Biography [eng]

Researching improved system management methods at the enterprise level. Today's organizations must be more agile than current support functions, like ITIL or COBIT, allow for. At the same time, regulations like the EU GDPR or the US SOX require much better security adaptations and control of data. Thus, the management team needs more agile enterprise IT management and tools to manage their IT environment.

Biography [swe]

Researching improved systems management at the overall enterprise level. Today's organizations must be more agile than support functions such as ITIL or COBIT allow. At the same time, laws such as GDPR or the US SOX require much higher security and control of data. Therefore, enterprise management needs better governance and management tools to manage the IT environment.

Publications (10 of 20)
Magnusson, L., Iqbal, S., Elm, P. & Dalipi, F. (2025). Information security governance in the public sector: investigations, approaches, measures, and trends. International Journal of Information Security, 24, Article ID 177.
2025 (English). In: International Journal of Information Security, ISSN 1615-5262, E-ISSN 1615-5270, Vol. 24, article id 177. Article in journal (Refereed). Published
Abstract [en]

Information security governance in the public sector involves risk management, accountability frameworks, network security, e-government systems infrastructure, mitigation plans, and alignment with corporate strategy. It equips organizations with the ability to deal with the security of their vital information assets systematically. However, several recent hacking incidents reveal the fact that substandard governance processes are among the common causes of weak security measures in most organizations. This study has been conducted following the established protocol outlined in the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) guidelines. The Systematic Mapping Review (SMR) initially identified 1496 papers, and this review reports on 41 papers. The reviewed literature emphasizes adherence to recognized governance standard frameworks such as ISO/IEC 27001, the EU General Data Protection Regulation (GDPR), and the EU Network and Information Security Act (NIS) for providing effective information security guidance frameworks in the public sector. However, a general scarcity is found regarding the best practices followed in the area of information security compliance. There is a lack of employing key performance indicators, risk assessment measures, security maturity models in organizations, and compliance audits. Additionally, the study suggests that, to some extent, the adoption of appropriate information security governance procedures is linked with the budgeted resources available to individual organizations. The study results can serve as a starting point for the research and practitioners' community in the area of information security governance.

Place, publisher, year, edition, pages
Springer Nature, 2025
Keywords
e-Governance, Governance and Government, Principles and Models of Security, Public Management, Public Sector Studies, Science and Technology Governance, Information security, Security frameworks, Risks, Governance, Management, Public sector, Systematic mapping review
National Category
Information Systems
Research subject
Computer and Information Sciences Computer Science, Information Systems
Identifiers
urn:nbn:se:lnu:diva-140852 (URN); 10.1007/s10207-025-01097-x (DOI); 001529910900001; 2-s2.0-105010963508 (Scopus ID)
Funder
Linnaeus University
Available from: 2025-07-22. Created: 2025-07-22. Last updated: 2026-01-21. Bibliographically approved
Magnusson, L., Dalipi, F. & Elm, P. (2023). Cybersecurity Compliance in the Public Sector: Are the Best Security Practices Properly Addressed?. In: Stephanidis, C., Antona, M., Ntoa, S., Salvendy, G. (Ed.), HCI International 2023 Posters. HCII 2023: 25th International Conference on Human-Computer Interaction, HCII 2023, Copenhagen, Denmark, July 23–28, 2023, Proceedings, Part IV. Paper presented at 25th International Conference on Human-Computer Interaction, HCII 2023, Copenhagen, Denmark, July 23–28, 2023 (pp. 219-226). Switzerland: Springer
2023 (English). In: HCI International 2023 Posters. HCII 2023: 25th International Conference on Human-Computer Interaction, HCII 2023, Copenhagen, Denmark, July 23–28, 2023, Proceedings, Part IV / [ed] Stephanidis, C., Antona, M., Ntoa, S., Salvendy, G., Switzerland: Springer, 2023, p. 219-226. Conference paper, Published paper (Refereed)
Abstract [en]

