INFORMATION SECURITY GOVERNANCE OBJECTIVES
According to the literature (Moreira et al., 2008; Solms and von Solms, 2009), an effective ISG program has six objectives, summarized in the following bullets:
• Strategic Alignment: Aligning security activities with business strategy to support organizational objectives.
• Risk Management: Actions to manage risks to an acceptable level.
• Business Process Assurance/Convergence: Integrating all relevant assurance processes to maximize the effectiveness and efficiency of security activities.
• Value Delivery: Optimizing investments in support of business objectives.
• Resource Management: Using organizational resources efficiently and effectively.
• Performance Measurement: Monitoring and reporting on security processes.
In this section, we consider the most reputed methods used to describe ISG objectives. In our quest for the approach that can “better” define objectives for ISG, there are a number of approaches (Table 3) available to help define a desired state of ISG. Here “better” means “in a more holistic way.” The reputed approaches to ISG objectives described in (Da Veiga and Eloff, 2007; Brotby, 2009; Koons and Minoli, 2010) are summarized below.
Table 3. Security content application protocol (SCAP) components
Figure 3. Information security governance framework
Source: Adapted from Da Veiga and Eloff, 2007
Sherwood Applied Business Security Architecture (SABSA)
Given the increasing complexity that surrounds the e-banking environment, the variety of cyber risks, the increasing regulatory pressures, and the ever more problematic security administration, one solution calls for a “security architecture” as a tool of modern business, capable of providing a framework within which complexity can be managed successfully.
In particular, it can offer simplicity and clarity through layering and modularization of business functions. It is therefore concerned with what the institution wants to achieve, along with the environmental factors that will influence those achievements. A sound example of a “security architecture” is the Sherwood Applied Business Security Architecture (SABSA), which has been developed to address issues such as the design, management, implementation, and monitoring of business activities against security incidents. The approach is a framework that is compatible with, and can utilize, other IT governance frameworks such as CobiT, ITIL and ISO/IEC 27001. The SABSA Model comprises six layers, each representing the view of a different player in the process of specifying, designing, constructing, and using business systems, such as the Contextual Security Architecture (The Business View) and the Conceptual Security Architecture (The Architect's View). The “security architecture” concept is closely related to the “enterprise architecture” concept, which typically provides a layered, organized view of the IT assets. Such models include the Zachman Framework for Enterprise Architectures, The Open Group Architecture Framework (TOGAF) and the Federal Enterprise Architecture (FEA).
CobiT
CobiT (Control Objectives for Information and Related Technology) is an IT governance framework that allows managers to bridge the gap between control requirements, technical issues, and business risks, as defined by the IT Governance Institute (ITGI, 2007). CobiT is developed by the Information Systems Audit and Control Association (ISACA) and enables policy development and good practice for IT control (Heschl, 2004). CobiT 4.0 was released in November 2005 and CobiT 4.1 in 2007; CobiT 5 is the latest strategic improvement towards enterprise governance of IT and addresses the governance and management of information and related technology to achieve the business objectives of stakeholders.
CobiT defines 34 high-level control objectives under four domains, namely:
1. Plan and organize
2. Acquire and implement
3. Deliver and support
4. Monitor and evaluate.
CobiT also aims to fulfill the COSO requirements for the IT control environment. CobiT also supports Risk Management principles from ISO 27002; specifically, in the “PO 9 Control Objective” CobiT focuses on the assessment of risks with the aim of reducing them to an acceptable level. This framework can be used to ensure proper control and governance over information and the systems that create, store, manipulate, and retrieve it. CobiT 4.1 is organized around 34 IT processes, giving a complete picture of how to control, manage, and measure each process. CobiT is, therefore, clear on the aspect of monitoring and ensuring compliance as part of ISG. CobiT appeals to different users, from executive management (to obtain value from IT investments and balance risk and control investment) to auditors (to validate their opinions and provide advice to management on internal controls). In particular, high-level processes such as ME 1, ME 4 and DS 5 refer to Monitoring, Surveillance and Evaluating respectively.
