secau Security Research Centre, Edith Cowan University, Perth, Western Australia
The ever-greater reliance on complex information technology environments, together with dynamically changing threat scenarios and increasing compliance requirements, makes efficient and effective management of information security controls a key concern for most organizations. Good practice collections such as COBIT and ITIL, as well as related standards such as those belonging to the ISO/IEC 27000 family, provide useful starting points for control management. However, neither good practice collections and standards nor the scholarly literature explain how the management of controls is actually performed in organizations or how the current state of practice can be improved. A series of interviews with information security professionals from European organizations was conducted in order to better understand how a coherent and comprehensive suite of controls is built and maintained in practice, and to help organizations refine the related work practices. The interviews focused on the activities of control management as well as on the roles and responsibilities of the individuals and groups involved in those activities. A qualitative content analysis of the gathered data yielded an aggregate description of control management on the basis of a generic control management cycle, ranging from the creation of a control design through its implementation to its review.