Review of the methods for the development of information security policies at organizations
This thesis gives an overview of current studies on the development of information security policy. The research is based on a systematic literature review. The study focuses on the development process of information security policy and on other relevant issues in information security policy development within organizations. Four research questions are proposed on this topic: 1) what are the functions of information security policy; 2) what kind of stakeholders should be involved in the development of information security policy; 3) what is the information security policy lifecycle; 4) what are the methods for developing information security policy.
The research references were gathered using a literature search strategy. Eighty-three references were gathered, including scientific papers, company documents, and actual information security policy documents used in organizations. A conceptual analysis in multiple dimensions was carried out to answer the research questions. Key conceptual descriptions expressing similar opinions were grouped together for further processing.
The study summarizes eight general functions that every information security policy should achieve within an organization: represent the security strategy, plan the security requirements, define roles and responsibilities, define rules and protocols, state punishment, reduce risk, assist decision making, and provide a secured environment. Nine stakeholders should be involved in the information security policy development phases: the user community, executive management, legal and regulatory, the ICT specialist, security specialists, human resources, business unit representatives, public unit representatives, public relations, and external representatives. A key outcome of this thesis is an integrated information security policy development lifecycle synthesized from twenty-nine development suggestions drawn from different articles. According to the analysis of the material, there are five development stages in information security policy development: formulate a security group, assessment, plan, deliver, and operate. Another essential contribution of this thesis is that the research gaps that current research leaves unaddressed are pointed out for future study.
...
Collections: Pro gradu -tutkielmat [29561]
Related items
- State of the Art in Information Security Policy Development. Paananen, Hanna; Lapke, Michael; Siponen, Mikko (Elsevier Advanced Technology, 2020). Despite the prevalence of research that exists under the label of “information security policies” (ISPs), there is no consensus on what an ISP means or how ISPs should be developed. This article reviews state-of-the-art ...
- Method Framework for Developing Enterprise Architecture Security Principles. Larno, Sara; Seppänen, Ville; Nurmi, Jarkko (RTU Press, 2019). Organizations need to consider many facets of information security in their daily operations – among others, the rapidly increasing use of IT, emerging technologies and digitalization of organizations’ core resources provoke ...
- Abductive innovations in information security policy development: an ethnographic study. Niemimaa, Marko; Niemimaa, Elina (Taylor & Francis, 2019). Developing organisational information security (InfoSec) policies that account for international best practices but are contextual is as much an opportunity for improving InfoSec as it is a challenge. Previous research ...
- Effects of Sanctions, Moral Beliefs, and Neutralization on Information Security Policy Violations Across Cultures. Vance, Anthony; Boyer Fellow, Selvoy J.; Siponen, Mikko T.; Straub, Detmar W. (Elsevier, 2020). A principal concern of organizations is the failure of employees to comply with information security policies (ISPs). Deterrence theory is one of the most frequently used theories for examining ISP violations, yet studies ...
- Organization Members Developing Information Security Policies: a Case Study. Paananen, Hanna; Siponen, Mikko (Association for Information Systems, 2023). Information security policies (ISPs) have a key role in organizational information security. Research has introduced processes for ISP development, including lifecycle models. There are also recommendations to include ...