Improving and strengthening cybersecurity in the public sector should represent a top priority for government agencies, including municipalities and regions. To be resilient against cyberattack surges, organizations should consider establishing a cybersecurity program based on international standards and best practices. In this paper we explore the cybersecurity compliance in the Swedish public sector in relation to the best practices and guidelines highlighted in the ISO/IEC 27001A framework. Our findings indicate that the overall security status among the municipalities and regions contained many flaws, with substantial holes and critical issues. ISO/IEC 27001A creates a standardized base, but it is somewhat theoretical and starts with a policy, not providing insights on how to govern information security. Also, most of these “ISO/IEC”-related gaps were found to have been compiled into a single “Technology” domain. Though compliance with standards, best practices, and regulatory requirements can help reduce cyber risks, it does not guarantee that an organization will have strong cybersecurity. To address this issue and assess how well organizations can protect, discern, react, and recover from cyberattacks, an effective method for measuring security performance must be developed.

Place, publisher, year, edition, pages
Switzerland: Springer, 2023
Series
Communications in Computer and Information Science, ISSN 1865-0929, E-ISSN 1865-0937 ; 1835
Keywords
ISO/IEC 27001, cybersecurity, risks, flawed governance, compliance, public sector.
National Category
Information Systems
Research subject
Computer and Information Sciences Computer Science
Identifiers
urn:nbn:se:lnu:diva-123242 (URN); 10.1007/978-3-031-36001-5_28 (DOI); 2-s2.0-85169448045 (Scopus ID); 9783031360015 (ISBN)
Conference
25th International Conference on Human-Computer Interaction, HCII 2023, Copenhagen, Denmark, July 23–28, 2023
Available from: 2023-07-10. Created: 2023-07-10. Last updated: 2025-05-23. Bibliographically approved
Magnusson, L. & Iqbal, S. (2023). Post-Mortem of Mega Hacks: Signifying the Need for a Systemic Enterprise View on Information Security. In: 2023 7th International Conference on Cryptography, Security and Privacy (CSP): Tianjin, China, 21-23 April. Paper presented at 2023 7th International Conference on Cryptography, Security and Privacy (CSP), Tianjin, China, 21-23 April (pp. 41-46). IEEE
2023 (English). In: 2023 7th International Conference on Cryptography, Security and Privacy (CSP): Tianjin, China, 21-23 April, IEEE, 2023, p. 41-46. Conference paper, Published paper (Refereed)
Abstract [en]

Once, system thinking was about singular systems. Today we exist in a far more complex world, with systems interacting with systems, directly or indirectly. Information security, therefore, must involve all systems in the chain. New legal European regulations such as the Guidelines for Data Protection Regulation demand that the ICT/IT world must include systems outside the organizational border, to be involved and accounted for under the enterprise information security umbrella. Recent mega hacks analyzed in this article point to the fact that a systems thinking perspective is needed to create a modern governance, risk, and compliance security model framework. This research work puts forth a conceptual model based on the Viable System Model, appropriate for a major global information security restructuring. A motive for VSM is grounded in the fact that it works fine with securing modern laws like GDPR and CCPA in supporting a needed enterprise perspective.

Place, publisher, year, edition, pages
IEEE, 2023
Keywords
agility, mega hack, governance, information security, system thinking
National Category
Information Systems
Research subject
Computer and Information Sciences Computer Science, Information Systems; Computer and Information Sciences Computer Science
Identifiers
urn:nbn:se:lnu:diva-124125 (URN); 10.1109/CSP58884.2023.00014 (DOI); 2-s2.0-85173127269 (Scopus ID); 9798350323368 (ISBN); 9798350323375 (ISBN)
Conference
2023 7th International Conference on Cryptography, Security and Privacy (CSP), Tianjin, China, 21-23 April
Available from: 2023-09-07. Created: 2023-09-07. Last updated: 2024-08-28. Bibliographically approved
Magnusson, L. (2022). “System thinking as a critical driver to mitigate “the strong man” in IB.”.
2022 (English). Other (popular science, discussion, etc.)
Abstract [en]

Several previous researchers have looked at the management of the "firm" in International Business to establish the underlying key strategic factors for successful "firms", trying to identify the critical drivers defining the winners. However, there is a need to study why some fail or simply become mere "followers". This paper will look at one of these overlooked negative human aspects of management factors found in many organizations, particularly affecting networking organizations, the effects of the "strong man", and how to mitigate this negative factor through system thinking.

