Information Security Governance: Standardizing the Practice of Information Security


This ECAR research bulletin discusses the trend to use a variety of risk assessment frameworks and standards to create an information security program that is sufficiently comprehensive for colleges and universities. These standards include the Control Objectives for Information and related Technology (CobiT) IT control framework, the Information Technology Infrastructure Library (ITIL) service management framework, and the set of information control objectives now commonly referred to as ISO 27001. In specific, the process of implementing this framework at Georgia State University (GSU) is discussed. In addition, the bulletin provides a rationale for an information security governance framework that enables executives to see the degree to which their information security programs are effective in assessing and mitigating risks, protecting confidential data, aligning goals with institutional academic and business objectives, and continuously improving over time.

Citation for this work: Clark, Tammy L., and Toby D. Sitko “Information Security Governance: Standardizing the Practice of Information Security” (Research Bulletin, Issue 17). Boulder, CO: EDUCAUSE Center for Analysis and Research, 2008, available from

Download Resources