ABSTRACT

To achieve the goals of IS security management, each organization must establish and maintain organizational structures and governance procedures that ensure the firm’s security policies and procedures are actually carried out. This chapter presents the problem and a framework for ensuring that the organization’s policies are implemented and remain in force over time. Since many of these policies depend on human involvement (employee and customer actions, for example), the goals are met only if such human activities can be influenced and monitored, and only if positive outcomes are rewarded while negative actions are sanctioned. This is the challenge of corporate governance and IT governance. A central issue in IT security governance is the degree to which IT security controls should be centralized or decentralized. This chapter uses a comparative case study in which IT security controls are examined within both a centralized and a decentralized IT governance environment.