Information security policy development and implementation: The what, how and who
Introduction
Organisations today are more dependent than ever on Information Technology (IT) as IT supports their day-to-day transactions as well as numerous other critical business functions. According to Doughty and Grieco (2005), “IT should be seen as a way for increasing the accessibility, speed and comprehensiveness of information that supports the decision-making processes within the organisation”. However, the dependency on IT has unfortunately resulted in an increase in potential threats to organisations' information assets.
A 2014 cybercrime survey in the United States of America found that more damage was caused by insider attacks than by outsider attacks, with insider involvement accounting for the highest percentage of damage in the following incident types: private or sensitive information unintentionally exposed (82%); confidential records compromised or stolen (76%); customer records compromised or stolen (71%); and employee records compromised or stolen (63%) (CERT Insider Threat Center, 2014). Based on the findings of this survey, it is evident that organisations must have security controls in place to ensure the confidentiality, integrity and availability of their information.
This paper posits that one important mechanism for protecting organisations' information assets is the formulation and implementation of an effective information security policy. The main contribution made by this paper is the proposal of a key component in the framework termed the “Information Security Policy Development Life Cycle” (ISPDLC – Fig. 2). This framework indicates the various constructs that information security practitioners need to consider in the development and implementation of an effective information security policy.
The remainder of this paper is structured as follows: The background to an information security policy is discussed in Section 2, Section 3 describes the research methodology, and Section 4 covers the constructs of the proposed component (ISPDLC). The relationship between the constructs of the ISPDLC is highlighted in Section 5, while Section 6 highlights the stakeholders that are involved in the development and implementation of the information security policy. Finally, Sections 7 and 8 discuss the findings and offer a conclusion.
Information security policy
The literature contains many definitions for an information security policy. Chen and Li (2014) state that an information security policy is used by management to differentiate between employee behaviours that are either permitted or prohibited, as well as the consequent sanctions if the forbidden behaviours take place. On the other hand, ISO/IEC 27002 (2013) states that the objective of an information security policy is to provide management with direction and support in accordance with
Research methodology
This study used a mixed method approach, combining both qualitative and quantitative methods during the data collection and data analysis processes. Firstly, the study adopted a qualitative approach during the formal content analysis of existing theories on and methods for developing an information security policy. The interpretation of the results of the content analysis subsequently resulted in the development of a conceptual framework. Secondly, quantitative data was collected using a survey
Framework codes: the WHAT
The ten framework codes are based on the integration of the existing information security policy development and implementation methods and models found in the current literature, plus the input of the surveyed security professionals. The findings revealed different codes that organisations should consider when developing and implementing an effective information security policy. Fig. 1 depicts the final ten codes of the proposed framework.
By reflecting on the different codes depicted in Fig. 1
The relationship between the ISPDLC constructs: the HOW
The results of the content analysis revealed a high frequency of occurrence of Management Support and Employee Support. Accordingly, it was assumed that it is essential that Management Support and Employee Support are involved in all the processes when developing and implementing an information security policy. Therefore, inferential statistical tests were conducted to ascertain whether there is a relationship between Management Support and the Information Security Policy Development Life Cycle
Information security policy stakeholders: the WHO
In order for an information security policy to survive and attain its objectives, management, employees and stakeholders need to support the entire process involved in developing and implementing it. The development of an effective security policy requires a combination of skills which emanate from the experiences of the different stakeholders (Diver, 2007). Respondents in the survey suggested various stakeholders that should be involved in the process of developing and implementing the policy.
Conclusion
The main objective of the research on which this paper is based was to provide a framework (including the ISPDLC) that offers a comprehensive, structured methodology for developing and implementing an effective information security policy.
A formal content analysis of current information security policy development methods was conducted using secondary sources to obtain a deep understanding of the processes. The content analysis revealed various codes that are considered to be the main
Discussion and limitations
The first limitation of this paper is related to the demographics of the respondents in the survey. The respondents of the survey were from the United States of America and the United Kingdom only, which may constitute a limitation with regard to the generalisability of the study findings, as these two countries are developed countries with advanced technology. It is therefore important that the proposed framework should provide guidelines that underdeveloped countries could follow in order to
Stephen V. Flowerday
Department of Information Systems, University of Fort Hare, East London, South Africa
Stephen holds a doctoral degree in Information Technology from the Nelson Mandela Metropolitan University. He is presently a professor focusing on Information Security at the University of Fort Hare. Stephen has supervised postgraduate students and published extensively within his research field.
References (45)
The theory of planned behaviour. Special Issue: theories of cognitive self-regulation. Organ Behav Hum Decis Process (1991)
et al. Information systems security policies: a contextual perspective. Comput Secur (2005)
How to review and assess information security policy: the six-step process
et al. Success factors in information security implementation in organisations. Proc IADIS Int Conf e-Society (2007)
Security policy management process within a six sigma framework. J Inf Secur (2012)
et al. Producing your network security policy (2007)
How to write an information security policy
et al. Deterrence and incapacitation: estimating the effects of criminal sanctions on crime rates (1978)
et al. Quantitative, qualitative, and mixed research methods in engineering education. J Eng Educ (2009)
et al. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Q (2010)
Definition of binding agreement
U.S. State of Cybercrime Survey (2014)
Understanding organisation employee's information security omission behaviour: an integrated model of social norm and deterrence
Integrating information security policy management with corporate risk management for strategic alignment
Statistical methods for organizational research: theory and practice
Information security policy: a development guide for large and small companies
IT governance: pass or fail? Inf Syst Audit Control Assoc
Risk appetite and tolerance
Structural equation modelling and regression: guidelines for research practice. Commun AIS
How to write a policy manual
Multivariate data analysis
An empirical study of information security policy on information security elevation in Taiwan. Inf Manag Comput Secur
Tite Tuyikeze
School of ICT, Sol Plaatje University, Kimberley, South Africa
Tite holds a DPhil in Information Systems from the University of Fort Hare. His primary research area focuses on the maturity assessment of information security policy. He has previously published research papers in this research area. Tite works as a senior lecturer at Sol Plaatje University.