Publisher
p. 20
Keywords
Business Models, Systemic Thinking, Digital Transition, Networking, Management Strategy, Psychology of Leadership
National Category
Business Administration
Research subject
Economy, Organisation theory; Economy, Business Informatics
Identifiers
urn:nbn:se:lnu:diva-110746 (URN)
Note

This is this writer's final paper in National Research School "Management & IT" / Mälardalens University joint doctoral course in International Business, SNABS. The reason for publishing it here is that the examiners reviewed it as handling a very unique topic, seldom discussed academically, but being very inflicting IRL.

Available from: 2022-03-08. Created: 2022-03-08. Last updated: 2024-08-28. Bibliographically approved
Magnusson, L. (2021). Solarwinds breach, a signal for a systemic enterprise view on Information Security. In: The OR Society's 63rd Annual Conference. Paper presented at The OR Society's 63rd Annual Conference, 14-16 September, 2021. Operational Research Society, UK
2021 (English). In: The OR Society's 63rd Annual Conference, Operational Research Society, UK, 2021. Conference paper, Oral presentation only (Refereed)
Abstract [en]

Once, system thinking was about singular systems. Today we exist in a far more complex world, with systems interacting with systems, directly or indirectly. Today's info security involves all systems in the chain; to use an old maxim, "No chain is stronger than its weakest link". The ICT world has become so interconnected that holistic system thinking is needed, with systems outside the organizational border to be involved and accounted for. ICT criminals are using increasingly sophisticated attack methods, often based on the victim's system architecture. In the Dec 2020 security breach at the network management firm Solarwinds in the US, an external party had added a trojan horse package to the Solarwinds management system. The hack gave the hackers stealth control of both Solarwinds and its 18.000 customers' internal system environments, including high-security targets like the FBI, Homeland Security, and Microsoft.

The attack was sophisticated, using the Solarwinds system knowledge, standards, and code layouts. Anyone not doing a deep survey would see Solarwinds code. The trojan was well-known but rewritten to the standards of the target. Solarwinds shows that we have now entered a "brave new world", demanding a much more structural system discussion on how to protect our ICT. Based on this attack's sophistication, this was probably a 7- or 8-time successful attempt. We need solid enterprise-wide, system-coordinated security perspectives. But how can we use system thinking to help plan a better and more cost-efficient security approach on an enterprise level? For 14 years, this researcher worked with info security in a global automotive company, having the Viable System Model as its internal system model. When not "sabotaged" by managers (yes, it happened), VSM worked fine. VSM also works fine with securing modern laws like GDPR when having an enterprise perspective. Info Security desperately needs enterprise system thinking.

Place, publisher, year, edition, pages
Operational Research Society, UK, 2021
Keywords
Data breaches, Info Security, Security Governance, System Thinking
National Category
Information Systems
Research subject
Computer and Information Sciences Computer Science, Information Systems
Identifiers
urn:nbn:se:lnu:diva-109132 (URN)
Conference
The OR Society's 63rd Annual Conference, 14-16 September, 2021
Note

No conference abstracts or compilations were published by the OR Society for the OR63 conference

Not verified 220121

Available from: 2022-01-11. Created: 2022-01-11. Last updated: 2024-08-28. Bibliographically approved
Magnusson, L., Elm, P. & Mirijamdotter, A. (2019). On System Thinking and Information Security. In: The OR Society Annual Conference OR61, 3-5 September 2019, Sibson Building, Kent University: Conference Handbook. Paper presented at The Operational Research Society OR61 Annual Conference (pp. 161-162). The Operational Research Society, Article ID OR61A151.
2019 (English). In: The OR Society Annual Conference OR61, 3-5 September 2019, Sibson Building, Kent University: Conference Handbook, The Operational Research Society, 2019, p. 161-162, article id OR61A151. Conference paper, Oral presentation with published abstract (Refereed)
Abstract [en]

