Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

CIS3005-N Information Governance Portfolio: Risk Management & Training

Verified

Added on 2022/11/28

AI Summary

This portfolio examines information governance for a national dating agency, Private Match, focusing on risk management and staff training. The report begins with an introduction to information governance and its importance for data security, emphasizing confidentiality, integrity, and availability. It proposes a risk management plan to enhance operational and environmental security, including risk identification, assessment, and control. The portfolio identifies information assets such as strategies, intellectual properties, and customer data, and assesses potential threats and vulnerabilities. It also provides strategies for risk control, including defense, transferral, mitigation, acceptance, and termination. Furthermore, the portfolio discusses staff training and security considerations, covering ethical, legal, and regulatory compliance, including the Data Protection Act and GDPR, and outlines a framework for preventing data breaches. Finally, the portfolio concludes by summarizing the key findings and recommendations for effective information governance.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running head: INFORMATION GOVERNANCE
Information Governance
Name of the Student
Name of the University
Author’s Note:

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

1
INFORMATION GOVERNANCE
Table of Contents
1. Introduction............................................................................................................................2
2. Proposal of Risk Management to enhance Operational and Environmental Security of the
Company....................................................................................................................................2
2.1 Objective of the Risk Management..................................................................................2
2.2 Identification of Information Assets................................................................................4
2.3 Risk Assessment...............................................................................................................6
2.4 Risk Control.....................................................................................................................8
2.5 Business Continuity Planning........................................................................................10
3. Staff Training and Security Considerations.........................................................................12
3.1 Ethical, Legal and Regulatory Compliance...................................................................12
3.2 Data Protection Act........................................................................................................14
3.3 Data Breach Incidents....................................................................................................14
3.4 Suitable Framework for ensuring Prevention of Data Breaches....................................15
3.5 Ensuring Policy in place with Quarterly Review...........................................................15
3.6 Process of Company complying GDPR or Reporting to any Suspected Fraud Activity
..............................................................................................................................................16
4. Conclusion............................................................................................................................17
References................................................................................................................................18

2
INFORMATION GOVERNANCE
1. Introduction
Information governance (IG) can be referred to as the proper management of
information within any particular company. Information governance focuses on CIA or
confidentiality, integrity and availability of the confidential data under every circumstance
and hence providing proper guidance over data security (Tallon, Ramirez and Short 2013).
The report highlights a proper discussion on information governance program for a popular
national dating agency, known as PM or Private Match. This particular website matches
people, who are looking for a partner with similar personalities and interests. Around 6
offices are present of this company and they have been expanding their business majorly.
They had IT support teams for every office and current they are using their own server
equipment for storing the data. The administrator of Private Match uses algorithms of
artificial intelligence that automatically notify the client as soon as match is being found. The
user can accept, reject and even mark as tentative for later reviewing. With the help of AI, it
is being observed that matching is done in a better manner. Since, customers are providing
personal data, it is quite important to include information governance. It would help them in
securing CIA or confidentiality, integrity and availability of data. This report will be
providing details regarding two most important segment of risk management and staff
training as well as security consideration.
2. Proposal of Risk Management to enhance Operational and Environmental Security
of the Company
2.1 Objective of the Risk Management
Private Match requires risk management in their business for enhancing their
operational and environmental security of the organization (Smallwood 2014). The main
objective of this risk management is identifying the potential issues even before they occur so

3
INFORMATION GOVERNANCE
that the risk handling activities might be planned as well as invoked for mitigating the
adverse effects over achievement of the objectives. The administrator of PM would be able to
detect, analyse and even manage the threats. Successful detection of the threats mainly
includes identification of the vulnerabilities and threats that could be affecting the respective
assets of the company. An effective risk management involves a proper risk identification
through better involvement and collaboration of all stakeholders. A strong leadership with
every stakeholder is required for establishment of the environment for open discussion and
disclosure of risks (Van Grembergen and De Haes 2018). There are three components of risk
management, which are as follows:
i) Risk Identification: The first component is risk identification, in which the
inventory assets are identified and prioritized. Finally, the threats and risks are identified and
prioritized. For Private Match, the main assets include IT infrastructure, servers, database,
software applications and software packages. Since, they are dealing with customers’ data, it
is evident that they would require high level of risk management, so that there exists no
option of data loss under any circumstance.
ii) Risk Assessment: The second component of risk management is risk assessment,
by which the vulnerabilities within threats and assets could be identified and the asset
exposure is identified as well as quantified (Caldicott 2013). The risk factors could be easily
identified so that risk evaluation is possible in PM without much complexity.
iii) Risk Control: The final component of risk management is risk control. It is the
collection of methodologies, through which the organizations are able to evaluate the
potential losses before taking any action for successful reduction or elimination of the threats.
It is required to manage or control the risks effectively so that PM does not face any type of
complexity.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

