
    Enterprise information security policy assessment - an extended framework for metrics development utilising the goal-question-metric approach

    Effective enterprise information security policy management requires review and assessment activities to ensure that information security policies are aligned with business goals and objectives. As security policy management involves both the policy development process and the security policy as its output, the context for security policy assessment requires goal-based metrics for these two elements. However, current security management assessment methods only provide checklist-type assessments that are predefined by industry best practices and do not allow for developing specific goal-based metrics. Utilizing theories drawn from the literature, this paper proposes the Enterprise Information Security Policy Assessment approach, which expands on the Goal-Question-Metric (GQM) approach. The proposed assessment approach is then applied in a case scenario example to illustrate a practical application. It is shown that the proposed framework addresses the requirement for developing assessment metrics and allows for the concurrent undertaking of process-based and product-based assessment. Recommendations for further research include empirical research to validate the propositions and the practical application of the proposed assessment approach in case studies, providing opportunities to introduce further enhancements to the approach.

    Help or hindrance? The practicality of applying security standards in healthcare

    The protection of patient information is now more important than ever as a national e-health system approaches reality in Australia. The major challenge for health care providers is to understand the importance of information security whilst also incorporating effective protection into established workflow and daily activity. Why then, when it is difficult for IT and security professionals to navigate through and apply the myriad of information security standards, do we expect small enterprises such as primary health care providers to also be able to do this? This is an onerous and impractical task without significant assistance. In the development of the new Computer and Information Security Standards (CISS) for Australian General Practice, a consistent and iterative process for the interpretation and application of international standards was used. This involved both the interpretation of the standards and the application of knowledge to create a practical but acceptable level of security for the primary healthcare environment. From a security perspective, such practical application of standards poses the dichotomous challenge (and criticism) of how much security is sufficient versus how much the primary healthcare environment can manage. This paper describes the path of development from standards to implementation using the CISS as an example. It is concluded that more practical assistance from the security profession is required to support the national e-health initiative if Australia is to provide a safe and secure healthcare environment.

    Feasibility study on incorporating IEC/ISO27001 information security management system (ISMS) standard in IT services environment

    Feasibility Study on incorporating IEC/ISO27001 Information Security Management System (ISMS) in IT Services Environment is a research study that takes an organization as a case study to assess the existing maturity level of its information security management and to propose an implementation approach based on the ISO27001 ISMS standard. The activities involve a security gap assessment and the drafting of the mandatory documents required by the ISO 27001 ISMS standard. The objective of this study is to identify the common information security incidents and the ISO27001 ISMS practices on corrective and preventive actions. Besides, this research study focuses on analyzing the current state of the organization by conducting a feasibility study on the readiness of the ISO27001 ISMS practices in place. The methodology of this research study was derived from a research operational framework comprising several project phases and ISO27001 ISMS implementation phases mapped to the deliverables. The deliverables and expected results are a series of document sets that must comply with the ISO27001 ISMS standard, such as an initial draft of the ISMS policy manual, the risk assessment methodology, the risk assessment report and the statement of applicability (SOA), developed to meet the ISO27001 ISMS requirements and criteria. Also, mandatory activities such as the gap assessment and the information security risk assessment will be proposed and conducted, with the relevant reports prepared as part of the results and findings to accomplish the objectives of this research study. The findings of the gap assessment performed within the organization show that it does not meet the requirements of ISO27001 ISMS. Hence, this research study proposes an implementation approach based on the ISO27001 ISMS standard to implement the ISMS controls, close the gaps and mitigate the risks identified in the gap assessment findings.

    Applying action research in the formulation of information security policies

    Information Systems Security (ISS) is crucial in each and every one of the services provided by organizations. This paper focuses on Small and Medium Sized Enterprises (SMEs): although all organizations have their own requirements as far as information security is concerned, SMEs offer one of the most interesting cases for studying the issue of information security policies. Within the organizational universe, SMEs assume a unique relevance due to their high number, which makes information security efficiency a crucial issue. There are several measures which can be implemented in order to ensure the effective protection of information assets, among which the adoption of ISS policies stands out. This article aims to constitute an empirical study on the applicability of the Action Research (AR) method in information systems, more specifically through the formulation of an ISS policy in SMEs. The research question is to what extent this research method is adequate to reach the proposed goal.

