

Corporate governance comprises two important aspects, namely directing and controlling (King Report, 2002; Solms et al., 2006). The first aspect, directing, is the process of providing strategic guidance on the way corporations should operate, which normally happens via corporate policies, standards and procedures. The second aspect, controlling, is the process of ensuring that corporations achieve their business goals, follow their policies and procedures, and comply with the country's laws and industrial regulations. Any form of security planning must reflect these corporate governance characteristics.

The two aspects of governance, direction and control, can be used effectively to minimise IS/IT risk (Solms, 2006). The Information Security Governance model by Solms (2006) explains that significant Direct and Control actions occur at all management levels: strategic, tactical and operational. However, as mentioned before, Solms (2006) did not draw on experience gained from the field to validate the model.

Corporate governance practice within IS/IT security implementation is in demand. This demand is supported by the following IS/IT security researchers (Kizirian et al., 2004; Knapp et al., 2006; Posthumus et al., 2005). IS/IT security today has attracted a great deal of attention from corporate boards and senior management in directing and controlling IS/IT assets and resources.

Kizirian (2004) conducted case studies to investigate the security controls and management tone recorded in firms' IS audit working papers, and confirmed that management sets the tone and direction of an organisation.

A combination of qualitative and quantitative methods was used by Knapp et al. (2006) to investigate whether management has an effect on security culture and policy. Two hundred and twenty certified IS security professionals answered the open-ended questions for the theory-grounding part of their research. After the qualitative survey was conducted, sixty-eight certified IS security professionals answered the web survey. Knapp's study found that senior management support is a significant predictor of cultivating a security culture and enforcing policies.

A framework for the governance of information security developed by Posthumus et al. (2005) addresses how information security should be handled at senior management level. Posthumus has clearly defined the scope and characteristics of business information risk. Due to e-business demands, the scope of business information risk has been extended to private networks and the Internet, to secure the lines of communication between the organisation and its customers, suppliers and business alliances. The characteristics of business information risk, namely confidentiality, integrity and availability, have been incorporated into their Information Security Governance model, but the model was not validated in a real-world environment.

As IS/IT security is part of IT governance, the board and senior management are responsible for directing and controlling the IS/IT assets and business data. According to the IT Governance Institute report in 2003, IT governance has five major strategic domains, namely, 1) IT strategic alignment, 2) IT value delivery, 3) IT resource management, 4) IT risk management and 5) IT performance management (ITGI, 2003). This research study is focused on the fourth domain, IT risk management, specifically looking into IS/IT security.

IS/IT security governance underlies the IT governance concept by aligning IS/IT investment and business direction with the security risk to IS/IT assets. In IT governance, the responsibilities and authorities are exercised by the board, senior management and IT management in the formulation and implementation of IT strategy (Van Grembergen, 2002). It is presumed that IS/IT security governance carries responsibilities and authorities similar to those of IT governance. The alignment between business direction and IT needs is crucial in IT governance.

An integration of skills is needed because IS/IT is driven by people across the corporation. In overseeing the interests of the stakeholders, the security requirements of IS/IT should be recognised at the corporation's board level.

The report published by the IT Governance Institute relating to IS/IT security governance presents some essential guidelines for boards to follow (ITGI, 2006). These are, first, to place IS/IT security on the board's agenda; second, to identify an accountable and supportive IS/IT security leader; third, to review and approve IS/IT security policy; and last, to assign IS/IT security responsibility to a key committee. However, without proper direction in risk management and internal controls within the organisation, particularly for IS/IT security, the guidelines provided by the IT Governance Institute would not be successful and effective, however good they are. This is because the interactions between the Formal and Technical, and the Formal and Informal, dimensions have not been comprehensively explored by IS/IT security researchers. Lack of this interaction would lead to poor implementation of risk management and internal controls relating to IS/IT security.

There are two key personnel involved in IS/IT security governance, the Chief Executive Officer (CEO) and the Chief Information Officer (CIO). In corporations, the CEO is an agent of the board and, therefore, of the shareholders. The CEO has a broad responsibility for steering the corporation in making profits, driving revenue and building shareholder value through achieving business objectives and goals (Bassett, 2006). According to the Corporate Governance Task Force (2004), the CEO is responsible for reporting compliance issues to the board and advising on the level of acceptable risk. The CEO must also report on weaknesses in current practices and suggest IS/IT security plans for improvement. A CIO, however, is responsible for addressing the business and legal perspectives across the entire IS/IT security function. For example, the CIO advises the CEO on strategic planning efforts to preserve the confidentiality, integrity and availability of the corporation's information bases. In conclusion, IS/IT security governance requires clear roles and responsibilities for a range of personnel.