Abstract
Nowadays, information security is a main organizational concern that aims to control and protect business assets from existing threats. However, the lack of mechanisms to direct and control the increasing incorporation of Information Technology (IT) assets to support new security solution architectures creates additional security threats. We created a method to identify the hidden implications that arise after implementing IT assets from different solution architectures. This method comprises two artifacts. The first artifact is a metamodel that characterizes three domains: IT governance, enterprise architecture, and dependencies between IT assets of solution architectures. The second artifact is a model to specify value dependencies, which identify the business impact related to interoperability relations between the aforementioned assets. The application of this method in a Latin American central bank led to the rationalization of IT assets and to a suitable security solution architecture derived from two existing architectures.
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
González-Rojas, O., Ochoa-Venegas, L., Molina-León, G. (2016). Information Security Governance: Valuation of Dependencies Between IT Solution Architectures. In: Řepa, V., Bruckner, T. (eds) Perspectives in Business Informatics Research. BIR 2016. Lecture Notes in Business Information Processing, vol 261. Springer, Cham. https://doi.org/10.1007/978-3-319-45321-7_16
DOI: https://doi.org/10.1007/978-3-319-45321-7_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-45320-0
Online ISBN: 978-3-319-45321-7
eBook Packages: Business and Management