Information Security Policy: A Management Practice Perspective
Australasian Conference on Information Systems
Alshaikh et al.
2015, Adelaide, South Australia
InfoSec Policy Management Practices
Information Security Policy: A Management Practice Perspective
Moneer Alshaikh
Department of Computing and Information Systems
Melbourne School of Engineering
University of Melbourne
Victoria, Australia
Email: Malshaikh@student.unimelb.edu.au
Sean B. Maynard
Department of Computing and Information Systems
Melbourne School of Engineering
University of Melbourne
Victoria, Australia
Email: Sean.Maynard@unimelb.edu.au
Atif Ahmad
Department of Computing and Information Systems
Melbourne School of Engineering
University of Melbourne
Victoria, Australia
Email: Atif@unimelb.edu.au
Shanton Chang
Department of Computing and Information Systems
Melbourne School of Engineering
University of Melbourne
Victoria, Australia
Email: Shanton.chang@unimelb.edu.au
Abstract
Considerable research effort has been devoted to the study of Policy in the domain of Information
Security Management (ISM). However, our review of ISM literature identified four key deficiencies
that reduce the utility of the guidance to organisations implementing policy management practices.
This paper provides a comprehensive overview of the management practices of information security
policy and develops a practice-based model. The model provides comprehensive guidance to
practitioners on the activities security managers must undertake for security policy development and
allows practitioners to benchmark their current practice with the model's suggested best practice. The
model contributes to theory by mapping existing information security policy research in terms of the
defined management practices.
Keywords: Information security policy, Policy development, Security policy management
practice
1 Introduction
There is growing recognition of the role of management in protecting organisational information from
a range of security risks such as: leakage of trade secrets and intellectual property, disruption of
mission-critical systems, and malicious attack from both insiders and outsiders (Ahmad et al. 2014a;
Alshaikh et al. 2014; Webb et al. 2014). Policy is a critical formal control by which senior management
provides strategic and tactical guidance on a range of issues such as what security structures, roles,
and processes must be instituted and the acceptable use of information technologies (Ahmad et al.
2014b; Sommestad et al. 2014). Consequently, security researchers have consistently argued that the
effectiveness of managerial practices associated with security policy is critical to a successful security
program (Maynard and Ruighaver 2006; Siponen et al. 2014).
Our review of both professional and academic literature reveals that considerable research effort and
progress has been made on the provision of high-level policy management lifecycles or models for
organisations. However, there are a number of deficiencies that reduce their utility to organisations
seeking guidance on what managerial practices are involved in implementing security policy. The
literature: lacks a holistic view of the policy lifecycle (deficiency 1); lacks consistency in terminology
and semantics (deficiency 2); uses varying levels of granularity in describing policy management
activities (deficiency 3); and makes it difficult to extricate guidance on policy management from that
of other practice areas such as risk management and Security Education, Training, and Awareness
(SETA) (deficiency 4).
Therefore, the aim of this paper is to: (1) provide a comprehensive overview of the management practices
of information security policy; and (2) develop a practice-based model that addresses the four
aforementioned deficiencies. The study addresses the following research question:
What information security policy management practices should be implemented in organisations?
This paper is organised as follows. First, we review existing policy management lifecycles in the
background section. Second, we explain the research methodology employed to review and analyse
the literature. Third, we propose a model of managerial practices related to security policy. Fourth, we
explain how the proposed model addresses the identified deficiencies in the discussion section.
Finally, we revisit the main contribution and conclude with implications of the research.
2 Background
There are a number of studies on the development and implementation of information security policy
(Bayuk 1997; Kadam 2007; Knapp et al. 2009; Rees et al. 2003; SANS Institute 2001; Whitman
2008). The majority of these studies present the development of security policy as multi-stage
lifecycles. Using a lifecycle approach to develop security policy is very beneficial as it allows good