
Information Security governance and the adoption of Best Practice Frameworks in the Social ... PDF

132 Pages·2015·1.63 MB·English

Preview Information Security governance and the adoption of Best Practice Frameworks in the Social ...

Information Security governance and the adoption of Best Practice Frameworks in the Social Housing Sector

Helen McMorran

Submitted in partial fulfilment of the requirements of Edinburgh Napier University for the degree of Master of Science in Strategic ICT Leadership

School of Computing
August 2015

Helen McMorran – 40117163 ii MSc Strategic ICT Leadership, 2015

Authorship Declaration

I, Helen McMorran, confirm that this dissertation and the work presented in it are my own achievement.
1. Where I have consulted the published work of others this is always clearly attributed;
2. Where I have quoted from the work of others the source is always given. With the exception of such quotations this dissertation is entirely my own work;
3. I have acknowledged all main sources of help;
4. If my research follows on from previous work or is part of a larger collaborative research project I have made clear exactly what was done by others and what I have contributed myself;
5. I have read and understand the penalties associated with Academic Misconduct.
6. I also confirm that I have obtained informed consent from all people I have involved in the work in this dissertation following the School's ethical guidelines.

Signed: Date: Matriculation no: 40117163

Data Protection Declaration

Under the 1998 Data Protection Act we cannot disclose your grade to an unauthorised person. However, other students benefit from studying dissertations that have their grades attached. Please sign your name against one of the options below to state your preference.
The University may make this dissertation, with indicative grade, available to others.
The University may make this dissertation available to others, but the grade may not be disclosed.
The University may not make this dissertation available to others.
Abstract

The aim of this dissertation was to evaluate the approach taken to information security governance within the Housing sector and whether adopting best practice frameworks would assist implementation. The von Solms model for information security governance was selected from the literature for evaluation purposes. In addition to the five components of the chosen model, external compliance and cultural factors were also considered.

Research was carried out among thirteen housing associations, motivated by two research questions:
1. What are the business drivers for the implementation of information security governance?
2. What factors help or hinder the adoption of information security?
The research tested whether an adapted best practice framework for information security governance is of benefit to housing associations and will help to promote implementation of good information security governance.

Data was gathered from six interviews, an online questionnaire and a document review, using triangulation of research methods to help provide a fuller picture and more complete findings. The results show housing associations have been reactive in implementing information security governance, driven by the necessity to comply with various regulating bodies. There has been a shift in information security awareness due to high-profile cases of data protection incidents, and this is helping to improve information security overall. Best practice implementation is not consistent, but the housing associations that have knowledge in this area all have staff who have taken part in recent vocational training and have used this new-found knowledge to adapt relevant best practice frameworks around business need.
This work offers insight into the implementation of information security best practice principles within the housing sector by identifying the business drivers and factors which help or hinder the adoption of information security governance.

Contents

1. Introduction ... 11
2. Literature Review ... 14
2.1 Corporate governance ... 14
2.2 Information Security governance ... 18
2.3 Housing Sector ... 26
2.3.1 Background ... 26
2.3.2 Third Sector governance ... 27
2.3.3 Characteristics of SMEs ... 28
2.3.4 Information Security Risks – data protection, customer privacy ... 29
2.4 Chapter Conclusion ... 31
3. Research Methods ... 35
3.1 Introduction ... 35
3.2 Quantitative Research ... 35
3.3 Qualitative Research ... 36
3.4 Mixed Methods Approach ... 36
3.4.1 Project Sampling ... 37
3.5 Triangulation ... 38
3.6 Chosen Approach ... 39
3.6.1 Advantages of Chosen Approach ... 40
3.7 Data Collection Methods ... 41
3.7.1 Interviews ... 41
3.7.2 Survey Questionnaire ... 42
3.7.3 Documents ... 43
3.8 Ethics ... 43
3.9 Data Analysis ... 44
3.10 Limitations of Methodology ... 45
3.11 Chapter Conclusion ... 46
4. Findings and Discussion ... 47
4.1 Introduction ... 47
4.2 What are the business drivers for implementation of information security governance? ... 50
4.2.1 Direct & Control Factors ... 50
4.2.2 Risk Factors ... 54
4.2.3 External Compliance Factors ... 58
4.3 What factors help or hinder the adoption of information security governance? ... 61
4.3.1 Organisation Factors ... 61
4.3.2 Awareness Factors ... 65
4.3.3 Cultural Factors ... 68
4.5 Chapter Conclusion ... 71
5. Conclusions ... 72
5.1 What are the business drivers for implementation of information security governance? ... 72
5.2 What factors help or hinder the adoption of information security governance? ... 74
6. Critical Appraisal, Limitations and Further Work ... 78
6.1 Critical Appraisal ... 78
6.1.1 Model Evaluation ... 78
6.1.2 Data Gathering ... 79
6.1.3 Project Management ... 79
6.2 Limitations ... 80
6.3 Further Work ... 81
Bibliography ... 83
Appendices ... 88
Appendix 1 – Initial Interview Questions ... 88
Appendix 2 – Interview Questions: Second Round ... 90
Appendix 3 – Online Questionnaire ... 92
Appendix 4 – Ethics ... 98
Appendix 5 – Analysis of Findings from Housing Associations (HAs) ... 100
Appendix 6 – Summary of Findings ... 102
Appendix 7 – Project Planning ... 105
Appendix 8 – Project Diaries ... 110
Appendix 9 – Project Proposal ... 124
List of Figures

Figure 1: Corporate governance – the direct/control cycle ... 15
Figure 2: CoBIT and other IT Governance Frameworks ... 18
Figure 3: ISO/IEC 38500:2008 Model for corporate governance of IT ... 19
Figure 4: Relationship between Corporate governance, IT governance and Information Security governance ... 20
Figure 5: Model for Information Security governance ... 23
Figure 6: Sampling Strategies ... 38
Figure 7: Mixed Methods and Triangulation – towards a more complete picture ... 39
Figure 8: Positions of interviewees against whether completion of data achieved ... 48
Figure 9: Positions of survey participants against whether completion of data achieved ... 48
Figure 10: Results of Direct & Control factors within 13 HAs ... 51
Figure 11: Results of Risk factors within 13 HAs ... 55
Figure 12: Results of External Compliance factors within 13 HAs ... 59
Figure 13: Results of Organisation factors within 13 HAs ... 63
Figure 14: Results of Awareness factors within 13 HAs ... 67
Figure 15: Results of Cultural factors within 6 HAs ... 69

List of Tables

Table 2.1: Themes, Findings & Key Sources from literature review ... 33
Table 2.2: Research questions and themes ... 33
Table 4.1: Direct & Control factor results ... 51
Table 4.2: Risk factor results ... 55
Table 4.3: External Compliance factor results ... 59
Table 4.4: Organisation factor results ... 63
Table 4.5: Awareness factor results ... 66
Table 4.6: Cultural factor results (interviews only) ... 69
Acknowledgements

First and foremost I would like to thank my supervisor, Peter Cruickshank, for his support, encouragement and sage advice during the whole of this research project. I would also like to thank my second marker, Sally Smith, for helpful feedback. Thanks are also due to everyone who gave up their time to participate in this research project. Finally, thanks go to my family, Russell, Siobhan and Cameron, for their patience and understanding throughout; you're the best!

Description:
Related Technologies) and ISO 27002 (Hui Lin, 2012) (Disterer, 2013). Knowledge gained from studying the Security, Audit and Compliance module ... Institute, 2012). CoBIT is wider in scope than the ISO standards and the framework not only covers IT but encompasses the entire company. One of.
