A Conceptual Framework of IT Security Governance and Internal Controls

Nadianatra Musa


The Board and senior management use internal controls and IT risk governance to ensure that the corporation's directives, such as security policies, standards, procedures, guidelines, administrative rules and practices at all organizational levels, are properly chosen, adapted to the organization, implemented and enforced. Three research problems were identified in this paper: lack of involvement of the board and senior management in understanding IS/IT security problems, unbalanced implementation of IS/IT security across the Formal, Technical and Informal components, and lack of internal control applications over IS/IT security. This led to the development of a conceptual framework of IT Security Governance and Internal Controls. Interviews were undertaken with eight Malaysian Publicly Listed Companies to identify the issues that relate to IS/IT Security Governance in Malaysia. The findings reported in the data analysis were consistent with the conceptual framework of IT Security Governance and Internal Controls.


IT security governance; internal controls; formal component; informal component; technical component

e-ISSN : 2289-2192

For any inquiry regarding our journal please contact our editorial board by email apjitm@ukm.edu.my