A Conceptual Framework of IT Security Governance and Internal Controls
Nadianatra Musa
Abstract
The Board and senior management use internal controls and IT risk governance to
ensure that the corporation’s directives such as security policies, standards,
procedures, guidelines, administrative rules and practices at all organizational levels are
properly chosen and adapted to the organization, implemented and enforced. This
paper identifies three research problems: (1) lack of involvement of the
board and senior management in understanding IS/IT security problems, (2)
unbalanced implementation of IS/IT security within the Formal, Technical and Informal
components, and (3) lack of internal control applications over IS/IT security. These problems led
to the development of a conceptual framework of IT Security Governance and Internal
Controls. Interviews were undertaken with eight Malaysian publicly listed companies to
identify the issues that relate to IS/IT Security Governance in Malaysia. The findings
reported in the data analysis were consistent with the conceptual framework of IT
Security Governance and Internal Controls.