Information security governance framework

Abstract

Many companies, especially Japanese companies, have implemented information security with bottom up approach, starting from implementing piece by piece security controls. As increase the number of information security incidents and spread its impact, companies have implemented many measures in the wide spectrum, from technical counter measure systems (firewalls to protect internal network) to security management. Japanese government has introduced compliance schemes for protecting privacy data and computers from illegal access. In addition, Ministry of Economics, Trade and Industry (METI) proposed private companies to enhance information security governance capabilities with the tools such as "Information Security Report Model" (here after IS for 'Information Security'), "IS Management Benchmarking" and "Business Continuity Planning Guide (BCP)".IS Management System (ISMS) certification, IS Auditing and IS Rating scheme are also introduced to assure the implementation of security. Then, there are so many measures existing separately. Corporate Executives (CEO and board of directors including CIO, CRO, and CISO etc.) have come to know the amount of investment for security measures is too large to pay. This paper propose Information Security Governance (here in after, ISG) Framework which combines and inter-relates many existing information security schemes. With this ISG framework, Corporate Executives can direct, monitor, and evaluate IS related activities in a unified manner. Copyright 2009 ACM.