The research utilises an Action Research methodology; it is therefore foreseeable that there will be numerous versions of the guidelines. The current version is as at 6 August 2012 and is available upon request. Please contact Rachel:


Suggested Governance Review Meetings
This section describes how the information security governance review process could be undertaken.


Practices should schedule three two-hour information security governance review meetings per annum. Four or more appropriate practice staff should be identified and invited to participate in these governance review meetings, including a representative from ICT.

At the initial governance review meeting, an information security governance baseline should be established by completing the first iteration of the Information Security Governance Guidelines (Figure 1 below). The meeting achieves this by considering each activity row in the Information Security Governance Guidelines and selecting the measure that best reflects the practice’s security performance (see Measuring Information Security Governance below). It should take no more than one meeting to complete the initial baseline assessment.

At subsequent governance review meetings, the meeting reviews the baseline and discusses the practice’s information security performance against it, including all incidents which have occurred in the period since the last meeting. The meeting should discuss whether any information security governance performance criteria should be adjusted up, or down, a level within the guidelines, based on whether the stated criteria have been met. The response to, and handling of, any technical and/or governance incidents should also be considered. In this way, incremental and measured improvement in information security governance practice is achievable.

Next, the governance meeting should identify the criteria from the guidelines most in need of attention. A reasonable number of activities requiring attention should be allocated to appropriate staff to action by the next governance meeting. Some tasks may need a reasonable amount of time to complete, for example preparing an information security awareness training needs analysis.

The meeting should then discuss the overall progress that the general practice is making with respect to information security governance. Is the practice improving its security performance? What areas are deficient, and why? What can be done to correct any deficiencies? Questions relating to how many meetings a practice will hold annually, who should attend, who is responsible for what, and what the lines of authority and responsibility are, all have to be workable within the practice. If they are not, they need to be reviewed and changed. All of these inputs drive the discussion. This exercise may assist the practice in focusing on its information security priorities.

Some issues arising may well have implications for disaster recovery and business continuity. For instance, what if it were discovered that the backups are corrupt? The role of the governance meeting is to ensure that the governance guidelines and their processes are working, rather than to resolve specific technical problems at the meeting itself. Technical issues requiring resolution would be logged as an IT service desk request. Identified issues should be allocated to appropriate staff for resolution and added to the agenda for the next governance meeting, to be further actioned or closed.

When a major change in the general practice’s information security environment occurs, the governance review meeting should revise and update the guidelines. Such changes include, but are not limited to, changes in applicable legislation or regulations; changes in practice priorities; emerging information security issues, such as changes in the threat environment; and the introduction of new technologies into the practice.


Measuring Information Security Governance
The software capability maturity model (CMM) approach seeks systematic improvement in capabilities, demonstrated by attainment of higher levels of capability maturity (Software Engineering Institute, 2009; Williams, 2007b). Maturity models give an organisation the ability to benchmark its current capability, outline proposed strategies and measure security progress over time (Poole, 2006). This maturity model approach is becoming increasingly evident in corporate governance, with reporting based on the CobiT Security Baseline guidance, which allows organisations to establish minimum security requirements in line with the ISO/IEC 27002 standard (Poole, 2006). CMM has previously been used successfully to establish a clinical governance baseline assessment tool (Department of Health, 1999).

There are five capability maturity model (CMM) levels as defined by the Software Engineering Institute (2009), ISM3 (2007) and Williams (2008). They are as follows:

• Level 1: Initial – the process is used but it remains undefined;
• Level 2: Repeatable – the process is documented and used;
• Level 3: Defined – the process is defined and the results of the process are used to inform and update the processes;
• Level 4: Managed – the process is managed and evidence of accurate prediction of resource needs and security milestones exists;
• Level 5: Optimised – the process is controlled and improvement leads to savings in resources. Best practice is followed and automated.

For each activity row of the Information Security Governance Guidelines (Figure 1), the practice selects the minimum performance level applicable to the practice, from Level 1 (Initial) through to Level 5 (Optimised). The practice cannot move to the next higher maturity level without having fulfilled all the conditions of the lower levels (ISACA’s CobiT 4.1, 2004). By selecting a level for each activity goal (row) in the guidelines, a performance measure for that activity is established.

After the first iteration of assigning a CMM level to each activity within the guidelines, an information security governance baseline is established. The practice should aim for incremental performance improvement from the established baseline until Level 4 (Managed), or above, has been achieved for each information security governance activity in the guidelines.

The measurement outcome, the level or levels attained, is a capability summary which identifies information security governance competence (Beveridge, 2008). Further, a comparative assessment of different practices can be undertaken where the Information Security Governance Guidelines are the common basis for comparison. The completed guidelines assessment can be used to compare performance with other general practices and to establish industry performance. In addition, an industry benchmark standard could be established (Software Engineering Institute, 2009).



The preliminary Information Security Governance Guidelines (Figure 1) are organised under three main headings: Accountability, Governance Planning and Resource Management. Within these three main headings are a total of nine functional areas. Each functional area has governance control activities associated with it. The practice maps its information security performance against these governance control activities.

Figure 1: Information Security Governance Guidelines (Current version available upon request)

This work is licensed under a copyright license: © 2012 Rachel J Mahncke All Rights Reserved