Information security in the form of IT governance is part of corporate governance. Corporate
governance requires that structures and processes are in place with appropriate checks and
balances to enable directors to discharge their responsibilities. Accordingly, information
security must be treated in the same way as all the other components of corporate
governance. This includes making information security a core part of executive and board
responsibilities.
Critically, corporate governance requires proper checks and balances to be established in an
organisation; consequently, these must be in place for all information security
implementations. In order to achieve this, it is important to have the involvement of three
key role players, namely information security professionals, ICT security auditors and
regulatory officials (from now on these will be referred to collectively as the ‘role players’).
These three role players must ensure that any information security controls implemented
are properly checked and evaluated against the organisation’s strategic objectives and
regulatory requirements.
While maintaining their individual independence, the three role players must work together
to achieve their individual goals with a view to, as a collective, contributing positively to the
overall information security of an organisation. Working together requires that each role
player must clearly understand its individual role, as well the role of the other players at
different points in an information security programme. In a nutshell, the role players must
be aligned such that their involvement will deliver maximum value to the organisation. This
alignment must be based on a common framework which is understood and accepted by all
three role players.
This study proposes a South African Information Security Alignment (SAISA) framework to
ensure the alignment of the role players in the implementation and evaluation of
information security controls. The structure of the SAISA framework is based on that of the
COBIT 4.1 (Control Objectives for Information and Related Technology). Hence, the SAISA framework comprises four domains, namely, Plan and Organise Information Security (PO-IS),
Acquire and Implement Information Security (AI-IS), Deliver and Support Information
Security (DS-IS) and Monitor and Evaluate Information Security (ME-IS).
The SAISA framework brings together the three role players with a view to assisting them to
understand their respective roles, as well as those of the other role players, as they
implement and evaluate information security controls. The framework is intended to
improve cooperation among the role players by ensuring that they view each other as
partners in this process. Through the life cycle structure it adopts, the SAISA framework
provides an effective and efficient tool for rolling out an information security programme in
an organisation / Computer Science / M. Sc. (Computer Science)
Identifer | oai:union.ndltd.org:netd.ac.za/oai:union.ndltd.org:unisa/oai:umkn-dsp01.int.unisa.ac.za:10500/9300 |
Date | 02 1900 |
Creators | Basani, Mandla |
Contributors | Loock, Marianne |
Source Sets | South African National ETD Portal |
Language | English |
Detected Language | English |
Type | Dissertation |
Format | 1 online resource (157 p. :|bill.) |
Rights | University of South Africa |
Page generated in 0.0021 seconds