An analysis of Information Security Governance in the Universities in Zimbabwe
The complexity and criticality of information security and its governance demand that it be elevated to the highest organizational levels. Within a university, information assets include student and personnel records, health and financial information, research data, teaching and learning materials, and all restricted and unrestricted electronic library materials. Securing these information assets is among the highest priorities in terms of risk and liability, business continuity, and protection of the university's reputation. As a critical resource, information must be treated like any other asset essential to the survival and success of the organization. In this paper the writer discusses the need for implementing Information Security Governance within institutions of higher education. This is followed by a discussion of how best to practise Information Security Governance within the universities in Zimbabwe, and then by an assessment of how far the Zimbabwean universities have implemented it. A combination of questionnaires and interviews is used to gather data, and recommendations are stated towards the end of the paper.
Governance, as defined by the IT Governance Institute (2003), is the “set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.” Information security governance is the system by which an organization directs and controls information security (adapted from ISO 38500). It specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated as well as ensuring that security strategies are aligned with
References:
Drucker, P. (1993). Management Challenges for the 21st Century. Harpers Business.
Corporate Governance Task Force (2004). Information Security Governance: Call to Action. USA.
IT Governance Institute (2003). Board Briefing on IT Governance, 2nd Edition. USA. www.itgi.org
IT Governance Institute (2006). Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition. USA.
ISO/IEC 38500 (2008). Corporate Governance of Information Technology.
IT Governance Institute (2005). COBIT 4.0. USA. www.itgi.org
IT Governance Institute (2004). COBIT® Security Baseline. USA. www.itgi.org
National Association of Corporate Directors (2001). Information Security Oversight: Essential Board Practices. USA.
John P Rutsito, T. (2005). 'IT governance, security define new era'. The Herald, 07 November.
Kaitano, F. (2010). 'Information Security Governance: Missing Link In Corporate Governance'. TechZim. http://www.techzim.co.zw/2010/05/information-security-governance-missing-link-in-corporate-governance [accessed 02 May 2013].
Horton, T.R., Le Grand, C.H., Murray, W.H., Ozier, W.J. & Parker, D.B. (2000). Information Security Management and Assurance: A Call to Action for Corporate Governance. United States of America: The Institute of Internal Auditors.
Hostland, K., Enstad, A.P., Eilertsen, O. & Boe, G. (2010). Information Security Policy: Best Practice Document.