Search results

1 – 10 of over 88000
Article
Publication date: 1 March 1990

Marco Kapp

Abstract

As businesses continue to automate their activities and establish electronic links with trading partners the IT security problem becomes both more important to solve and more difficult to deal with. Virtually all companies have inadequacies in their present IT security arrangement, and suffer growing losses as a result. There is much that individual companies can, and should, do to eliminate these inadequacies, but some aspects of the problem are beyond the capacity of an individual company to solve. New initiatives, such as Coopers & Lybrand’s European Security Forum, have been established to address these issues.

Details

European Business Review, vol. 90 no. 3
Type: Research Article
ISSN: 0955-534X

Article
Publication date: 1 March 1999

Rossouw von Solms

Abstract

Information security is no longer a domestic issue. In this age of electronic commerce, one company’s information security certainly affects their business partners. For this reason it became imperative that business partners demand an acceptable level of information security from one another. Information security management standards should certainly play a major role in this regard. In this paper, some information security management standards and their applicability will be discussed and put into context.

Details

Information Management & Computer Security, vol. 7 no. 1
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 1 August 2005

Jagdish Pathak

Abstract

Purpose

This is a theme editorial written exclusively by the guest editor for this special issue. This opinion piece demonstrates the impact of technology convergence on the internal control mechanism of an enterprise. It is important for an auditor to be aware of the security hazards faced by financial or the entire organizational information system. The author attempts to bring security systems design and the organizational vulnerabilities in the context of the convergence of communication and networking technologies with the complex information technology in business processes.

Design/methodology/approach

This editorial is mostly conceptual analysis of the current state of affairs.

Findings

Being an editorial, there are no specific findings presented in this piece.

Research limitations/implications

Theme editorials, being conceptual expositions of a particular current issue generally lack support of data analysis. However, advantage can be obtained by the future researchers by designing a study around the theme propounded in it here.

Practical implications

Its conceptual contribution is mostly knowledge enhancement and skill building for the professional external, internal or information systems auditor and budding researchers in the field of internal controls, new technologies and security.

Originality/value

It is an original piece written with a purpose of presenting the importance of convergence of technology vis‐à‐vis its impact on the internal controls in an organization and the matters of security.

Details

Managerial Auditing Journal, vol. 20 no. 6
Type: Research Article
ISSN: 0268-6902

Article
Publication date: 12 September 2022

Janis Warner and Kamphol Wipawayangkool

Abstract

Purpose

IT security breaches plague organizations worldwide, yet there continues to be a paucity of comprehensive research models for protective technologies. This study aims to develop an IT security user behavior model focusing on the protective technology anti-spyware which includes organizational climate, a theory of planned behavior (TPB) background variable and elicited salient user beliefs.

Design/methodology/approach

A multimethod approach, including interviews and a survey, is used to elicit salient user beliefs and test hypotheses of the influences of perceived IT security climate on those user beliefs and ultimately user behavioral intentions. Primary data were collected through interviews following the prescribed TPB methodology and an offline survey method with 254 valid responses recorded. Partial least squares was used to investigate the hypotheses.

Findings

The authors found that attitudinal beliefs – protecting organizational interests for data/privacy, preventing disruptions to work and control beliefs – monetary resources and time constraints mediate significant relationships between IT security climate and attitude and perceived behavioral control, respectively. Implications are discussed.

Originality/value

This study is the first, to the best of the authors’ knowledge, that uses both interviews and a survey to examine the relationships among IT security climate, elicited user beliefs and behavioral intentions in a TPB-based model for a protective technology.

Details

Journal of Systems and Information Technology, vol. 24 no. 4
Type: Research Article
ISSN: 1328-7265

Article
Publication date: 1 April 1996

Judith Vince

Abstract

This paper will highlight the legal aspects of information security and copyright laws, as well as global networking, remote access, single sign‐on and Internet security in an international environment.

Details

Aslib Proceedings, vol. 48 no. 4
Type: Research Article
ISSN: 0001-253X

Article
Publication date: 12 March 2018

Mathew Nicho

Abstract

Purpose

The frequent and increasingly potent cyber-attacks because of lack of an optimal mix of technical as well as non-technical IT controls has led to increased adoption of security governance controls by organizations. The purpose of this paper, thus, is to construct and empirically validate an information security governance (ISG) process model through the plan–do–check–act (PDCA) cycle model of Deming.

