Data source: CROSBI

Exploring the Responsibilities and Practices Behind Information Security Governance (CROSBI ID 634066)

Conference paper in proceedings | original scientific paper | international peer review

Jadrić, Mario ; Ćukušić, Maja ; Garača, Željko. Exploring the Responsibilities and Practices Behind Information Security Governance // Proceedings of the 4th International OFEL Conference on Governance, Management and Entrepreneurship / Tipurić, Darko ; Kovač, Ivana (eds.). Zagreb: Centar za istraživanje i razvoj upravljanja (CIRU), 2016. pp. 328-342

Responsibility details

Jadrić, Mario ; Ćukušić, Maja ; Garača, Željko

English

Exploring the Responsibilities and Practices Behind Information Security Governance

Companies collect large amounts of various types of sensitive data, e.g. user profiles, financial data, contracts, etc. Such a large amount of data and information is becoming increasingly difficult to manage, and even harder to protect against information security threats. Studies show that the gap between the existing security threats and the associated response from companies is becoming larger and, moreover, grows at an exponential rate. In other words, information security risks increase significantly, as illustrated by the growing numbers and types of security incidents and data breaches. Managing different domains of information security has been in the focus of IT professionals for a couple of decades now, resulting in the definition and adoption of international standards in this area. The first standards were created as a compilation of approaches and measures to minimize information security risks. They have been amended since, due to the development of modern technological and organizational solutions providing a high level of information security in business settings. Nevertheless, information security initiatives do not require complex technological solutions, but need real leadership commitment and governance. Efficient and effective information security management is not possible without clear delegation of roles and responsibilities, good planning, systematic analyses and risk assessment, as well as determining adequate controls and measures for information security protection, followed by continuous review and performance evaluation of information security related efforts. Many companies have organizational and technological solutions (policies, standards, firewalls, etc.) for managing information security in place, but they are usually fragmented within various departments and on different levels. In such cases, the management is not truly involved, and information security goals are not aligned with corporate strategy.
In line with that, this paper explores the importance of information security governance in the modern business environment. Namely, the emphasis will be on positioning information security governance in relation to corporate governance in general. Then, modes for implementing information security in corporations will be discussed, along with detailing information security roles and responsibilities across a company. The central part of the paper will analyze ISO/IEC 27001, the most commonly used standard, i.e. a best practice approach for managing information security in corporations to ensure confidentiality, availability and integrity of sensitive information.

Information Security; Information Security Governance; Standards

Contribution details

328-342.

2016.

published

Host publication details

Proceedings of the 4th International OFEL Conference on Governance, Management and Entrepreneurship

Tipurić, Darko ; Kovač, Ivana

Zagreb: Centar za istraživanje i razvoj upravljanja (CIRU)

978-953-8079-01-6

Conference details

4th International OFEL Conference on Governance, Management and Entrepreneurship, New Governance for Value Creation: Towards Stakeholding and Participation

lecture

15.04.2016-16.04.2016

Dubrovnik, Croatia

Related fields

Economics, Information and Communication Sciences