1

Identifying Factors Contributing Towards Information Security Maturity in an Organization

Edwards, Madhuri M. 01 January 2018
Information security capability maturity (ISCM) is a journey towards accurate alignment of business and security objectives, security systems, processes, and tasks integrated with business-enabled IT systems, security enabled organizational culture and decision making, and measurements and continuous improvements of controls and governance comprising security policies, processes, operating procedures, tasks, monitoring, and reporting. Information security capability maturity may be achieved in five levels: performing but ad-hoc, managed, defined, quantitatively governed, and optimized. These five levels need to be achieved in the capability areas of information integrity, information systems assurance, business enablement, security processes, security program management, competency of security team, security consciousness in employees, and security leadership. These areas of capabilities lead to achievement of technology trustworthiness of security controls, integrated security, and security guardianship throughout the enterprise, which are primary capability domains for achieving maturity of information security capability in an organization. There are many factors influencing the areas of capabilities and the capability domains for achieving information security capability maturity. However, there is little existing study done on identifying the factors that contribute to achievement of the highest level of information security capability maturity (optimized) in an organization. This research was designed to contribute to this area of research gap by identifying the factors contributing to the areas of capabilities for achieving the highest level of information security capability maturity. The factors were grouped under the eight capability areas and the three capability domains in the form of an initial structural construct. 
This research was designed to collect data on all the factors using an online structured questionnaire and analyzing the reliability and validity of the initial structural construct following the methods of principal components analysis (PCA), Cronbach Alpha reliability analysis, confirmatory factor analysis (CFA), and structural equation modeling. A number of multivariate statistical tests were conducted on the data collected regarding the factors to achieve an optimal model reflecting statistical significance, reliability, and validity. The research was conducted in four phases: expert panel and pilot study (first phase), principal component analysis (PCA) and reliability analysis (RA) of the factor scales (second phase), confirmatory factor analysis (CFA) using LISREL (third phase), and structural equation modeling (SEM) using LISREL (fourth phase). The final model subsequent to completing the four phases reflected acceptance or rejection of the eleven hypotheses defined in the initial structural construct of this study. The final optimized model was obtained with the most significant factors loading on the capability areas of information integrity, information security assurance, business enablement, security process maturity, security program management, competency of security team, security conscious employees, and security leadership, including the most significant factors loading the three capability domains of security technology trustworthiness, security integration, and security guardianship. All the eleven hypotheses were accepted as part of the optimal structural construct of the final model. The model provides a complex integrated framework of information security maturity requiring multi-functional advancements and maturity in processes, people, and technology, and organized security program management and communications fully integrated with the business programs and communications. 
Information security maturity is concluded as a complex function of multiple maturity programs in an organization leading to organized governance structures, multiple maturity programs, leadership, security consciousness, and risk-aware culture of employees.
2

Využití podpory auditu IS ve finančním auditu / Utilization of the support of audit IS in the financial audit

Pleskačová, Barbora January 2013
This diploma thesis aims to clarify the necessity of using IS audit in the financial audit and to identify the main areas of IS audit on which it is necessary to focus during the financial audit. IS audit is a developing area, but it is not always taken as a natural part of the financial audit. The first part summarizes the theoretical knowledge of the financial audit and the audit of information systems. The second part describes the links between these two types of audit, the reasons why it is necessary to involve the IS audit in the financial audit, and the method of its involvement. In the end, there is an output of an IS audit performed within the financial audit on the basis of the identified areas.
3

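Auditoria de tecnologia da informação na administração pública no âmbito dos Municípios do Estado do Rio de Janeiro / Information technology audit in public administration within the municipalities of the State of Rio de Janeiro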

Monteiro, Gustavo Bastos January 2008
The diffusion of results-oriented management doctrines has been leading public organizations to make important investments in information technology as a component of transparency for government actions and support for decision-making by public administrators. The intensive use of information technology in an increasingly interconnected world exposes the government to new forms of threats and vulnerabilities. In this context, the Courts of Accounts must expand the scope of their activity, performing more stringent controls through specific techniques of information technology (IT) audit to ensure the integrity and security of data that travel across networks and information systems. The purpose of this research was to identify the main improprieties associated with the use of computers in the local public administrations under the jurisdiction of TCE-RJ, by means of a case study of its experience in carrying out performance audits in information technology. The research is based on the literature and on analysis of findings from systems audits, showing that this kind of audit has contributed to making local public administration more efficient, effective and transparent.
4

Audit IS/IT v menších podnicích / Audit IS/IT in smaller enterprises

Šaroch, Miroslav January 2012
In the first section, the diploma work summarizes the common knowledge in the theory of auditing information systems and technologies, as well as the common state of knowledge in the field of marketing in small and medium-sized enterprises and in market research. In the second section, the tools summarized in the first part are used for designing a marketing research project on "The audit of information systems and technology in smaller businesses." The aim of the research was to seek the experience and customer feedback of the segment of smaller businesses regarding the audit of information systems. The research was designed as a qualitative one. A research interview with a looser structure was chosen as the research technique. The work is divided into three parts: designing the marketing research methodology, conducting this research, and its evaluation.