4
INFORMATION GOVERNANCE
2.2 Identification of Information Assets
Risk can be defined as the possibility to lose anything of value such as assets,
resources for any company. Information asset like a body of knowledge, which is eventually
organized as well as managed as one single entity (Hagmann 2013). For any specific
corporate asset, the information assets of the company comprise of financial values. This
particular value increments in the direct relationship to those people, who have the core
ability of making use of the information. Since, any information comprises of a shorter life
cycle, it has the tendency of depreciating over time like several other corporate assets. Speed
at which information value is being lost mainly is dependent on the type of information the
asset could represent and level of accuracy the information is remaining on time. In
maximum companies, this information could not be utilized as a liability. The information
asset could be sub divided as per criteria for not only the frequency of use or relative
importance (Silic and Back 2013). The information assets of PM are extremely important and
significant for the success of the company and even for improving future revenue or
reduction of future expenses. The major information assets of PM are as follows:
i) Strategies: The first information asset of PM is their business strategies. They have
made unique business strategies for gaining competitive advantages. These strategies,
objectives, goals and plans are required for improving the current position of the company
within the existing market.
ii) Intellectual Properties: These are the second important and significant information
assets for Private Match. Intellectual properties are valuable copyrights, patents, trademarks
or any other information, which is substantially granted legal protections like trade dress
(Wu, Straub and Liang 2015). The developed software with AI algorithms is also included as
IP.

5
INFORMATION GOVERNANCE
iii) Trade Secrets: The trade secrets are inclusive of methods, processes, formulas,
designs, techniques and procedures together are termed as other important information asset
for PM and are used for competitive advantages.
iv) Decision Support Tools: Another vital and distinctive information asset for PM is
decision support tool. These are information tools as well as confidential data, which are
being utilized for improving business decisions.
v) Customer Data Documentation: This is yet another vital information asset for PM
(Von Solms and Van Niekerk 2013). Since they have to deal with customers’ data, it is highly
required for them to document customer data and preserve them for avoiding any kind of data
loss.
Information Assets Criteria 1:
Impact to
Revenue
Criteria 2:
Impact to
Profitability
Criteria 3:
Impact to
Public
Image
Weighted
Score
Criterion Weight (1 to 100) 30 40 30
Business Strategies 0.6 0.9 0.4 66
Intellectual Properties 0.8 0.8 0.7 77
Trade Secrets 0.3 0.6 0.5 48
Decision Support Tools 0.7 0.9 0.6 75
Customer Data Documentation 1.0 1.0 1.0 100
Weighted Factor Analysis Worksheet
(Created by the Author in MS Word)

6
INFORMATION GOVERNANCE
2.3 Risk Assessment
Risk assessment in Private Match is completed in five distinctive steps, which are
given:
i) Identification of Hazards: The first step in this particular risk assessment is
identification of hazards. PM would be able to look for the major of threats and
vulnerabilities related to the respective organizational assets (Crossler et al. 2013). This is
required for their successful implementation of risk management plan.
ii) Decision of getting harmed: The second step of risk assessment that should be
considered by Private Match is that they should check the vulnerabilities are affecting which
particular asset of the company.
iii) Evaluation of the Risks: The risks identified are required to be evaluated in the
next step, for understanding the level of vulnerability. This particular step is vital as PM has
to deal with customers’ personal data and data loss which might result in loss of reputation as
well as failure of the business.
iv) Recording of Findings: In the fourth step, it is needed to record the findings of
risk evaluation and analyse them in an effective manner.
v) Reviewing of Assessment: The final step of this risk assessment process is to
review the entire assessment (Peltier 2013). It helps in understanding what steps should be
undertaken for successful elimination or eradication of the risks identified.
2.3.1 Threats Vulnerabilities Assets Worksheet or TVA
Threats IT
Infrastruc
ture
Servers Databas
e
Artificial
Intelligen
ce
Software
Applicati
ons
Priority of
Controls (1
to 10)

