Information security governance in the electricity industry

https://doi.org/10.14488/BJOPM.2021.045

ABSTRACT
Goal: This study aims to assess the importance and use of Information Security (IS) governance in the electricity industry and other segments, in order to propose IS governance guidelines for this industry. Design / Methodology / Approach: A literature review was made of scientific articles, frameworks and norms, which supported the field research applied to managers, coordinators and experts from the IS area, totaling 104 respondents from different countries. The data collected were analyzed by comparing the degree of importance with the degree of use, and also by means of cross-analysis. Results: It was observed that most respondents agree with the importance of the themes approached; however, in practice, these concepts are not always used by the organization. Besides, it was observed that when security reports directly to the top level of the organization, the maturity level is between optimized and managed. However, where security is subordinated to the technology area, the level with the highest percentage is repeatable. Limitations of the investigation: The sample size is a limiting factor, as it was conditioned to questionnaire responses sent to IS experts through electronic means and social networks, and it is not possible to generalize as the population size is not known. Practical implications: To assist the electricity industry in taking measures turned to IS governance and, with that, increase consumer protection with regard to their classified data and the company's reliability in power supply. Originality / Value: The originality of the present research lies in the proposal of 10 IS governance guidelines obtained from the literature review and the field research applied to IS experts, aiming to raise, more and more, its level of


INTRODUCTION
Cyber attacks are increasingly sophisticated and complex, leading companies to financial collapse and degradation of their image. Thus, areas like Information Security (IS) start to play a crucial role in organizations' corporate strategy (Alencar et al., 2018), becoming vital for any industry that wants to protect its data (Cardoso et al., 2019). Over the years, IS could no longer be addressed with a technical view alone, and showed the need for an approach turned to the business and integrated with strategic management, in order to reach the whole organization with well-structured norms and policies (Carcary et al., 2016).
performing a comparative analysis of the results found and the findings of the authors surveyed in the bibliometric research, in order to propose IS governance guidelines for the electricity industry.
The present study is organized in sections: the introduction; section 2, presenting the theoretical framework on Information Security Governance in the electricity industry; section 3, describing the methodological processes; section 4, presenting the analysis of results; section 5, in which IS governance guidelines are proposed for the electricity industry; and, finally, section 6, presenting the conclusion and proposals for further research.

INFORMATION SECURITY GOVERNANCE IN THE ELECTRICITY INDUSTRY
In organizational environments, where data interconnections increase every day, information becomes an asset like any other asset of the company, and needs appropriate protection, due to the high exposure to threats and vulnerabilities (Valencia-Duque and Orozco-Alzate, 2017). Thus, Information Security is the protection of information from several types of threats to ensure business continuity, minimize risks, and maximize return on investments and business opportunities (Kim et al., 2017).
IS governance is a tool for the specification of decision rights and responsibilities, aiming at encouraging desirable behaviors in the use of information security. Businesses today are increasingly dependent on their information security infrastructures, which makes the implementation of IS governance in companies necessary to ensure business continuity (Yaokumah, 2014).
The main objective of IS governance is to align security with the business requirements, considering the guarantee of service continuity and the minimization of business exposure to risks. Governance can be motivated by several factors; however, one of the most important is transparency in IS administration and the availability of this security infrastructure. Providing security and availability of the IS infrastructure is currently a challenge for organizations, because these practices ensure business availability (Georg, 2017).
To avoid and reduce relevant risks, the identification of controls to be implemented requires careful planning and attention to detail. IS governance needs, at least, the participation of all employees in the organization, including directors and executives in leadership, organizational structures and processes, which will ensure that the company's IS sustains the organization's strategies and goals. The participation of shareholders, suppliers, third parties, customers or other external parties may also be necessary. A specialized external consultancy may also be fundamental (You et al., 2018).
Moreover, IS governance is accountable for controlling, directing and supervising the processes required to protect an organization's information, in order to guarantee availability, confidentiality and integrity and keep alignment with the business's strategic management (Rebollo et al., 2015). This governance is obtained from the implementation of a set of appropriate controls, including policies, processes, procedures, organizational structures and software and hardware functions (Chinyemba and Phiri, 2018).
These controls must be established, implemented, monitored, critically analyzed and improved, where necessary, to ensure that the organization's business goals and security will be met. This should be done jointly with other business management processes (Miloslavskaya and Tolstoy, 2017).
Due to the large impact this area has suffered from internal or external attacks of any nature, companies are seeking high maturity in their IS governance (Carcary et al., 2016). From an organizational perspective, information security governance is part of corporate governance, playing a strategic role in ensuring that goals will be achieved and risks mitigated (Nicho, 2018).
The manager and the team should know the business goals and strategy in order to align information security with these goals. These data can be surveyed through the business's strategic planning documents and meetings with managers, directors and employees (Haqaf and Koyuncu, 2018; Höne and Eloff, 2009; Johnston and Hale, 2009; Moon et al., 2019).
There are discussions, among professionals of the area, about where information security should sit within the organizational structure in order to reach a high level of maturity in its governance (Carcary et al., 2016; Cholez and Girard, 2014; Sánchez et al., 2009; You et al., 2018).
It is worth highlighting that there is today, in Brazil and across the world, a growing demand for electricity to supply industry, commerce and households. This demand leads companies to enter the current market, many times just to build the generation unit and put it into operation, without addressing aspects that can be decisive for the organization's business (Machado et al., 2016).
Thus, IS governance is present in the corporate environment of large and medium companies, and this theme is becoming consolidated in the market, but information security focused on the operational availability of an electricity generation plant is still rarely seen nowadays (Krishnan et al., 2017).
IS governance in the utilities industry is a relatively new subject, since this market is heating up. Due to the growing attacks on this environment, the theme was given more importance, in order to ensure the availability, confidentiality and integrity of information in the electricity industry (Amin and Wollenberg, 2005; Evans et al., 2019; Machado et al., 2016; Kim and Tong, 2013; Rodofile et al., 2019; Thiyagarajan et al., 2015; Woo and Kim, 2018).
The guarantee of availability, confidentiality and integrity of this technology in the electricity industry depends on a structured IS governance (Qassim et al., 2019). Moreover, the risks faced in environments with critical infrastructure, like transport, electricity and telecommunications, have cyber attacks as their main threat (Kure et al., 2018).
So, the challenges faced by the electricity sector involving IS are clear. Because the sector has significant economic and socio-environmental relevance, on November 22, 2018, in Brazil, the President-in-Office approved Decree N° 9.573, specifically addressing the National Policy for Security in Critical Infrastructure (PNSIC). This decree addresses total or partial interruptions in critical infrastructure that cause social, economic and environmental impact, as well as preventive and reactive measures destined for critical infrastructure security and resilience capacity after the occurrence of an anomalous situation (Brasil, 2018).

METHODOLOGY
The present study first conducted a literature review with the main focus on ordering concepts of authors and their respective opinion on the subject. The bibliometric research method was adopted, according to Costa (2010) and Ferreira et al. (2019), through access to articles from SCOPUS base. Frameworks and norms involving the theme were also analyzed.
For the bibliometric research, the following keywords were used: a) "information security management" OR "information security governance", a total of 1424 articles; b) "management strategic", a total of 506; c) "information security" AND "energy", a total of 507; d) "scada" AND "security", a total of 2207; e) "information technology governance", a total of 245. In all these searches, the following filters were applied: Document Type = Article or Review; Article title, Abstract, Keywords; Source Type = Limit to Journal; and Year = Limit to 2009 to 2019. Thus, the following quantities were found: a) "information security management" OR "information security governance", a total of 24; b) "management strategic", a total of 7; c) "information security" AND "energy", a total of 3; d) "scada" AND "security", a total of 5; e) "information technology governance", a total of 4. This totals 43 articles that supported this research (Oliveira et al., 2021).
The bibliometric research result served to ground the survey type field research that was conducted in the ambit of IS governance in some segments of the industry, chiefly the electricity industry, which sought to map opinions of experts in the area.
A survey of key information was made to assist in the preparation of the questionnaire, based on what was found in the literature, shown in Table 1, in order to identify the level of importance and utilization of IS governance, as well as to make a cross-analysis of respondent and company profiles against their level of maturity. The respondents received a link to the questionnaire and, before it was sent, a pre-test was made with three respondents, which validated the questions proposed.

Table 1. Questionnaire questions and their literature sources (partial):
3. In an organizational structure, according to your experience, to whom should Information Security report? You et al. (2018), Carcary et al. (2016), Cholez and Girard (2014), Sánchez et al. (2009)
4. What is the area of activity of your company? Gray (2012)
5. In which country is your company located? (2009)
15. Application and information access control policy in order to prevent unauthorized access. Mishra (2015), Chinyemba and Phiri (2018)
16. Involve the Information Security team in the creation of every new project, so that it is born with controls and standards (Security by Design).
18. Employees receive adequate Information Security training when hired by the organization. Höne and Eloff (2009)
19. Monitoring when a security incident occurs. Nazareth and Choi (2015)
20. Disaster Recovery for effective business continuity. Mishra (2015), Georg (2017), Rebollo et al. (2015)

The questionnaire comprised 20 closed-ended and open-ended questions, with space for additional comments from respondents. In order to obtain more nuance in the answers, avoiding the use of "yes" and "no" alone, a five-point Likert scale was used for both importance and utilization: (1) Very low; (2) Low; (3) Medium; (4) High; and (5) Very high.
The mailing was sent to IS groups on LinkedIn, WhatsApp and Telegram, and to IS users from several segments of the industry, and a sample of 104 respondents was obtained. There were national and international respondents, in order to obtain a better understanding of the results. For international respondents, the same questionnaire was used, translated into English.
Next, data collection and tabulation were made based on the questionnaires answered, followed by the analysis of results, which was separated into four parts: respondents' profile; companies' segment and localization; information security governance: utilization x importance; and cross-analysis. The results were analyzed through frequency analysis, comparing the level of importance with the level of utilization. A comparative analysis with the literature was also conducted, in which we sought to verify whether the results were corroborated or not by the findings of the authors surveyed in the bibliometric research.
After analysis of results, guidelines on information security governance were prepared for the electricity industry. The results were analyzed and grounded in the conclusions of this study, as well as for the preparation of future research.

RESULT ANALYSIS
The field research was conducted from 03/05/2020 to 04/26/2020 and included 104 respondents. The analysis of the results is separated into four parts: profile of respondents; profile, segment and localization of companies; information security governance: utilization x importance, and cross-analysis.

Profile of respondents
In order to increase reliability of data collected, the present research mapped the professional profile of respondents and companies (Question 01), and found that 26% are IS Managers, 12.5% are IS Coordinators; 40.4% are IS Experts, and others related to IS represent 21.2%.
With regard to the level of experience of respondents (Question 02), 43.3% have over 15 years, 22.1% from 10 to 15 years, 20.2% from 5 to 10 years, and 14.4% up to 5 years. The share of respondents with 10 to over 15 years of experience reached 65.4%, which supports the confidence in the research.
In order to check strategic issues involving IS governance, a question regarding information security subordination in corporate ambit was made (Question 03). Discussion about who information security should report to is controversial among respondents. According to Carcary et al. (2016), Cholez and Girard (2014), this theme must be further addressed and debated. Around 35.6% of respondents suggest that security should directly report to the organization President. For 27.9% of respondents, security should report to the CIO. According to the numbers shown in Table 2, the experts disagree considerably on this theme.

Profile, segment and localization of companies
Companies from the most diverse sectors were analyzed (Question 04), as shown in Table 3, most of them from Information Technology and from Information Technology and Energy, totaling 50.9%. Since the theme is highly relevant at a global level, the research sought respondents not only in the national ambit but internationally as well (Question 05). As presented in Figure 1, respondents from other countries accounted for 19.6% of the total, with 80.4% from Brazilian companies and 73.10% from the Southeast region, the most developed in the country.
COBIT is a tool that helps measure the maturity level of processes. As presented by Schmitz et al. (2021), there are five maturity levels: 1. Ad-hoc: there are no processes; 2. Repeatable: procedures are repeated in a planned, monitored and adjusted way; 3. Defined: there is managed control, using processes; 4. Managed and measured: controls are established and operate within defined limits; and 5. Optimized: control is continuously improved to meet targets. This scale was used to observe the maturity level of the organizations' information security (Question 06). It can be observed in Table 4 that most companies, 26.9%, are at maturity level 3, followed by 24% of companies at level 2. This corroborates the literature on the maturity level of electricity companies (Kure et al., 2018).

Information Security Governance: Utilization x Importance
The topic of information security is discussed from several points of view. In order to have an effective IS governance analysis, the level of importance and utilization of some processes was studied. Many organizations end up disregarding important processes for being expensive and time-consuming.
The objective of this section is to understand the perception of respondents concerning some fundamental aspects found in the literature, and to understand where their organizations stand with regard to each theme proposed. For a better understanding, a table was created unifying 13 questions of the research, described in questions 08 to 20. Both for level of importance and level of utilization, the following abbreviations were used: VL (very low), LO (low), ME (medium), HI (high) and VH (very high), as shown in Table 6. Then a comparative analysis was made of the degree of importance and utilization for each of the 13 questions.
While analyzing the importance and utilization of the Business Continuity Plan (BCP) (Question 08), it was observed that the high and very high utilization level reached 39.4%. One can notice that few organizations have an effective BCP. When the importance of having a BCP in the organization was analyzed, answers were 92.3% positive (very high and high). This result corroborates the literature, as demonstrated by Georg (2017), Kim et al. (2017), Ajayi and Hussin (2018) and Yaokumah (2014). However, 36.5% is observed for medium utilization and 23.8% for low and very low. Therefore, it is important for the company to count on an effective BCP, because it will assist it during a crisis. From this point of view, information availability, confidentiality and integrity are also included in this context.
Question 09 addresses IT Governance aligned with Corporate Governance. Since the subject is technology, which involves everything in a company, the importance of keeping alignment with corporate governance is, according to respondents, fundamental for information security, thus corroborating El Ghorfi et al. (2018); it was rated high or very high by around 86.6% of respondents. On the other hand, 54.8% of companies use IT and Corporate Governance alignment. However, 21.2% for medium utilization and 24% for low and very low were observed, an expressive percentage of non-utilization.
The perception of the majority of respondents was 90.4% of importance, as presented in Question 10, where the theme addressed was efficient technological resources capable of mitigating IS risks. The utilization by organizations also presented a considerable percent, 59.6%. Only 17.3% of respondents answered that the level of utilization was low or very low, leaving a good percent of organizations with high technological resources. Since technology influences performance and particularly information security, in this question, its importance in the literature was identified based on Machado et al. (2016), Krishnan et al. (2017).
Most respondents agree that Information Security should be aligned with the organization's strategic planning (Question 11), with 87.5% between high and very high. However, the level of utilization in companies reached 57.7%. The total of respondents that opted for low and very low is 6.7%. Information Security alignment with strategic planning is fundamental to obtaining a high level of maturity, as reported by Georg (2017).
It can be observed that 94.3% of respondents corroborate the theory of having one firewall for the perimeter and another for the Datacenter (Question 12). The level of utilization is reported by 75% of organizations. Only 8.6% of companies do not present this level of segregation. In the past, information security was more concerned with communications leaving the company for the internet. Over time, it was noticed that lateral movements inside the organization should also be monitored.
Question 13 addresses how user and business awareness of information security increases the organization's maturity level. According to Höne and Eloff (2009) and Nazareth and Choi (2015), in order to obtain effective information security governance, it is important to raise user awareness of the theme. According to Table 5, 94.2% of respondents agree with the theme. However, 21.2% of companies do not use this process, while 57% use it.
About Question 14, security policies and norms signed by top management, it was observed that around 84.6% agree that norms and policies should be signed by top management. The level of utilization in organizations also proved to be very relevant with regard to the theme. Around 63.5% of companies have norms and policies signed by the executive board, while 19.3% do not use policies and norms signed by the board, and 17.3% opted for Medium, indicating a transition level in the process. The information security policy is intended to document procedures and guidelines on how information should flow inside and outside the organization, and must be subject to continuous updates. Höne and Eloff (2009) and Johnston and Hale (2009) emphasize the creation of policies and norms with the executive board's consent. The research revealed agreement of respondents with regard to the theme.
Access controls are described in a policy according to the level of security the information demands (Question 15). In this process, rules are defined, as well as each user's responsibility. For Mishra (2015), Chinyemba and Phiri (2018), these controls are necessary in information security governance. In concert with the literature, around 92.3% agree with this opinion. The level of utilization in organizations presents good numbers, around 65.4% of organizations count on access control policies. However, it was observed that 18.3% of organizations do not use the theme addressed in the question, while 16.3% are in transition phase.
Question 16 states that every creation of new projects should involve the information security team for them to include controls and norms (Security by Design), and count on an effective IS governance. The expression 'security by design' indicates that the software, from the beginning, was conceived to present high level of security, that is, it is conceived, first of all, in the security practices and standards. So, the importance of this theme, according to the respondents, reaches 88.4%. However, according to the mentioned research, companies adopt this concept weakly, reaching 44.3%, though the level of importance is high.
Effective risk management (Question 17) provides identification of threats, with the development of an action plan. With the results obtained in the risk assessment, the definition of priorities and decision making are put into practice. For Martins et al. (2019), You et al. (2018) and Kalogeraki et al. (2018), risk management involving information security is fundamental for efficient governance. Around 92.3% agree with the authors, while 50% of the companies that participated in the study count on this process. However, it is worth observing that 26.9% of the organizations do not use the theme addressed and 23.1% marked it as medium, indicating a phase of transition.
Providing appropriate training in information security when the employee is admitted to the organization is the theme addressed in Question 18. Today, for information security, the user is still the most critical aspect. Raising user awareness of information security is critical to avoiding simple problems that may cause large financial impacts (Dhillon et al., 2016). According to Höne and Eloff (2009), effective training and awareness are still among the best ways to help information security governance. Aligned with the authors, 80.7% agree with the theme proposed. However, the level of utilization is below expectations, because 52.9% of the companies use this process in their IS governance and 32.7% report low or very low utilization. Also, 14.4% of respondents opted for medium utilization, showing that the process is not yet defined.
An effective monitoring of security incidents (Question 19) raises the level of maturity of the governance. It involves, in real time, the monitoring of systemic events that are fundamental to the organization. According to experts, 93.3% agree that it is important to manage incidents in the organization. Companies adopt these measures, reaching 59.6%, while 16.3% do not use the process and 24% are in maturation phase.
Question 20 states that having a DR (Disaster Recovery), in addition to increasing the company's competitiveness and efficiency, provides continuity to the business, keeping information available. Besides, the quick recovery of the service can avoid financial losses. In this analysis, 94.3% of experts agree with the importance of having a DR to provide continuity to the business. However, because it involves high costs, only 49.1% of organizations use a DR. It was also observed that 20.2% reported medium utilization and 30.7% low or very low utilization.

Cross-analyses of Respondents' Profiles x Companies' Profiles x Maturity
In the previous section, the research data were separately assessed, and, in this section, three cross-analyses were made, which provided more assertiveness and understanding of information security governance. The starting point of the cross-analysis was to verify the respondents' understanding with regard to information security subordination, along with the analysis of its organization.
Considering the great discussion the theme has caused in the information security environment, the information crossing generated some points of attention. As presented in Table 7, around 35.6% of respondents stated that information security should be directly subordinated to the President, but, when verified in their organizations, only 22.1% of them present this organizational model. Another aspect to be observed is the parity of numbers when security is subordinated to the technology chief. Around 27.9% of respondents stated that security should report to technology and, with a very close number, 29.8% of companies count on this organizational structure. The maturity level of organizations with regard to information security varies according to the area's subordination. Defined, optimized, and managed and measured processes represent 64.4%, according to Table 8. That said, it was observed that the technology area (CIO) presents the highest number, since 29.8% of the companies have security directly linked to technology. However, after further analysis, it was noticed that where security reports directly to the organization's CEO, the maturity level stays between optimized and managed, as shown in Table 9. Where security reports to the technology area (CIO), the level with the highest percentage is repeatable.
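The frequency analysis described in the methodology (share of high and very high answers for importance versus utilization, per question) and the cross-analysis above (reporting line of security against COBIT maturity level) can both be reproduced mechanically. The script below is an added example and is not code from the study; the respondent records, question keys (q08, q12, q20) and reporting-line labels are constructed for illustration and are not the study's data set.

```python
"""Added worked example (not part of the original study): frequency analysis of
Likert-scale survey answers, comparing the share of 'high'/'very high' answers for
importance versus utilization per question, plus a cross-tabulation of the
reporting line of security against the maturity level.
All respondent records below are constructed, not the study's data."""
from collections import Counter, defaultdict

LIKERT = {1: "VL", 2: "LO", 3: "ME", 4: "HI", 5: "VH"}   # abbreviations used in the paper
MATURITY = {1: "ad-hoc", 2: "repeatable", 3: "defined", 4: "managed", 5: "optimized"}

# Constructed respondents: reporting line of security, maturity level (1-5), and for
# each question an (importance, utilization) pair on the 1-5 scale.
RESPONDENTS = [
    {"reports_to": "CEO", "maturity": 5, "q08": (5, 4), "q12": (5, 5), "q20": (5, 3)},
    {"reports_to": "CEO", "maturity": 4, "q08": (4, 3), "q12": (5, 4), "q20": (5, 2)},
    {"reports_to": "CIO", "maturity": 2, "q08": (5, 2), "q12": (4, 4), "q20": (4, 1)},
    {"reports_to": "CIO", "maturity": 2, "q08": (4, 3), "q12": (5, 5), "q20": (5, 2)},
    {"reports_to": "CIO", "maturity": 3, "q08": (5, 5), "q12": (4, 4), "q20": (4, 4)},
    {"reports_to": "CFO", "maturity": 1, "q08": (3, 1), "q12": (3, 2), "q20": (5, 1)},
]


def pct(part, whole):
    """Percentage rounded to one decimal, as reported in the paper's tables."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def frequency(responses, question, index):
    """Distribution of Likert labels for one question; index 0 = importance, 1 = utilization."""
    return Counter(LIKERT[r[question][index]] for r in responses)


def band_share(responses, question, index, labels=("HI", "VH")):
    """Share (%) of answers falling in the given labels, by default high + very high."""
    dist = frequency(responses, question, index)
    return pct(sum(dist[label] for label in labels), len(responses))


def importance_vs_utilization(responses, questions):
    """Per question: high/very-high share for importance, for utilization, and the gap."""
    out = {}
    for q in questions:
        imp = band_share(responses, q, 0)
        use = band_share(responses, q, 1)
        out[q] = {"importance": imp, "utilization": use, "gap": round(imp - use, 1)}
    return out


def crosstab(responses, row_key, col_key, col_labels):
    """Counts of column value per row value, e.g. reporting line x maturity label."""
    table = defaultdict(Counter)
    for r in responses:
        table[r[row_key]][col_labels[r[col_key]]] += 1
    return {row: dict(counts) for row, counts in table.items()}


def dominant_maturity(responses, reports_to):
    """Most frequent maturity label among respondents with the given reporting line."""
    subset = [r for r in responses if r["reports_to"] == reports_to]
    if not subset:
        return None
    return Counter(MATURITY[r["maturity"]] for r in subset).most_common(1)[0][0]


if __name__ == "__main__":
    for q, row in importance_vs_utilization(RESPONDENTS, ["q08", "q12", "q20"]).items():
        print(q, row)
    print(crosstab(RESPONDENTS, "reports_to", "maturity", MATURITY))
    print("CEO:", dominant_maturity(RESPONDENTS, "CEO"), "CIO:", dominant_maturity(RESPONDENTS, "CIO"))
```

The `gap` column is the quantity the paper reads off its tables question by question: a large positive gap means respondents rate a control as important but their organizations do not practise it. The cross-tabulation is the same operation as the paper's Tables 8 and 9, and `dominant_maturity` picks out the level with the highest count for a given reporting line; with the constructed records the CEO line comes out at optimized and the CIO line at repeatable, mirroring the pattern the study reports.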

PROPOSALS OF IS GOVERNANCE GUIDELINES
Based on the analysis of results presented in previous sections, a set of information security governance guidelines was prepared for the electricity industry.
1st Guideline: Information security governance should report directly to the organization CEO.
This guideline discusses information security in the organizational structure. Authors like Carcary et al. (2016) and You et al. (2018) debate the best strategy for the subordination of information security governance, and indicate subordination to the higher levels of the company. In the present study, most respondents considered subordination to the CEO the best option, because the maturity level is higher in this scenario.
2nd Guideline: The organization should count on a business continuity plan.
Since this is a strategic item for the organization's continuity, a well prepared plan is required to support IS governance. According to Yaokumah (2014), information security governance helps ensure the business continuity. This second guideline is proposed to ensure that information security will be considered in the plan.
3rd Guideline: A Disaster Recovery planning aligned to the business continuity plan is essential.
A disaster recovery is necessary to ensure continuity of services and minimization of exposure to risk, according to Georg (2017). Availability is a fundamental aspect for information security.
4th Guideline: Information security alignment with the company's strategic planning.
With this alignment, the top management becomes informed of all security decisions. According to Haqaf and Koyuncu (2018), Nicho (2018), IS governance should be part of corporate governance due to its strategic role, ensuring that the organization objectives will be achieved and risks will be mitigated. That said, this guideline is also corroborated by the study with respondents.
5th Guideline: Awareness of information security to the business and to the user.
It is essential to raise awareness of all on the importance of information security. With it, some risks can be avoided. According to Nazareth and Choi (2015), Höne and Eloff (2009), norms, policies, awareness and training help reduce any type of attack, and minimize risks. With it, governance maturity is also increased.
6th Guideline: Information security policies and norms signed by the executive board.
Well defined information security governance guidelines, policies and norms, with approval of the board, increase the level of maturity, and the documents proposed gain more visibility in the organization. According to Carcary et al. (2016), these policies should reach the whole organization. For Chinyemba and Phiri (2018), IS governance occurs by implementing these policies and controls in the organization. So, this guideline is about acceptance and signature of these policies by the executive board.
7th Guideline: Count on risk management for information security.
Monitoring of risks helps reduce future negative impacts. According to Kure et al. (2018), lack of maturity in information security governance maximized risks in the electricity industry. For Martins et al. (2019), the electricity industry, for being essential to human life, should keep security governance in order to mitigate any type of risks. In this industry, risk management is necessary.
8th Guideline: Train new employees in information security.
With that, the employee becomes aware of information security norms and policies practiced in the company. This movement must be continuous, through training and communication (Cardoso et al., 2019). Training the new employee in guidelines and best information security practices, according to Nazareth and Choi (2015), raises IS governance maturity. It also helps in the effective participation of all inside the organization, according to You et al. (2018). So, training the user in the act of hiring is necessary.
9th Guideline: Monitoring of information security incident.
Such monitoring helps reduce possible negative impacts in case any incident occurs. For Nazareth and Choi (2015), Kure et al. (2018), monitoring tools help avoid attacks, information leaks and financial loss in the organization. So, this guideline of effective monitoring of IS incidents is very important.
10th Guideline: Maintain one firewall for the datacenter and another for perimeter protection.
This model helps prevent direct attacks on the organization's datacenter: if the perimeter is compromised, actions can still be taken at the datacenter. The guideline arises from market experience with companies that do not adequately protect their perimeter and, behind it, the most valuable portion of the business. Effective network segmentation with controlled access raises the maturity level and reduces the risk of attacks on the production environment and on the automation environment.
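As an added illustration of this guideline (example configuration written for this page, not part of the original study), the nftables rulesets below show what "one firewall for the datacenter and another for the perimeter", each with a default-deny forwarding policy, looks like in practice. The two tables belong on two separate devices and are shown in one file only so they can be read side by side. All interface names, addresses, host roles and the protocols admitted into the automation network are assumptions chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Two-tier segmentation: perimeter firewall in front, datacenter firewall
# behind it. Both forward chains default to drop, so a compromise of the
# perimeter device does not by itself open the datacenter or the OT network.
#
# Assumed (hypothetical) topology:
#   perimeter firewall:  wan0 = Internet, dmz0 = 10.10.0.0/24 (public services),
#                        inside0 = link towards the datacenter firewall
#   datacenter firewall: corp0 = 10.20.0.0/16 (corporate LAN, also where traffic
#                        relayed by the perimeter firewall arrives),
#                        dc0 = 10.30.0.0/16 (datacenter),
#                        ot0 = 10.40.0.0/24 (automation / OT network)

flush ruleset

define dc_app_tier     = 10.30.1.0/24                 # business application servers
define dc_scada_master = 10.30.2.5                    # SCADA master that polls the RTUs
define ot_jump_hosts   = { 10.30.9.10, 10.30.9.11 }   # hardened hosts that alone may enter OT

# ---- Perimeter firewall ---------------------------------------------------
table inet perimeter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # The Internet may reach only the DMZ web tier, and only on HTTPS.
        iifname "wan0" oifname "dmz0" ip daddr 10.10.0.0/24 tcp dport 443 accept

        # DMZ hosts may call the application tier behind the datacenter
        # firewall on one port; they get no blanket route inward.
        iifname "dmz0" oifname "inside0" ip daddr $dc_app_tier tcp dport 8443 accept

        # Everything else, including anything from wan0 towards inside0, is
        # counted, logged and dropped.
        counter log prefix "perimeter-drop: " drop
    }
}

# ---- Datacenter firewall --------------------------------------------------
table inet datacenter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Corporate users (and DMZ traffic relayed by the perimeter firewall)
        # reach the business application tier only.
        iifname "corp0" oifname "dc0" ip daddr $dc_app_tier tcp dport { 443, 8443 } accept

        # Interactive access to the automation network comes only from the
        # jump hosts, and only with the operator protocols (SSH and RDP here).
        iifname "dc0" oifname "ot0" ip saddr $ot_jump_hosts ip daddr 10.40.0.0/24 tcp dport { 22, 3389 } accept

        # The SCADA master polls the RTUs over IEC 60870-5-104 (TCP 2404);
        # replies come back through the established/related rule above.
        iifname "dc0" oifname "ot0" ip saddr $dc_scada_master ip daddr 10.40.0.0/24 tcp dport 2404 accept

        # Corporate -> OT is never permitted. This rule only gives such
        # attempts their own log prefix before the default drop.
        iifname "corp0" oifname "ot0" counter log prefix "corp-to-ot-attempt: " drop

        counter log prefix "datacenter-drop: " drop
    }
}
```

Check each file with `nft -c -f <file>` before loading it on its device, and treat the two drop-log prefixes as inputs to the incident monitoring of the 9th guideline: a burst of "corp-to-ot-attempt" entries is exactly the kind of event that segmentation is meant to make visible.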

CONCLUSION
The present study first surveyed the literature on IS governance in the corporate sphere, on how strategic management directly affects the area, and on how the electricity industry is positioned on the theme. This identification made it possible to ground the composition of the research.
Then, the perception of IS managers, coordinators and experts regarding IS governance was mapped by means of the answers obtained with the questionnaire. It became evident at this stage that the importance a professional gives to the themes addressed is not always reflected in the organization. Moreover, the maturity level stays between optimized and managed where security reports directly to the organization's CEO, whereas where IS is subordinated to more operational areas, such as Information Technology, the maturity level is much lower, reaching only the repeatable level.
Since the organization's finances and image are strongly affected when a cybercrime incident occurs, some companies, because of the high maturity level of their processes, seek to follow good practices so as not to face financial collapse or tarnish their image.
Based on the research results, 10 guidelines were suggested as best practices for the electricity industry, aiming to answer the central question of the research. The following guidelines stand out: information security should report to the CEO; the environment should be internally segmented so that only authorized persons can act in it; and information security incidents should be efficiently monitored in order to control anything that occurs in the network.
All the guidelines help form effective IS governance with methods, training, awareness and well defined norms. It is worth mentioning that this is a continuous movement, always seeking the evolution of processes and the increase of their maturity.
However, the proposed guidelines cannot be generalized, and further studies should be conducted to adapt new IS governance guidelines to other industries, because of the limited sample size: it was conditioned to the 104 respondents of the questionnaire, and since the size of the population is not known, generalization is not possible.
Through the analysis and the answers obtained in this study, we hope that companies will adopt information security governance or, for those that already have well structured processes, that they will increasingly raise their maturity level. IS must reach the whole organization with its processes and norms, rather than being merely technological information security.
Given the importance of the subject and in pursuit of its evolution in organizations, the following future work is suggested: the creation of new IS governance guidelines to help improve the organizational maturity level; research into secure development in organizations and the maturity of development teams, factors that influence IS maturity and its subordination to the organization's hierarchical level; and an analysis of the data from that research using multivariate analysis or a Multiple Criteria Decision Making (MCDM) method. The last item is proposed because the General Data Protection Law in Brazil is focused on personal data leaks, and development teams will play a key role in that protection.