Organization Members Developing Information Security Policies : a Case Study

Abstract
Information security policies (ISPs) have a key role in organizational information security. Research has introduced processes for ISP development, including lifecycle models. There are also recommendations to include contextual issues in the ISP development to ensure that the ISP provides tailored protection to the organization’s assets. One way of ensuring this is to include organization members in the development efforts. We identified six functions for the organization member participation from the research literature. Then, we presented two case studies of organizations where the personnel was included in the ISP development process. We found that the participation of the organization members did add value to the process through these functions but that there were also some negative effects. The inclusion of organization members in ISP development can help in gathering feedback directly at the beginning of the lifecycle without the need to go through the entire cycle to identify issues.
Main Authors
Format
Conferences Conference paper
Published
2023
Subjects
Publication in research information system
Publisher
Association for Information Systems
Original source
https://aisel.aisnet.org/icis2023/cyber_security/cyber_security/14/
The permanent address of the publication
https://urn.fi/URN:NBN:fi:jyu-202401101133 (Use this for linking.)
Parent publication ISBN
978-1-958200-07-0
Review status
Peer reviewed
ISSN
1026-1079
Conference
International Conference on Information Systems
Language
English
Is part of publication
ICIS 2023 : Proceedings of the International Conference on Information Systems
Citation
License
In Copyright, Open Access
Additional information about funding
Tekes, New methods for developing information security policies (NM4DISP)
Copyright © Association for Information Systems