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

7
INFORMATION GOVERNANCE
Computer
Virus
Yes No Yes Yes Yes 3
Rogue
Security
Software
No Yes Yes Yes Yes 2
Trojan
Horse
Yes Yes No No Yes 5
Adware
and
Spyware
No No No No Yes 10
Social
Engineerin
g Attack
No Yes No Yes Yes 7
DDoS
Attack
Yes Yes Yes No No 4
Phishing No Yes No No Yes 9
SQL
Injection
Attack
Yes Yes Yes Yes Yes 1
Rootkit No Yes No Yes Yes 5
Man in the
Middle
Attack
No Yes No No Yes 8
TVA Worksheet
(Created by the Author in MS Word)

8
INFORMATION GOVERNANCE
2.4 Risk Control
Risk control is a set of methods, through which any specific firm can evaluate or
assess the potential losses and then undertake relevant actions for reduction or elimination of
the threats. Risk control is the most effective technique, which uses findings from risk
assessment that include identification of potential risk factor and providing level of
vulnerability (Siponen, Mahmood and Pahnila 2014). It implements proactive changes for
reduction of risks and hence limiting to the lost assets and income as well. There is a
diversified collection of potential dangers, competitors and obstacles and helps in
identification, assessment as well as preparation for any kind of dangers, disaster potentials
and hazards. It is a plan based strategy, which has core aims for identification and assessment
of the business strategies. The figurative and physical potentials might interfere with the
operations and objectives of the company. For the agency of Private Match, they should
consider to be major and the most important strategy for risk control. (Peltier 2016) The ten
identified risks for PM are system virus, rogue security software, Trojan horse, adware and
spyware, social engineering attack, DDoS attacks, phishing, rootkit, SQL injection attacks
and man in the middle attack.
2.4.1 Strategies for Risk Control
The five strategies of risk control include defence, transferral, mitigation, acceptance
and termination. These five above mentioned strategies are required for controlling the ten
identified risk for PM. The details are provided below:
i) Defence: The first and the foremost strategy for risk control is defence. The
application of safe guards, which eradicate or decrease the remaining controlled risks. This
particular strategy is for those risks, which need defence to lower the overall effect (Safa,

9
INFORMATION GOVERNANCE
Von Solms and Furnell 2016). The DDoS attacks and social engineering attacks in PM could
be controlled with this strategy.
ii) Transferral: The second strategy for risk control is transferral that shifts the risks
to any other area or the outside entity. The risks of rogue security software and adware and
spyware can be controlled with this specific strategy.
iii) Mitigation: The next strategy for control of risks is mitigation. The reduction of
impact of the information assets regarding exploitation of vulnerability is possible with
mitigation of the risks (Xu et al. 2014). The risks of man in the middle attack and phishing
can be controlled with this specific strategy.
iv) Acceptance: Another distinctive strategy for risk control is acceptance. Proper
understanding of consequences of selecting to leave any risk uncontrolled and then properly
acknowledging these risks, which remain without any attempt for control. The computer virus
and rootkit can be controlled with this specific risk control strategy.
v) Termination: The next strategy of risk control is termination. The removal or
discontinuation of the information assets from the operating environment of the company
(Yang, Shieh and Tzeng 2013). The Trojan horse and SQL injection attack can be controlled
with this specific risk control strategy.
2.4.2 Justification of Risk Control
The risk control strategies in PM are required for reducing or eliminating the issues
and threats faced by the organization in their systems. The first strategy of defence works for
deterring an exploitation of vulnerability, which needs major protection. These defence
methods could apply to the physical and logical methods for providing subsequent protection
of a defence strategy. This application of the several layers of defensive measures could be
known as defence in depth. The second distinctive strategy of risk control for PM is

