similar complexity to the information security risk assessment task. This complexity suggests that information security risk assessment cannot, optimally, be undertaken manually. Information security risk assessment for individual components of the information infrastructure can be aided by the use of a software tool, a type of simulation, which concentrates on modelling failure rather than normal operational simulation. Avoiding the modelling of the operational system will once again reduce the level of complexity of the assessment task. The use of such a tool provides the opportunity to reuse information in many different ways by developing a repository of relevant information to aid in both risk assessment and management and governance and compliance activities. Widespread use of such a tool allows the opportunity for the risk models developed for individual information infrastructure components to be connected in order to develop a model of information security exposures across the entire information infrastructure. In this thesis conceptual and practical aspects of risk and its underlying epistemology are analysed to produce a model suitable for application to information security risk assessment. Based on this work, prototype software has been developed to explore these concepts for information security risk assessment. Initial work has been carried out to investigate the use of this software for information security compliance and governance activities. Finally, an initial concept for extending the use of this approach across an information infrastructure is presented.

Relevance:

20.00% 20.00%

Publisher: