http://www.iaeme.com/IJARET/index.asp 244 [email protected]
International Journal of Advanced Research in Engineering and Technology (IJARET) Volume 11, Issue 7, July 2020, pp. 244-265, Article ID: IJARET_11_07_026
Available online at http://www.iaeme.com/IJARET/issues.asp?JType=IJARET&VType=11&IType=7
ISSN Print: 0976-6480 and ISSN Online: 0976-6499
DOI: 10.34218/IJARET.11.7.2020.026
© IAEME Publication Scopus Indexed
INITIATION OF EGIT THROUGH THE
SECURITY REVIEW PROCESS: A CASE STUDY
OF KT&G CORPORATION
Kwansoon Park, Boyoung Kim
Seoul Business School, Seoul School of Integrated Sciences and Technologies (aSSIST),
Seoul 03767, Korea
ABSTRACT
Within the rapidly changing technology environment, companies are under strong
pressure to create a paradigm shift to technology-based management methods and
new business models. Accordingly, the Enterprise Governance of IT (EGIT) is
changing beyond the aspects of IT management and operation activities into priority
activities of corporate business strategies. For this, various establishment approaches
are being tried, but top-down forms of approaches, which are de facto best practices,
are forming the mainstream in terms of effective control while, on the other hand,
bottom-up EGIT approaches, which build a system step by step, are hard to find. Thus,
the authors conducted a case study on KT&G Corporation, a Korean manufacturer
that triggered a successful EGIT system by establishing a bottom-up EGIT system.
According to the analysis, a “bottom-up EGIT System with a leverage of the security
review process” designed by KT&G’s information security manager and IT control
manager was delivered from sub-organizations (departments) of the governance
structure to higher organizations (institutions) to effectively structure the realization
of EGIT across the enterprise through process control and communication. This
approach also had the advantage that the company’s entire organizations, including
the security and control organization, could gradually understand EGIT and rapidly
proceed with independent EGIT projects. Through the case analysis, four essential
requirements for bottom-up EGIT system establishment are presented.
Key words: EGIT, IT Governance, ISMS, Security review process
Cite this Article: Kwansoon Park, Boyoung Kim, Initiation of EGIT through the
Security Review Process: A Case Study of KT&G Corporation, International Journal
of Advanced Research in Engineering and Technology, 11(7), 2020, pp. 244-265.
http://www.iaeme.com/IJARET/issues.asp?JType=IJARET&VType=11&IType=7
1. INTRODUCTION
After the modern concept of corporate governance was established in the 1970s [1], the
importance of EGIT, the concept of IT governance, began to emerge as IT's role in corporate
management has expanded in the early 1990s [2,3]. EGIT can be defined as part of enterprise-
wide governance activities to link the value of the information technology aspect to the values
of enterprises and businesses in solving the management problems or building business
strategies [4-8]. Within today's rapidly changing technology environment, especially,
companies are strongly required to shift their paradigm to technology-based management
methods and create new business models. As a result, EGIT is shifting beyond the aspects of
IT management and operation activities to priority activities of corporate business strategies
[3,9-12].
Although information technology has an indirect impact on a company's competitive
advantage [13], it is sometimes led by IT such as game business, FinTech, e-commerce, and
cloud services, depending on the nature of the business [14,15]. In addition, phenomena have
emerged in which companies develop fields of application after a technology is implemented
first, as in the artificial intelligence field [16], and in which innovation is added by digitalizing
traditional business formats through IT, as in digital transformation [17]. Moreover, in these
changes in the corporate environment, the information security issues emerge as a significant
risk management item since the information assets of companies include the information
assets of their partners and the personal information of their customers [18]. With the increase
of information security issues, various regulations and laws are being created in the market
[19]. Furthermore, the security review process, which can be applied as a security safeguard
to an enterprise's overall business activities, has emerged as an important activity in
establishing an Information Security Management System (ISMS) in terms of risk
management and preventive control [20-22].
However, contrary to the emergence of a variety of new EGIT-related concepts and
approaches, corporate activities for EGIT are not linked to enterprise-wide governance, or
they fail in continuous management and operation [5]. In this respect, a Global status report in
2011 on the governance of enterprise IT pointed out the reasons as follows: communication
issues, trying to do too much at once, lack of senior management commitment and support
[23]. Control Objectives for Information and Related Technology (COBIT) 2019, the most
typical implementation framework of EGIT, also pointed out that the success of EGIT
requires active support from the management and board of directors [24]. Also, although a
holistic approach to implementing EGIT has been highlighted in many studies [3,25], there is
a lack of prior research from the same point of view to be a detailed guide to actual
establishment and application.
This study, therefore, aims to present a bottom-up EGIT establishment method using the
security review process, which is part of the enterprise information security process. To this
end, the case of KT&G, a large Korean manufacturing company that established the security
review process first and then approached ISMS and EGIT by stages as a new EGIT method,
was analyzed. KT&G's case had the distinction of attempting the security review process from
the perspective of the information security manager (ISM) and IT control manager, rather than
in the form of a top-down approach [10,11,24,26]. In addition, it is significantly meaningful
that KT&G has built a successful information security strategy by overcoming
the low interests and indifference of management and stakeholders that most companies
experience in the early stages of EGIT [23].
2. RELATED WORK
2.1. Enterprise Governance of Information Technology
In 2016, the term IT governance was used first by Loh and Venkatraman (1992) [2]. The
concept of “IS governance frameworks” was then discussed by Brown (1997) [27]. From
reviewing the prior studies of IT governance, it is understandable that early studies focused on
the form and structure of IT governance [28-31]. In 1996, the Information System Audit and
Control Association (ISACA) issued the ITG Framework Control Objectives for Information
and Related Technology (COBIT), which began to be used as a standard framework for IT
governance that was actually applicable to enterprises [3]. Since the 2000s, with the advent of
frameworks such as COBIT and ISO38500, research has begun in earnest into processes
and relational mechanisms needed to establish IT governance [4,32,33]. Typically, De Haes
(2015) argued that the purpose of EGIT is to create value by linking business with IT and, for
this, establishing EGIT within an enterprise should be carried out in terms of a “holistic
approach” point of view. This explains that the roles of IT have now been expanded and
redefined as roles of EGIT, such as the combination of sharing economy and platform
business, digital transformation, blockchain, Internet of Things (IoT), FinTech, cloud
services, and artificial intelligence, beyond the past IT’s roles as an operational and
administrative support department for companies [14-17,34-41].
The existing prior studies show that the importance of an enterprise-wide approach to
EGIT is emphasized [24,42,43]. This means that EGIT should be linked to the enterprise-wide
governance, be structured as one, and be applied to all information processing and technology
systems of a company. This also means that EGIT should be implemented as an extension of
a company’s activities to establish and maintain ownership, management, use, and
responsibility [44].
Aspects of approaches for EGIT can be divided into traditional organization structures and
project leading agents. First, in terms of organizational structures, dichotomous initial studies
on centralized and decentralized forms were published by King (1983), Chervany (1980),
Tavakolian (1989), and Zmud (1984) [28-31], while studies were conducted on choices that
fit the conditions of efficiency of centralization and flexibility of decentralization [27,45,46].
These studies on structural form led to the recognition that dichotomous approaches were not
suitable for all organizations, and various IT governance was proposed, such as the federal
form of Jacobs (1986) and the hybrid form of Brown (1997) [27,47]. The argument of Brown
and Grant (2005), which concludes that, in terms of organizational structures, there is no IT
governance structure that satisfies all organizations in general, as an extension of
contingency theory, has begun to draw attention.
The internal approaches to establish EGIT are divided into top-down and bottom-up
approaches. The objective of EGIT to create values for stakeholders and corporations requires
an accurate understanding of stakeholders' needs and to set these needs as goals. The
decisions on this are finally discussed and judged by shareholders, the board of directors, and
the management. Thus, the top priority in the COBIT framework, and in many researchers'
assertions, is to set goals through an understanding of the enterprise context and strategy. This
can naturally be structured relatively clearly in top-down approaches. In addition, the
corporate strategies and risks viewed by unit departments at the bottom of the EGIT structure
may differ from those of management.
Furthermore, the role of unit departments from a departmental point of view can be
limited to the microscopic range. Understanding and implementing EGIT at the member and
departmental unit levels are essential for the enterprise-wide settlement of a robust
governance system through top-down approaches. The lack of understanding of EGIT in this
level of the working group is a failure factor in establishing the EGIT system [48] and, in a
similar vein, it can be seen that many IT systems are abandoned although they were
developed by management's decisions [36]. This may be caused by top-down EGIT systems
that are built and operated without sufficient communication between IT departments and
management.
On the other hand, it is relatively difficult for bottom-up EGIT systems to obtain support
from, and to communicate with, management. However, since bottom-up EGIT systems are
chosen in an environment where management has a low understanding of EGIT or has no
framework of its necessity, there is no alternative other than bottom-up EGIT systems. At a
time when technological change and paradigm shift are accelerating as it is now, bottom-up
EGIT approaches show the value that applying IT strategy to corporate strategies is effective
by enabling companies to implement IT technology-led businesses. From the establishment
perspective, bottom-up EGIT systems are highly dependent on internal staff’s EGIT expertise
and should be implemented by gradually expanding the relevant departments’ influence to their
base. In the case of bottom-up EGIT systems, therefore, the presence or absence of
individuals with knowledge and amicable communication skills affects the success or failure
of the smooth establishment [38].
Although conceptually there is a distinction between top-down and bottom-up in EGIT
systems, Yannick (2014) once argued that for a successful establishment of EGIT, those two
methods must be implemented in combination [49]. In the federal, decentralized, and hybrid
forms of the aforementioned structural aspects, bottom-up approaches must always be
accompanied for successful establishment. Despite the advantages of top-down approaches,
bottom-up approaches should be considered simultaneously because they are capable of
holistic approaches in terms of EGIT drivers and are effective in establishing an end-to-end
governance system that encompasses all parts of an organization [50]. Finally, one of the
reasons why studies on bottom-up approaches are difficult to find is that when an enterprise
starts with top-down approaches in its initial EGIT establishment, it tends not to be discussed
in a large framework even if bottom-up approaches are included within the establishment
process [51].
2.2. Enterprise Security Review Process and Enterprise Governance of IT
Information security came at a point of great transformation in 1989 when Tim Berners-Lee
invented the World Wide Web and computer systems easily connected to each other over a
network to store, transmit, and process data [52]. This radical paradigm shift in information
and management forms led to the need for the management system development for
systematic information security, with it drawing attention beginning in 1995 when the BSI
Group introduced the first information security management system (ISMS) framework,
BS7799 [53]. Since then, the ISMS frameworks have continued to be refined, leading to
ISO 17799 and ISO 27001, and have evolved into frameworks that can accommodate new
technologies [53].
In particular, ISO/IEC 27001:2013, which has the highest public confidence and is
adopted by 31,910 companies worldwide as of 2018, uses the principle of plan-do-study-act
(PDSA) as its basic process [54-56]. In addition, risk management, a key domain, is heavily
managed by a separate ISO27005 [57]. This has the same orientation as all the management
system frameworks of ISO, including a risk assessment item [58,59]. Furthermore, ISO 31000,
which is the parent standard of ISO 27001 risk management, classifies the risk assessment among the
processes of PDCA risk management in three stages: risk identification, risk analysis, and risk
evaluation. As for ISO27001, many studies and success stories have been introduced, and
certification is officially available if certification authorities’ external audits are passed, so
many countries and industries are using it as a scale of the level of information security.
In addition to the ISMS frameworks, a number of studies have been done on the risk
assessment techniques in terms of security perspective. As Albakri (2014) and Kong (2018)
point out, the risk assessment techniques have evolved into frameworks and risk management
process perspectives to effectively manage various types of risks in accordance with rapidly
changing business environments and new technologies [60,61].
The security review process (SRP) is a concept derived from the concept of security risk
assessment. It is a process that is included in security risk management. The control item that
best describes this is ISO27001:2013 A.18.2 Information Security Review, which was newly
added in 2013. The security review process can serve as a part of risk management in a large
range, but it is an independent control item. In other words, although the security review
process can be carried out by inclusion in the security risk management area according to
corporate environment and convenience, the security review process cannot be excluded from
control items or replaced by risk assessment [62]. It is in fact the software source code review
area that has become a catalyst for security review.
In the late 1990s, the concept of application security began to emerge [63], and the
security frameworks for application development began to be introduced. Typical examples
included Microsoft’s Security Development Lifecycle (SDL) [64], Sammy Migues’ Building
Security In Maturity Model (BSIMM) [65], and OWASP’s Software Assurance Maturity
Model (SAMM) [64]. These frameworks have been expanded not only to application areas
but also to other areas needed for services and have become the foundation for the security
review process [66].
The importance of the security review process in enterprise security is in line with the
importance of Boehm’s “continuous risk management” (1989) following the success of
software projects [67]. In the same year, Charette claimed four benefits of continuous risk
management, which are in line with the philosophy of the security review: it 1) can prevent
problems in advance, 2) can improve the quality of products and services, 3) can use resources
more appropriately, and 4) can increase stakeholder ties by sharing project problems together
[68].
Ultimately, the security review has evolved into a key process for enterprises to
implement continuous risk management, the most ideal method of risk management being
from the information security project perspective [69]. Also, the relationship between
systematic construction of enterprise security and EGIT can be described as the relationship
between ISMS frameworks and EGIT frameworks, which include the security review, with
various studies on it being conducted. Mataracioglu (2011) and Rafael (2018) proposed
matters to be considered and benefits in implementing ISMS and EGIT at the same time
[70,71], while Sheikhpour (2012) suggested how to map and use the ISMS frameworks
in EGIT establishment [72]. In addition, the use of the details of ISO27001 (2) and NIST 800
as external link frameworks for information security areas was directly mentioned in the
COBIT, the most commonly used EGIT framework in companies [9,10,24,73-78]. To achieve
corporate information security, the ISMS frameworks for establishing a systematic
information security system are essential. The security review process is a means to
implement the risk management portion, a key area of the ISMS frameworks, in the ideal
form of “continuous risk management.”
3. RESEARCH METHOD
3.1. Case Selection
In this study, KT&G Corporation, Korea’s leading manufacturer, was selected as the target
of case studies, as it has been carrying out successful EGIT projects by structuring the
Information Security Management System (ISMS) in a top-down manner and the EGIT
system in a bottom-up manner throughout the enterprise. KT&G was a traditional tobacco
manufacturer, but with the advent of electronic cigarettes, it has been gradually pursuing a
digital innovation strategy focused on technology products.
According to the KT&G Sustainability Report, its R&D investment has been gradually
increasing to KRW 122.4 billion, 160.8 billion, and 178.9 billion, respectively, over 2016,
2017, and 2018. Additionally, technology strategies are being further strengthened according
to digital innovation strategies. Intensive investing in the electronic cigarette sector (a core
strategic technology), continuing IT infrastructure and information security, building new
organizations such as the next generation product (NGP) department and information security
department, and performing projects like the establishment of next-generation computer
centers and next-generation information security systems are being actively promoted.
These things were triggered by the “Security Level and IT Organization Diagnosis
Consulting” conducted in first and second rounds in 2017. Based on reports submitted by
outside experts, the management made decisions on establishing the appropriate level of the
security environment, manpower, and obsolete IT infrastructure’s renovation. Accordingly,
the company recruited a number of experts in hardware, software, IT service management
(ITSM), DevOps, and information security from the second half of 2017 to 2018. Since then,
as the expertise of new professionals affected the corporate organization, requirements for
systematic IT management and information security began to emerge from the on-the-job
divisions, and the need for EGIT was reviewed at the level of the IT control managers and
information security managers, who were experts in EGIT.
However, the aforementioned first and second rounds of consulting reports consisted of
product-oriented methods that could meet each control item on the premise that ISO27001
and K-ISMS certifications were obtained from the information security management system
(ISMS) perspective. This means that the goals of internal and external stakeholders who led
the corporate diagnosis project, including the consulting firm that performed the diagnosis at
the time, were far from EGIT. In addition, the diagnosis team included a number of
information security and infrastructure technical personnel because the diagnosis was focused
on technical computer audits and simulated hacking. The direction, therefore, was naturally
set toward information security projects centered on the information security management
system (ISMS) and the replacement of outdated infrastructure equipment.
The task force team (TFT), which was finally assigned missions based on this
background, strategically needed to readjust the existing master plan in consideration of
EGIT. The TFT, which consisted of newly reinforced professionals, formed a consensus to
properly utilize the opportunities, which were at an appropriate level and for which relatively
large-scale investments were available. In addition to the net security aspects resulting from the
diagnosis, various topics were discussed in TFT, including organizational systems, Business
Continuity Planning (BCP), EGIT, Korean International Financial Reporting Standards (K-
IFRS), internal control, and ITSM. In this discussion, the TFT concluded that it was
unreasonable to carry out various missions at the same time with a low understanding of
EGIT throughout the enterprise.
The final conclusion within the TFT for EGIT was that the EGIT establishment was an
essential item for corporate governance and was necessary in any form, so a bottom-up
approach accessible to unit departments was decided. In the bottom-up approach, the TFT
followed five principles:
1) The scope of EGIT should not be over-set.
2) The EGIT framework is not limited to COBIT, COSO, and ISO27001; rather, mainly the most
necessary control items are selected and proceeded with.
3) The ISO27001 and K-ISMS [79] certifications, which the company had determined to obtain,
are used as leverage.
4) Information security governance that promotes IT governance should be enabled.
5) The approach should proceed in a way that reduces organizational resistance as much as
possible.
In conclusion, the TFT introduced a step-by-step plan, expanding an EGIT establishment that is
centered on the security review process.
3.2. Analysis Framework and Process
This study, therefore, was intended to successfully trigger EGIT centered on a bottom-up
approach rather than on EGIT enterprise activities in the existing frameworks and top-down
approaches, and to analyze the case of KT&G, which is establishing EGIT by stages
especially based on a previously untapped security review process, to present successful ways
to overcome the limitations of EGIT establishment in various business environments and
circumstances. To do this, two stages of research procedure were designed.
First, to review the EGIT establishment process based on KT&G’s security review
process, the EGIT structural model, which consists of three areas such as Structures,
Processes, and Relational Mechanisms (Figure 1) presented by De Haes & Van Grembergen
(2009) was used. This model presents how KT&G was able to structure the bottom-up
security review process inside the company in each area.
Figure 1 Research Framework to EGIT Building (De Haes and Van Grembergen, 2009)
Based on the model of the components of the COBIT 2019 governance system shown in
Figure 2, it was intended to identify impacts of KT&G’s security review process on EGIT and key
success factors that led to a successful EGIT establishment.
Figure 2 Research Framework to Finding the Critical Factors (COBIT, 2019)
4. CASE STUDY
4.1. Building the SRP-based EGIT
KT&G made a TF team to establish a security review process in 2018 and built a three-stage
business plan intending to build ISMS in the first stage, operating ISMS in the second stage,
and EGIT initiation in the third stage (see Figure 3). Initially, the EGIT and COBIT 2019
frameworks were unfamiliar to the management, but they agreed that the importance of
information security in the competitive market was emphasized and that information security
management was needed from the perspective of enterprise-wide governance and the
governance for geographically separated overseas branches and affiliates. Above all, the main
reason for agreeing to this need was certification. This is because certification acquisition can
easily be linked to corporate performance and can be used as a key performance indicator
(KPI) for the management. Accordingly, the company aimed at officially acquiring both
ISMS ISO27001 certification and K-ISMS certification through the Korea Internet Security
Agency (KISA), a publicly trusted certification agency. Specific security processes were
established by subdividing the unit security activities contained in the control items in
compliance with these certification acquisition criteria.
Figure 3 Building Process of KT&G’s SRP-based EGIT
4.1.1. Planning Phase
Accordingly, the TF team defined the security measures of the project planning stage in the
planning-stage review of the security review process: the information security department was
asked to review the security level of the planning stage, and the project proceeded only after that
review was completed. The following pre-information security
requirements were analyzed through the proposal request requirements inspection: whether
the project conforms to law, internal and external regulations, and service level agreement
(SLA); whether development security requirements are included if application development is
included in the project; and whether the hardware and network architectures meet internal
requirements. Particularly, if the planning stage review was required or decided after the
request for proposal and the orders were already distributed to businesspersons or internal
parties, it was important to ensure that there would be no issues after sufficient
communication through prior consultation with the business departments because the
direction of the project could change depending on the outcome of the review.
4.1.2. Design Phase
During the design phase, it was discussed if the project could conform to the company’s
internal information security standards and guidance, and the outputs to be submitted at the
inspection phase were defined. In the case of security guides, they were written in detail by
type to reduce friction between the project implementation teams and related departments.
This is because the project could not be distributed due to a lack of security unless final
approval from the information security department was obtained at the inspection phase in
accordance with the principles of security review. Furthermore, these issues could be directly
linked to financial or legal problems with project contractors or to the performance of related
departments. For this reason, building clear standards and consultation processes were
essentially required in the security review process establishment.
In this context, KT&G has flexibly approved its policies by describing technical control
items in its guidance to maintain consistency with other internal instructions and guidance,
defining items for security review as mandatory in its guidelines. Generally, the guidance was
not mandatory, but if some parts of it required compliance due to the nature of the processes,
they were defined separately by the parent policy and security policies only for the contractors
who had to follow them.
There were cases of pure self-development for each project, the introduction of complete
product packages, software as a service (SaaS), and additional development for open-source
engines. In the case of packaged products and SaaS, prior coordination with the business
departments was needed when the introduction was made because customized development
was impossible and modification was difficult if it did not meet internal standards. For pure
self-development, the process of coordinating compliance with the system, software,
infrastructure, and security functional structures was included. In conclusion, the technical
and administrative security requirements necessary for final inspection, which were at the
core of the security review of the design phase, were finalized.
4.1.3. Final Inspection Phase
In the final inspection phase, whether the inspection output requested in the design
phase was properly submitted was reviewed. In this phase, checks on items requested at the
design phase were performed for final inspection whereas assessments of step-by-step
inspection confirmation document, security function checklist, data flow diagrams, personal
information flow diagrams, personal information processing policy,
network/software/hardware block diagrams, simulated hacking reports, secure coding results,
CCE/CVE/CWE vulnerability check results report, final contracts, SLA agreements, NDA,
and other security-related project documents were included. The items that did not meet the
requirements in this phase were returned, and performance checks were carried out after the
actions were taken again. Specifically, the performance checks frequently included
performance checks of technical items such as CVE, CCE, CWE, simulated hacking, and
secure coding, and were operated in a structure in which repeated actions and performance
checks were carried out if the performance was not sufficient.
In particular, exception approval was possible only when the Chief Information Security
Officer (CISO) and Chief Information Officer (CIO) approved for exception handling items.
In addition, those items were recorded in the risk register and were reviewed again in the
regular risk assessment at a later date. In this exception process, a combination of technical
and administrative items occurred, and anywhere from 5 cases or fewer to 20 cases or more per
day arose, depending on the security review target. The processes in the early stages of
process establishment required relatively large resources and were inefficient due to the
increased workload of CISO and CIO. Afterward, similar cases were classified and details of
exceptions were pre-defined, and the process was then developed into a form in which prior
reporting was separated out only for high-risk cases. In other words, the level of acceptable risk in terms of risk
management was determined while risk response strategies, which were responses according
to the size of risks, were implemented.
4.1.4. EGIT Application of Security Review Process
The TFT attempted to identify interrelationships from an EGIT perspective and to use them as leverage in establishing the security review process. Based on the COBIT 2019 control items, the TFT identified the items that the security review process could address, and decided that these would form the foundation when the EGIT project was implemented. Through this gap analysis, KT&G’s TFT concluded that gradually increasing the control items associated with EGIT, while continuing to add formal security activities such as the security review process, was meaningful in two respects. First, it achieved compliance with the actual EGIT control items in an agile fashion; second, helping internal stakeholders understand the EGIT activities and continuously exposing the organization to them ultimately laid a foundation for their continuous support of the EGIT implementation. This approach internalized the risk management process on the basis of the security review process, which evolved into regular meetings of the information security committee based on that risk management process. This in turn created an opportunity to consult on regular information security agendas.
The TFT selected the security review process as the most critical security activity in the establishment of EGIT, because the security review process being implemented was judged to be the most appropriate key process from the perspectives of the ISMS construction (the basic goal of the task), the security architecture set-up, and the EGIT establishment. Notably, the security review process helped the IT risk management system settle naturally in the organization. This is also meaningful in terms of continuous risk management, which is emphasized by the EGIT [80]. In the periodic risk management process, risk could be managed more actively by focusing on the risks of the organization and its systems, and by detecting organizational changes and risks in a short project time unit through the use of the security review process for project-level risks. This is directly related to the management’s immediate awareness of security risks and its decision-making on them. The fact that the information security committee was held 2 times in 2018 and 4 times in 2019 confirmed that a culture of risk management was being built in the organization relatively quickly.
Since then, KT&G has implemented the EGIT system in a hybrid format: continuous risk management through the security review process, combined with diagnosis of the entire organization through regular risk assessment activities carried out in parallel. As a result, an average of 30, and as many as 50, combined security review tickets per month were handled.
Figure 4 Implication Structure of SRP based EGIT of KT&G
4.2. Critical Factors affecting the Implication Success
4.2.1. Process
Tracking security review requests and completed processes showed that a single inspection-phase security review ticket required, on average, 21 transactions if it was resolved on the primary request and 37 transactions if additional performance checks were required. Upon the initial request, which carried internal approval from the relevant business department, the information security department, depending on the circumstances, issued sub-tickets of the initial ticket and transferred the request to the core module. The results collected for each field were fed back to the information security department and, if appropriate, the business department shared the approved contents, with an approval notification, with the development department and the infrastructure operation department. The results of the technical vulnerability checks were also stored in the SR core module, since the check and the performance inspection were performed automatically.
These were used not only for the security review but also as basic information for the regular risk management activities and vulnerability management processes. To control DevOps environments efficiently, so that the security review process works effectively in a development environment mixed with traditional methods, a secure coding plug-in was embedded in the developer’s Integrated Development Environment (IDE); a build is impossible if the application’s source code does not meet the set security criteria. In the KT&G case, when the security review process was first set up, the stakeholders did their jobs through various communication channels, ignoring the procedures.
These inconsistent work requests caused confusion and exceeded the work resources that the information security department could handle. Normal operation only became possible once the ticket management system, based on Jira, was integrated into the IT service management (ITSM) system. This example confirmed that an automation system is essential for establishing processes that involve control. After that, all processes were implemented on the basis of automation.
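The ticket flow described in this subsection, together with the exception path described earlier (sub-tickets issued per check field, results fed back, tickets returned for action and re-checked until sufficient, exceptions approved only by both the CISO and the CIO and written to the risk register for the next regular risk assessment), can be modelled as follows. This is an added example, not KT&G’s system or the Jira/ITSM integration the text describes; the check fields, the round cap, the approver set and the way transactions are counted are assumptions, and the counts it produces are its own, not the paper’s 21 and 37 figures.

```python
"""Model of a security review ticket workflow (added example, not KT&G's code):
sub-tickets per check field, an action / re-check loop, and an exception path
that needs both the CISO and the CIO and lands in the risk register."""
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    REQUESTED = "requested"
    IN_REVIEW = "in_review"
    RETURNED = "returned"            # requirements not met; action required
    APPROVED = "approved"
    EXCEPTION = "exception_approved"
    REJECTED = "rejected"            # no passing round within MAX_ROUNDS


# Assumed check fields (one sub-ticket each), round cap and approver set.
CHECK_FIELDS = ("secure_coding", "cve_cce_cwe", "simulated_hacking", "contracts_sla_nda")
MAX_ROUNDS = 3
EXCEPTION_APPROVERS = frozenset({"CISO", "CIO"})   # both signatures are required


@dataclass
class SubTicket:
    check: str
    passed: bool = False


@dataclass
class Ticket:
    ticket_id: str
    target: str
    status: Status = Status.REQUESTED
    sub_tickets: list = field(default_factory=list)
    transactions: int = 0   # every hand-off counted (constructed rule, not the paper's figures)
    rounds: int = 0


@dataclass
class RiskEntry:
    ticket_id: str
    items: tuple
    approved_by: tuple
    next_assessment: str    # regular risk assessment that must revisit the item


RISK_REGISTER = []          # list of RiskEntry


def open_ticket(ticket_id, target):
    """Business department request (with internal approval); infosec issues sub-tickets."""
    t = Ticket(ticket_id, target)
    t.transactions += 1                       # the initial request itself
    t.sub_tickets = [SubTicket(c) for c in CHECK_FIELDS]
    t.transactions += len(CHECK_FIELDS)       # one sub-ticket hand-off per check field
    t.status = Status.IN_REVIEW
    return t


def performance_check(t, results):
    """Apply one round of results (check name -> bool). Returns True when all pass."""
    t.rounds += 1
    for st in t.sub_tickets:
        st.passed = bool(results.get(st.check, False))
        t.transactions += 1                   # each field feeds its result back
    failed = [st.check for st in t.sub_tickets if not st.passed]
    if failed:
        t.status = Status.RETURNED
        t.transactions += len(failed)         # returned to the owning department for action
        return False
    t.status = Status.APPROVED
    t.transactions += 2                       # approval notification to dev and infra ops
    return True


def run_review(t, result_rounds):
    """Repeat action + performance check until sufficient, or reject at MAX_ROUNDS
    (or when no further round of results is supplied)."""
    for results in result_rounds:
        if performance_check(t, results):
            return t.status
        if t.rounds >= MAX_ROUNDS:
            break
    t.status = Status.REJECTED
    return t.status


def approve_exception(t, approvers, items, next_assessment):
    """Exception path: only for a failed ticket, only with CISO and CIO together."""
    if t.status not in (Status.RETURNED, Status.REJECTED):
        raise ValueError("exceptions apply only to tickets that failed review")
    if not EXCEPTION_APPROVERS.issubset(set(approvers)):
        return False                          # a single approver is not enough
    t.status = Status.EXCEPTION
    t.transactions += 2                       # CISO and CIO sign-offs
    RISK_REGISTER.append(RiskEntry(t.ticket_id, tuple(items),
                                   tuple(sorted(EXCEPTION_APPROVERS)), next_assessment))
    return True


def open_items_for_assessment(assessment_date):
    """What the regular risk assessment on a given date must revisit."""
    return [e for e in RISK_REGISTER if e.next_assessment == assessment_date]


if __name__ == "__main__":
    t = open_ticket("SR-0001", "constructed web application")
    rounds = [{"secure_coding": False, "cve_cce_cwe": True,
               "simulated_hacking": True, "contracts_sla_nda": True},
              dict.fromkeys(CHECK_FIELDS, True)]
    print(run_review(t, rounds).value, "after", t.transactions, "transactions")
```

The point of counting transactions is the one the text makes: a ticket that passes on the first round costs far fewer hand-offs than one that is returned, and every exception costs two executive sign-offs plus a later reassessment, which is why pre-defining exception details pays off.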
As originally planned, the TFT expanded the concept so that the security review process, a unit process of information security activities, could be linked to the ISMS’s information security frameworks and finally implemented in EGIT; that is, a well-established process could be managed as an extended concept in which the management and governance direction systems of the ISMS communicate. As shown in Figure 4, this led to a process in which information security issues of business departments in the organization were passed over to the board of directors beyond the management, centering around the information security department, which serves as a window for continuous communication with stakeholders.
Figure 5 Information Protection-centered Communication Process
4.2.2. Organizational Structures
The information security committee, in which the chief information security officer (CISO)
participates, has become a channel for the management to discuss security issues arising from
the enterprise’s overall departments through the security review process. The management
committee has become the highest management decision-making body that can be consulted
on IT, including information protection. The link between the information security committee
and the management committee is within the scope of the ISMS, and the final board reporting
and audit committee reporting are within the scope of direction required by the EGIT. As a
result, KT&G has an EGIT process structure through the security review process as intended.
To raise the information protection organization to the level of corporate-wide activities, it was necessary, among other things, to upgrade the authority of the chief information protection officer. The TFT in this case determined that this was important for the implementation of the EGIT from the information protection and IT control perspectives. Moreover, the restructuring of the security organization was spurred because the Enforcement Decree of the Act on Promotion of Information and Communication Network Utilization and Information Protection was to be implemented during the relevant period. This enforcement decree required the mandatory designation of a CISO for assets of KRW 5 trillion or more and prescribed the qualifications of the CISO in detail. Thus, the company became interested in designating a properly qualified CISO and in designing the information protection organization.
In this regard, the company commissioned a case analysis service for the information protection organization from a consulting firm and, based on the results, compared and reviewed the strengths and weaknesses of internal qualified persons and external experts in various ways; an internal person was then designated by the judgment of the management committee. The appointed CISO took on the role of supervising overall information protection management across the company, including the establishment and operation of an information protection management system, internal vulnerability assessment and management, and computer asset risk assessment. Accordingly, the department concerned, originally the information management department, a subdivision of the IT office, was reorganized into a new organization under the Chief Operations Officer (COO) of the management support HQ, which is a parallel structure.
The revision was carried out to ensure consistency and to obtain executive power within the organization: information protection policies and guidelines were changed, practical security tasks were handled by recruiting an additional security expert at the managerial level, and an internal influential person was placed in charge of decision-making while managing internal and external interests. In the course of this series of reorganizations, the security review process was identified as a risk item in the review of the aforementioned requirements for designating the CISO under the Enforcement Decree of the Act on Promotion of Information and Communication Network Utilization and Information Protection, and thus served as a viable trigger.
4.2.3. Principles, Policies, Procedures
KT&G’s security review process covers technical security conditions, development security conditions, the forms of service contracts with external companies, application of SLAs, periodic outsourcing company audits, ownership of works, outsider security training, and the collection, use, storage, and disposal of personal information. Since failure to meet the legal compliance and ISMS control items chosen by the company would not result in approval in the security review, three-dimensional revision work was involved. This was also a consequence of the poor compliance and cultural resistance caused by non-compulsory operation during the guidance period of the security review process in the first two months of 2018.
Consequently, the security review process has had the organization-wide impact intended by the TFT through the process of amending policy guidelines. The impact of the security review process has enabled the revision of internal policy guidelines, directly or indirectly, in accordance with laws and compliance. It has been confirmed that the company’s information protection-related compliance requirements were continuously improved in line with the PDCA cycle, the basic philosophy of ISMS, and that the value of EGIT, which reflects the risk assessment results and interconnects the requirements of stakeholders, has been met.
As an indirect effect, the security review process has also become a role model for
existing law compliance monitoring, auditing, personnel management and purchasing
guidance. As the results of each committee, such as the audit committee and the personnel
committee, are reflected in policies and guidelines, the security review process has become a
driver for organizational impact on the overall implementation of corporate governance.
4.2.4. Information
Before the introduction of the security review process, business and infrastructure departments decided on a project-by-project basis whether to connect to a central management database or to organize information in a separate database. Therefore, relatively diverse cloud platform choices and inconsistent database creation were allowed. After the security review process was established, however, data was managed in a consistent and secure manner, taking into account the importance of the information, whether corporate information and personal information were included, the network connectivity section, and the interface and architecture. Above all, control over the collection and use of unnecessary, excessive, and sensitive information became possible, and the business departments’ arbitrary storing of data on external cloud platforms or hosting services was prevented.
This information management was also applied to external data generated before the establishment of the security review process: those data were included within the governance scope, forcing a security review at the time of change. In the KT&G case, data stored independently in an external Internet Data Center (IDC) was consolidated internally through the operation of the security review process, and the existing system was discarded after the ad hoc application service was transferred from the cloud platform to the internal network.
This corresponds to the EGIT COBIT 2019 objectives APO014—Managed Data; DSS03—Managed Problems; MEA03—Managed Compliance With External Requirements; and EDM03—Ensured Risk Optimization. Furthermore, new and unregistered assets were brought into the risk management scope over two months in 2018 through a reinvestigation project of unidentified assets that had been confirmed as risks in the security review. This was a strong driver for executing the asset identification process, the most fundamental part of risk management from an EGIT perspective; it led to the establishment of the Configuration Management Database (CMDB) at the end of 2019 and provided a foothold for the detailed management of the computerized assets that systematically contained the information.
4.2.5. Culture, Ethics and Behavior
The security review process affected the culture as follows. The security review requires a collaborative coordination process, and if the agreed-upon requirements are not met, the project cannot be closed. Such uncompleted projects and delays in the service opening time are the responsibility of all relevant departments. Because of the security review process, therefore, the organization gradually accepted the security process as part of the project and officially conducted coordination with other departments.
In addition, although the newly created information protection department was not culturally supported, security activities gained momentum and security compliance rates increased as the security review was recognized as an official process. A culture was also created of seeking prior advice for each project when reviewing changes in the policies of major departments such as personnel, finance, the human resources development institute, overseas sales, marketing, and sales. Such advice concerned internal and external information protection, customer personal information, and laws and compliance more than security technologies. This prior-advice culture continuously increased inter-departmental contacts, which naturally raised security awareness and a sense of ethics. This improvement in the organizational culture, intended to reduce project risk, was visible in the gradual increase in the number of security review requests and in the growing number of requests for items unrelated to the security review.
It also gradually became internalized that the legal team in charge of the legal review process, which had been established before the security review process, provided collaborative opinions through a security review whenever it determined that a case related to items associated with personal information or information protection. This change in the organization’s internal culture was also seen in the case of the Web vulnerability removal collaboration. Many Web vulnerabilities first identified in 2017, along with newly added ones neglected in 2018, were found. Before the establishment of the security review process, the person in charge held various promotion and coordination meetings to encourage the development and infrastructure departments to fix their vulnerabilities, but the result was an extremely low elimination rate of less than 10%.
To solve these problems, the information security department presented the agenda to the information security committee. The committee decided that the problems were a matter of appropriate education, and ordered three half-day collective education sessions and the stationing of 1 simulated hacker and 1 secure-coding expert in the developers’ office twice a week for three months. This provided the information and education needed to deal with vulnerabilities in the same physical space, enabling immediate resolution. The method supported the organizational culture in two respects. First, the developers’ understanding of secure coding and Web vulnerability handling actually increased; second, through the process of mutual respect and understanding, communication between departments became smoother and a culture of mutual cooperation was motivated. Subsequently, applying the lessons learned from this example [66], the support of the infrastructure departments in addressing CVE and CCE vulnerabilities was obtained by deploying system security specialists in the infrastructure operation room during the vulnerability removal period.
Additionally, these internal success stories were reported back to the information security committee to show that the decision-makers’ decisions had produced the intended results, providing the momentum of a virtuous cycle of actively informing them of the process’s success. This is meaningful because, in terms of governance, it is the part that connects the core philosophy of EGIT, namely Monitor, Evaluate, and Assess (MEA) and Evaluate, Direct, and Monitor (EDM), to the governing body.
4.2.6. People, Skills, and Competencies
With the security review enabled, more resources were needed compared to the initial
establishment of the process. As the security review process matured, the number of review
requests for various and new forms of cases increased. Consequently, the information security
department decided that it needed experts who could fully analyze technical, administrative,
and physical security. In response, the KT&G information security manager analyzed the
number of requests for the security review over six months and calculated the budget estimate
for the IT portfolio approved for the project, presenting necessary professionals to the
information security committee.
The recruitment plan was approved through this process, confirming that the security review process had a positive effect on the recruitment of professionals and the training of internal personnel, and that actual review results and figures made it easier for the management to understand. In the case of KT&G, personnel were assigned to each specialized area, and outsourced and internal personnel were combined to increase efficiency.
Finally, the security review team consisted of the general manager of security review, the director of security review and personal information, the secure coding specialist, the simulated hacker, and the infrastructure vulnerability expert. The team was also designed to reassess the volume of security reviews and the adequacy of resources each year and to reallocate staff accordingly. These staffing arrangements met the COBIT 2019 objective EGIT DSS02—Managed Service Requests and Incidents. For effective resource management, additional outsourcing SLA contracts provided flexible support with additional personnel when the workload increased, and when regular work decreased, those personnel were assigned to process upgrading tasks, enabling stable operation.
In another instance, the establishment of the security review process led to the IT department’s demand to understand the overall security frameworks, and in 2019 ISO27001 examiner training was conducted for the IT department over more than five days. This is a virtuous cycle triggered by the security review, which became an opportunity to internalize security within the company.
4.2.7. Services, Infrastructure, and Applications
KT&G was an organization with a limited understanding of information security, so it needed a strategic approach to changing its organizational structure with limited authority and resources. From the EGIT perspective, the primary objective of the security review process was to gain the understanding and support of the management and the board of directors through these activities. From the structural point of view, the security review process embodied continuous risk management on the security side and played a key process role in the EGIT as an intermediate filter in the core areas of the EGIT COBIT, as shown in Figure 6.
Figure 6 COBIT 5 Governance and Management Key Areas
An automated ticket processing system was needed to implement smooth procedures in this structure. This automated system reduced the resources consumed by unnecessary interdepartmental assignment of work and enabled fair review unaffected by personal feelings. In particular, because of the nature of the security review, the automated system serves as a filter for internal and external regulations and control items, and it is difficult to apply fair and consistent standards when the interests of the responsible personnel and departments influence it. In conclusion, a well-implemented security review management system adds administration and governance elements from a security perspective to all systems included in the review. Specifically, the systems affected by the security review process were the source code configuration management system and the DevOps system. The source code configuration management system was reorganized to meet the security conditions, and source code that had been kept autonomously on developer PCs or in unauthorized systems was consolidated and managed there. As for DevOps, changes that had not been approved in the security review were systematically blocked by the distribution management system, Jenkins. With the secure coding solution integrated into the integrated development environment, the process makes it impossible to build code that does not meet the required level of secure coding. Although there was an initial workload, relatively few vulnerabilities were ultimately found during regular simulated hacking and vulnerability checks, which in the long run had a positive impact on source code security and resource efficiency.
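The build and distribution gate described in this paragraph (the secure coding check that makes a non-compliant build impossible, and the Jenkins step that blocks changes without an approved security review) can be expressed as a single policy check that a CI stage calls and whose exit code fails the stage. This is an added example, not code from KT&G, Jenkins, or any secure coding product; the report format, the severity thresholds, and the sample findings are assumed, and the `excepted_ids` argument stands in for items approved through the CISO/CIO exception path and recorded in the risk register.

```python
"""Release gate (added example, not KT&G's or Jenkins' code): a change is
built/deployed only if its security review ticket is approved and the open
secure coding / CVE / CCE findings meet the assumed policy."""
from collections import Counter
from dataclasses import dataclass

SEVERITIES = ("critical", "high", "medium", "low")

# Assumed policy: no open critical or high findings, at most 5 medium, low unlimited.
DEFAULT_POLICY = {"critical": 0, "high": 0, "medium": 5, "low": None}

# Ticket statuses under which a change may be released (assumed names).
RELEASABLE = frozenset({"approved", "exception_approved"})


@dataclass(frozen=True)
class Finding:
    tool: str          # "secure_coding", "cve" or "cce"
    identifier: str    # id as reported by the tool
    severity: str


def parse_report(text):
    """Parse an assumed 'tool,identifier,severity' report, one finding per line;
    blank lines and '#' comments are skipped, unknown severities are rejected."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tool, ident, sev = (part.strip() for part in line.split(","))
        sev = sev.lower()
        if sev not in SEVERITIES:
            raise ValueError(f"unknown severity {sev!r} in line {line!r}")
        findings.append(Finding(tool, ident, sev))
    return findings


def evaluate_gate(review_status, findings, excepted_ids=frozenset(), policy=DEFAULT_POLICY):
    """Return (allowed, reasons). excepted_ids are findings that carry a CISO+CIO
    exception and therefore sit in the risk register instead of blocking."""
    reasons = []
    if review_status not in RELEASABLE:
        reasons.append(f"security review ticket not approved (status={review_status})")
    open_findings = [f for f in findings if f.identifier not in excepted_ids]
    counts = Counter(f.severity for f in open_findings)
    for sev in SEVERITIES:
        limit = policy.get(sev)
        if limit is not None and counts[sev] > limit:
            reasons.append(f"{counts[sev]} open {sev} finding(s) exceed limit {limit}")
    return (not reasons, reasons)


def gate_exit_code(review_status, report_text, excepted_ids=frozenset()):
    """What a pipeline step would call: non-zero fails the build/deploy stage."""
    allowed, reasons = evaluate_gate(review_status, parse_report(report_text), excepted_ids)
    for r in reasons:
        print("BLOCKED:", r)
    return 0 if allowed else 1


# Constructed sample report: CVE/CCE ids are placeholders, CWE ids are real categories.
SAMPLE_REPORT = """\
# tool,identifier,severity
secure_coding,CWE-89,high
secure_coding,CWE-79,medium
cve,CVE-XXXX-PLACEHOLDER,critical
cce,CCE-PLACEHOLDER-1,low
"""

if __name__ == "__main__":
    import sys
    sys.exit(gate_exit_code("approved", SAMPLE_REPORT))
```

Run as a script, the sample is blocked twice (one open critical and one open high finding) even though the ticket is approved; the same report passes only when both of those findings carry an exception, which keeps the decision reproducible and independent of who is asking, the property the text attributes to the automated system.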
5. CONCLUSION
The bottom-up EGIT system based on the security review process designed by KT&G is characterized by the efficient implementation of seamless communication and of enterprise-wide information security, transferring from the lowest level (i.e., the information security manager) to the highest level (e.g., the IT control manager of the governance structure). It has also been confirmed that security departments within the organization have the advantage of actively pursuing the digitalization of the company because they understand the EGIT and can present a direction that facilitates future independent EGIT projects. KT&G’s case is the first successful project showing that a bottom-up IT governance structure can be more effective than typical top-down IT governance, and its key implications are as follows:
First, a bottom-up EGIT approach requires in-house experts. In the TFT of the KT&G case, the overall project was designed by the information security manager and the IT control manager, who joined in late 2018 with an understanding of and expertise in EGIT. By the time the project was approved, internal stakeholders had no awareness of EGIT, and it was through active collective education and persuading the stakeholders of its necessity that the EGIT goals and objectives could be internalized in the project. In fact, even after the project was launched, a clear understanding of the needs only developed later in 2018, when the security review process was established and the ISMS frameworks were met. This approach corresponds to the S7 IT governance function/officer and S8 Security/Compliance/Officer of the IT governance structure, one of the EGIT components suggested by De Haes, which, as he claimed, is relatively easy to implement in an organization and highly effective. Even though this theory was not presented with a bottom-up approach in mind, it was also confirmed to be an important item for a bottom-up EGIT approach.
Second, an automated management system that can run the entire security review process is essential. This is emphasized even more in large organizations: as the KT&G case shows, during the initial process operation phase the security review was handled only through instant messages, e-mails, telephone calls, and meetings, without systematization, and because of this, systematic management was difficult when workloads had to be managed and the transfer and approval of highly complicated tasks had to be handled. There was also the problem that the departments requesting security reviews did not recognize the security review process as a required process. The process, however, gradually settled down after the automated system was established. As the case analysis shows, the best approach is therefore to link to the IT service management (ITSM) system already established in the company, and if there is no systematized ITSM, a separate ticket management system should be considered.
If automated CVE, CCE, and CWE inspection tools, secure coding tools, and Application Program Interfaces (APIs) are linked when the system is established, more systematic management is possible. In the same vein, identifying technical vulnerabilities manually is impossible without the aforementioned automation solutions. In conclusion, KT&G established a security review management system to automate the entire process and to manage technical and administrative risks in conjunction with an automated vulnerability management system. As previous studies highlighted the importance of technology, this study, as a real-world example, shows once again that adopting and utilizing technologies is important for succeeding in modern EGIT based on the security review process presented.
Third, continuous communication with management is important in the construction of all intra-company processes. Communication channels with management are key points for ISMS and EGIT establishment [9,21,26]. These activities are effective only if they are performed regularly and repeatedly. An additional lesson learned from this study is that, in communication with the management and board of directors, approaching it in the form of compliance can produce successful results. ISO27001:2013 and K-ISMS make management review and an information security committee mandatory, while COBIT 2019 prescribes Monitor, Evaluate, and Assess (MEA) as one of the four domains of management objectives. For newly established processes applied across the enterprise, cultural resistance arises, although its degree varies. If the leadership's understanding is low, it is difficult for IT, the core of EGIT, to reach the stage where it mutually affects corporate decision-making. Thus, as the KT&G case shows, it is necessary to create as formal and significant an environment as possible, because when compliance or obtaining certifications is set as one of the company’s goals, the procedure itself is difficult to ignore and must be implemented to achieve goals that are measured by performance. The information security committee has become a communication channel that is regularly discussed at the management meetings.
Communication is essential among horizontal departments as well. Active communication, support, and education are needed, as seen in the case of the on-site deployment of experts in the vulnerability removal project. A lack of clear understanding of technical measures tended to delay remediation of vulnerabilities found in applications and infrastructure systems, and these issues caused frequent misunderstandings between departments during initial operations after the process was established. From the perspective of the responsible personnel, this can be perceived as a task added to their existing work, so it was important to increase understanding through continuous education and to avoid delays caused by individual technical capabilities. It was confirmed that smooth communication between departments is as important as vertical communication in resolving this conflict structure. This proved that the “R9 corporate internal communication addressing IT on a regular basis” item and “APO-08 Managed Relationship, a requirement of COBIT 2019,” highlighted by De Haes et al. (2010), are important parts of bottom-up EGIT establishment through the security review process.
Fourth, in the case of the security review process, new IT systems cannot be released unless approved, so it has a strong controlling tendency. This coercion is necessary for operating the security review process successfully: in the initial stages of process establishment there was no active cooperation between the relevant departments during the guidance period, and the TFT therefore carried out the work of amending policy guidelines to enforce it. Clear coercion prevented the unnecessary waste of resources due to inter-departmental interests or environmental variables and culturally increased awareness of compliance with information protection. This is not emphasized in top-down EGIT because, in the top-down case, processes established by management decisions are generally supported within the organization and already carry a tendency of coercion. As the case shows, however, it is emphasized as a key element in a bottom-up approach, where management interest is relatively low.
In short, it is a premise that is inherent in, and therefore rarely emphasized in, traditional top-down EGIT implementations, but one that must be emphasized explicitly in bottom-up EGIT implementations through the security review process. As the results of the case show, the modern process-oriented bottom-up governance approach cannot operate without digitization. This is because the information security activity called security review itself contains technical items and is not manageable without automated database processing. Real-time communication is likewise required based on data extracted from the database, and it is impossible to detect and act on violations without the technical implementation of control devices. This automation is also more meaningful because it is systemically applicable to establishing processes that require coercion.