Design/methodology/approach

This descriptive research using an interpretive paradigm follows a qualitative methodology using expert interviews of five respondents working in the ISG domain in United Arab Emirates (UAE) to validate the theoretical model.

Findings

The findings of this paper suggest the primacy of the PDCA Deming cycle for initiating ISG through a risk-based approach assisted by industry-wide best practices in ISG. Regarding selection of ISG frameworks, respondents preferred to have ISO 27K supported by NIST as the core framework with other relevant ISG frameworks/standards forming the peripheral layer. The implementation focus of the ISG model is on mapping ISO 27K/NIST IT controls relevant IT controls selected from ISG frameworks from a horizontal and vertical perspective. Respondents asserted the automation of measurement and control mechanism through automation to assist in the feedback loop of the PDCA cycle.

Originality/value

The validated model helps academics and practitioners gain insight into the methodology of the phased implementation of an information systems governance process through the PDCA model, as well as the positioning of ITG and ITG frameworks in ISG. Practitioners can glean valuable insights from the empirical section of the research where experts detail the success factors, the sequential steps and justification of these factors in the ISG implementation process.

Details

Information & Computer Security, vol. 26 no. 1
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 12 March 2018

Rashmi Anand, Sanjay Medhavi, Vivek Soni, Charru Malhotra and D.K. Banwet

Abstract

Purpose

Digital India, the flagship programme of Government of India (GoI) originated from National e-Governance Project (NeGP) in the year 2014. The programme has important aspect of information security and implementation of IT policy which supports e-Governance in a focused approach of Mission Mode. In this context, there is a need to assess situation of the programme which covers a study of initiatives and actions taken by various actors involved and processes which are responsible for overall e-Governance. Therefore, the purpose of this case study is to develop a Situation-Actor-Process (SAP), Learning-Action-Performance (LAP) based inquiry model to synthesize situation of information security governance, IT policy and overall e-Governance.

Design/methodology/approach

In this case study both systematic inquiry and matrices based SAP-LAP models are developed. Actors are classified who are found responsible and engaged in IT policy framing, infrastructure development and also in e-Governance implementation. Based on a synthesis of SAP components, various LAP elements were then synthesized, which further led to learning from the case study. Suitable actions and performance have also been highlighted, followed by a statement of the impact of the efficacy i.e. transformation of information security, policy and e-Governance on the Digital India programme.

Findings

On developing the SAP-LAP framework, it was found that actors like the Ministry of Electronics and Information Technology of the Govt. of India secures a higher rank in implementing various initiatives and central sector schemes to accelerate the agenda of e-Governance. Actions of other preferred actors include more investments in IT infrastructure, policy development and a mechanism to address cyber security threats for effective implementation of e-Governance. It was found that actors should be pro-active on enhancing technical skills, capacity building and imparting education related to ICT applications and e-Governance. Decision making should be based on the sustainable management practices of e-Governance projects implementation to manage change, policy making and the governmental process of the Indian administration and also to achieve Sustainable Development Goals by the Indian economy.

Research limitations/implications

The SAP-LAP synthesis is used to develop the case study. However, few other qualitative and quantitative multi criteria decision making approaches could also be explored for the development of IT security based e-Governance framework in the Indian context.

Practical implications

The synthesis of SAP leads to LAP components which can bridge the gaps between information security, IT policy governance and e-Governance process. Based on the learning from the Situation, it is said that the case study can provide decision making support and has impact on the e-Governance process i.e. may enhance awareness about e-services available to the general public. Such work is required to assess the transparency and accountability on the Government.

Social implications

Learning based on the SAP-LAP framework could provide decision making support to the administrators, policy makers and IT sector stakeholders. Thus, the case study would further help in addressing the research gaps, accelerating e-Governance initiatives and in capturing cyber threats.

Originality/value

The SAP-LAP model is found as an intuitive approach to analyze the present status of information security governance, IT policy and e-Governance in India in a single unitary model.

