Evaluation and Prioritization of Information Security Controls of ISO/IEC 27002:2013 for SMEs Through Fuzzy TOPSIS

The objective of this research is to find out the level of information security in the academic information system to give recommendations improvements in information security management. The method used is qualitative research method, which data obtained based on the results of questionnaires distributed to respondents with the Guttmann scale. Based on the analysis results, 13 objective controls and 43 security controls were scattered in 3 clauses. From the analysis, it was concluded that the maturity level of information system security governance was 2.51, which means the level of maturity is still at level 2 but is approaching level 3 well defined.

Download Full-text

Investigation into the State-of-Practice of Operations Security Management Based on ISO/IEC 27002

International Journal of Technology Diffusion ◽

10.4018/ijtd.2016010104 ◽

2016 ◽

Vol 7 (1) ◽

pp. 53-72 ◽

Cited By ~ 1

Author(s):

Winfred Yaokumah

Keyword(s):

Information Security ◽

Organizational Performance ◽

Security Management ◽

Educational Institutions ◽

Special Focus ◽

Cross Sectional ◽

Security Controls ◽

Level 3 ◽

Iec 27002 ◽

Insight Into

This study assessed information security management in organizations through a questionnaire based on the ISO/IEC 27002, with special focus on operations security. A survey with cross-sectional research design was conducted and data collected from 223 participants from 56 organizations. Overall, the level of operations security maturity was 61.2%, which is the maturity Level 3 (well-defined). This level suggested that operations security controls and processes were documented, approved, and implemented organization-wide. Backups and malware protection were the most implemented security controls, while logging, auditing and monitoring were the least implemented controls. Assessment of inter-organizational operations security found significant differences among the organizations. Financial and Health Care Institutions outperform Educational Institutions and Government Public Service. The study provided insight into maturity levels of operations security controls and the results useful for benchmarking inter-organizational performance, competitiveness and improvement in information security.

Download Full-text

Towards Modelling the Impact of Security Policy on Compliance

Journal of Information Technology Research ◽

10.4018/jitr.2016040101 ◽

2016 ◽

Vol 9 (2) ◽

pp. 1-16 ◽

Cited By ~ 4

Author(s):

Winfred Yaokumah ◽

Steven Brown ◽

Alex Ansah Dawson

Keyword(s):

Information Security ◽

Security Policy ◽

Structural Equation ◽

Partial Least Square ◽

Least Square ◽

Roles And Responsibilities ◽

Security Controls ◽

Security Compliance ◽

Iec 27002 ◽

The Impact

This study develops a model, based on the controls present in ISO/IEC 27002 framework, to integrate the role of technical and administrative security controls. The model provides better understanding of how security policy can influence security compliance and the pathway through which this effect is generated. Data were collected from 223 IT security and management professionals. Using Partial Least Square Structural Equation Modelling (PLS-SEM) and testing hypotheses, the study finds that information security policy has significant indirect influence on information security compliance. The effect of security policy is fully mediated by security roles and responsibilities, operations security activities, and security monitoring and review activities. Security policy strongly influences operations security activities and has the greatest effect on security roles and responsibilities. Among the three mediating variables, monitoring and reviews has the most significant influence on security compliance. Conversely, the impact of security policy on compliance is not significant.

Download Full-text