Research Question 2: How can directing and monitoring actions in the technical, formal and informal components of IT/IS security governance in corporations be implemented efficiently and effectively?
To answer Research Question 2, a single-case analysis of the interactions among the components was conducted to determine whether the data support the interaction of the components.
6.4.2.1 Component Interaction
In the IS/IT Security Governance Model, the inter-relationships among the three components of Formal, Technical and Informal are important to achieve good practice of IS/IT Security. Understanding the reciprocal requirements among the components enables the board and senior management to consider the factors involved in the implementation of the IS/IT Security Governance Model. The factors include the organisational culture, business vision and goals, management strategy, technological fit and employee values and beliefs.
6.4.2.1.1 The relationship between Formal and Informal components, Relationship Type 1
The following presents information disclosed on how the Formal component has an impact on the Informal component, as identified by one large-capitalisation company. The educational aspect is one of the formal elements in the IS/IT security governance model, and it may strengthen organisational values and employee values. This relationship (Formal/Informal) can be illustrated by the case of Company A6 (p. 127). The statements of Company A6 (p. 127) were presented in an earlier section, ‘Education and Training relating to IS/IT security’, but there the discussion was limited to the role of education and training within the formal component. Here the same statements are presented again, this time in order to analyse the interaction between the formal and informal components.
“The Group maintains a strong knowledge of and continues to refine its mitigation strategies against Information Technology threats by participating in specific forums on Information Security and industry dialogues such as the Internet Banking Task Force. These initiatives contribute towards a systematic methodology to ensure the confidentiality, integrity, availability and non-repudiation of information and Information Systems against current or any potential threats prevalent in the evolving and changing internet world. This enables the Group to retain its customer trust and maintain high rates of utilisation for the Group’s products and services” (p. 127, Company A6).
In the case of Company A6, Formal components such as Information Security Forums and Dialogues were crucial for the development of the Informal component. The mitigation strategies provided by the Formal component influenced the way employees work and interact with each other in achieving IS/IT security governance. For example, the systematic methodology was identified as an organisational value of the Informal component, guiding how employees should act to maintain the confidentiality, integrity, availability and non-repudiation of IS/IT assets and business data in their organisation. Indirectly, good IS/IT Security Governance practices may increase the confidence of potential investors and maintain the trust of customers in the organisation’s services and products.
Interestingly, the IS/IT Security Management Strategies of the Formal component, such as training and forums, are important for the development of the Organisational Values of the Informal component. The enforcement of formal educational aspects may reinforce informal values: all employees, including the board, senior management, supervisors and the holders of responsibility, may become responsible and accountable for their responsibilities, roles and separation of duties in IS/IT security.
The following is an example of the Formal/Informal relationship.
“The Directors have attended such trainings and forums in areas that would enable them to effectively discharge their duties to the Group and/or that are relevant to the Group’s business activities” (p. 70, CA8).
6.4.2.1.2 The relationship between Formal and Technical components, Relationship Type 2
The Formal component is important to the Technical component because it provides strategic directions, strategies and policy for the implementation of technological resources and IS/IT security procedures. The IS/IT Security Policy is developed to ensure employees maintain the security over IS/IT assets and business data such as:
“The Group also formulated and implemented the ICT Policy and Guidelines to ensure proper protection of ICT resources, data integrity and security” (p. 63, CB3).
The objective of the IS/IT Security Policy is mainly to state basic guidelines on the acceptable use of IS/IT systems and the way of handling business data.
“The Corporate Information Security Policy (CISP), which was developed and communicated to all staff, covers the management of information, data security and provides guidelines on the acceptable use of Company B4 IT resources. The CISP also provides basic guidance on operational controls related to information security at Company B4 Group of Companies” (p. 62, Company B4).
The Formal component, such as the IS/IT Security Policy, not only provides technological guidelines to an organisation’s employees but also demonstrates the credibility and high reputation of the organisation in securing business data such as business strategies, accounting and financial information and customer data. Good IS/IT Security Governance practices may attract more investors and increase share market value. As disclosed by a large-capitalisation company,
“In 2008, a comprehensive Corporate Security Policy was prepared to review and improve CA13’s security management. The policy is based on international standards and reflects industry best practices. It applies to all CA13’s assets, including means of handling, storing and processing information, and gives CA13 an edge over its competitors in terms of financial exposure and reputation for reliable and secure business practices” (p. 97, CA13).
6.4.2.1.3 The relationship between Technical and Informal components, Relationship Type 3
IS/IT Security issues are not only technological issues but also social problems. Both components, the Technical and the Informal, need to be aligned. To achieve IS/IT Security, the implementation of the Technical component is associated with the Informal values held by workers, namely organisational values and employee values. The organisational values relate to the responsibility of employees in carrying out business processes, while the employee values concern the personal and ethical values they hold. Where any of these informal values is lacking, the implementation of the Technical component, such as IS/IT Security Procedures, may reveal discrepancies and unexpected behaviour. The following disclosure provides an example of the Technical/Informal relationship.
“the special-purpose Cryptographic Coprocessor and zIIP Specialty Processor of the new mainframes provide high speed data encryption/decryption to facilitate tape encryption and end-to-end network protection using standard industry security protocols such as IP Security and Secure Socket Layer. The implementation of tape encryption will eliminate the risk of unauthorised disclosure of data should any backup media be lost or stolen in transit” (p. 170, CA9).
The next example shows how the Technical component such as IS/IT Security Procedures is important to the Informal component in preventing threats and vulnerabilities.
“Two-factor authentication was also introduced to safeguard e-Banking customers against unauthorized access. The enhanced security system incorporates a Public Key Infrastructure based hardware token which must be used in tandem with a Personal Identification Number to thwart key logging and phishing frauds” (p. 170, CA9).
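The control described in the CA9 disclosure combines something the customer has (the hardware token) with something the customer knows (the PIN), and it defeats key logging and phishing because neither a captured PIN nor a captured token response is sufficient on its own. The following is an added example written for this section, not code from the thesis or from CA9. To keep it runnable with only the Python standard library, the token's PKI signature is modelled as an HMAC over a single-use server challenge; that substitution, and all user names, PINs and secrets, are assumptions of the example.

```python
"""Two-factor login check: possession of a token plus knowledge of a PIN.

Added example; not code from the thesis or from CA9. The disclosure describes
a PKI-based hardware token; here the token's response is modelled as an HMAC
over a server-issued challenge (an assumption made to stay standard-library
only, not CA9's design). All names and secrets below are constructed.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000


class HardwareToken:
    """Models the device the customer possesses; its secret never leaves it."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # Stand-in for signing the challenge with the token's private key.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class AuthServer:
    """Verifies both factors against a fresh, single-use challenge."""

    def __init__(self):
        self._users = {}    # user -> (token_secret, pin_salt, pin_hash)
        self._pending = {}  # user -> outstanding challenge (single-use)

    def enrol(self, user: str, pin: str, token_secret: bytes) -> None:
        salt = os.urandom(16)
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        self._users[user] = (token_secret, salt, pin_hash)

    def challenge(self, user: str) -> bytes:
        # A new random challenge for every login attempt; replaying an old
        # token response against it cannot succeed.
        c = secrets.token_bytes(32)
        self._pending[user] = c
        return c

    def verify(self, user: str, pin: str, token_response: bytes) -> bool:
        record = self._users.get(user)
        chal = self._pending.pop(user, None)  # consumed whether or not login succeeds
        if record is None or chal is None:
            return False
        token_secret, salt, pin_hash = record
        # Evaluate both factors before combining, so a failure reveals nothing
        # about which factor was wrong.
        pin_ok = hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS), pin_hash)
        expected = hmac.new(token_secret, chal, hashlib.sha256).digest()
        token_ok = hmac.compare_digest(expected, token_response)
        return pin_ok and token_ok  # both factors required, not either


def demo() -> dict:
    """Runs the four scenarios the disclosure is concerned with."""
    server = AuthServer()
    secret = secrets.token_bytes(32)          # constructed token secret
    token = HardwareToken(secret)
    server.enrol("alice", "4821", secret)     # constructed user and PIN
    results = {}

    # 1. Legitimate login: correct PIN and a token response to a fresh challenge.
    c = server.challenge("alice")
    results["legitimate"] = server.verify("alice", "4821", token.respond(c))

    # 2. Key logging obtained the PIN but the attacker holds no token.
    server.challenge("alice")
    results["pin_only"] = server.verify("alice", "4821", b"\x00" * 32)

    # 3. Phishing captured a genuine token response; replaying it later fails
    #    because the challenge it answered has already been consumed.
    c_old = server.challenge("alice")
    captured = token.respond(c_old)
    server.verify("alice", "4821", captured)  # the original session uses it up
    server.challenge("alice")
    results["replayed_response"] = server.verify("alice", "4821", captured)

    # 4. Token present but the PIN is wrong.
    c = server.challenge("alice")
    results["wrong_pin"] = server.verify("alice", "0000", token.respond(c))
    return results


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:18s} -> {'accepted' if accepted else 'rejected'}")
```

Only the first scenario is accepted; the PIN-only, replayed-response and wrong-PIN attempts are all rejected, which is the property the disclosure attributes to pairing the token with the PIN.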
An effective Technical component, such as IS/IT Security Procedures, may have an impact in controlling and minimising security threats arising from employees. An effective Technical component here refers to the capability to control and monitor the activities of employees using particular IS/IT systems; if any suspicious activity is detected, the Technical component informs the Informal component. The following statement illustrates how security counter-measures/controls such as web-surfing monitoring, monitoring of e-mail transmissions and logs were used to control and minimise human actions.
“In 2008, the Group continued to improve its Information Architecture with efforts in prevention, detection and response against internal threats, such as misuse of privileges, leakage of confidential data and external threats, such as third-party phishing websites and continued threats from aggressive malware. New and improved systems have been installed to closely monitor the usage of Information Technology (IT) resources for staff. The monitoring occurs at the desktop level, such as web-surfing monitoring and email transmissions, and also at server and network level, where additional logs are centrally collated and monitored for suspicious activity” (p. 127, CA6).
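The CA6 disclosure describes collating desktop-level records (web surfing, e-mail) with server-level logs and watching the combined stream for the three kinds of activity it names: misuse of privileges, leakage of confidential data, and access to third-party phishing websites. The following is an added example of that collate-and-monitor step, written for this section; it is not code from the thesis or from CA6. The log formats, user names, host names, domains, blocklist and the business-hours window are all constructed for the demonstration, and the rules are deliberately simple so that the flow from technical detection to a human review queue is easy to follow.

```python
"""Central collation of desktop- and server-level logs with simple rules for
the three threat kinds named in the disclosure.

Added example, not from the thesis or any company it cites. Every log line,
name, domain and threshold below is constructed for the demonstration.
"""
import re

# Constructed sample logs (all values made up). Desktop level: web proxy and
# mail gateway. Server level: privileged-command audit records.
PROXY_LOG = """\
2024-05-01T09:02:11 user=alice src=desk-017 url=https://intranet.example.test/hr action=ALLOW
2024-05-01T09:05:40 user=bob src=desk-042 url=https://secure-login-bank.example-phish.test/verify action=ALLOW
2024-05-01T09:06:02 user=bob src=desk-042 url=https://secure-login-bank.example-phish.test/submit action=ALLOW
"""
MAIL_LOG = """\
2024-05-01T10:15:03 from=alice@example.test to=carol@example.test subj="Q2 budget" size=42311 label=INTERNAL
2024-05-01T10:17:48 from=dave@example.test to=dave.home@freemail.test subj="customer list" size=8231145 label=CONFIDENTIAL
"""
SERVER_LOG = """\
2024-05-01T02:14:09 host=db-01 user=dave event=sudo cmd="mysqldump customers" result=OK
2024-05-01T11:30:00 host=db-01 user=svc-backup event=sudo cmd="mysqldump customers" result=OK
"""

PHISHING_DOMAINS = {"secure-login-bank.example-phish.test"}  # constructed blocklist
INTERNAL_DOMAIN = "example.test"                             # constructed
PRIVILEGED_ACCOUNTS = {"svc-backup", "dba-ops"}              # constructed
BUSINESS_HOURS = range(8, 19)                                # assumed change window

# key=value pairs, where a value may be a quoted string containing spaces
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str, source: str) -> dict:
    """Turn one log line into a dict; the timestamp is the first token."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = ts
    fields["source"] = source
    return fields


def collate(proxy: str, mail: str, server: str) -> list:
    """Merge the three sources into one stream ordered by time."""
    events = []
    for source, text in (("proxy", proxy), ("mail", mail), ("server", server)):
        for line in text.splitlines():
            if line.strip():
                events.append(parse(line, source))
    return sorted(events, key=lambda e: e["ts"])


def hostname(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/")[0]


def detect(events: list) -> list:
    """Apply one rule per threat kind; each alert is (kind, who, when)."""
    alerts = []
    for e in events:
        if e["source"] == "proxy" and hostname(e["url"]) in PHISHING_DOMAINS:
            alerts.append(("phishing-site-access", e["user"], e["ts"]))
        elif e["source"] == "mail":
            external = not e["to"].endswith("@" + INTERNAL_DOMAIN)
            if external and e.get("label") == "CONFIDENTIAL":
                alerts.append(("confidential-data-to-external", e["from"], e["ts"]))
        elif e["source"] == "server" and e.get("event") == "sudo":
            hour = int(e["ts"][11:13])
            # Privilege misuse: a non-privileged account, or use outside the window.
            if e["user"] not in PRIVILEGED_ACCOUNTS or hour not in BUSINESS_HOURS:
                alerts.append(("privilege-misuse", e["user"], e["ts"]))
    return alerts


def review_queue() -> list:
    """What the technical component hands to the people who follow up."""
    return detect(collate(PROXY_LOG, MAIL_LOG, SERVER_LOG))


if __name__ == "__main__":
    for kind, who, when in review_queue():
        print(f"{when}  {kind:30s}  {who}")
```

Run on the constructed sample, the queue holds four items: one privilege-misuse alert for the out-of-hours dump by a non-privileged account, two phishing-site accesses by the same user, and one confidential message sent to an external address; the in-hours dump by the backup account and the internal e-mail raise nothing. Those four items are the point at which, in the thesis's terms, the Technical component informs the Informal one.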
6.4.2.2 Summary
The interactions of the three components, formal, technical and informal, are significant in the IS/IT security governance model. The component interaction was of three types: first, the Formal/Informal relationship (RT1); second, the Formal/Technical relationship (RT2); and third, the Technical/Informal relationship (RT3). From the website analysis, the component interaction arose from the reciprocal requirements among the components.
The relationship between Formal and Informal components, Relationship Type 1
From the website data, the educational aspect was an example of formal components. In the IS/IT security governance model, the educational aspect was recognised as an example of IS/IT security management strategy within the formal component. The formal component had interaction with the informal component through the educational aspect. The educational aspect, if effectively implemented, may improve the organisational values and employee values.
The relationship between Formal and Technical components, Relationship Type 2
The website analysis provided an example of the formal component, the IS/IT security policy. The IS/IT security policy interacted with the technical component in two ways, through technological resources and through security procedures. The technological resources focused on the IT vision, while the security procedures were concerned with security counter-measures/solutions. The existence of the formal component, including policy, may encourage employees to implement the security procedures efficiently and effectively.
The relationship between Technical and Informal components, Relationship Type 3
It was found that the technical component had an impact on the informal component. From the website analysis, automatic security counter-measures/controls had been used to control and minimise human actions. Among the automatic security controls to which attention was drawn were tape encryption and two-factor authentication. The website analysis also revealed that non-automatic security counter-measures/controls affected the informal component. The non-automatic security counter-measures/controls highlighted were web-surfing monitoring, monitoring of e-mail transmissions and logs.