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

10
INFORMATION GOVERNANCE
transferral. It is the successful sharing of the responsibilities of risks within any specific third
party (Singh 2013). It is needed for not permanently removing the risks, however providing a
shield to the company assets. Another important strategy for Private Match is mitigation. This
particular strategy ensures completion removal or mitigation of the risks by implementing
measures and restricting a successful attack. The fourth strategy for PM regarding risk control
is acceptance. It accepts the identified threat, however deploys no defence strategy. Few risks
are effective for the business. Finally, the fifth strategy is termination. Instead of utilizing a
safeguard for protection of the asset and deployment of 0 safeguards, this particular strategy
eventually removes asset from environment with risk (Soomro, Shah and Ahmed 2016). It is
highly recommended for PM to implement these five above mentioned strategies for
successful eradication of the ten risks identified.
2.5 Business Continuity Planning
Business continuity planning or BCP can be referred to as the procedure that is being
included to create a specific system for prevention as well as recovery from any potential
threats to an organization. The main objectives of BCP is to enable each and every ongoing
operation before or even at the time of execution of the disaster recovery. It is the core
capability for making the changes within organizational environment. It helps in enabling the
companies to endure these changes or even to adapt a new method to work in the manner that
is effective for the business (D'Arcy, Herath and Shoss 2014). BCP would be extremely
effective for PM for few distinctive advantages, which are as follows:
i) Minimization of Effect of Disruption: The disruption effects are highly reduced
with successful implementation of BCP in PM and they would be able to run the business
smoothly.

11
INFORMATION GOVERNANCE
ii) Reduction of Physical Asset Risk: The risks to physical assets are the most
common risks for PM and this could be reduced with an effective BCP (Andress 2014).
iii) Recovery of Critical System: The critical system could be easily recovered in a
specific time frame and this would be easily analysed without any complexity.
iv) Measuring of Level of Compliance: The level of compliance could be measured
with the help of BCP in PM (Cárdenas, Manadhata and Rajan 2013).
2.5.1 Disaster Recovery
Disaster recovery planning is the structured approach with basic instructions to
respond towards any type of incident (Ahmad, Maynard and Park 2014). It is a sequential
plan that comprises of the subsequent precautions for successful minimization of effects of a
disaster so that the company could continue in operation or quickly resuming of the mission
critical functionalities. The disaster recovery planning includes a better analysis of the
business processes or needs of continuity. Before generation of a detailed planning, PM can
easily perform an analysis of the business impact as well as risk analysis, so that they are able
to establish the recovery time objective. As PM has to deal with customers’ personal data, the
disaster recovery planning would be extremely effective for the business (Posey et al. 2014).
The main issues such as data, suppliers, resources, technology and budget are required to be
analysed and it is possible with the successful implementation of DR plan.
2.5.2 Incident Response Plan
The incident response (IR) planning is a documented as well as systematic
methodology towards approaching or managing the situations that result from the incidents or
breaches of IT security (Chen, Ramamurthy and Wen 2015). The IR plan in PM could be
used in the enterprise IT facilities and environments for limiting, identifying and responding

12
INFORMATION GOVERNANCE
along with counteracting the security incidents that are occurring. The five steps in incident
response planning are as follows:
i) Preparation.
ii) Detection and Reporting.
iii) Analysis.
iv) Containment and Neutralization.
v) Post Incident Activities.
3. Staff Training and Security Considerations
Staff training is considered as one of the major and the most significant requirements
in an organization (Webb et al. 2014). This particular training program, which helps out the
employees to learn subsequent skills or knowledge for improving performance in the current
roles. Training is extremely expansive as well as focuses on the growth of employees
regarding their future performances. An effective training and development program even
helps in retaining the correct and appropriate people so that they are able to enhance their
business profits. This type of training is the procedure of providing training to the existing
staff of the organization, which could be extremely beneficial for both growths of the staff
and organizational productivity (Kolkowska and Dhillon 2013). This type of training could
be completed for various distinctive reasons such as improvement in the performances or
overall professional development of staff. Private Match should include staff training for each
and every staff in the organization.
3.1 Ethical, Legal and Regulatory Compliance
The main reason for such training is that the members of this organization would be
able to handle the issues and complexities effectively. Moreover, they have to understand

