The Role of Change Control Boards in Ensuring Cybersecurity Compliance for IT Infrastructure
In the dynamic landscape of information technology, maintaining cybersecurity compliance is a paramount concern for organizations. Change Control Boards (CCBs) play a crucial role in this context, serving as a governance mechanism to oversee and manage changes within IT infrastructure. This paper explores the significance of CCBs in ensuring cybersecurity compliance, focusing on their functions, processes, and impact on organizational security posture. Through a comprehensive review of existing literature and case studies, the research highlights how CCBs facilitate risk assessment, enforce policy adherence, and mitigate potential threats arising from changes in the IT environment. The findings underscore the importance of structured change management and suggest best practices for integrating cybersecurity considerations into the CCB workflow. By understanding the role of CCBs, organizations can enhance their ability to safeguard sensitive data and maintain regulatory compliance in an ever-evolving threat landscape.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Please find the rights and licenses in the Journal of Information Technology and Computer Engineering (JITCE).