Information security policy development : considering the practices of making rules
Information security policies (ISPs) are at the core of organizations’ information security efforts. They set objectives for protecting information assets and direct employees to achieve these goals. Advice for ISP development is available both in research and best practice literature. A common approach to describing ISP development is a lifecycle model that depicts inputs such as assessments, the ISP creation, and outputs that are implemented and maintained until the cycle starts again. However, ISP development needs to be planned to support the business requirements by adapting the method and the resulting policy to fit the context. The rules that are created in this process must be well considered so that employees are able to follow them in their daily work without conflicts with their other duties.
This dissertation presents an action research study on ISP development. Its theoretical base is constructed around the idea that the ISP subject is a moral thinker who decides whether to comply with rules by weighing options to reach the best possible results. This has implications for the ISP development process: the policy developers must be able to critically assess the alternatives for new rules based on their knowledge of the operations of the organization. In the study, the researcher helped a consulting firm to reconfigure its ISP development service into one that serves the client organization’s information security needs better. A set of 11 critical considerations was introduced to support critical thinking during the development process. They were based on previous research and on needs expressed by companies. The critical considerations were used to highlight issues in the ISP development that needed new practices to foster critical thinking. During four cycles of action research, new practices were formed in the ISP development process to improve the gathering of facts and employee opinions in the client organization.
This dissertation contributes to the current research on ISP development by presenting a way to convert general guidelines into local practices. The critical considerations can be used to further study the success of ISP development, and they can be easily implemented by practitioners in new contexts.
Publisher: Jyväskylän yliopisto
ISBN: 978-951-39-9297-2
ISSN: 2489-9003