In today’s global business environment, the significance of information is widely accepted, and information systems are truly pervasive throughout business and governmental organisations. The growing dependence of most organisations on their information systems, coupled with the risks, benefits and opportunities IT carries with it, has made IT governance an increasingly critical facet of overall governance. Boards and management alike need to ensure that IT is aligned with enterprise strategies, and that enterprise strategies take proper advantage of IT.
Security breaches are an increasingly common occurrence. As early as 1996, the US General Accounting Office (GAO) reported that the US Department of Defense had experienced as many as 250,000 attacks on 15,000 systems in the previous year, of which 65 percent were successful, costing hundreds of millions of dollars. More sobering is that only 400 of these were detected and only 20 reported. In 1996 it was largely a vulnerability. Five years later it is a definite threat, as illustrated by the recent US Federal Bureau of Investigation (FBI) investigation into the extortion of more than 100 e-commerce sites by attackers who not only threatened to disclose customer information, but actually carried out their threats. Many national governments have recognised the importance of security, establishing initiatives to reinforce such measures as segregating infrastructures according to their sensitivity, investing in better authentication methods and making users of the infrastructure accountable for their actions.
Executive management has a responsibility to ensure that the organisation provides all users with a secure information systems environment. Furthermore, organisations need to protect themselves against the risks inherent in the use of information systems while simultaneously recognising the benefits that can accrue from having secure information systems. Thus, as dependence on information systems increases, so too does the criticality of information security, bringing with it the need for effective information security governance.
What Is Information Security?
Security relates to the protection of valuable assets against loss, misuse, disclosure or damage. In this context, “valuable assets” are the information recorded on, processed by, stored in, shared by, transmitted or retrieved from an electronic medium. The information must be protected against harm from threats leading to different types of vulnerabilities such as loss, inaccessibility, alteration or wrongful disclosure. Threats include errors and omissions, fraud, accidents and intentional damage. Protection arises from a layered series of technological and non-technological safeguards such as physical security measures, background checks, user identifiers, passwords, smart cards, biometrics and firewalls. These safeguards should address both threats and vulnerabilities in a balanced manner.
In the ever-changing technological environment, security that is state-of-the-art today is obsolete tomorrow. Security must keep pace with these changes. It must be considered an integral part of the systems development life cycle process and explicitly addressed during each phase of the process. Security must be dealt with in a proactive and timely manner to be effective.