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

13
INFORMATION GOVERNANCE
algorithms of artificial intelligence and for this particular reason, it is vital for them to know
about the way to handle the systems, so that customers get error free services (AlHogail
2015). An effective staff training even helps the organization in enhancing their security
aspects and more security factors are enhanced to a high level.
The ethical compliance for staff training is to be maintained in PM. Every moral code
of conduct, which includes compassion, diversity and honesty should be followed effectively
so that the business follows ethical workplace limitations. The two major functions of the
business would be followed, which are as follows:
i) Protection of Company’s Bottom Line: The bottom line of the company would be
easily secured and protected and the unethical behavioural impacts would be easily identified
without much complexity.
ii) Makes the Company A Great Place for working: PM would become a great place
for working as soon as ethical compliance would be maintained and the employees as well as
customers would be highly satisfied.
The legal compliance for the staff training should also be maintained within PM, since
it is needed to train the employees as per rules, regulations as well as company policies,
which are applicable to the employment (Laszka, Felegyhazi and Buttyan 2015). The
customers’ personal data are being used in this agency for matching purposes and hence it is
required for them to understand the importance of laws and regulations in a better manner.
Moreover, there would be lesser chances of loss and theft of confidential data and staff
performance would be improved. Regulatory compliance refers to the adherence to
regulations and laws, which are relevant to the business processes. The violations of
regulatory compliance regulation could eventually result into major legal punishments for
staff of PM with federal fines. The most effective law or standard that is applicable to the

14
INFORMATION GOVERNANCE
case study is ISO27001. They are using the current version of 2013, since it is providing a set
of standard requirements for their existing ISMS or information security management system.
PM is able to establish, implement, operate, monitor, maintain or even improve the ISMS
with regulatory compliance.
3.2 Data Protection Act
Data Protection Act 2018 is the successful deployment of the GDPR in the United
Kingdom. Each and every employee in Private Match, who is responsible for using the
personal data, should follow distinct rules, known as principles of data protection (Layton
2016). The eight principles of Data Protection Act, which are required to be followed by the
staff of PM are as follows:
i) Fairly and Lawfully Processed.
ii) Processed for restricted Purposes.
iii) Relevant, Adequate and No Excessive.
iv) Accurate.
v) Not kept for longer than is Necessary.
vi) Processed in Line with rights.
vii) Secure.
viii) Not transferred without proper protection.
3.3 Data Breach Incidents
There had been multiple incidents of data breach. The first popular incident occurred
in Yahoo, which impacted more than 3 billion user accounts. It occurred in year of 2013-14
and the attack comprised of the real names, telephone numbers, dates of birth and email

15
INFORMATION GOVERNANCE
addresses of the customers were revealed. Another popular data breach incident occurred for
Marriott International during the year of 2014. More than 500 million customers were
affected and the data were stolen. Since, PM has to deal with customers’ data, such incidents
could easily occur for them.
3.4 Suitable Framework for ensuring Prevention of Data Breaches
IT Infrastructure Library or ITIL framework is the most suitable framework for
ensuring prevention of data breaches. There are five stages in the ITIL life cycle, which
include service strategy, service design, service transition, service operation and continual
service improvement (Lebek et al. 2014). All the five stages are focused over a specified
phase of the service life cycle. PM would be able to resolve the issues and new IT services
could be designed. The main goal is making the entire organization to think as well as act in a
strategic manner. It is also effective for better governance of information.
One of the most distinctive goal of this IG is providing the employees with
subsequent data, which they could easily trust or access during consideration of business
decisions. In several popular organizations, the responsibilities or duties for the tasks of data
governance are being split amongst the teams of database, storage and security (Shameli-
Sendi, Aghababaei-Barzegar and Cheriet 2016). The requirement of this step is to manage
information not becoming evident until an event is occurring like corporate merger,
compliance audit and lawsuit. As this type of governance has become the most significant
approach towards corporate functionalities such as compliance, customer outreaches and
business procedures, several distinctive organizations have started to include chief
information governance officers for leading the relevant projects and programs.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

