69 research outputs found

    Aligning the information security policy with the strategic information systems plan

    Two of the most important documents for ensuring the effective deployment of information systems and technologies within the modern business enterprise are the strategic information systems plan (SISP) and the information security policy. The strategic information systems plan ensures that new systems and technologies are deployed in a way that will support an organisation’s strategic goals, whilst the information security policy provides a framework to ensure that systems are developed and operated in a secure manner. To date, the literature with regard to the formulation of the information security policy has tended to ignore its important relationship with the strategic information systems plan, and vice versa. In this paper we argue that these two important policy documents should be explicitly and carefully aligned to ensure that the outcomes of strategically important information system initiatives are not compromised by problems with their security.

    Enterprise information security policy assessment - an extended framework for metrics development utilising the goal-question-metric approach

    Effective enterprise information security policy management requires review and assessment activities to ensure information security policies are aligned with business goals and objectives. As security policy management involves the elements of the policy development process and the security policy as output, the context for security policy assessment requires goal-based metrics for these two elements. However, current security management assessment methods only provide checklist types of assessment that are predefined by industry best practices and do not allow for developing specific goal-based metrics. Utilizing theories drawn from the literature, this paper proposes the Enterprise Information Security Policy Assessment approach, which expands on the Goal-Question-Metric (GQM) approach. The proposed assessment approach is then applied in a case scenario example to illustrate a practical application. It is shown that the proposed framework addresses the requirement for developing assessment metrics and allows for the concurrent undertaking of process-based and product-based assessment. Recommendations for further research activities include the conduct of empirical research to validate the propositions and the practical application of the proposed assessment approach in case studies to provide opportunities to introduce further enhancements to the approach.

    Development of IS/IT Strategy in Various Business Fields: State of the Art

    IS/IT strategy is one of the keys to a company's success in running a business. IS/IT strategy is usually in line with existing business strategies. In the last few decades, many IS/IT models have been developed and implemented with the aim of improving business management by utilizing the latest technology. Motivated by the application of IS/IT in various business models, this paper aims to emphasize the importance of this strategy in business transformation. This paper contains an overview of the strategy and an identification of IS/IT strategies that have been implemented in various business areas. This paper is expected to provide additional knowledge for researchers, communities and IS/IT practitioners in developing and implementing better IS/IT in the future. Keywords: IS/IT strategy, business strategy, management I

    Mismatched Understanding of IS Security Policy: A RepGrid Analysis

    Professional and academic literature indicates that organizational stakeholders may hold different perceptions of security rules and policies. This discrepancy of perceptions may be rooted in a conflict between the compliance of stakeholders with organizational norms on the one hand, and with security rules on the other. The paper argues that a mismatched understanding of security policy can have a devastating effect on the security of organizations, and should therefore be treated as a key reason for non-compliance with security policy. Using Personal Construct Theory and Repertory Grids, we explore how different stakeholder groups within an organization can hold divergent views on the same security policies. Our findings have implications for the design of security policy training and awareness programs, as well as for the institution and internalization of good IS governance practices.

    Embedding Information Security Culture Emerging Concerns and Challenges

    The behaviour of employees has been identified as a key factor in the protection of organizational information. As such, many researchers have called for information security culture (ISC) to be embedded into organizations to positively influence employee behaviour towards protecting organizational information. Despite claims that ISC may influence employee behaviours to protect organizational information, there is little empirical work that examines the embedding of ISC into organizations. This paper argues that embedding ISC should not only focus on employee behaviour, but should rather, in a holistic manner, involve everyone in the organization. The argument is developed through case studies in two organizations based on semi-structured interviews of respondents, observations, and document analysis from each organization. The results show that the challenges of embedding ISC are not as simple as changing employee behaviour and the technical aspects of security. Rather, the more challenging problem is how to embed ISC in a holistic manner that includes senior management support and involvement to instil awareness through mandatory training with a clear assignment of responsibility and constant enforcement of security policies and procedures. We believe that the findings will provide researchers in ISC with a broader view of how ISC can be embedded in organizations.

    Policy Ambiguity: a Problem, a Tool, or an Inherent Part of Policymaking?

    It has been acknowledged that the Information Systems (IS) discipline needs to pay attention to policymaking. However, the IS field has not yet sufficiently acknowledged the complexities of policymaking and the resulting ambiguity. We present two worldviews that underlie how IS research has approached policymaking and, indirectly, policy ambiguity. In the dominant “representationalist” view, a policy is planned and implemented in a linear manner, and ambiguity is seen as problematic. The “enactivist” view sees a policy and its implementation as mutually constitutive: a policy does not exist without its implementation, but it also guides the implementation. This can result in unresolvable paradoxes that manifest as ambiguities. Based on our review of the extant IS research, we present existing perspectives on policy(making) and ambiguity. We call for IS researchers invested in policy/regulation-related research to be aware of and explicit about the views of policy(making) and ambiguity guiding their research.

    Making research real: Is action research a suitable methodology for medical information security

    In the medical field, information security is an important yet vastly underrated issue. Research into the protection of sensitive medical data is often technically focused and does not address information systems and behavioural aspects integral to effective information security implementation. Current information security policy and guidelines are strategically oriented which, whilst relevant to large organisations, are less supportive to smaller enterprises such as primary care practices. Further, the conservative nature of the medical profession has been shown to hinder investigation into information technology use and management, making effective improvement based on research problematical. It is an environment which relies greatly on trust, inhibiting good security practice. Research into how information security practice in this setting can be improved demands an interpretivist approach rather than a positivist one. Action research is one such interpretivist method that allows the creation of scientific knowledge with practical value. Whilst there is some opposition to the action research method on grounds of rigour, its fundamental cyclic process of participation, action and reflection promotes internal rigour and can overcome many of the barriers to research inherent in the primary care medical environment.

    Making Research Real: Is Action Research a Suitable Methodology for Medical Information Security Investigations?

    In the medical field, information security is an important yet vastly underrated issue. Research into the protection of sensitive medical data is often technically focused and does not address information systems and behavioural aspects integral to effective information security implementation. Current information security policy and guidelines are strategically oriented which, whilst relevant to large organisations, are less supportive to smaller enterprises such as primary care practices. Further, the conservative nature of the medical profession has been shown to hinder investigation into information technology use and management, making effective improvement based on research problematical. It is an environment which relies greatly on trust, inhibiting good security practice. Research into how information security practice in this setting can be improved demands an interpretivist approach rather than a positivist one. Action research is one such interpretivist method that allows the creation of scientific knowledge with practical value. Whilst there is some opposition to the action research method on grounds of rigour, its fundamental cyclic process of participation, action and reflection promotes internal rigour and can overcome many of the barriers to research inherent in the primary care medical environment.