Details

Information & Computer Security, vol. 26 no. 1
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 3 April 2018

Md. Shariful Islam, Nusrat Farah and Thomas F. Stafford

Abstract

Purpose

The purpose of the study is to explore the factors associated with the extent of security/cybersecurity audit by the internal audit function (IAF) of the firm. Specifically, the authors focused on whether IAF/CAE (certified audit executive [CAE]) characteristics, board involvement related to governance, role of the audit committee (or equivalent) and the chief risk officer (CRO) and IAF tasked with enterprise risk management (ERM) are associated with the extent to which the firm engages in security/cybersecurity audit.

Design/methodology/approach

For analysis, the paper uses responses of 970 CAEs as compiled in the Common Body of Knowledge database (CBOK, 2015) developed by the Institute of Internal Auditors Research Foundation (IIARF).

Findings

The results of the study suggest that the extent of security/cybersecurity audit by IAF is significantly and positively associated with IAF competence related to governance, risk and control. Board support regarding governance is also significant and positive. However, the Audit Committee (AC) or equivalent and the CRO role are not significant across the regions studied. Comprehensive risk assessment done by IAF and IAF quality have a significant and positive effect on security/cybersecurity audit. Unexpectedly, CAEs with security certification and IAFs tasked with ERM do not have a significant effect on security/cybersecurity audit; however, other certifications such as CISA or CPA have a marginal or mixed effect on the extent of security/cybersecurity audit.

Originality/value

This study is the first to describe IAF involvement in security/cybersecurity audit. It provides insights into the specific IAF/CAE characteristics and corporate governance characteristics that can lead IAF to contribute significantly to security/cybersecurity audit. The findings add to the results of prior studies on the IAF involvement in different IT-related aspects such as IT audit and XBRL implementation and on the role of the board and the audit committee (or its equivalent) in ERM and the detection and correction of security breaches.

Details

Managerial Auditing Journal, vol. 33 no. 4
Type: Research Article
ISSN: 0268-6902

Article
Publication date: 1 May 1995

Phil Spurling

Abstract

Sees security awareness promotion as part of the overall organization – its culture, philosophy and vision. Presents a case study of a major Australian organization. Traces the history of computer security, how commitment was built and the security awareness initiatives which were rolled out.

Details

Information Management & Computer Security, vol. 3 no. 2
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 1 January 2013

Azeem Aleem and Christopher Ryan Sprott

Abstract

Purpose

The purpose of this paper is to critically examine the vulnerabilities of the cloud platform affecting businesses trading on the internet. It aims to examine the appropriateness of the cloud computing, its benefits to the industry and helps to identify security concerns for businesses that plan to deploy one of the cloud platforms. It helps to identify areas where businesses should focus before choosing an appropriate Cloud Service Provider (CSP).

Design/methodology/approach

This paper presents the findings of an original research survey (200 IT professionals working both in the public and private sectors) undertaken to examine their privacy, and data security concerns associated with the cloud platform. Views of those who have yet to deploy cloud were analysed to detect the patterns of common security issues. Cyber fraud and trust concerns of the organisations are addressed and deployment of the secured cloud environment is outlined.

Findings

The survey analysis highlighted that the top concerns for organisations on cloud were security (93.8 per cent), governance (61.1 per cent) and a lack of control over service availability (56.6 per cent). The survey highlighted that the majority of IT professionals were not aware that some CSPs currently control the decryption keys that enable them to decrypt their client's data. This should be considered as a major security concern and it is one of the factors that should be looked into while vetting the service level agreement (SLA). Data loss and leakage (73.5 per cent) were voted as the top threat to cloud computing by respondents; this was followed by account, service and traffic hijacking (60.8 per cent). The paper examines various types of cloud threats companies have encountered.

Research limitations/implications

The vast majority of the data are drawn from IT professionals with businesses mainly in the UK and the USA.

Practical implications

The paper advocates a proactive and holistic cloud‐cyber security prevention typology to prevent e‐crime, with guidance of what features to look for when choosing an appropriate cloud service provider.

Originality/value

This is the first analysis done that includes IT auditors, physical security personnel as well as IT professionals. The paper is of value to companies considering adoption or implementation of a cloud platform. It helps to assess the cloud by evaluating a detailed comparison of benefits and risk associated with the platform.

Details

Journal of Financial Crime, vol. 20 no. 1
Type: Research Article
ISSN: 1359-0790
