Information Security Policies and Procedures Guidance for Agencies

Impact of Digital Transformation on Security Policies and Standards - Advances in Information Security, Privacy, and Ethics ◽

10.4018/978-1-7998-2367-4.ch004 ◽

2020 ◽

pp. 47-62

Author(s):

Dasari Kalyani

Keyword(s):

Information Security ◽

Security Policy ◽

Large Scale ◽

Management Strategies ◽

Security Policies ◽

Risk Levels ◽

Security Models ◽

Policies And Procedures ◽

Good Policy ◽

The Right

In today's digital e-commerce and m-commerce world, the information itself acts as an asset and exists in the form of hardware, software, procedure, or a person. So the security of these information systems and management is a big challenging issue for small and large-scale agencies. So this chapter discusses the major role and responsibility of the organization's management in identifying the need for information security policy in today's world of changing security principles and controls. It focuses on various policy types suitable for all kinds of security models and procedures with the background details such as security policy making, functionality, and its impact on an agency culture. Information security policies are helpful to identify and assess risk levels with the available set of technological security tools. The chapter describes the management strategies to write a good policy and selection of the right policy public announcement. The agencies must also ensure that the designed policies are properly implemented and ensure compliance through frequent intermediate revisions.

Download Full-text

Impact of Deterrence and Inertia on Information Security Policy Changes

Journal of Information Systems ◽

10.2308/isys-52400 ◽

2019 ◽

Vol 34 (1) ◽

pp. 123-134

Author(s):

Kalana Malimage ◽

Nirmalee Raddatz ◽

Brad S. Trinkle ◽

Robert E. Crossler ◽

Rebecca Baaske

Keyword(s):

Information Security ◽

Security Policy ◽

Online Survey ◽

Security Policies ◽

Security Measures ◽

Policy Changes ◽

Information Security Policy ◽

Improve Compliance ◽

The Impact

ABSTRACT This study examines the impact of deterrence and inertia on information security policy changes. Corporations recognize the need to prioritize information security, which sometimes involves designing and implementing new security measures or policies. Using an online survey, we investigate the effect of deterrent sanctions and inertia on respondents' intentions to comply with modifications to company information security policies. We find that certainty and celerity associated with deterrent sanctions increase compliance intentions, while inertia decreases respondents' compliance intentions related to modified information security policies. Therefore, organizations must work to overcome employees' reluctance to change in order to improve compliance with security policy modifications. They may also consider implementing certain and timely sanctions for noncompliance.

Download Full-text

Security Policies and Procedures

Strategic Information Systems ◽

10.4018/978-1-60566-677-8.ch149 ◽

2011 ◽

pp. 2352-2364

Author(s):

Yvette Ghormley

Keyword(s):

Information Systems ◽

Security Policy ◽

Security Policies ◽

Human Element ◽

Weakest Link ◽

Adoption And Implementation ◽

Policies And Procedures ◽

Management Commitment ◽

Physical Assets ◽

And Training

The number and severity of attacks on computer and information systems in the last two decades has steadily risen and mandates the use of security policies by organizations to protect digital as well as physical assets. Although the adoption and implementation of such policies still falls far short, progress is being made. Issues of management commitment, flexibility, structural informality, training, and compliance are among the obstacles that currently hinder greater and more comprehensive coverage for businesses. As security awareness and security-conscious cultures continue to grow, it is likely that research into better methodologies will increase with concomitant efficiency of security policy creation and implementation. However, attacks are becoming increasingly more sophisticated. While the human element is often the weakest link in security, much can be done to mitigate this problem provided security policies are kept focused and properly disseminated, and training and enforcement are applied.

Download Full-text

Security Policies and Risk Analysis

Securing the Information Infrastructure ◽

10.4018/978-1-59904-379-1.ch008 ◽

2008 ◽

pp. 137-160

Author(s):

Joseph Kizza ◽

Florence Migga Kizza

Keyword(s):

Network Security ◽

Risk Analysis ◽

Best Practices ◽

Security Policy ◽

Security Policies ◽

Communication Infrastructure ◽

Security Personnel ◽

Good Policy

In the last chapter, we discussed the basics of network security. Among the issues that we briefly touched on are the techniques and best practices that are currently being used by many security personnel in a variety of networks that make up the communication infrastructure. In this chapter, we are going to start with what is considered to be the most basic of all security techniques—security.policy. We will discuss several issues about security policy, like what constitutes a good policy and how to formulate, develop, write implement, and maintain a security policy.

