
http://www.iaeme.com/IJARET/index.asp 244 [email protected]

International Journal of Advanced Research in Engineering and Technology (IJARET) Volume 11, Issue 7, July 2020, pp. 244-265, Article ID: IJARET_11_07_026

Available online at http://www.iaeme.com/IJARET/issues.asp?JType=IJARET&VType=11&IType=7

ISSN Print: 0976-6480 and ISSN Online: 0976-6499

DOI: 10.34218/IJARET.11.7.2020.026

© IAEME Publication Scopus Indexed

INITIATION OF EGIT THROUGH THE SECURITY REVIEW PROCESS: A CASE STUDY OF KT&G CORPORATION

Kwansoon Park, Boyoung Kim

Seoul Business School, Seoul School of Integrated Sciences and Technologies (aSSIST), Seoul 03767, Korea

ABSTRACT

Within the rapidly changing technology environment, companies are under strong pressure to shift to technology-based management methods and new business models. Accordingly, Enterprise Governance of IT (EGIT) is moving beyond IT management and operation activities to become a priority activity of corporate business strategy. Various approaches to establishing it are being tried: top-down approaches, the de facto best practice, form the mainstream because they offer effective control, whereas bottom-up EGIT approaches, which build the system step by step, are hard to find. The authors therefore conducted a case study of KT&G Corporation, a Korean manufacturer that initiated a successful EGIT system by establishing it bottom-up. According to the analysis, a “bottom-up EGIT system leveraging the security review process,” designed by KT&G’s information security manager and IT control manager, was carried from the sub-organizations (departments) of the governance structure up to the higher organizations (institutions), structuring the realization of EGIT across the enterprise through process control and communication. This approach also had the advantage that all of the company’s organizations, including the security and control organization, could gradually come to understand EGIT and rapidly proceed with independent EGIT projects. Through the case analysis, four essential requirements for establishing a bottom-up EGIT system are presented.

Key words: EGIT, IT Governance, ISMS, Security review process

Cite this Article: Kwansoon Park, Boyoung Kim, Initiation of EGIT through the Security Review Process: A Case Study of KT&G Corporation, International Journal of Advanced Research in Engineering and Technology, 11(7), 2020, pp. 244-265. http://www.iaeme.com/IJARET/issues.asp?JType=IJARET&VType=11&IType=7

1. INTRODUCTION

After the modern concept of corporate governance was established in the 1970s [1], the importance of EGIT, the concept of IT governance, began to emerge as IT's role in corporate management expanded in the early 1990s [2,3]. EGIT can be defined as the part of enterprise-wide governance activity that links the value of information technology to the value of the enterprise and its businesses when solving management problems or building business strategies [4-8]. Within today's rapidly changing technology environment especially, companies are strongly required to shift their paradigm to technology-based management methods and to create new business models. As a result, EGIT is shifting beyond IT management and operation activities to become a priority activity of corporate business strategy [3,9-12].

Although information technology generally has an indirect impact on a company's competitive advantage [13], in some businesses, such as games, FinTech, e-commerce, and cloud services, competitive advantage is led directly by IT, depending on the nature of the business [14,15]. In addition, two further phenomena have appeared: companies developing fields of application only after a technology has been implemented, as in the field of artificial intelligence [16], and companies adding innovation by digitalizing traditional business formats through IT, as in digital transformation [17]. Moreover, amid these changes in the corporate environment, information security issues have emerged as a significant risk management item, since a company's information assets include the information assets of its partners and the personal information of its customers [18]. With the increase in information security issues, various regulations and laws are being created in the market [19]. Furthermore, the security review process, which can be applied as a security safeguard to an enterprise's overall business activities, has emerged as an important activity in establishing an Information Security Management System (ISMS) in terms of risk management and preventive control [20-22].

However, contrary to the emergence of a variety of new EGIT-related concepts and approaches, corporate activities for EGIT are often not linked to enterprise-wide governance, or they fail in continuous management and operation [5]. In this respect, a 2011 global status report on the governance of enterprise IT pointed out the following reasons: communication issues, trying to do too much at once, and lack of senior management commitment and support [23]. Control Objectives for Information and Related Technology (COBIT) 2019, the most representative implementation framework for EGIT, also points out that the success of EGIT requires active support from management and the board of directors [24]. Also, although a holistic approach to implementing EGIT has been highlighted in many studies [3,25], there is a lack of prior research from the same point of view that could serve as a detailed guide to actual establishment and application.

This study, therefore, aims to present a bottom-up EGIT establishment method using the security review process, which is part of the enterprise information security process. To this end, the case of KT&G, a large Korean manufacturing company, was analyzed: the security review process was established first, and a new EGIT method that approaches ISMS and EGIT by stages was built on it. KT&G's case is distinctive in that it attempted the security review process from the perspective of the information security manager (ISM) and the IT control manager, outside the form of a top-down approach [10,11,24,26]. In addition, it is significant that KT&G built a successful information security strategy by overcoming the low interest and indifference of management and stakeholders that most companies experience in the early stages of EGIT [23].

2. RELATED WORK

2.1. Enterprise Governance of Information Technology

The term IT governance was first used by Loh and Venkatraman (1992) [2]. The concept of “IS governance frameworks” was then discussed by Brown (1997) [27]. A review of the prior studies of IT governance shows that early studies focused on the form and structure of IT governance [28-31]. In 1996, the Information Systems Audit and Control Association (ISACA) issued the IT governance framework Control Objectives for Information and Related Technology (COBIT), which began to be used as a standard framework for IT governance that was actually applicable to enterprises [3]. Since the 2000s, with the advent of frameworks such as COBIT and ISO/IEC 38500, research has begun in earnest into the processes and relational mechanisms needed to establish IT governance [4,32,33]. Typically, De Haes (2015) argued that the purpose of EGIT is to create value by linking business with IT and that, for this, EGIT should be established within an enterprise from a “holistic approach” point of view. This reflects that the roles of IT have now been expanded and redefined as roles of EGIT, covering the combination of the sharing economy and platform business, digital transformation, blockchain, the Internet of Things (IoT), FinTech, cloud services, and artificial intelligence, beyond IT’s past role as an operational and administrative support department [14-17,34-41].

The existing prior studies emphasize the importance of an enterprise-wide approach to EGIT [24,42,43]. This means that EGIT should be linked to enterprise-wide governance, be structured as one with it, and be applied to all information processing and technology systems of a company. It also means that EGIT should be implemented as an extension of a company’s activities to establish and maintain ownership, management, use, and responsibility [44].

Approaches to EGIT can be divided by traditional organizational structure and by project leading agent. First, in terms of organizational structure, dichotomous initial studies on centralized and decentralized forms were published by King (1983), Chervany (1980), Tavakolian (1989), and Zmud (1984) [28-31], and studies were conducted on choices that fit the conditions of efficiency under centralization and flexibility under decentralization [27,45,46]. These studies on structural form led to the recognition that dichotomous approaches were not suitable for all organizations, and various IT governance forms were proposed, such as the federal form of Jacobs (1986) and the hybrid form of Brown (1997) [27,47]. As an extension of contingency theory, the argument of Brown and Grant (2005) that, in terms of organizational structure, there is no IT governance structure that satisfies all organizations in general has begun to draw attention.

The internal approaches to establishing EGIT are divided into top-down and bottom-up approaches. The objective of EGIT, to create value for stakeholders and the corporation, requires an accurate understanding of stakeholders' needs and setting those needs as goals. The decisions on this are ultimately discussed and judged by shareholders, the board of directors, and management. Thus, the top priority in the COBIT framework and in many researchers’ assertions is to set goals through an understanding of the enterprise context and strategy. This can naturally be structured relatively clearly in top-down approaches. In addition, the corporate strategies and risks as viewed by unit departments at the bottom of the EGIT structure may differ from those viewed by management.

Furthermore, from a departmental point of view, the role of unit departments can be limited to a microscopic range. Understanding and implementing EGIT at the member and departmental unit levels is essential for the enterprise-wide settlement of a robust governance system through top-down approaches. A lack of understanding of EGIT at the working-group level is a failure factor in establishing the EGIT system [48] and, in a similar vein, many IT systems are abandoned even though they were developed by management's decision [36]. This may be caused by top-down EGIT systems that are built and operated without sufficient communication between IT departments and management.

On the other hand, bottom-up EGIT systems find it relatively difficult to obtain support from, and to open communication with, management. However, since bottom-up EGIT systems are chosen in an environment where management has a low understanding of EGIT or no framework for its necessity, there is often no alternative to a bottom-up EGIT system. At a time when technological change and paradigm shifts are accelerating as they are now, bottom-up EGIT approaches show that applying IT strategy to corporate strategy is effective, by enabling companies to implement IT technology-led businesses. From the establishment perspective, bottom-up EGIT systems are highly dependent on the EGIT expertise of internal staff and should be implemented by gradually expanding the influence of the relevant departments from the base upward. In the case of bottom-up EGIT systems, therefore, the presence or absence of individuals with knowledge and amicable communication skills affects the success or failure of a smooth establishment [38].

Although conceptually there is a distinction between top-down and bottom-up EGIT systems, Yannick (2014) argued that for a successful establishment of EGIT the two methods must be implemented in combination [49]. In the federal, decentralized, and hybrid forms of the aforementioned structural aspects, bottom-up approaches must always accompany top-down approaches for successful establishment. Despite the advantages of top-down approaches, bottom-up approaches should be considered at the same time because they are capable of a holistic approach in terms of EGIT drivers and are effective in establishing an end-to-end governance system that encompasses all parts of an organization [50]. Finally, one reason why studies on bottom-up approaches are hard to find is that when an enterprise starts with a top-down approach in its initial EGIT establishment, the bottom-up approaches included within the establishment process tend not to be discussed as part of the larger framework [51].

2.2. Security Review Process and Enterprise Governance of IT

Information security reached a point of great transformation in 1989, when Tim Berners-Lee invented the World Wide Web and computer systems became easily connected to each other over a network to store, transmit, and process data [52]. This radical paradigm shift in the forms of information and management led to the need to develop management systems for systematic information security, which drew attention beginning in 1995 when the BSI Group introduced the first information security management system (ISMS) framework, BS 7799 [53]. Since then, ISMS frameworks have continued to be refined, leading to ISO/IEC 17799 and ISO/IEC 27001, and have evolved into frameworks that can be applied to new technologies [53].

In particular, ISO/IEC 27001:2013, which enjoys the highest public confidence and had been adopted by 31,910 organizations worldwide as of 2018, uses the plan-do-check-act (PDCA) cycle as its basic process [54-56]. In addition, risk management, a key domain, is handled in depth by a separate standard, ISO/IEC 27005 [57]. This has the same orientation as all ISO management system frameworks, which include a risk assessment item [58,59]. Furthermore, ISO 31000, on which ISO/IEC 27001 risk management is based, divides the risk assessment step of the PDCA risk management process into three stages: risk identification, risk analysis, and risk evaluation. As for ISO/IEC 27001, many studies and success stories have been published, and certification is officially granted when an external audit by a certification body is passed, so many countries and industries use it as a measure of the level of information security.

In addition to the ISMS frameworks, a number of studies have been done on risk assessment techniques from the security perspective. As Albakri (2014) and Kong (2018) point out, risk assessment techniques have evolved into framework and risk management process perspectives in order to manage various types of risk effectively in line with rapidly changing business environments and new technologies [60,61].

The security review process (SRP) is a concept derived from security risk assessment. It is a process included in security risk management. The control item that best describes it is ISO/IEC 27001:2013 A.18.2, Information Security Reviews, which was newly added in the 2013 revision. The security review process can serve as part of risk management in a broad sense, but it is an independent control item. In other words, although the security review process may be carried out within the security risk management area, depending on the corporate environment and convenience, it cannot be excluded from the control items or replaced by risk assessment [62]. In fact, it is the software source code review area that has become the catalyst for security review.

In the late 1990s, the concept of application security began to emerge [63], and security frameworks for application development began to be introduced. Typical examples include Microsoft’s Security Development Lifecycle (SDL) [64], the Building Security In Maturity Model (BSIMM) of Sammy Migues and colleagues [65], and OWASP’s Software Assurance Maturity Model (SAMM) [64]. These frameworks have been expanded not only to the application area but also to other areas needed for services and have become the foundation for the security review process [66].

The importance of the security review process in enterprise security is in line with the importance Boehm (1989) gave to “continuous risk management” for the success of software projects [67]. In the same year, Charette claimed four benefits of continuous risk management: 1) it can prevent problems in advance, 2) it can improve the quality of products and services, 3) it can use resources more appropriately, and 4) it can strengthen stakeholder ties by sharing project problems together. These are in line with the philosophy of the security review [68].

Ultimately, the security review has evolved into a key process for enterprises to implement continuous risk management, the most ideal method of risk management from the information security project perspective [69]. Also, the relationship between the systematic construction of enterprise security and EGIT can be described as the relationship between the ISMS frameworks, which include the security review, and the EGIT frameworks, and various studies on it have been conducted. Mataracioglu (2011) and Rafael (2018) proposed matters to be considered and benefits of implementing ISMS and EGIT at the same time [70,71], while Sheikhpour (2012) suggested how to map and use the ISMS frameworks in EGIT establishment [72]. In addition, the use of the details of ISO/IEC 27001 and the NIST SP 800 series as externally linked frameworks for the information security area is directly mentioned in COBIT, the EGIT framework most commonly used in companies [9,10,24,73-78]. To achieve corporate information security, the ISMS frameworks for establishing a systematic information security system are essential. The security review process is a means of implementing the risk management portion, a key area of the ISMS frameworks, in the ideal form of “continuous risk management.”

3. RESEARCH METHOD

3.1. Case Selection

In this study, KT&G Corporation, Korea’s leading manufacturer, was selected as the case study target, as it has been carrying out successful EGIT projects by structuring the Information Security Management System (ISMS) in a top-down manner and the EGIT system in a bottom-up manner throughout the enterprise. KT&G was a traditional tobacco manufacturer, but with the advent of electronic cigarettes it has been gradually pursuing a digital innovation strategy focused on technology products.

According to the KT&G Sustainability Report, its R&D investment increased to KRW 122.4 billion, 160.8 billion, and 178.9 billion in 2016, 2017, and 2018, respectively. Additionally, technology strategies are being further strengthened in line with the digital innovation strategy. Intensive investment in the electronic cigarette sector (a core strategic technology), continued investment in IT infrastructure and information security, the building of new organizations such as the next generation product (NGP) department and the information security department, and projects such as the establishment of a next-generation computer center and next-generation information security systems are being actively promoted.

These were triggered by the “Security Level and IT Organization Diagnosis Consulting” conducted in two rounds in 2017. Based on the reports submitted by outside experts, management made decisions on establishing an appropriate level of security environment and manpower and on renovating the obsolete IT infrastructure. Accordingly, the company recruited a number of experts in hardware, software, IT service management (ITSM), DevOps, and information security from the second half of 2017 through 2018. Since then, as the expertise of the new professionals affected the corporate organization, requirements for systematic IT management and information security began to emerge from the line divisions, and the need for EGIT was reviewed at the level of the IT control managers and information security managers, who were experts in EGIT.

However, the aforementioned first and second rounds of consulting reports consisted of product-oriented methods that could meet each control item on the premise that ISO/IEC 27001 and K-ISMS certifications would be obtained, from the information security management system (ISMS) perspective. This means that the goals of the internal and external stakeholders who led the corporate diagnosis project, including the consulting firm that performed the diagnosis at the time, were far from EGIT. In addition, the diagnosis team included a number of information security and infrastructure technical personnel because the diagnosis was focused on technical computer audits and simulated hacking. The direction, therefore, was naturally set toward information security projects centered on the ISMS and the replacement of outdated infrastructure equipment.

The task force team (TFT), which was finally assigned its missions against this background, strategically needed to readjust the existing master plan in consideration of EGIT. The TFT, which consisted of the newly reinforced professionals, formed a consensus to properly utilize the opportunity, since an appropriate level of expertise and relatively large-scale investment were available. In addition to the purely security-related aspects resulting from the diagnosis, various topics were discussed in the TFT, including organizational systems, Business Continuity Planning (BCP), EGIT, Korean International Financial Reporting Standards (K-IFRS), internal control, and ITSM. In this discussion, the TFT concluded that it was unreasonable to carry out these various missions at the same time while understanding of EGIT throughout the enterprise was low.

The TFT’s final conclusion on EGIT was that EGIT establishment was an essential item for corporate governance and was necessary in some form, so a bottom-up approach accessible to unit departments was decided upon. For the bottom-up approach, the TFT set five principles: 1) the scope of EGIT should not be set too broadly; 2) the EGIT framework should not be limited to COBIT, COSO, or ISO/IEC 27001, but rather the most necessary control items should be selected and pursued; 3) the ISO/IEC 27001 and K-ISMS [79] certifications, which the company had determined to obtain, should be used as leverage; 4) information security governance should be enabled to promote IT governance; and 5) the approach should reduce organizational resistance as much as possible. In conclusion, the TFT introduced a step-by-step plan that expands EGIT establishment outward from the security review process.


3.2. Analysis Framework and Process

This study, therefore, was intended to analyze the case of KT&G, which successfully triggered EGIT through a bottom-up approach rather than through the enterprise-level EGIT activities and top-down approaches of the existing frameworks, and which is establishing EGIT by stages on the basis of a previously untapped security review process, in order to present successful ways of overcoming the limitations of EGIT establishment in various business environments and circumstances. To do this, a two-stage research procedure was designed.

First, to review the EGIT establishment process based on KT&G’s security review process, the EGIT structural model presented by De Haes and Van Grembergen (2009), which consists of the three areas of structures, processes, and relational mechanisms (Figure 1), was used. This model shows how KT&G was able to structure the bottom-up security review process inside the company in each area.

Figure 1 Research Framework to EGIT Building (De Haes and Van Grembergen, 2009)

Second, based on the model of the components of the COBIT 2019 governance system (Figure 2), the study set out to identify the impacts of KT&G’s security review process on EGIT and the key success factors that led to a successful EGIT establishment.

Figure 2 Research Framework to Finding the Critical Factors (COBIT, 2019)


4. CASE STUDY

4.1. Building the SRP-based EGIT

KT&G formed a TF team to establish a security review process in 2018 and built a three-stage business plan: building the ISMS in the first stage, operating the ISMS in the second stage, and initiating EGIT in the third stage (see Figure 3). Initially, the EGIT and COBIT 2019 frameworks were unfamiliar to management, but management agreed that the importance of information security in the competitive market was growing and that information security management was needed from the perspective of enterprise-wide governance, including governance of geographically separated overseas branches and affiliates. Above all, the main reason for agreeing to this need was certification, because certification acquisition can easily be linked to corporate performance and used as a key performance indicator (KPI) for management. Accordingly, the company aimed to officially acquire both ISO/IEC 27001 certification and K-ISMS certification through the Korea Internet & Security Agency (KISA), a publicly trusted certification body. Specific security processes were established by subdividing the unit security activities contained in the control items in compliance with these certification criteria.

Figure 3 Building Process of KT&G’s SRP-based EGIT

4.1.1. Planning Phase

Accordingly, the TF team defined the security measures of the project planning stage in the planning-stage review of the security review process; a project proceeded only after the information security department had been asked to review the security level of the planning stage and that review had been completed. The following pre-information-security requirements were analyzed through inspection of the request-for-proposal requirements: whether the project conforms to law, internal and external regulations, and the service level agreement (SLA); whether development security requirements are included if the project includes application development; and whether the hardware and network architectures meet internal requirements. In particular, if the planning-stage review was required or decided only after the request for proposal and orders had already been distributed to business partners or internal parties, it was important to ensure through sufficient communication and prior consultation with the business departments that no issues would arise, because the direction of the project could change depending on the outcome of the review.


4.1.2. Design Phase

During the design phase, whether the project could conform to the company’s internal information security standards and guidance was discussed, and the outputs to be submitted at the inspection phase were defined. The security guides were written in detail by type to reduce friction between the project implementation teams and related departments, because under the principles of the security review a project could not be deployed for lack of security approval unless final approval from the information security department was obtained at the inspection phase. Furthermore, such issues could be directly linked to financial or legal problems with project contractors or to the performance of related departments. For this reason, building clear standards and consultation processes was essential in establishing the security review process.

In this context, KT&G flexibly approved its policies by describing technical control items in its guidance, to maintain consistency with other internal instructions and guidance, while defining the items for security review as mandatory in its guidelines. Generally, the guidance was not mandatory, but where parts of it required compliance because of the nature of the processes, they were defined separately in the parent policy and in security policies that applied only to the contractors who had to follow them.

Projects took several forms: pure in-house development, introduction of complete product packages, software as a service (SaaS), and additional development on top of open-source engines. For packaged products and SaaS, prior coordination with the business departments was needed at the time of introduction, because customized development was impossible and modification was difficult if the product did not meet internal standards. For pure in-house development, the process included coordinating compliance of the system, software, infrastructure, and security functional structures. In conclusion, the technical and administrative security requirements necessary for final inspection, which were at the core of the design-phase security review, were finalized.

4.1.3. Final Inspection Phase

In the final inspection phase, whether the inspection outputs requested in the design phase were properly submitted was reviewed. Checks on the items requested at the design phase were performed for final inspection; the assessed outputs included the step-by-step inspection confirmation document, security function checklist, data flow diagrams, personal information flow diagrams, personal information processing policy, network/software/hardware block diagrams, simulated hacking reports, secure coding results, the CCE/CVE/CWE vulnerability check results report, final contracts, SLA agreements, NDAs, and other security-related project documents. Items that did not meet the requirements in this phase were returned, and performance checks were carried out again after corrective actions were taken. These performance checks frequently concerned technical items such as CVE, CCE, CWE, simulated hacking, and secure coding, and operated in a loop in which actions and performance checks were repeated whenever the result was not sufficient.

In particular, an exception was possible only when both the Chief Information Security Officer (CISO) and the Chief Information Officer (CIO) approved the exception-handling items. Those items were recorded in the risk register and reviewed again in the regular risk assessment at a later date. This exception process involved a combination of technical and administrative items, and depending on the security review target, anywhere from 5 cases or fewer to 20 cases or more occurred per day. In the early stages of process establishment these processes required relatively large resources and were inefficient because of the increased workload of the CISO and CIO. Afterward, similar cases were classified and the details of exceptions were pre-defined, and the process then developed into a form in which prior reporting was separated out only for high-risk cases. In other words, the level of acceptable risk in terms of risk management was determined while risk response strategies, i.e., responses according to the size of the risks, were implemented.
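The three review phases above, the return-and-re-check loop for technical items, and the CISO-plus-CIO exception path that feeds the risk register can be expressed as a small ticket state machine. The following is an added example written for this page, not KT&G's own system or code; the item names, ticket ids and dataclass fields are constructed placeholders, and the planning-stage checks are reduced to three booleans for illustration.

```python
"""Phased security review ticket, modelled on the case description above.

Constructed example: item names, ticket ids and field names are placeholders.
"""
from dataclasses import dataclass, field
from enum import Enum


class Phase(Enum):
    PLANNING = "planning"                  # planning-stage review by the information security department
    DESIGN = "design"                      # inspection outputs for the final phase are defined here
    FINAL_INSPECTION = "final_inspection"  # outputs are checked; failures are returned
    RETURNED = "returned"                  # project team acts on returned items and resubmits
    APPROVED = "approved"                  # final approval; the project may be deployed


# Outputs requested at the design phase and checked at final inspection (names follow the case text).
FINAL_INSPECTION_ITEMS = (
    "inspection_confirmation", "security_function_checklist", "data_flow_diagram",
    "personal_info_flow_diagram", "personal_info_processing_policy", "block_diagrams",
    "simulated_hacking_report", "secure_coding_results", "cce_cve_cwe_report",
    "final_contract", "sla", "nda",
)
# Technical items that loop through "action, then re-check" until the result is sufficient.
TECHNICAL_RECHECK_ITEMS = frozenset({"simulated_hacking_report", "secure_coding_results", "cce_cve_cwe_report"})
# An exception needs both officers; neither alone can accept a residual risk.
EXCEPTION_APPROVERS = frozenset({"CISO", "CIO"})


@dataclass
class ReviewTicket:
    ticket_id: str
    phase: Phase = Phase.PLANNING
    failed_items: list = field(default_factory=list)
    inspection_rounds: int = 0
    risk_register: list = field(default_factory=list)  # accepted exceptions, re-reviewed at the regular risk assessment


def run_planning_review(ticket, *, complies_with_regulations, dev_security_ok, architecture_ok):
    """Planning-stage review: the project moves to design only if every pre-requirement holds.
    On failure the ticket stays in PLANNING, so the project must re-request after consulting the business side."""
    if ticket.phase is not Phase.PLANNING:
        raise ValueError(f"{ticket.ticket_id}: not in planning phase")
    if complies_with_regulations and dev_security_ok and architecture_ok:
        ticket.phase = Phase.DESIGN
        return True
    return False


def finish_design_review(ticket):
    """Design phase ends with the inspection outputs agreed; the ticket moves to final inspection."""
    if ticket.phase is not Phase.DESIGN:
        raise ValueError(f"{ticket.ticket_id}: not in design phase")
    ticket.phase = Phase.FINAL_INSPECTION


def run_final_inspection(ticket, submitted):
    """submitted maps item -> bool (passed). Missing items count as failed.
    Items already accepted into the risk register are not re-checked here.
    Returns the items returned to the project team (empty list means approved)."""
    if ticket.phase not in (Phase.FINAL_INSPECTION, Phase.RETURNED):
        raise ValueError(f"{ticket.ticket_id}: not awaiting final inspection")
    accepted = {entry["item"] for entry in ticket.risk_register}
    ticket.inspection_rounds += 1
    ticket.failed_items = [item for item in FINAL_INSPECTION_ITEMS
                           if item not in accepted and not submitted.get(item, False)]
    ticket.phase = Phase.RETURNED if ticket.failed_items else Phase.APPROVED
    return list(ticket.failed_items)


def pending_technical_rechecks(ticket):
    """Returned technical findings that must go through another action/re-check round."""
    return [item for item in ticket.failed_items if item in TECHNICAL_RECHECK_ITEMS]


def approve_exception(ticket, item, approvers, reason):
    """Accept a returned item as an exception. Requires both CISO and CIO; the accepted
    risk is written to the risk register for the next regular risk assessment."""
    if item not in ticket.failed_items:
        raise ValueError(f"{item} is not an open finding on {ticket.ticket_id}")
    missing = EXCEPTION_APPROVERS - set(approvers)
    if missing:
        raise PermissionError(f"exception for {item} still needs approval from {sorted(missing)}")
    ticket.risk_register.append({"ticket": ticket.ticket_id, "item": item, "reason": reason,
                                 "approved_by": sorted(set(approvers)),
                                 "review_at": "next regular risk assessment"})
    ticket.failed_items.remove(item)
    if not ticket.failed_items:
        ticket.phase = Phase.APPROVED


if __name__ == "__main__":
    # Walk one constructed ticket through all phases, including one returned round and one exception.
    t = ReviewTicket("SR-EXAMPLE-001")
    run_planning_review(t, complies_with_regulations=True, dev_security_ok=True, architecture_ok=True)
    finish_design_review(t)
    outputs = {item: True for item in FINAL_INSPECTION_ITEMS}
    outputs["cce_cve_cwe_report"] = False      # scanner still reports open findings
    outputs["nda"] = False                     # contractor NDA not yet countersigned
    print("returned:", run_final_inspection(t, outputs))
    approve_exception(t, "nda", ["CISO", "CIO"], "NDA signature pending; contract clause covers confidentiality")
    outputs["cce_cve_cwe_report"] = True       # re-check after remediation
    print("returned:", run_final_inspection(t, outputs), "->", t.phase.value)
```

The design point worth noting is that an exception never removes a finding; it moves it into the risk register, where the next regular risk assessment picks it up, and a resubmitted inspection skips only items that are already on that register.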

4.1.4. EGIT Application of Security Review Process

The TFT attempted to identify interrelationships from an EGIT perspective and use them as leverage in establishing the security review process. Based on COBIT 2019 control items, the TFT identified the items to which the security review process could apply, and decided that these would form the foundation when the EGIT project was implemented. Through this gap analysis, KT&G’s TFT concluded that gradually increasing the control items associated with EGIT, while continuing to add formal security activities such as the security review process, was meaningful in two respects. First, it was a process of complying with the actual EGIT control items in an agile fashion; second, making the internal stakeholders understand the EGIT activities, and continuing to expose the organization to them, ultimately served as a foundation for their continuous support of the EGIT implementation. This approach internalized the risk management process based on the security review process, which evolved into regular meetings of the information security committee based on that risk management process. This in turn created an opportunity to consult on regular information security agendas.

The TFT selected the security review process as the most critical security activity in the establishment of EGIT, because implementing the security review process was judged to be the most appropriate key process from the perspectives of ISMS construction (the basic goal of the task), security architecture set-up, and EGIT establishment. Notably, the security review process helped the IT risk management system settle naturally into the organization. This is also meaningful in terms of the continuous risk management emphasized by EGIT [80]. In the periodic risk management process, risk could be managed more actively by focusing on the risks of the organization and its systems, and by detecting changes and risks in the organization in short, project-sized time units through use of the security review process for project-level risks. This is directly related to the management’s immediate awareness of security risks and their decision-making actions. The fact that the information security committee was held 2 times in 2018 and 4 times in 2019 shows that a culture of risk management was being built in the organization relatively quickly.

Since then, KT&G has implemented the EGIT system in a hybrid format that manages continuous risk through the security review process and, in parallel, diagnoses the entire organization through regular risk assessment activities. This resulted in an average of 30, and as many as 50, combined security review tickets being handled per month.


Figure 4 Implication Structure of SRP based EGIT of KT&G

4.2. Critical Factors affecting the Implication Success

4.2.1. Process

In fact, tracking security review requests and completed processes showed that one completed inspection-phase security review ticket required 21 transactions on average if processed on the primary request, and 37 transactions if additional performance checks were required. Upon the initial request, with internal approval from the relevant business department, the information security department, depending on the circumstances, issued sub-tickets of the initial ticket and transferred the request to the core module. The results collected from each field were fed back to the information security department and, if appropriate, the business department shared the approved contents, together with the approval notification, with the development department and the infrastructure operation department. Also, the results of the technical vulnerability check were stored in the SR core module by performing the check and the performance inspection automatically.

These results were used not only for the security review but also as basic information for the regular risk management activities and vulnerability management processes. To control DevOps environments efficiently, so that the security review process works effectively in a development environment mixed with traditional methods, a secure coding plug-in was embedded in the developer’s Integrated Development Environment (IDE), and the application cannot be built if its source code does not meet the set security criteria. In the KT&G case, when the security review process was first set up, the stakeholders did their jobs through various communication channels, ignoring the procedures.

These inconsistent work requests caused confusion and exceeded the work resources that the information security department could handle. Normal operation became possible only after the ticket management system, built on Jira, was integrated into IT service management (ITSM). This example confirmed that an automation system is essential for establishing processes that involve control. After that, all processes were implemented on the basis of automation.

As originally planned, the TFT expanded the concept so that the security review process, a unit process of information security activities, could be linked to the ISMS’s information security frameworks and finally implemented in EGIT; that is, a well-established process was manageable as an extended concept in which the management and governance direction systems of the ISMS communicate. As shown in Figure 4, this led to a process in which the information security issues of business departments in the organization were passed beyond the management up to the board of directors, centering around the information security department, which serves as a window for continuous communication with stakeholders.

Figure 5 Information Protection-centered Communication Process

4.2.2. Organizational Structures

The information security committee, in which the chief information security officer (CISO) participates, has become a channel for the management to discuss security issues arising from all of the enterprise’s departments through the security review process. The management committee has become the highest management decision-making body that can be consulted on IT, including information protection. The link between the information security committee and the management committee is within the scope of the ISMS, and the final board reporting and audit committee reporting are within the scope of direction required by EGIT. As a result, KT&G has an EGIT process structure built through the security review process, as intended.

To raise the information protection organization to the level of corporate-wide activities, it was necessary, among other things, to upgrade the authority of the chief information protection officer. The TFT in this case determined that this was important for the implementation of EGIT from the information protection and IT control perspectives. Moreover, the restructuring of the security organization was spurred because the Enforcement Decree of the Act on Promotion of Information and Communication Network Utilization and Information Protection was set to take effect in the relevant period. This enforcement decree required the mandatory designation of a CISO for companies with assets of KRW 5 trillion or more and prescribed the qualifications of the CISO in detail. Thus, the company became actively interested in designating a qualified CISO and in designing its information protection organization.

In this regard, the company commissioned a consulting firm to perform a case analysis of information protection organizations and, based on the results, the strengths and weaknesses of qualified internal persons and external experts were compared and reviewed in various ways, and an internal person was designated by judgment of the management committee. The appointed CISO took on the role of supervising overall information protection management across the company, including the establishment and operation of an information protection management system, internal vulnerability assessment and management, and computer asset risk assessment. Accordingly, the department concerned, originally the information management department, a subdivision belonging to the IT office, was reorganized into a new organization under the Chief Operations Officer (COO) of the management support HQ, in a parallel structure.

The revision was carried out to ensure consistency and to obtain executive power within the organization, by changing the information protection policies and guidelines, by handling practical security tasks through the recruitment of an additional security expert at the managerial level, and by placing an influential internal person in charge of decision-making while managing internal and external interests. In the course of this series of reorganizations, the security review process was identified as a risk in the review of the aforementioned CISO designation requirements of the Enforcement Decree of the Act on Promotion of Information and Communication Network Utilization and Information Protection, and thus came to play the role of a viable trigger.

4.2.3. Principles, Policies, Procedures

KT&G’s security review process covers technical security conditions, development security conditions, the forms of service contracts with external companies, application of SLAs, periodic audits of outsourcing companies, ownership of work products, security training for outsiders, and the collection, use, storage, and disposal of personal information. Since failure to meet legal compliance requirements and the ISMS control items chosen by the company would not result in approval in the security review, three-dimensional revision work was involved. This is also the result of poor compliance and cultural resistance stemming from non-compulsory operation during the guidance period for the security review process in the first two months of 2018.

Consequently, the security review process has had an organization-wide, essential impact, as intended by the TFT, through the process of amending policy guidelines. The impact of the security review process has enabled the revision of internal policy guidelines, directly or indirectly, in accordance with laws and compliance requirements. It has been confirmed that the company’s information protection compliance requirements were continuously improved in line with the PDCA cycle, the basic philosophy of ISMS, and that the value of EGIT, which reflects the risk assessment results and interconnects the requirements of stakeholders, has been met.

As an indirect effect, the security review process has also become a role model for the existing legal compliance monitoring, auditing, personnel management, and purchasing guidance. As the results of each committee, such as the audit committee and the personnel committee, are reflected in policies and guidelines, the security review process has become a driver of organizational impact on the overall implementation of corporate governance.

4.2.4. Information

Before the introduction of the security review process, business and infrastructure departments decided on a project-by-project basis whether to connect to the central management database or to organize information in a separate database. As a result, relatively diverse cloud platform choices and inconsistent database creation were allowed. After the security review process was established, however, information was managed in a concise manner that secured it while taking into account the importance of the information, whether corporate information and personal information were included, the network connectivity segment, and the interfaces and architecture. Above all, control over the collection and use of unnecessary, excessive, and sensitive information became possible, and the business departments’ arbitrary storage of data on external cloud platforms or hosting services could be prevented.

This information management was also applied to external data generated before the establishment of the security review process: those data were included within the governance scope, forcing a security review at the time of any change. In the KT&G case, data stored independently in an external Internet Data Center (IDC) were unified internally through operation of the security review process, and the existing system was discarded after the ad hoc application service was transferred from the cloud platform to the internal network. This corresponds to the COBIT 2019 EGIT objectives APO014—Managed Data, DSS03—Managed Problems, MEA03—Managed Compliance With External Requirements, and EDM03—Ensured Risk Optimization. Furthermore, new and unregistered assets were brought into the risk management scope over two months in 2018 through a reinvestigation project of unidentified assets, which had been confirmed as risks in the security review. This was a strong driver for executing the asset identification process, the most fundamental part of risk management from an EGIT perspective, which led to the establishment of the Configuration Management Database (CMDB) at the end of 2019 and provided a foothold for the detailed management of the computerized assets that systematically contained the information.

4.2.5. Culture, Ethics and Behavior

The security review process has affected the culture as follows. The security review requires a collaborative coordination process, and if the agreed-upon requirements are not met, the project cannot be closed out. Such an uncompleted project, and the resulting delay in the service opening time, becomes the responsibility of all relevant departments. Because of the security review process, therefore, the organization gradually accepted the security process as part of the project and officially conducted coordination with other departments.

In addition, although the newly created information protection department was not culturally supported, security activities gained momentum and security compliance rates increased relatively as the security review came to be recognized as an official process. A culture was also created of seeking prior advice for each project when reviewing changes in the policies of major departments such as personnel, finance, the human resources development institute, overseas sales, marketing, and sales. Such advice concerned internal and external information protection, customer personal information, and laws and compliance more than security technologies. This prior-advice culture led to a continuous increase in inter-departmental contacts, which naturally served to increase security awareness and a sense of ethics. This was an improvement in organizational culture intended to reduce project risk, seen in the gradual increase in the number of security review requests, including an increasing number of requests for items unrelated to the security review.

It also gradually became internalized that the legal team in charge of the legal review process, which had been established before the security review process, provided collaborative opinions through a security review whenever it determined that a case related to personal information or information protection items. This change in the organization’s internal culture was also seen in the case of collaboration on Web vulnerability removal. Many Web vulnerabilities first identified in 2017, and others newly added and neglected in 2018, were found. Before the establishment of the security review process, the person in charge carried out various promotions and coordination meetings to encourage the development and infrastructure departments to fix their vulnerabilities, but this resulted in an extremely low elimination rate of less than 10%.

To solve these problems, the information security department presented the agenda to the information security committee. The committee decided that the problems were a matter of appropriate education and ordered three sessions of half-day collective education and the placement of 1 simulated hacker and 1 secure-coding expert in the developers’ office twice a week for three months. This provided the information and education needed to deal with vulnerabilities in the same physical space, for immediate resolution. This method supported the organizational culture in two ways. First, the developers’ understanding of secure coding and Web vulnerability handling actually increased and, second, through a process of mutual respect and understanding, communication between departments became smoother and motivated a culture of mutual cooperation. Subsequently, using the lessons learned from this example [66], the support of the infrastructure departments in addressing CVE and CCE vulnerabilities was obtained by deploying system security specialists in the infrastructure operation room during the vulnerability removal period.

Additionally, these internal success stories were reported back to the information security committee to show that the decision-makers’ decisions had produced the intended results, providing the momentum of a virtuous cycle by actively informing them of the success of the process. This is meaningful because, in terms of governance, it is the part that connects the core philosophy of EGIT, namely Monitor, Evaluate, and Assess (MEA) and Evaluate, Direct, and Monitor (EDM), to the governing body.

4.2.6. People, Skills, and Competencies

Once the security review was in operation, more resources were needed than at the initial establishment of the process. As the security review process matured, the number of review requests for various new kinds of cases increased. Consequently, the information security department decided that it needed experts who could fully analyze technical, administrative, and physical security. In response, the KT&G information security manager analyzed the number of security review requests over six months, calculated the budget estimate for the IT portfolio approved for the project, and presented the professionals needed to the information security committee.

The recruitment plan was approved through this process. This confirmed that the security review process had a positive effect on the recruitment of professionals and the training of internal personnel, and that the actual review results and figures made it easier for the management to understand. In the case of KT&G, personnel were assigned to each specialized area, and outsourced and internal personnel were combined to increase efficiency.

Finally, the security review team consisted of the general manager of security review, the director of security review and personal information, the specialist for secure coding, the simulated hacker, and the expert for infrastructure vulnerabilities. The team was also designed to assess the number of security review processes and the adequacy of resources each year and to reallocate staff accordingly. These staffing arrangements met the COBIT 2019 objective DSS02-Managed Service Requests and Incidents in terms of EGIT. Also, for effective resource management, additional outsourcing SLA contracts provided flexible support with additional personnel when the workload increased and, when regular work decreased, those personnel were placed on process upgrading tasks, enabling stable operation.

In another instance, the establishment of the security review process led to the IT department’s demand to understand the overall security frameworks and, in 2019, ISO27001 examiner training was conducted for the IT department over five days. This is a virtuous cycle triggered by the security review, which became an opportunity to internalize security within the company.

4.2.7. Services, Infrastructure, and Applications

KT&G was an organization with a limited understanding of information security, so it needed a strategic approach to changing its organizational structure with limited authority and resources. From the EGIT perspective, the primary objective of the security review process was to gain the understanding and support of the management and the board of directors through these activities. From the structural point of view, the security review process embodied continuous risk management on the security side and played a key process role in EGIT as an intermediate filter in the core areas of COBIT, as shown in Figure 6.

Figure 6 COBIT 5 Governance and Management Key Areas

An automated ticket processing system was needed to implement smooth procedures in this structure. The automated system reduced the resources spent on unnecessary interdepartmental assignment of work and enabled fair review unaffected by human emotions. In particular, because of the nature of the security review, the automated system serves as a filter for internal and external regulations and control items, and it is difficult to apply fair and consistent standards when the interests of the responsible personnel and departments affect it. In conclusion, a well-implemented security review management system adds administration and governance elements from a security perspective to all systems included in the review. Specifically, the systems affected by the security review process were the source code configuration management system and the DevOps system. The source code configuration management system was reorganized to suit the security conditions, and source code that had been stored autonomously on developer PCs or unauthorized systems was unified and managed there. As regards DevOps, changes that had not been approved in the security review were systematically prevented by the deployment management system, Jenkins. With the secure coding solution internalized in the integrated development environment, the process makes it impossible to build code that does not meet a certain level of secure coding. Although there was an initial load, relatively few vulnerabilities were finally found during regular simulated hacking and vulnerability checks, which in the long run had a positive impact on source security and resource efficiency.
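The two technical controls just described, a deployment system that refuses changes without an approved security review and a build that fails when secure-coding findings exceed the set level, amount to one gate that a CI job evaluates before continuing. The following is an added example written for this page, not KT&G's Jenkins configuration or code; the ticket record, the scan report, the severity scale and the "approved_commit" field are constructed assumptions about what such a gate would read from the ticket system and the scanner. It goes slightly beyond the text in tying the approval to the exact commit being built, so that code changed after the review does not ride on an earlier approval.

```python
"""Pre-build / pre-deployment gate combining the security review ticket status with
secure-coding scan results. Constructed example: ticket and scan data are placeholders."""
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed security review ticket, as a CI job might read it from the ticket system.
SAMPLE_TICKET = {"id": "SR-EXAMPLE-042", "status": "approved", "approved_commit": "a1b2c3d"}

# Constructed secure-coding / CWE scan report. One finding carries an approved exception
# (it is on the risk register); the others do not.
SAMPLE_SCAN_JSON = json.dumps({
    "findings": [
        {"cwe": "CWE-89", "severity": "high", "file": "orders/query.py", "accepted_exception": False},
        {"cwe": "CWE-79", "severity": "medium", "file": "web/render.py", "accepted_exception": False},
        {"cwe": "CWE-798", "severity": "critical", "file": "legacy/ftp.py", "accepted_exception": True},
    ]
})


def parse_scan_report(text):
    """Return the findings list from a JSON scan report, validating the field the gate ranks on."""
    findings = json.loads(text)["findings"]
    for finding in findings:
        if finding["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {finding['severity']!r} for {finding.get('cwe')}")
    return findings


def evaluate_gate(ticket, build_commit, findings, block_at="high"):
    """Decide whether the build/deployment may proceed. Returns (allowed, reasons).

    The gate fails closed: a missing or unapproved ticket blocks, an approval that covers a
    different commit blocks (code changed after the review), and any finding at or above
    block_at without an approved exception blocks."""
    ticket = ticket or {}
    reasons = []
    status = ticket.get("status")
    if status != "approved":
        reasons.append(f"security review ticket {ticket.get('id', '?')} has status {status!r}; final approval missing")
    elif ticket.get("approved_commit") != build_commit:
        reasons.append(f"review approval covers commit {ticket.get('approved_commit')}, build is {build_commit}")
    threshold = SEVERITY_RANK[block_at]
    for finding in findings:
        if SEVERITY_RANK[finding["severity"]] >= threshold and not finding.get("accepted_exception", False):
            reasons.append(f"{finding['cwe']} ({finding['severity']}) in {finding['file']}: no approved exception")
    return (not reasons, reasons)


def gate_exit_code(ticket, build_commit, scan_text, block_at="high"):
    """Wrapper for a CI step: 0 lets the pipeline continue, 1 stops it and prints why."""
    allowed, reasons = evaluate_gate(ticket, build_commit, parse_scan_report(scan_text), block_at)
    for reason in reasons:
        print("BLOCKED:", reason)
    return 0 if allowed else 1


if __name__ == "__main__":
    # With the constructed data the CWE-89 finding blocks; the critical one is an accepted exception.
    sys.exit(gate_exit_code(SAMPLE_TICKET, "a1b2c3d", SAMPLE_SCAN_JSON))
```

Findings with an accepted exception are not silently dropped by the scanner; the gate reads the exception flag that the risk register produced, so the same record the CISO and CIO approved is what lets the build through.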

5. CONCLUSION

The bottom-up EGIT system based on the security review process designed by KT&G is characterized by the efficient implementation of seamless communication and enterprise-wide information security, transferred from the lowest level (i.e., the information security manager) to the highest level (e.g., the IT control manager of the governance structure). It has also been confirmed that, within the organization, security departments have the advantage of actively pursuing the digitalization of the company because they can understand EGIT and present a direction that facilitates future independent EGIT projects. KT&G’s case is the first successful project showing that a bottom-up IT governance structure can be more effective than typical top-down IT governance, and its key implications are as follows:

First, a bottom-up EGIT approach requires in-house experts. In the TFT of the KT&G case, the overall project was designed by the information security manager and the IT control manager, who joined in late 2018 with an understanding of and expertise in EGIT. By the time the project was approved, internal stakeholders had no awareness of EGIT, and by persuading the stakeholders through active collective education on its needs, the EGIT goals and objectives could be internalized in the project. As a matter of fact, even after the project was launched, a clear understanding of the needs only began to take hold later in 2018, when the security review process was established and the ISMS frameworks were met. This approach corresponds to the S7 IT governance function/officer and S8 Security/Compliance/Officer of the IT governance structure, one of the EGIT components suggested by De Haes, which, as he claimed, is relatively easy to implement in the organization and highly effective. Even though this theory was not presented with a bottom-up approach in mind, it was also confirmed to be an important item for a bottom-up EGIT approach.

Second, an automated management system that can run the entire security review process is essential. The system is particularly important in large organizations: as the KT&G case shows, during the initial phase of process operation the security review was handled only through instant messages, e-mails, telephone calls, and meetings, without any systematization, and as a result systematic management was difficult when workloads had to be managed and the hand-over and approval of highly complicated tasks had to be handled. There was also the problem that the departments requesting security reviews did not recognize the security review process as a required process. The process, however, gradually settled down after the automated system was established. As the case analysis shows, the best way is therefore to link the process to the IT service management system (ITSM) already established in the company; if there is no systematized ITSM, a separate ticket management system should be considered.

If automated CVE, CCE, and CWE inspection tools, secure coding tools, and application programming interfaces (APIs) are linked when the system is established, more systematic management becomes possible. Doing this by hand, just like identifying technical vulnerabilities by hand, is impossible without the aforementioned automation solutions. In conclusion, KT&G established a security review management system to automate the entire process and to manage technical and administrative risks in conjunction with an automated vulnerability management system. As previous studies highlighted the technical importance, this study, as a real-world example, shows once again that adopting and utilizing such technologies is important for the success of modern EGIT based on the security review process presented here.

Third, continuous communication with management is important in the construction of all intra-company processes. Communication channels with management are key points for ISMS and EGIT establishment [9,21,26]. These activities can only be effective if they are performed regularly and repeatedly. An additional lesson learned from this study is that, in communication with management and the board of directors, approaching the matter in the form of compliance can produce successful results. ISO 27001:2013 and K-ISMS make management review and an information security committee mandatory, while COBIT 2019 prescribes Monitor, Evaluate, and Assess (MEA) as one of the four domains of management objectives.

For newly established processes applied across the enterprise, cultural resistance arises, although its degree varies. If the leadership's understanding is low, it is difficult for IT, the core of EGIT, to reach the stage where it and corporate decision-making mutually affect each other. Thus, as shown in the KT&G case, it is necessary to create as formal and significant an environment as possible. This is because, when compliance or obtaining certifications is set as one of the company's goals, the procedure itself is difficult to ignore and must be implemented to achieve goals that are measured by performance. The information security committee has become a communication channel that is regularly discussed at management meetings.

Communication is essential among horizontal departments as well. Active communication, support, and education are needed, as can be seen in the on-site deployment of experts in the vulnerability removal project. A lack of clear understanding of technical measures tended to delay remediation of vulnerabilities found in applications and infrastructure systems. It was also found that these issues caused frequent misunderstandings between departments during initial operations after the process was established. From the perspective of the responsible personnel, this can be perceived as a task added to their existing work, so it was important to increase understanding through continuous education and to prevent delays caused by differences in individual technical capabilities. It was confirmed that smooth communication between departments is as important as vertical communication in resolving this conflict structure. This proved that the "R9 corporate internal communication addressing IT on a regular basis" item and "APO-08 Managed Relationship", a requirement of COBIT 2019, both highlighted by De Haes et al. (2010), are important parts of bottom-up EGIT establishment through the security review process.

Fourth, in the case of the security review process, new IT systems cannot be released unless approved, so the process has a strong controlling tendency. This coercion is necessary for successfully operating the security review process. In the initial stages of establishing the process there was no active cooperation between the relevant departments during the guidance period, and therefore the TFT amended the policy guidelines to make the process binding. Clear coercion prevented the unnecessary waste of resources caused by inter-departmental interests or environmental variables and culturally increased awareness of compliance with information protection. This is not emphasized in top-down EGIT because, in the top-down case, processes established by management decisions are generally supported within the organization and already carry a tendency of coercion. As can be seen in the case, however, it is emphasized as a key element in a bottom-up approach, which has relatively low management interest.

After all, this is a premise that is emphasized in or inherent to traditional top-down EGIT implementations, but it is relatively more emphasized in bottom-up EGIT implementations through the security review process. As the results of the case show, the modern process-oriented bottom-up governance approach is evolving into a form that cannot operate without digitization. This is because the information security activity itself, called security review, contains technical items and is not manageable without automated database processing. Real-time communication is likewise required, based on data extracted from the database, and it is impossible to detect and act on violations without the technical implementation of control devices. This automation is also more meaningful because it can be applied systemically to establishing processes that require coercion.
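To make the automation described in the second implication and the violation detection mentioned in the closing paragraph concrete, here is an added Python example that is not part of the paper or of KT&G's system. It models a security review ticket as a release gate whose approval state and CVE/CCE/CWE findings (ingested from inspection tools) decide whether a system may be released, and a check that flags releases made without an approved review. The ticket fields, the severity threshold and the sample data are assumptions.

```python
"""Added example, not from the paper or KT&G's system: a security review
ticket as a release gate, plus a check that flags releases that bypassed it.
Ticket fields, severity threshold and sample data are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class ReviewState(Enum):
    REQUESTED = "requested"
    IN_REVIEW = "in_review"
    APPROVED = "approved"
    REJECTED = "rejected"


@dataclass
class Finding:
    source: str       # which inspection tool family: "CVE", "CCE" or "CWE"
    identifier: str   # constructed placeholder ids, not real identifiers
    severity: str     # "low", "medium", "high" or "critical"
    resolved: bool = False


@dataclass
class ReviewTicket:
    ticket_id: str
    system_name: str
    state: ReviewState = ReviewState.REQUESTED
    findings: list = field(default_factory=list)  # ingested from scanners


BLOCKING_SEVERITIES = {"high", "critical"}  # assumed policy threshold


def release_decision(ticket):
    """Return (allowed, reasons): release only when the review is approved
    and no unresolved high/critical finding remains on the ticket."""
    reasons = []
    if ticket.state is not ReviewState.APPROVED:
        reasons.append(f"review not approved (state={ticket.state.value})")
    for f in ticket.findings:
        if not f.resolved and f.severity in BLOCKING_SEVERITIES:
            reasons.append(f"unresolved {f.source} finding {f.identifier} ({f.severity})")
    return (not reasons, reasons)


def detect_violations(release_log, tickets):
    """Compare a release log of (system_name, ticket_id) pairs with the ticket
    store; return systems released without passing the gate, for follow-up by
    the security department and reporting to the information security committee."""
    by_id = {t.ticket_id: t for t in tickets}
    violations = []
    for system_name, ticket_id in release_log:
        ticket = by_id.get(ticket_id)
        if ticket is None:
            violations.append((system_name, "no security review ticket"))
            continue
        allowed, reasons = release_decision(ticket)
        if not allowed:
            violations.append((system_name, "; ".join(reasons)))
    return violations


if __name__ == "__main__":
    # constructed sample data
    portal = ReviewTicket("SR-001", "intranet-portal", ReviewState.APPROVED,
                          [Finding("CWE", "CWE-PLACEHOLDER", "high", resolved=True)])
    hr_api = ReviewTicket("SR-002", "hr-api", ReviewState.IN_REVIEW,
                          [Finding("CVE", "CVE-PLACEHOLDER", "critical")])
    log = [("intranet-portal", "SR-001"), ("hr-api", "SR-002"),
           ("legacy-batch", "none")]  # third release has no ticket at all
    for system, why in detect_violations(log, [portal, hr_api]):
        print(f"{system}: {why}")
```

In a real deployment the ticket store would be the company's ITSM and the findings would come from the linked inspection tools; the gate logic itself stays the same.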

REFERENCES

[1] Morck, R.; Steier, L. The global history of corporate governance: An introduction. In A history of corporate governance around the world: Family business groups to professional managers, University of Chicago Press: 2005; pp. 1-64.

[2] Loh, L.; Venkatraman, N. Diffusion of information technology outsourcing: influence sources and the Kodak effect. Information Systems Research 1992, 3, 334-358.

[3] Van Grembergen, W.; De Haes, S. Enterprise governance of information technology: achieving strategic alignment and value; Springer Publishing Company, Incorporated: 2020.


[4] Weill, P.; Ross, J.W. IT governance: How top performers manage IT decision rights for superior results; Harvard Business Press: 2004.

[5] Pereira, R.; da Silva, M.M. IT governance implementation: The determinant factors. Communications of the IBIMA 2012, 2012, 1.

[6] Elizabeth Abraham, S. Information technology, an enabler in corporate governance. Corporate Governance: The International Journal of Business in Society 2012, 12, 281-291, doi:10.1108/14720701211234555.

[7] Gregory, R.W.; Kaganer, E.; Henfridsson, O.; Ruch, T.J. IT Consumerization and the Transformation of IT Governance. MIS Quarterly 2018, 42, 1225-1253.

[8] De Haes, S.; Haest, R.; Van Grembergen, W. IT governance and business-IT alignment in SMEs. ISACA Journal 2010, 6, 38-44.

[9] ISACA. COBIT 2019 Framework: Introduction and Methodology. ISACA Journal 2019.

[10] ISACA. COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. ISACA Journal 2012.

[11] Alreemy, Z.; Chang, V.; Walters, R.; Wills, G. Critical success factors (CSFs) for information technology governance (ITG). International Journal of Information Management 2016, 36, 907-916.

[12] Cervone, H.F. Implementing IT governance: a primer for informaticians. Digital Library Perspectives 2017, 33, 282-287, doi:10.1108/DLP-07-2017-0023.

[13] Neumann, S.; Ahituv, N.; Zviran, M. A measure for determining the strategic relevance of IS to the organization. Information & Management 1992, 22, 281-299.

[14] Vithayathil, J. Will cloud computing make the Information Technology (IT) department obsolete? Information Systems Journal 2018, 28, 634-649.

[15] Petruch, K.; Stantchev, V.; Tamm, G. A survey on IT-governance aspects of cloud computing. International Journal of Web and Grid Services 2011, 7, 268-303.

[16] Pan, Y. Heading toward artificial intelligence 2.0. Engineering 2016, 2, 409-413.

[17] Valentine, E.; Stewart, G. Enterprise business technology governance: Three competencies to build board digital leadership capability. In Proceedings of 2015 48th Hawaii International Conference on System Sciences; pp. 4513-4522.

[18] Lutz, C.; Hoffmann, C.P.; Bucher, E.; Fieseler, C. The role of privacy concerns in the sharing economy. Information, Communication & Society 2018, 21, 1472-1492.

[19] Urban, T.; Tatang, D.; Degeling, M.; Holz, T.; Pohlmann, N. The unwanted sharing economy: An analysis of cookie syncing and user transparency under GDPR. arXiv preprint arXiv:1811.08660 2018.

[20] Shameli-Sendi, A.; Aghababaei-Barzegar, R.; Cheriet, M. Taxonomy of information security risk assessment (ISRA). Computers & Security 2016, 57, 14-30.

[21] ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection. ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements; ISO/IEC: 2013.

[22] Radack, S. NIST SP 800-115 Guide to Information Security Testing and Assessment; National Institute of Standards and Technology: 2008.

[23] ISACA. Global Status Report on the Governance of Enterprise IT (GEIT)—2011. Available online at http://www.isaca.org/Knowledge-Center/Research/Documents/Global-Status-Report-GEIT-10Jan2011-Research.pdf, 2011.


[24] ISACA. COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution. ISACA Journal 2018.

[25] IV, J.W.L. Holistic IT Governance, Risk Management, Security and Privacy: Needed for Effective Implementation and Continuous Improvement. ISACA Journal 2016, 5.

[26] ISO. ISO/IEC 38500:2015. 2015.

[27] Brown, C.V. Examining the emergence of hybrid IS governance solutions: Evidence from a single case site. Information Systems Research 1997, 8, 69-94.

[28] Zmud, R.W. Design alternatives for organizing information systems activities. MIS Quarterly 1984, 79-93.

[29] Tavakolian, H. Linking the information technology structure with organizational competitive strategy: A survey. MIS Quarterly 1989, 309-317.

[30] Olson, M.H.; Chervany, N.L. The relationship between organizational characteristics and the structure of the information services function. MIS Quarterly 1980, 57-68.

[31] King, J.L. Centralized versus decentralized computing: organizational considerations and management options. ACM Computing Surveys (CSUR) 1983, 15, 319-349.

[32] Peterson, R. Crafting information technology governance. Information Systems Management 2004, 21, 7-22.

[33] De Haes, S.; Van Grembergen, W. An Exploratory Study into IT Governance Implementations and its Impact on Business/IT Alignment. Information Systems Management 2009, 26, 123-137, doi:10.1080/10580530902794786.

[34] Malhotra, A.; Van Alstyne, M. The dark side of the sharing economy… and how to lighten it. Communications of the ACM 2014, 57, 24-27.

[35] Morgan, B.; Kuch, D. Radical transactionalism: legal consciousness, diverse economies, and the sharing economy. Journal of Law and Society 2015, 42, 556-587.

[36] Nwogugu, M.C. The Case of Apple, Inc., and Fintech: Managerial Psychology, Corporate Governance and Business Processes. Corporate Governance and Business Processes 2015.

[37] Copie, A.; Fortis, T.-F.; Munteanu, V.I.; Negru, V. From cloud governance to IoT governance. In Proceedings of 2013 27th International Conference on Advanced Information Networking and Applications Workshops; pp. 1229-1234.

[38] Haffke, I.; Kalgovas, B.; Benlian, A. Options for Transforming the IT Function Using Bimodal IT. MIS Quarterly Executive 2017, 16.

[39] Tallon, P.P.; Ramirez, R.V.; Short, J.E. The information artifact in IT governance: toward a theory of information governance. Journal of Management Information Systems 2013, 30, 141-178.

[40] Horlach, B.; Drews, P.; Schirmer, I. Bimodal IT: Business-IT alignment in the age of digital transformation. Multikonferenz Wirtschaftsinformatik (MKWI) 2016, 1417-1428.

[41] Dafoe, A. AI governance: A research agenda. Governance of AI Program, Future of Humanity Institute, University of Oxford: Oxford, UK 2018.

[42] ISO. ISO/IEC 38500:2008 Corporate governance of information technology; ISO/IEC: 2008.

[43] ISO/IEC. ISO/IEC 38500:2015(en) Information technology — Governance of IT for the organization; ISO/IEC: 2015.

[44] Weill, P.; Ross, J. IT Governance: How top performers manage IT decision rights for superior results; Harvard Business School Press: Boston, MA, 2004.

[45] Brown, A.E.; Grant, G.G. Framing the frameworks: A review of IT governance research. Communications of the Association for Information Systems 2005, 15, 38.


[46] Sambamurthy, V.; Zmud, R.W. Arrangements for information technology governance: A theory of multiple contingencies. MIS Quarterly 1999, 261-290.

[47] Zmud, R.W.; Boynton, A.C.; Jacobs, G.C. The information economy: A new perspective for effective information systems management. ACM SIGMIS Database: the DATABASE for Advances in Information Systems 1986, 18, 17-23.

[48] Lessig, L. Remix: Making art and commerce thrive in the hybrid economy; Penguin: 2008.

[49] Bartens, Y.; Schulte, F.; Voss, S. E-business IT governance revisited: An attempt towards outlining a novel bi-directional business/IT alignment in COBIT5. In Proceedings of 2014 47th Hawaii International Conference on System Sciences; pp. 4356-4365.

[50] Baumard, P. A Brief History of Hacking and Cyberdefense. In Cybersecurity in France, Springer: 2017; pp. 17-30.

[51] Henderson, J.C.; Venkatraman, H. Strategic alignment: Leveraging information technology for transforming organizations. IBM Systems Journal 1993, 38, 472-484.

[52] Schmidt, W.C. World-Wide Web survey research: Benefits, potential problems, and solutions. Behavior Research Methods, Instruments, & Computers 1997, 29, 274-279.

[53] Barnard, L.; von Solms, R. The evaluation and certification of information security against BS 7799. Information Management & Computer Security 1998.

[54] Charlet, L. The ISO Survey of Management System Standard Certifications 2018. Retrieved 2018.

[55] Moen, R. Foundation and History of the PDSA Cycle. In Proceedings of Asian Network for Quality Conference, Tokyo. https://www.deming.org/sites/default/files/pdf/2015/PDSA_History_Ron_Moen.pdf

[56] Wang, C.-H.; Tsai, D.-R. Integrated installing ISO 9000 and ISO 27000 management systems on an organization. In Proceedings of 43rd Annual 2009 International Carnahan Conference on Security Technology; pp. 265-267.

[57] Bahtit, H.; Regragui, B. Risk Management for ISO27005 Decision Support. International Journal of Innovative Research in Science, Engineering and Technology 2013.

[58] International Organization for Standardization. ISO 31000:2009 Risk Management: Principles and Guidelines; International Organization for Standardization: 2009.

[59] Purdy, G. ISO 31000:2009—setting a new standard for risk management. Risk Analysis: An International Journal 2010, 30, 881-886.

[60] Albakri, S.H.; Shanmugam, B.; Samy, G.N.; Idris, N.B.; Ahmed, A. Security risk assessment framework for cloud computing environments. Security and Communication Networks 2014, 7, 2114-2124.

[61] Kong, H.-K.; Hong, M.K.; Kim, T.-S. Security risk assessment framework for smart car using the attack tree analysis. Journal of Ambient Intelligence and Humanized Computing 2018, 9, 531-551.

[62] ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection. ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls; ISO/IEC: 2013.

[63] McGraw, G. Automated code review tools for security. Computer 2008, 41, 108-111.

[64] Howard, M.; Lipner, S. The Security Development Lifecycle; Microsoft Press: Redmond, 2006; Vol. 8.

[65] McGraw, G.; Chess, B. The Building Security in Maturity Model (BSIMM). 2009.


[66] Park, K.; Kim, B. Building the Security Function Point Method for Web Application Vulnerability Remediation. International Journal of Recent Technology and Engineering (IJRTE) 2019, 8(4), 5962-5968, doi:10.35940/ijrte.D8948.118419.

[67] Boehm, B.W.; Ross, R. Theory-W software project management principles and examples. IEEE Transactions on Software Engineering 1989, 15, 902-916.

[68] Charette, R.N. Software Engineering Risk Analysis and Management; Intertext Publications: New York, 1989.

[69] Dorofee, A.J.; Walker, J.A.; Alberts, C.J.; Higuera, R.P.; Murphy, R.L. Continuous Risk Management Guidebook; Carnegie Mellon University: Pittsburgh, PA, 1996.

[70] Mataracioglu, T.; Ozkan, S. Governing information security in conjunction with COBIT and ISO 27001. arXiv preprint arXiv:1108.2150 2011.

[71] Almeida, R.; Lourinho, R.; da Silva, M.M.; Pereira, R. A model for assessing COBIT 5 and ISO 27001 simultaneously. In Proceedings of 2018 IEEE 20th Conference on Business Informatics (CBI); pp. 60-69.

[72] Sheikhpour, R.; Modiri, N. An approach to map COBIT processes to ISO/IEC 27001 information security management controls. International Journal of Security and Its Applications 2012, 6, 13-28.

[73] ISACA. COBIT 5 for Information Security. 2012.

[74] ISACA. COBIT 5 Enabling Information. ISACA Journal 2013.

[75] ISACA. COBIT 5 Enabling Processes. ISACA Journal 2012.

[76] ISACA. COBIT 5 Implementation. ISACA Journal 2012.

[77] ISACA. COBIT 2019: Governance and Management Objectives. ISACA Journal 2019.

[78] De Haes, S.; Van Grembergen, W.; Joshi, A.; Huygh, T. COBIT as a Framework for Enterprise Governance of IT. In Enterprise Governance of Information Technology, Springer: 2020; pp. 125-162.

[79] Korea Internet & Security Agency. K-ISMS: Information Security and Privacy Management System Certification Guide. Korea Internet & Security Agency 2019, 252.

[80] Alleman, G.; Coonce, T.; Price, R. Increasing the Probability of Program Success with Continuous Risk Management. The Measurable News 2018, 27.