The institutionalization of information security governance structures in academic institutions: A case study

Posted on: 2012-07-03
Degree: Ph.D
Type: Dissertation
University: The Florida State University
Candidate: Luesebrink, Michael
Full Text: PDF
GTID: 1467390011959415
Subject: Information Science

Abstract/Summary:
This dissertation is a descriptive case study of information security governance in higher education institutions. It is a qualitative study that describes, through institutional theoretical constructs, the information security governance frameworks responsible for the protection of sensitive personal information at three large public research universities. The objectives of the study are (1) to assess the impact of the regulative policy environment on security management structures in higher education, specifically addressing the regulative initiative, the Gramm-Leach-Bliley Act (GLBA), and the strategic initiative Information Security Governance: A Call to Action; (2) to describe the information security governance structures in academic institutions by examining the roles and responsibilities of the security governance actors in the large public research universities that participated in the case study; and (3) to describe the impact of information security governance on the institutionalization of information security enterprises in higher education in terms of strategic security outcomes, namely strategic planning, security policy development and security program development.

The study begins with a descriptive assessment of the regulative compliance policy environment by first describing the historical background that led to the modern conceptual framework of information security, which evolved from the inception of national security after World War II. This lays the groundwork for describing the institutional regulative environment that affects information security governance frameworks in the institutions that participated in the study. The assessment examines the regulative initiatives that affect the protection of sensitive personal information and that were addressed by the participants in the study, including: the Family Educational Rights and Privacy Act (FERPA); the Health Insurance Portability and Accountability Act (HIPAA); GLBA and related financial instruments, including the Sarbanes-Oxley Act, the Fair and Accurate Credit Transactions Act (Red Flags Rule) and the Program Compliance Industry (PCI) standard.

The security enterprises at three large public research universities agreed to participate in the case study. At each institution, a set of three security governance actors, namely the Chief Information Officer, the Chief Security Officer and the Chief Compliance Officer or IT Auditor, agreed to be interviewed for the study. Each participant was interviewed regarding their roles and responsibilities within the institutional security enterprise at their university, and they were asked to describe, from their perspective, their university's institutional security governance frameworks in terms of regulative compliance, strategic planning, and security policy and program development. After transcribing and evaluating the data from the field site interviews, each institutional security governance structure was described using the organizational narrative approach. The organizational narratives provide a story line of how each university's information security governance structure developed within its institutional framework.

The three narratives are followed by a discussion based on a comparative analysis of the security structures and mechanisms in place at each university. The results of the comparative analysis indicate that the strategic initiative, Information Security Governance: A Call to Action, a normative governance mechanism, did not have a direct impact on the development of any of the institutional security enterprises that participated in the study, but they do suggest that GLBA, a coercive governance mechanism, has had an indirect influence on the institutions by mandating that they embed information security programs within their governance frameworks and designate institutional information security officers. At no institution were antecedents to information security governance identified, but at each university the information security enterprise reported directly to IT. At each university the CIO was the institutional strategic security officer, while the Chief Security Officer was responsible for supervising security staff and managing operational and regulative compliance issues. The results also suggest that the role of the Chief Compliance Officer is still in the development stages in IT security enterprises. The results further revealed two potentially important factors that require further investigation. First, the results suggest that culture plays a pivotal role in the success of information security governance frameworks in higher education. Second, the results suggest that organizational maturity plays an important role in the robustness of information security governance structures and security enterprises in academic institutions.
Keywords/Search Tags: Information security governance, Institutions, Case study, Education, Higher, Institutional, Large public research universities, Each university