The security problems we have to deal with today regarding the Internet are created by ourselves. The Internet, initially created to handle US Government data traffic, evolved to become communication between different research institutes. The protocols that were used had no security at all. Today we still use this network for almost everything, and the complexity has grown tremendously. Compared to when the network was initially created, we now try to protect assets rather than just communicate, divide users according to permission and accessibility, and deal with privacy issues. Basically, everything depends on a network that was initially created with no security.

Privacy has been a critical security aspect for the EU, but with the advent of the GDPR, privacy is both a legal aspect and an auditable ICT concept. GDPR includes topics like owning your own data, independent of who collected it and where it is stored, and the right to be forgotten. Each data collector also needs to have a complete data-flow map, describing any privacy data sets in a flow, to make these traceable and ready for audit inspection. Any organization handling EU residents' data needs to adhere to proactive Information Security processes.

GDPR is based on the principles of Governance, Risk, and Compliance. It is not a purely legal construct; it is a management and strategy issue, not an IT issue. Further examples relate to cloud services with distributed resources, which illustrate the complex problem situation.

There is a need for a new perspective, moving from systems management to data flow management. We propose a systemic model which illustrates processes and flows within a fractal structure; we build on Beer's Viable System Model. Such a model enables mapping of complexity and data flows and provides a tool for auditing and, thus, enables meeting the requirements of GDPR.

Place, publisher, year, edition, pages
The Operational Research Society, 2019
National Category
Information Systems
Research subject
Computer and Information Sciences Computer Science, Information Systems
Identifiers
urn:nbn:se:lnu:diva-89020 (URN)
Conference
The Operational Research Society OR61 Annual Conference
Available from: 2019-09-09. Created: 2019-09-09. Last updated: 2024-08-28. Bibliographically approved
Iqbal, S. & Magnusson, L. (2019). Searching for A Governance Model to Secure the Data Flow in Organizations: an Indispensable Discussion. In: Edmond Hajrizi (Ed.), UBT International Conference. Paper presented at International Conference on Business, Technology and Innovation (IC-UBT 2019), October 26, 2019, Pristina, Kosovo. UBT Knowledge center, Article ID 80.
2019 (English). In: UBT International Conference / [ed] Edmond Hajrizi, UBT Knowledge center, 2019, article id 80. Conference paper, Published paper (Refereed)
Abstract [en]

Since the end of the 1980s, there have been several initiatives to control and manage IT environments. ITIL is one of the more successful models, COBIT another. However, thanks to the IP protocol and the Internet, since the mid-2000s the world has seen a veritable data explosion, affecting IT governance. Some predictions expect current data volumes to grow more than 10 times by 2020, having serious implications from both governance and security perspectives. Additionally, we see some new EU regulations, i.e., the Network and Information Security Directive (NIS) and the General Data Protection Regulation (GDPR), implemented in May 2018. The latter two will directly affect the scope of IT governance within the European Union and for non-European entities handling EU citizens' personal data, with substantial fines if not complying. Both regulations force anyone handling such data to consider information strategies that include big data management, governance, and information security as a convoluted context. Particularly, GDPR makes them into related questions, a governance package. This creates a need for a paradigm shift to remediate/mitigate identified limitations in today's traditional governance models. This article discusses governance from a holistic perspective, based on the data flow, as per the requirements of GDPR. These are issues which were not envisioned when today's governance models were designed in the late 1980s or early 1990s.

