Governance Practices and Critical Success factors suitable for Business Information Security

Cited by: 5
Authors
Bobbert, Yuri [1 ]
Mulder, Hans [2 ]
Affiliations
[1] Univ Antwerp, LOI Univ Appl Sci, Antwerp, Belgium
[2] Univ Antwerp, Antwerp Management Sch, Antwerp, Belgium
Source
2015 INTERNATIONAL CONFERENCE ON COMPUTATIONAL INTELLIGENCE AND COMMUNICATION NETWORKS (CICN) | 2015
Keywords
Business Information Security Governance; Corporate Governance; Information Security Management; Risk Management; Security Governance Principles;
DOI
10.1109/CICN.2015.216
Chinese Library Classification
TP18 [Artificial Intelligence Theory];
Subject Classification Code
081104 ; 0812 ; 0835 ; 1405 ;
Abstract
Information Security (IS) is increasingly becoming an integrated business practice instead of just an IT concern. Security breaches are a challenge to organizations: they run the risk of losing revenue, trust and reputation, and in extreme cases they might even go under. IS literature emphasizes the necessity to govern Information Security at the level of the Board of Directors (BoD) and to execute it (i.e. plan, build, run and monitor) at management level. This paper describes explorative research into IS-relevant Governance and Executive management practices, answering the main research question: "Which practices at the level of Governance are relevant for Business Information Security Maturity?" The initial phase of this research consists of a review of academic and practice-oriented literature on these relevant practices. This list of practices is then examined and validated through expert panel research using a Group Support System (GSS). The paper ultimately identifies a list of 22 core principles. This list can function as a frame of reference for Boards of Directors and Management Teams in order to increase their level of Business Information Security (BIS) Maturity.
Pages: 1097 / 1104
Page count: 8