
Governance Of Information Security: New Paradigm Of Security Management

COMPUTATIONAL INTELLIGENCE IN INFORMATION ASSURANCE AND SECURITY(2007)

Cited by 4
Abstract
Governance refers to the process whereby elements in society wield power and authority, and influence and enact policies and decisions concerning public life and economic and social development [13]. Three governance concepts should be considered in corporate environments: enterprise governance, IT governance, and security governance. The success factors of governance can be summarized as: adequate participation by business management; clearly defined governance processes; clearly defined stakeholder roles; measurement of the effectiveness of governance; facilitation of the evolution of governance; clearly articulated goals; and resolution of cultural issues.

Security management approaches, which manage an organization's security policy by monitoring and controlling security services and mechanisms, distributing security information, and reporting security events, are related to the purpose of security governance. However, existing studies on enterprise governance, IT governance, and security management do not provide a detailed framework and set of functionalities that address the success factors listed above. For example, BS7799, one of the best-known security management standards, provides general guidance across a wide variety of information security topics, but it takes a broad-brush approach. It therefore does not provide definitive or specific material on any single topic of security management; it is useful chiefly as a high-level overview that can help senior management understand the basic issues involved in each topic area.

This chapter provides corporate executives with a structured approach to security governance. Previous studies on governance and security management are summarized to explain the components and requirements of a governance framework for corporate security.

Finally, a governance framework for corporate security is provided, consisting of four domains and two relationship categories. Each domain contains several objects, and each object consists of components that must be resolved or provided in order to govern the issues of corporate security. The domains are community (shareholders and management; media and customers; employees and suppliers; government), security (control; enterprise strategy), performance (resources; competitive value), and information (owner; value; risk). The relationships among the objects of the framework fall into two categories: harmonization and flywheel. The harmonization category governs the relationships among the community, performance, and security domains and deals with the social, organizational, and human-factor problems of corporate security. The flywheel category governs the relationship between the performance domain and the security domain and deals with the virtuous cycle of corporate security. With this framework, corporate executives can create greater productivity gains, cost efficiencies, and a safer business community internally, for their customers, and for others interconnected throughout the critical infrastructure.
Keywords
information security,security management