Place, publisher, year, edition, pages
UBT Knowledge center, 2019
Keywords
Agility, Data-flow, GDPR, IT Governance, Security
National Category
Information Systems
Research subject
Computer and Information Sciences Computer Science, Information Systems
Identifiers
urn:nbn:se:lnu:diva-93595 (URN); 978-9951-550-19-2 (ISBN)
Conference
International Conference on Business, Technology and Innovation (IC-UBT 2019), October 26, 2019, Pristina, Kosovo
Available from: 2020-04-17. Created: 2020-04-17. Last updated: 2024-08-28. Bibliographically approved
Magnusson, L. & Iqbal, S. (2018). Implications of EU-GDPR in Low-Grade Social, Activist and NGO Settings. International Journal of Business and Technology, 6(3), 1-7, Article ID 7.
2018 (English). In: International Journal of Business and Technology, E-ISSN 2223-8387, Vol. 6, no 3, p. 1-7, article id 7. Article in journal (Refereed). Published
Abstract [en]

Social support services are becoming popular among the citizens of every country and every age. Social support services easily accessible on mobile phones are used in different contexts, ranging from extending your presence and connectivity to friends, family and colleagues, to using social media services as a social activist seeking to help individuals confined in miserable situations such as the homeless community, drug addicts or even revolutionists fighting against dictatorships, etc. However, a very recent development in the European Parliament's law (2016/679) on the processing and free movement of personal data, in terms of the EU-GDPR (General data protection rules), considers the low-funded social service development efforts unsafe. This article analyses a case study conducted at a shelter for homeless mothers in the United States to conceptualize future similar development efforts from low-end public activist groups within the European Union. This article aims to raise awareness of this issue and also puts forth a conceptual model to envision the possibilities of mitigating the risks attached to such development efforts in the light of the EU-GDPR, which will be implemented in May 2018.

Place, publisher, year, edition, pages
UBT, 2018
Keywords
GDPR, social services, information security, public activist
National Category
Information Systems
Research subject
Computer and Information Sciences Computer Science; Computer and Information Sciences Computer Science, Information Systems; Economy, Business Informatics
Identifiers
urn:nbn:se:lnu:diva-85249 (URN); 10.33107/ijbte.2018.6.3.07 (DOI); 978-9951-437-60-8 (ISBN)
Available from: 2019-06-13. Created: 2019-06-13. Last updated: 2024-08-28. Bibliographically approved
Magnusson, L., Iqbal, S., Elm, P. & Mirijamdotter, A. (2018). Searching for a Governance Model to manage and secure the data flow in organizations, as required by GDPR. In: Information System Research Seminar in Scandinavia, Aarhus University in Odder, Denmark, August 5th - 8th 2018: . Paper presented at Information System Research Seminar in Scandinavia, Aarhus University in Odder, Denmark, August 5th - 8th 2018.
2018 (English). In: Information System Research Seminar in Scandinavia, Aarhus University in Odder, Denmark, August 5th - 8th 2018, 2018. Conference paper, Oral presentation only (Refereed)
Abstract [en]

Since the end of the 1980s, there have been several initiatives to control and manage enterprise IT environments. ITIL is one of the more successful models, COBIT another, accompanied by others such as British Petroleum's OBASHI model. However, thanks to the IP protocol and the Internet, since the mid-2000s the world has seen a veritable data explosion, affecting IS governance, with singular IS systems now integrated. Some recent predictions expect current data volumes to grow more than 10 times by 2020, with serious implications for both governance and IT security. Additionally, we see some new EU regulations, primarily the new General Data Protection Regulation (GDPR), implemented in May 2018, something that directly affects the scope of IS governance within the European Union and for non-European entities handling EU citizens' personal data, with substantial fines if not complying. The regulation forces anyone handling personal data to consider information strategies that include big data management, IS governance, and information security as a convoluted context, not by themselves, a governance package. This creates a need for a paradigm shift to remediate/mitigate identified limitations in today's traditional governance models. This paper discusses governance from a holistic and agile perspective, based on the overall data flow, as per the requirements of GDPR, issues that were not envisioned when today's IS governance models were designed, nor even in their latest releases.