Download Full-text

A Case Study of Effectively Implemented Information Systems Security Policy

Information Security and Ethics ◽

10.4018/978-1-59904-937-3.ch118 ◽

2008 ◽

pp. 1727-1740

Author(s):

Charla Griffy-Brown ◽

Mark W.S. Chun

Keyword(s):

Information Security ◽

Security Policy ◽

Case Analysis ◽

Web Based ◽

Systems Security ◽

Policies And Procedures ◽

Technical Architecture ◽

The Relationship

This chapter demonstrates the importance of a well-formulated and articulated information security policy by integrating best practices with a case analysis of a major Japanese multinational automotive manufacturer and the security lessons it learned in the implementation of its Web-based portal. The relationship between information security and business needs and the conflict that often results between the two are highlighted. The case also explores the complexities of balancing business expedience with long-term strategic technical architecture. The chapter provides insight and offers practical tools for effectively developing and implementing information security policies and procedures in contemporary business practice.

Download Full-text

State Information Security Policy (Comparative Legal Aspect)

Cuestiones Políticas - Conflictividad política, pandemia de COVID-19 y nuevos paradigmasConflictividad política, pandemia de COVID-19 y nuevos paradigmas ◽

10.46398/cuestpol.3971.08 ◽

2021 ◽

Vol 39 (71) ◽

pp. 166-186

Author(s):

Viacheslav B. Dziundziuk ◽

Yevgen V. Kotukh ◽

Olena M. Krutii ◽

Vitalii P. Solovykh ◽

Oleksandr A. Kotukov

Keyword(s):

Information Security ◽

Security Policy ◽

Rapid Development ◽

Legal Aspect ◽

Public Information ◽

Security Policies ◽

The European Union ◽

Public Authorities ◽

Information Security Policy ◽

State Information

The rapid development of information technology and the problem of its rapid implementation in all spheres of public life, the growing importance of information in management decisions to be made by public authorities, a new format of media — these and other factors urge the problem of developing and implementing quality state information security policy. The aim of the article was to conduct a comparative analysis of the latest practices of improving public information security policies in the European Union, as well as European countries such as Poland, Germany, Great Britain, and Ukraine. The formal-logic, system-structural and problem-theoretical methods were the leading methodological tools. The analysis of regulatory legal acts showed that there is a single concept of international information security at the global and regional levels, which requires additional legal instruments for its implementation. It is stated that the reform of national information security policies has a direct impact on the formation of a single global information space. According to the results of the study, it is substantiated that the United Kingdom is characterized by the most promising information security policy.

Download Full-text

Influences of Frame Incongruence on Information Security Policy Outcomes

International Journal of Social and Organizational Dynamics in IT ◽

10.4018/ijsodit.2013070103 ◽

2013 ◽

Vol 3 (3) ◽

pp. 33-50 ◽

Cited By ~ 2

Author(s):

Anna Elina Laaksonen ◽

Marko Niemimaa ◽

Dan Harnesk

Keyword(s):

Information Security ◽

Security Policy ◽

Cognitive Theory ◽

Security Policies ◽

Policy Outcomes ◽

Information Security Policy ◽

Internet Service ◽

Policy Frames ◽

Concept Of Information

Despite the significant resources organizations devote to information security policies, the policies rarely produce intended outcome. Prior research has sought to explain motivations for non-compliance and suggested approaches for motivating employees for compliance using theories largely derived from psychology. However, the socio-cognitive structures that shape employees' perceptions of the policies and how they influence policy outcomes have received only modest attention. In this study, the authors draw on the socio-cognitive theory of frames and on literature on information security policies in order to suggest a theoretical and analytical concept of Information Security Policy Frames of Reference (ISPFOR). The concept is applied as a sensitizing device, in order to systematically analyze and interpret how the perceptions of policies are shaped by the frames and how they influence policy outcomes. The authors apply the sensitizing device in an interpretive case study conducted at a large multinational internet service provider. The authors’ findings suggest the frames shape the perceptions and can provide a socio-cognitive explanation for unanticipated policy outcomes. Implications for research and practice are discussed.