The Capability Maturity Model (CMM)
This model is used to measure two things: the maturity of processes (specific functions) that produce products (e.g., identified vulnerabilities, countermeasures, and threats), and the level of compliance of a process with respect to the IATRP (InfoSec Assurance Training and Rating Program) methodology. In other words, a CMM is a measurement of the level of assurance that an organization can perform a process consistently. In this respect, a CMM identifies nine process areas related to performing information security assurance services. For each of the nine process areas, the CMM defines six levels of process maturity, from Level 0 to Level 5. The higher the maturity level, the more likely the process will be performed consistently.
ISO/IEC 27001:2005 and ISO/IEC 27002:2005
These are ISO standards suited to developing a management approach. Using both the ISMS processes and control objectives in ISO 27001 and the code of practice and controls in ISO 27002, these standards can provide useful governance guidance and can be effectively used to establish the current state of security for an organization. Specifically, ISO 27001 was published in October 2005 and, as a standard, defines the requirements for an ISMS. An ISMS is a management system for dealing with IS risk exposures, namely a framework of policies, procedures, and physical, legal, and technical security controls forming part of the organization’s overall Risk Management processes. ISO 27001 incorporates Deming’s Plan-Do-Check-Act (PDCA) cycle: the ISMS has to be continually reviewed and adjusted to incorporate changes in the security threats, vulnerabilities and impacts of information security failures. An organization that adopts ISO 27001 can receive certification from an accredited certification body. ISO 27002 (aka ISO 17799) is used to describe two distinct documents: ISO 27002, which is a set of security controls (a code of practice), and ISO 27001 (formerly BS7799-2), which is a standard ‘‘specification’’ for an Information Security Management System (ISMS). This standard and code of practice can serve to provide an approach to ISG, although to some extent by inference. That is, ISO 27001 is a management system with a focus on control objectives, not a strategic governance approach. The linkage between control objectives and strategic business objectives is not explicitly addressed. CobiT shares similarities with ISO 27001 and ISO 27002 regarding the depth of functional territory, although it is organized differently. In this respect, CobiT covers IT governance extensively. ISO 27002 is concerned with the security of information assets as a group and, in its view, this extends well beyond just the IT systems. Therefore, the standard implicitly holds that the IT domain has the majority of the organization’s information assets and is charged with securing them.
However, there is also a vast quantity of information that resides outside IT, such as financial information. ISO 27002 identifies 133 security controls to satisfy 39 security objectives in order to address IS risk exposures in the areas of confidentiality, integrity, and availability. ISO 27002 is an advisory document, not a formal specification. In particular, Clause 15 of ISO 27002 is dedicated entirely to compliance and ISG objectives, specifying controls related to legal requirements (control 15.1), security policies (control 15.2) and information systems audit compliance (control 15.3). ISO 27002 sees Risk Management as an essential part of best practices in IT and as a process to ensure Information Security Governance (Pretorius and Solms, 2004).
The National Cyber Security Summit Task Force Corporate Governance Framework (CGTF)
This is an ISG framework, formed in 2003, to promote global, regional and local corporate governance (CG) reform initiatives, improve the institutional framework for good CG, and facilitate improved CG practices in developing countries towards organizational compliance. In particular, item 3 in the framework refers to the security responsibilities of the Board, senior management and workforce towards compliance and governance objectives. The details described in the framework can be used to identify whether the security conditions exist, to what extent, and how the organization can reach a higher level of compliance. CGTF holds that information security is not only a technical issue but also a governance challenge that involves Risk Management, reporting and accountability; as such, it requires the active engagement of executive management (CGTF, 2004). CGTF has developed CG codes of best practice as generic recommendations, aiming to improve and guide the governance practices of corporations within a country’s specific legal environment and business context.