    Exploring Knowledge Sharing Practices for Raising Security Awareness

    This study aims to explore the types of information that can be effectively communicated through three knowledge-sharing methods and their impact on employees’ security practice. On one end, guarding the organisation’s information system against cyber-attacks is critical, and improving users’ knowledge and skills is a common approach in any security program. On the other end, organisations lack a clear understanding of what types of security information should be delivered through which methods of communication to be effective in boosting users’ knowledge and compliance behaviour. The study employed a qualitative method using semi-structured interviews with business users in Vietnam. The initial findings indicate that a single method of knowledge and skill development is not sufficient to assist users in dealing with complex and constantly changing security needs. It is necessary to further experiment with methods of encouraging formal and peer knowledge sharing that can support individual efforts to comply with security policies.

    Critical success factors for the implementation of a security policy in health clinics

    Information systems security (ISS) is crucial in each and every one of the services provided by organizations. Among the security measures, policies assume a central role in the literature. However, there is a reduced number of empirical studies about the implementation of ISS policies and about the critical success factors for their implementation. This paper contributes to mitigating this gap by presenting the results of a survey on the adoption of ISS policies in health clinics. While all organizations have their own ISS requirements, the health sector is recognized to offer one of the most interesting cases for the study of ISS in particular and of information technology and information systems in general. The results are discussed in light of the literature, and future work is identified with the aim of enabling the implementation of ISS policies.

    Internalization of Information Security Policy and Information Security Practice: A Comparison with Compliance

    Most recent information security incidents have been caused by employees’ poor management rather than by technology defects. Accordingly, organizations try to improve their information security by demanding that employees conform to information security policies. Previous studies examined the effect of an organization’s enforcement-based systems, using penalties and rewards, on employees’ compliance with information security policies. They found that there is a lack of autonomy and sustainability if conformity depends on external environmental factors. To confirm, following social influence theory, that employees’ information security practices can be better performed if they go beyond compliance and are internalized, we developed an instrument that measures employees’ attitudes towards information security policies and conducted a pilot test. The results show that information security practices are performed better by the higher-internalization group than by the compliance group, demonstrating the greater effectiveness of internalization in improving both employees’ and organizations’ information security.

    Information systems security policies: a survey in Portuguese public administration

    Information Systems Security is a relevant factor for present-day organizations. Among the security measures, policies assume a central role in the literature. However, there is a reduced number of empirical studies about the adoption of information systems security policies. This paper contributes to mitigating this gap by presenting the results of a survey on the adoption of Information System Security Policies in Local Public Administration in Portugal. The results are discussed in light of the literature, and future work is identified with the aim of enabling the adoption of security policies in Public Administration.

    Improving an organisation's existing information technology policy to increase security

    A security policy which includes the appropriate phases of implementation, enforcement, auditing and review is vital to protecting an organisation's information security. This paper examined the information security policy of a government organisation in response to a number of perceived shortcomings. The specific issues identified relating to the organisation's security policy as a result of this investigation were as follows: a culture of ignoring policies, minimal awareness of policies, minimal policy enforcement, policy updating and review ad hoc at best, policy framework, lengthy policy development and approval process, no compliance program, no formal non-compliance reporting and an apparently inconsistent enforcement across the whole of the organisation. In response to these identified issues, the following recommendations were made to improve the information security of the organisation: changing the organisation's culture, creating an awareness mechanism for policies, improving the organisation's culture, creating an ICT policy awareness programme, reviewing and re-writing existing policies, policy enforcement, policy compliance, policy non-compliance reporting, policy updating and review, improving the policy development and approval process, policy compliance checking and uniform policy enforcement. Whilst it is also likely that a lack of governance contributed to these issues, this aspect was not addressed in this paper. It is hoped that timely implementation of the remedies presented here will increase the organisation's information security.

    Understanding the management of information security controls in practice

    The ever-greater reliance on complex information technology environments, together with dynamically changing threat scenarios and increasing compliance requirements, makes the efficient and effective management of information security controls a key concern for most organizations. Good practice collections such as COBIT and ITIL, as well as related standards such as those belonging to the ISO/IEC 27000 family, provide useful starting points for control management. However, neither good practice collections and standards nor the scholarly literature explain how the management of controls is actually performed in organizations or how the current state of practice can be improved. A series of interviews with information security professionals from European organizations was conducted in order to better understand how a coherent and comprehensive suite of controls is built and maintained in practice and to help organizations refine related work practices. The interviews focused on the activities of control management as well as on the roles and responsibilities of the individuals and groups involved in those activities. The results of a qualitative content analysis of the gathered data allowed an aggregate description of control management on the basis of a generic control management cycle ranging from the creation of a control design to its implementation and review.