An approach to analyzing the business environment for information security governance

Article type: Research article

Authors

1 Ph.D. student in Information Technology Management, Department of Industrial Management, Central Tehran Branch, Islamic Azad University, Tehran, Iran. f63akhavan@gmail.com

2 Assistant Professor, Department of Industrial Management, Central Tehran Branch, Islamic Azad University, Tehran, Iran (corresponding author). saa.mousavi@iau.ac.ir

3 Assistant Professor, Department of Information Technology Management, Tarbiat Modares University, Tehran, Iran. a.sarabadani@modares.ac.ir

Abstract

The data and information held in information technology systems are valuable and vital to an organization's business, because the value of a business is concentrated in the value of its information. Beyond the added value it creates for the organization, the risk of losing capital and the credibility earned through customer trust threatens the organization in various ways, and computer misuse and information security incidents are also on the rise, with a direct impact on the processes and operations of companies and organizations. Information asset management is one of the main and strategic elements of business. The growing role of information security in the administration of organizations and institutions is therefore evident, and providing the infrastructure needed to achieve it is important. In this paper, using the meta-synthesis method, reviewing the research conducted in this field and analyzing the results of qualitative studies, an approach based on the focus areas of information security governance (strategic alignment, risk management, resource management, performance measurement and value delivery) is presented that helps to correctly understand information security governance.

Keywords


Title [English]

An approach to analyzing the business environment for information security governance

Authors [English]

  • Fatemeh Akhavan 1
  • Amin Mousavi 2
  • Abolghaasem Sarabadani 3
1 Ph.D. student, Information Technology Management, Islamic Azad University, Central Tehran Branch, Tehran, Iran. Email: f63akhavan@gmail.com
2 Assistant Professor, Industrial Management Department, Information Technology Management, Islamic Azad University, Central Tehran Branch, Tehran, Iran. Corresponding author, Email: saa.mousavi@iau.ac.ir
3 Assistant Professor, Information Technology Management Department, Tarbiat Modares University, Tehran, Iran. Email: a.sarabadani@modares.ac.ir

Abstract [English]

Information technology is the most powerful technology of the present age, affecting life and everything around us. Data and information stored in information technology systems are valuable and vital to the business of the organization, because the value of a business is concentrated in the value of its information. Alongside the added value it creates for the organization, it carries the risk of losing capital and credibility: the trust of customers is threatened in various ways, and computer misuse and information security incidents are increasing, with a direct impact on the processes and operations of companies and organizations. Information asset management is one of the main and strategic elements of business. Therefore, the increasing role of information security in the management of organizations and institutions is evident, and providing the necessary infrastructure to achieve this is important. The paper presents an approach based on the focus areas of information security governance (strategic alignment, risk management, resource management, performance measurement and value delivery) that helps to understand information security governance.

Keywords [English]

  • Information Technology
  • Information Security
  • Information Technology Governance
  • Information Security Governance