6 research outputs found

    Aligning the information security policy with the strategic information systems plan

    Two of the most important documents for ensuring the effective deployment of information systems and technologies within the modern business enterprise are the strategic information systems plan (SISP) and the information security policy. The strategic information systems plan ensures that new systems and technologies are deployed in a way that will support an organisation’s strategic goals whilst the information security policy provides a framework to ensure that systems are developed and operated in a secure manner. To date, the literature with regard to the formulation of the information security policy has tended to ignore its important relationship with the strategic information systems plan, and vice versa. In this paper we argue that these two important policy documents should be explicitly and carefully aligned to ensure that the outcomes of strategically important information system initiatives are not compromised by problems with their security.

    An investigation into the uptake, content, dissemination and impact of information security policies in large UK-based organizations

    Despite its widely acknowledged importance, the information security policy has not, to date, been the subject of explicit, empirical scrutiny in the academic literature. To help fill this gap an exploratory research project was initiated that sought to investigate the uptake, content, dissemination and impact of information security policies in large UK-based organizations. The results of this research have indicated that whilst policies are now fairly common, at least amongst our sample, there is still a high degree of variety in terms of their content and dissemination.

    The application of information security policies in large UK-based organizations: an exploratory investigation

    Despite its widely acknowledged importance, the information security policy has not, to date, been the subject of explicit, empirical scrutiny in the academic literature. To help fill this gap an exploratory research project was initiated that sought to investigate the uptake, content, dissemination and impact of information security policies. To this end, a questionnaire was mailed to senior IS executives in large UK-based organizations, and 208 valid responses were received. The results of this research have indicated that whilst policies are now fairly common, at least amongst our sample, there is still a high degree of variety in terms of their content and dissemination.

    Reinforcing the security of corporate information resources: a critical review of the role of the acceptable use policy

    Increasingly users are seen as the weak link in the chain, when it comes to the security of corporate information. Should the users of computer systems act in any inappropriate or insecure manner, then they may put their employers in danger of financial losses, information degradation or litigation, and themselves in danger of dismissal or prosecution. This is a particularly important concern for knowledge-intensive organisations, such as Universities, as the effective conduct of their core teaching and research activities is becoming ever more reliant on the availability, integrity and accuracy of computer-based information resources. One increasingly important mechanism for reducing the occurrence of inappropriate behaviours, and in so doing, protecting corporate information, is through the formulation and application of a formal ‘acceptable use policy’ (AUP). Whilst the AUP has attracted some academic interest, it has tended to be prescriptive and overly focussed on the role of the Internet, and there is relatively little empirical material that explicitly addresses the purpose, positioning or content of real acceptable use policies. The broad aim of the study, reported in this paper, is to fill this gap in the literature by critically examining the structure and composition of a sample of authentic policies – taken from the higher education sector – rather than simply making general prescriptions about what they ought to contain. There are two important conclusions to be drawn from this study: 1) the primary role of the AUP appears to be as a mechanism for dealing with unacceptable behaviour, rather than proactively promoting desirable and effective security behaviours, and 2) the wide variation found in the coverage and positioning of the reviewed policies is unlikely to be fostering a coherent approach to security management, across the higher education sector.

    The information security policy unpacked: A critical study of the content of university policies

    Ensuring the security of corporate information, that is increasingly stored, processed and disseminated using information and communications technologies [ICTs], has become an extremely complex and challenging activity. This is a particularly important concern for knowledge-intensive organisations, such as Universities, as the effective conduct of their core teaching and research activities is becoming ever more reliant on the availability, integrity and accuracy of computer-based information resources. One increasingly important mechanism for reducing the occurrence of security breaches, and in so doing, protecting corporate information, is through the formulation and application of a formal information security policy (InSPy). Whilst a great deal has now been written about the importance and role of the information security policy, and approaches to its formulation and dissemination, there is relatively little empirical material that explicitly addresses the structure or content of security policies. The broad aim of the study, reported in this paper, is to fill this gap in the literature by critically examining the structure and content of authentic information security policies, rather than simply making general prescriptions about what they ought to contain. Having established the structure and key features of the reviewed policies, the paper critically explores the underlying conceptualization of information security embedded in the policies. There are two important conclusions to be drawn from this study: 1) the wide diversity of disparate policies and standards in use is unlikely to foster a coherent approach to security management; and 2) the range of specific issues explicitly covered in university policies is surprisingly low, and reflects a highly techno-centric view of information security management.

    Using the Internet for international marketing: web site design issues for UK SMEs competing in foreign markets

    Using the Internet for international marketing: web site design issues for UK SMEs competing in foreign market