16
INFORMATION GOVERNANCE
3.5 Ensuring Policy in place with Quarterly Review
PM should review their security policy on a quarterly basis. This would allow them in
proactively tackling the policy and take necessary actions as per requirements. As they have
to deal with customers’ data, it is needed for them to maintain information governance within
the business, hence maintaining ethical and legal compliances (Öğütçü, Testik and
Chouseinoglou 2016). This type of governance eventually balances proper use and security of
information. IG even helps with operational transparency, legal compliance before reduction
of the expenditures, related to legal discovery. Private Match could easily establish a logical
and consistent framework for the employees for the core purpose of handling sensitive data
through the various procedures and policies of information governance.
These distinctive policies provide a proper guidance for the behaviour about the
agency as well as employees handling ESI or electronically stored information. This
information governance is responsible for encompassing traditional records management and
even incorporating the compliance, information protection and security, knowledge
management, business intelligence, risk management, data science, enterprise architecture,
privacy, audit, information technology management, business analytics, data archive, data
storage and many more (Cezar, Cavusoglu and Raghunathan 2013). Thus, quarter review of
security policies is required for PM.
3.6 Process of Company complying GDPR or Reporting to any Suspected Fraud
Activity
PM can comply with GDPR for protecting personal data of their customers. The steps
to GDPR compliance are as follows:
i) Ensuring Stakeholders appreciating Importance of GDPR.
ii) Documenting Customers’ Personal Data and holding Information Audit.

17
INFORMATION GOVERNANCE
iii) Reviewing Current Privacy Notices and making Changes.
iv) Checking the Procedures and updating them.
v) Identification of Lawful basis in the GDPR.
vi) Reviewing Process of Seeking, recording and Managing Information.
vii) Ensuring Detection and Investigation of a Data Breach.
viii) Determination of Lead Data Protection Authority.
4. Conclusion
From the above report, it can be noted that information governance provides major
description about retention as well as disposition of data, so that they are able to avoid
privacy, compliance and access control issues. It is considered as the most holistic approach
that is being utilized for better management of corporate information only successful
implementation of major metrics, controls, roles and processes. These above mentioned
implemented metrics are solely responsible for treating confidential information as the most
valuable business asset. The major objective of this holistic approach for IG is making the
information assets completely available to those, who require it during streamlining of better
management. It is even required for reduction of the storage expenses, thus ensuring
compliance.
Information governance enables an organization in reducing each and every legal risk
related to the inconsistently managed or unmanaged information for being more agile as
providing response to the changing market place. Private Match is a popular dating agency
that has decided to secure their customers’ data and information by means of enhancing the
overall effectiveness and efficiency of data governance for bringing major changes in the
organizational security system. The above provided report has clearly outlined a detailed

18
INFORMATION GOVERNANCE
analysis of risk management in the dating agency of Private Match with relevant details. Data
protection regulations are also provided in this report. The final part of the report has
described about staff training and security considerations for the organization, including
ethical, legal and regulatory aspects. Moreover, data breaches are also described in this report
with the process of company complying GDPR.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

19
INFORMATION GOVERNANCE
References
Ahmad, A., Maynard, S.B. and Park, S., 2014. Information security strategies: towards an
organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2),
pp.357-370.
AlHogail, A., 2015. Design and validation of information security culture
framework. Computers in Human Behavior, 49, pp.567-575.
Andress, J., 2014. The basics of information security: understanding the fundamentals of
InfoSec in theory and practice. Syngress.
Caldicott, F., 2013. Information: To share or not to share. Information Governance
Review. Information: To share or not to share.
Cárdenas, A.A., Manadhata, P.K. and Rajan, S.P., 2013. Big data analytics for security. IEEE
Security & Privacy, 11(6), pp.74-76.
Cezar, A., Cavusoglu, H. and Raghunathan, S., 2013. Outsourcing information security:
Contracting issues and security implications. Management Science, 60(3), pp.638-657.
Chen, Y.A.N., Ramamurthy, K.R.A.M. and Wen, K.W., 2015. Impacts of comprehensive
information security programs on information security culture. Journal of Computer
Information Systems, 55(3), pp.11-19.
Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M. and Baskerville, R.,
2013. Future directions for behavioral information security research. computers &
security, 32, pp.90-101.
D'Arcy, J., Herath, T. and Shoss, M.K., 2014. Understanding employee responses to stressful
information security requirements: A coping perspective. Journal of Management
Information Systems, 31(2), pp.285-318.

