Type of Document: Dissertation
Author: Luesebrink, Michael J.
URN: etd-07272011-164711
Title: The Institutionalization of Information Security Governance Structures in Academic Institutions: A Case Study
Degree: Doctor of Philosophy
Department: Communication, School of; Communication Science and Disorders, School of; and the Library and Inform
Advisory Committee:
- Gary Burnett, Committee Chair
- Besiki Stvilia, Committee Member
- Lawrence C. Dennis, Committee Member
- David Paradice, University Representative
Keywords:
- Information Security
- Governance
- Security Policy
- Academic Institutions
- Policy Development
Date of Defense: 2011-05-03
Availability: unrestricted
Abstract:
This dissertation is a descriptive case study of information security governance in higher education institutions. It is a qualitative study that describes, through institutional theoretical
constructs, the information security governance frameworks responsible for the protection of
sensitive personal information at three large public research universities. The objectives of the
study are to 1) assess the impact of the regulative policy environment on security management
structures in higher education, specifically addressing the regulative initiative, the Gramm-
Leach-Bliley Act (GLBA), and the strategic initiative Information Security Governance: A Call
to Action; 2) describe the information security governance structures in academic institutions in
terms of examining the roles and responsibilities of the security governance actors in the large
public research universities that participated in the case study; and 3) describe the impact of
information security governance on the institutionalization of information security enterprises in
higher education in terms of strategic security outcomes, namely strategic planning, security
policy development and security program development.
The study begins with a descriptive assessment of the regulative compliance policy
environment by first describing the historical background that led to the modern conceptual
framework of information security, which evolved from the inception of national security after
World War II. It laid the groundwork for describing the institutional regulative environment that
affects information security governance frameworks in the institutions that participated in the
study. The assessment examines the regulative initiatives that affect the protection of sensitive
personal information, which were addressed by the participants in the study that include: The
Family Educational Rights and Privacy Act (FERPA); the Health Insurance Portability and
Accountability Act (HIPAA); GLBA and related financial instruments including the Sarbanes-
Oxley Act, Fair and Accurate Credit Transactions Act (Red Flags Rule) and the Program
Compliance Industry (PCI) standard.
The security enterprises at three large public research universities agreed to participate in
the case study. At each institution, a set of three security governance actors from each
university, namely the Chief Information Officer, Chief Security Officer and Chief Compliance
Officer or IT Auditor agreed to be interviewed for the study. Each participant was interviewed
regarding their roles and responsibilities within the institutional security enterprise at their
university, and they were asked to describe, from their perspective, their university’s institutional
security governance frameworks in terms of regulative compliance, strategic planning and
security policy and program development. After transcribing and evaluating the data from the
field site interviews, each institutional security governance structure was described using the
organizational narrative approach. The organizational narratives provided a story line on how
their information security governance structures developed within their institutional frameworks.
The three narratives are followed by a discussion based on a comparative analysis of the
security structures and mechanisms in place at each university. The results from the comparative
analysis indicate that the strategic initiative, Information Security Governance: A Call to Action,
a normative governance mechanism, did not have a direct impact on the development of any of
the institutional security enterprises that participated in the study, but do suggest that GLBA, a
coercive governance mechanism, has had an indirect influence on the institutions by mandating
they have information security programs embedded within their governance frameworks and that
they designate institutional information security officers at their institutions. In each institution,
no antecedents to information security governance were identified, but at each university, the
information security enterprise reported directly to IT. The CIO, at each university, was the
institutional strategic security officer, while the Chief Security Officer was responsible for
supervising security staff and managing operational and regulative compliance issues. The results
also suggest the role of the Chief Compliance Officer is still in the development stages in IT
security enterprises. The results also revealed two potentially important factors that require
further investigation. First, the results suggest that culture plays a pivotal role in the success of
information security governance frameworks in higher education. Second, the results suggest
that organizational maturity plays an important role in the robustness of information security
governance structures and security enterprises in academic institutions.
Files: Luesebrink_M_Dissertation_2011.pdf (1.15 Mb)