Keywords
Agility, Data-flow, GDPR, IT Governance, Security
National Category
Information Systems
Research subject
Computer and Information Sciences Computer Science, Information Systems
Identifiers
urn:nbn:se:lnu:diva-108605 (URN)
Conference
Information System Research Seminar in Scandinavia, Aarhus University in Odder, Denmark, August 5th - 8th 2018
Note

This paper was presented at the IRIS41 Nordic conference in Informatics. The paper was a conference seminar discussion paper, under blind peer review and group discussions. Only 9 out of some 30 papers made the final compilation "SELECTED PAPERS OF THE IRIS, ISSUE NR 9 (2018)" by AIS. This paper was not selected, thus published via Diva.

Available from: 2021-12-15. Created: 2021-12-15. Last updated: 2024-08-28. Bibliographically approved
Magnusson, L., Elm, P. & Mirijamdotter, A. (2018). Towards secure data flow oriented multi-vendor IT governance models. International Journal of Business and Technology, 6(3), 1-9, Article ID 8.
2018 (English). In: International Journal of Business and Technology, E-ISSN 2223-8387, Vol. 6, no 3, p. 1-9, article id 8. Article in journal (Refereed). Published
Abstract [en]

Today, still, ICT Governance is being regarded as a departmental concern, not an overall organizational concern. History has shown us that implementation strategies which are based on departments result in fractional implementations, leading to ad hoc solutions with no central control and stagnation for the in-house ICT strategy. Further, this has recently created an opinion trend; many are talking about the ICT department as being redundant, a dying breed, which should be replaced by on-demand specialized external services. Clearly, the ever-changing surroundings do force organizations to accelerate the pace of new adaptations within their ICT plans, more vivaciously than most organizations are currently able to. This leads ICT departments to be reactive rather than acting proactively and taking the lead in the increased transformation pace in which organizations find themselves. Simultaneously, the monolithic systems of the 1980s/1990s are often very dominant in an organization, consume too much of the yearly IT budget, and leave healthy system development behind. These systems were designed before data became an all-encompassing organizational resource; the systems were designed more or less in isolation with regard to the surrounding environment. These solutions make data sharing costly and not at all optimal. Additionally, in striving to adapt to the organization's evolution, the initial architecture has become disrupted and built up in shreds. Adding to this, on May 25, 2018, an upgraded EU Privacy Regulation, the General Data Protection Regulation (GDPR), will be activated. This upgraded privacy regulation includes a substantial strengthening of 1994's data privacy regulation, which will profoundly affect EU organizations. This regulation will, among other things, limit the right to collect and process personal data and will give the data subject all rights to his/her data sets, independent of where this data is/has been collected and by whom.
Such regulation forces data collecting and processing organizations to have total control over any personal data collected and processed. This includes a detailed understanding of data flows, including who did what and when and under whose authorization, and how data is transported and stored. Concerning data/information flows, maps are a mandatory part of the system documentation. This encompasses all systems, including outsourced ones such as cloud services. Hence, individual departments can no longer claim they "own" data. Further, since the mid-2000s, we have seen a global inter-organizational data integration, independent of organizations, public or private. If this integration ceases to exist, the result will be a threat to the survival of the organization. Additionally, if the organization fails to provide transparent documentation according to the GDPR, substantial economic risk is at stake. So, the discussion about the ICT departments' demise is inapt. Any organizational change will require costly and time-consuming ICT development efforts to adapt to the legislation of today's situation. Further, since data nowadays is interconnected and transformed at all levels, interacting at multiple intersections all over the organization, and becoming a unified base of all operative decisions, an ICT governance model for the organization is required.

Place, publisher, year, edition, pages
UBT, 2018
Keywords
ICT Governance, Privacy, IT, GDPR, Data flow, Data integration
National Category
Information Systems
Research subject
Computer and Information Sciences Computer Science, Information Systems
Identifiers
urn:nbn:se:lnu:diva-84876 (URN); 10.33107/ijbte.2018.6.3.08 (DOI)
Available from: 2019-06-10. Created: 2019-06-10. Last updated: 2024-08-28. Bibliographically approved
Identifiers
ORCID iD: orcid.org/0009-0000-8265-0944