20
INFORMATION GOVERNANCE
Hagmann, J., 2013. Information governance–beyond the buzz. Records Management
Journal, 23(3), pp.228-240.
Kolkowska, E. and Dhillon, G., 2013. Organizational power and information security rule
compliance. Computers & Security, 33, pp.3-11.
Laszka, A., Felegyhazi, M. and Buttyan, L., 2015. A survey of interdependent information
security games. ACM Computing Surveys (CSUR), 47(2), p.23.
Layton, T.P., 2016. Information Security: Design, implementation, measurement, and
compliance. Auerbach Publications.
Lebek, B., Uffen, J., Neumann, M., Hohler, B. and H. Breitner, M., 2014. Information
security awareness and behavior: a theory-based literature review. Management Research
Review, 37(12), pp.1049-1092.
Öğütçü, G., Testik, Ö.M. and Chouseinoglou, O., 2016. Analysis of personal information
security behavior and awareness. Computers & Security, 56, pp.83-93.
Peltier, T.R., 2013. Information security fundamentals. CRC press.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for
effective information security management. Auerbach Publications.
Posey, C., Roberts, T.L., Lowry, P.B. and Hightower, R.T., 2014. Bridging the divide: A
qualitative comparison of information security thought patterns between information security
professionals and ordinary organizational insiders. Information & management, 51(5),
pp.551-567.
Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance
model in organizations. computers & security, 56, pp.70-82.

21
INFORMATION GOVERNANCE
Shameli-Sendi, A., Aghababaei-Barzegar, R. and Cheriet, M., 2016. Taxonomy of
information security risk assessment (ISRA). Computers & Security, 57, pp.14-30.
Silic, M. and Back, A., 2013. Factors impacting information governance in the mobile device
dual-use context. Records Management Journal, 23(2), pp.73-89.
Singh, G., 2013. A study of encryption algorithms (RSA, DES, 3DES and AES) for
information security. International Journal of Computer Applications, 67(19).
Siponen, M., Mahmood, M.A. and Pahnila, S., 2014. Employees’ adherence to information
security policies: An exploratory field study. Information & management, 51(2), pp.217-224.
Smallwood, R.F., 2014. Information governance: Concepts, strategies, and best
practices (Vol. 574). John Wiley & Sons.
Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs
more holistic approach: A literature review. International Journal of Information
Management, 36(2), pp.215-225.
Tallon, P.P., Ramirez, R.V. and Short, J.E., 2013. The information artifact in IT governance:
toward a theory of information governance. Journal of Management Information
Systems, 30(3), pp.141-178.
Van Grembergen, W. and De Haes, S., 2018. Introduction to the Minitrack on IT Governance
and its Mechanisms.
Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber
security. computers & security, 38, pp.97-102.
Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for
information security risk management. Computers & security, 44, pp.1-15.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

22
INFORMATION GOVERNANCE
Wu, S.P.J., Straub, D.W. and Liang, T.P., 2015. How information technology governance
mechanisms and strategic alignment influence organizational performance: Insights from a
matched survey of business and IT managers. Mis Quarterly, 39(2), pp.497-518.
Xu, L., Jiang, C., Wang, J., Yuan, J. and Ren, Y., 2014. Information security in big data:
privacy and data mining. Ieee Access, 2, pp.1149-1176.
Yang, Y.P.O., Shieh, H.M. and Tzeng, G.H., 2013. A VIKOR technique based on
DEMATEL and ANP for information security risk control assessment. Information
Sciences, 232, pp.482-500.