Review of the methods for the development of information security policies at organizations
This thesis aims to have an overview of the current studies in the development of information security policy. The research is based on a systematical literature review. The study focuses on the development process of information security policy and other relevant issues in information security policy development within organizations. There are four research questions are proposed based on this topic: 1) what are the functions of information security policy; 2) what kind of stakeholders should be involved in the development of information security policy; 3) what is the information security policy lifecycle; 4) what are the methods in development of information security policy.
The research references were gathered based on a literature research searching strategy. There are eighty-three reference gathered include scientific papers, company documents, and actual information security policy documents used in organizations. A conceptual analyze in multiple dimensions is accomplished to answer the research questions. Key conceptual descriptions with similar opinions are gathered together for further processed.
The study summarized eight general functions which all the information security policy should achieve within an organization: represent the security strategy, plan the security requirements, define roles and responsibilities, define rules and protocols, state punishment, reduce risk, assist decision making, and provide the secured environment. Nine stakeholders should be involved in information security policy development phases: the user community, executive management, legal& regulatory, the ICT specialist, security specialists, human resources, business unit representatives, public unit representatives, public relations, and external representatives. A key outcome of this thesis is an integrated information security policy development lifecycle from twenty-nine development suggestions from different articles. According to the material analyzing, there are five development stages in information security policy development: formulate a security group, assessment, plan, deliver, and operate. Another essential contribution of this thesis is that the research gaps which should be fulfilled but missing in current research are pointed out for the future study.
...
Asiasanat
Metadata
Näytä kaikki kuvailutiedotKokoelmat
- Pro gradu -tutkielmat [29743]
Lisenssi
Samankaltainen aineisto
Näytetään aineistoja, joilla on samankaltainen nimeke tai asiasanat.
-
Method Framework for Developing Enterprise Architecture Security Principles
Larno, Sara; Seppänen, Ville; Nurmi, Jarkko (RTU Press, 2019)Organizations need to consider many facets of information security in their daily operations – among others, the rapidly increasing use of IT, emerging technologies and digitalization of organizations’ core resources provoke ... -
State of the Art in Information Security Policy Development
Paananen, Hanna; Lapke, Michael; Siponen, Mikko (Elsevier Advanced Technology, 2020)Despite the prevalence of research that exists under the label of “information security policies” (ISPs), there is no consensus on what an ISP means or how ISPs should be developed. This article reviews state-of-the-art ... -
Abductive innovations in information security policy development : an ethnographic study
Niemimaa, Marko; Niemimaa, Elina (Taylor & Francis, 2019)Developing organisational information security (InfoSec) policies that account for international best practices but are contextual is as much an opportunity for improving InfoSec as it is a challenge. Previous research ... -
Effects of Sanctions, Moral Beliefs, and Neutralization on Information Security Policy Violations Across Cultures
Vance, Anthony; Boyer Fellow, Selvoy J.; Siponen, Mikko T.; Straub, Detmar W. (Elsevier, 2020)A principal concern of organizations is the failure of employees to comply with information security policies (ISPs). Deterrence theory is one of the most frequently used theories for examining ISP violations, yet studies ... -
Organization Members Developing Information Security Policies : a Case Study
Paananen, Hanna; Siponen, Mikko (Association for Information Systems, 2023)Information security policies (ISPs) have a key role in organizational information security. Research has introduced processes for ISP development, including lifecycle models. There are also recommendations to include ...
Ellei toisin mainittu, julkisesti saatavilla olevia JYX-metatietoja (poislukien tiivistelmät) saa vapaasti uudelleenkäyttää CC0-lisenssillä.