Information Security Policy
An integral part of any information security management program is the information security policy. Although an information security policy may undergo multiple revisions over its development lifecycle and, as a result, may generally improve in quality, a more explicit, systematic and comprehensive process of quality improvement is required. This research area focuses on improving the quality of security policy using a multiple stakeholder perspective.
Security Policy Quality Importance
Modern organisations are highly reliant on their information systems and on the information assets that these systems hold. It has been argued that information is analogous to the organisation's "lifeblood" and that if the organisation's information is compromised the organisation may cease to exist. Having good security management in place to protect these systems, and their information assets, has become critical to organisational best practice. A precursor to good security in organisations is the development and implementation of an information security policy. The purpose of an information security policy is to define the means by which the organisation's information and related assets are protected from threats that would make the information inaccurate or unavailable, and to ensure that only people authorised to do so may view, change or delete information.
Levels of Information Security Policy
Within security policy research there exist several "levels" at which organisations can develop policy. These levels are usually represented as a hierarchical structure and range from top-level governing or strategic policies through to technical and acceptable use policies. Information security policies often form the basis on which security management practices are built and help to dictate the type of technological security controls that are used. