EXPLORING GOVERNANCE
Approximately 50 best practices from the Corporate Governance discipline were examined. The major sources of origin of these practices are: The OECD Principles of Corporate
4. INFORMATION SECURITY GOVERNANCE PRACTICES
5.3.5 FRAMEWORK FOR BISG PRACTICES
The research question formulated at the beginning of this project - “What is a framework for Business Information Security Governance practices, according to the academic literature on the subject and the views of experts?” - can now be answered in a dual way. Firstly, the framework for Business Information Security Governance consists of all the relevant literature on the topic, which has been examined and elaborated on throughout this section of the thesis. Secondly, this framework consists of three components: structures, processes and relational mechanisms. With the help of the expert panel research, through GSS team collaboration, the researchers organised, ranked and captured the most relevant and effective practices per component in the theoretical framework visualised in Figure 33. This framework can serve as a theoretical point of departure for further research on the basis of the following important questions:
Which factors influence the acceptance of Governance practices in an organisation? These factors include budgets, knowledge, innovation, culture, demographics and so on.
Do these practices address the major business risks inherent to the current security problems?
Figure 32: Top 20 Practices for BISG according to the Literature and Experts Validation (bar chart; scores on a 0-12 scale).
5.4 CONCLUSIONS
This research contributed to the delivery of a set of practices that make up the conceptual framework for BIS. The final result of this research part is reflected in a top 20 of Business Information Security Governance (BISG) practices. The top 10 is listed in Table 9, and the entire data set can be accessed via https://easy.dans.knaw.nl/ui/datasets/id/easy-dataset:77502
The use of GSS enables the researcher to examine practices objectively by making use of an independent facilitator. This objectivism is a safeguard against the personal bias of the researcher, as referred to in Chapter 2. The hypothesis that Governance practices from disciplines other than IT and Security would deliver relevant practices for BISG has been confirmed: half (50%) of the top twenty Governance practices for Business Information Security come from either Corporate Governance or Risk Governance. As a result of our findings, a highly significant core set of Business Information Security Governance and Executive Management practices could be established. In the next phase of this research project, this core set must be tailor-made for specific (organisational) environments by:
1. Analysing the influencing factors mentioned in the framework section;
2. Testing the acceptance on the part of the executive management of organisations;
3. Investigating whether these practices can be evaluated, directed and monitored, according to ISO38500 Governance within the organisation.
Figure 33: Framework for BISG research (Literature Research and GSS research feeding the Business Information Security Governance Framework, with its components Structures, Processes and Relational Mechanisms).
In this further research, the researchers present the core set and the influencing factors (i.e. large data sets) to an organisation, to small groups of BoDs and MTs within this organisation, and ask them to participate in the collaboration process as to what works for them, how organisations organise and measure their state per top practice (e.g. roles, risk appetite, incident response) and how they formulate follow-up actions (monitor, evaluate, direct) in order to maintain a certain level of Business Information Security maturity. This practice-oriented research will contribute to organisations, since they can adopt the core set of governance practices. In this way a socially justified method (due to team collaboration on a large set of predefined data, i.e. the top 20) of practical Business Information Security consultancy will “encompass social and adaptable security methods that are rigorously developed along with practice” [151]. The result of this research is the design of a conceptual framework to monitor, evaluate and direct business information security governance. According to Hevner’s design science research method [138], the next phase will consist of the implementation of the framework in the design artefact.
Table 9: Top 10 BISG practices (score, level and SPRM component: Structures, Processes or Relational Mechanisms)

| # | Top 10 BISG practices | Score | Level | SPRM |
|---|---|---|---|---|
| 1 | Determine roles. Accountability and responsibility for Business Information Security at Board and Executive management level, including the role of the stakeholders. | 11.25 | Governance | Structure |
| 2 | Corporate internal communication on cyber downside, e.g. cybercrime, fraud, theft, forgery, piracy, bullying. Internal communication channels such as the intranet, HRM letters and workshops can be used to educate employees. | 11.25 | Management | Relational Mechanism |
| 3 | Awareness at the level of Boards of Directors. A certain level of awareness about business risks, business-critical information, the level of information (IT) dependency and the kinds of threats from outside and inside. | 11.00 | Management | Relational Mechanism |
| 4 | Board and Senior Management leadership. Lead by good example: clean desk policy, limited personal web exposure (personal blogging, video), software piracy, shredding of confidential papers, etc. | 11.00 | Governance | Relational Mechanism |
| 5 | Lessons learned. Sessions after security incidents. Document and report incidents that occur, what response was made to the stakeholders and how such an event can be prevented; take these into consideration when formulating strategy. | 11.00 | Governance | Process |
| 6 | Transparency. The company should also consider the need for a confidential reporting process (whistle-blowing) covering fraud and other risks. | 10.75 | Governance | Process |
| 7 | Determine risk appetite. The level of risk and exposure a company is willing to take when it comes to Information Security risks, to justify decision-making on investments/insurance. | 10.25 | Governance | Process |
| 8 | Internal control. Regularly review processes and procedures to ensure the effectiveness of the company's internal systems of control, so that its decision-making capability and the accuracy of its reporting and financial results are maintained at a high level at all times. | 10.00 | Management | Process |
| 9 | Regular reporting on security adequacy and effectiveness. Requiring regular reports from management on the programme's adequacy and effectiveness. | 10.00 | Management | Process |
| 10 | Ensuring the integrity of the corporation. Accounting and financial reporting systems, including independent audits. Ensure that appropriate systems of control are in place, in particular systems for risk management, financial and operational control and compliance with the law and relevant standards. | | | |