Download Full-text

Exploring Information Security Risks in Healthcare Systems

Health Information Systems ◽

10.4018/978-1-60566-988-5.ch110 ◽

2011 ◽

pp. 1713-1719 ◽

Cited By ~ 1

Author(s):

Amy Ray ◽

Sue Newell

Keyword(s):

Information Security ◽

Security Policies ◽

Social Dimensions ◽

Healthcare Organizations ◽

Security Risks ◽

Local Systems ◽

Security Breaches ◽

Policies And Procedures ◽

The Social ◽

Organizational Security

The volume and severity of information security breaches encountered continues to increase as organizations, including healthcare organizations, struggle to identify more effective security policies and procedures. Publicly available guidelines such as GASSP or ISO17799 that are designed to facilitate development of effective security policies and procedures have been criticized for, among other things, inadequate attention to differences in organizational security needs (Baskerville & Siponen, 2002), and for inadequate attention to the social dimensions of security problems (Dhillon & Backhouse, 2001). In this contribution, we argue that the diversity of organizational security needs, as well as the need to recognize the social dimensions to security problems, will continue to grow as companies move away from employing unique, proprietary approaches to software and network development, in favor of adopting standards-based plug-and-play applications, and related standards-based methods and technologies designed to enable interorganizational as well as local systems interoperability.

Download Full-text

Information Availability

Handbook of Research on Information Security and Assurance ◽

10.4018/978-1-59904-855-0.ch019 ◽

2009 ◽

pp. 230-239 ◽

Cited By ~ 1

Author(s):

Deepak Khazanchi

Keyword(s):

Information Technology ◽

Information Security ◽

Security Policy ◽

Second Order ◽

Business Continuity ◽

It Infrastructure ◽

Information Availability ◽

Policies And Procedures ◽

Concept Of Information

This chapter describes the concept of information availability (IAV) which is considered an important element of information security. IAV is defined as the ability to make information and related resources accessible as needed, when they are needed, where they are needed. In the view of the authors, this notion encompasses more than just making sure that the information technology (IT) infrastructure is technically adequate and continuously available, but it also emphasizes other often-ignored attributes of IAV, such as appropriate policies and procedures, an effective security policy, and the establishment of a workable business continuity plan. Thus, the goal of the chapter is to define IAV in the context of information security and elaborate on each of these first and second order determinants of information availability.

Download Full-text

A Case Study of Effectively Implemented Inormation Systems Security Policy

Enterprise Information Systems Assurance and System Security ◽

10.4018/978-1-59140-911-3.ch003 ◽

2011 ◽

pp. 25-41 ◽

Cited By ~ 1

Author(s):

Charla Griffy-Brown ◽

Mark W.S. Chun

Keyword(s):

Information Security ◽

Security Policy ◽

Case Analysis ◽

Web Based ◽

Systems Security ◽

Policies And Procedures ◽

Technical Architecture ◽

The Relationship

Download Full-text

Exploring the Effectiveness of Information Security Policies

Advances in Information Resources Management - Emerging Information Resources Management and Technologies ◽

10.4018/978-1-59904-286-2.ch003 ◽

2011 ◽

pp. 43-66

Author(s):

Neil F. Doherty ◽

Heather Fulford

Keyword(s):

Information Security ◽

Security Policy ◽

Human Error ◽

Security Policies ◽

Unexpected Finding ◽

Security Breaches ◽

The United Kingdom ◽

Significant Relationships ◽

It Managers ◽

Information Assets

Ensuring the security of corporate information assets has become an extremely complex, challenging and high-priority activity, due partly to their growing organizational importance, but also because of their increasing vulnerability to attacks from viruses, hackers, criminals, and human error. Consequently, organizations are having to prioritise the security of their computer systems, to ensure that their information assets retain their accuracy, confidentiality, and availability. Whilst the importance of the information security policy (InSPy) in ensuring the security of information is widely acknowledged, there has, to date, been little empirical analysis of its impact or effectiveness in this role. To help fill this gap an exploratory study was initiated that sought to investigate the relationship between the uptake and application of information security policies and the accompanying levels of security breaches. To this end a questionnaire was designed, validated, and then targeted at IT managers within large organisations in the United Kingdom. The findings, presented in this chapter, are somewhat surprising, as they show no statistically significant relationships between the adoption of information security policies and the incidence or severity of security breaches. The chapter concludes by exploring the possible interpretations of this unexpected finding, and its implications for the practice of information security management.

Download Full-text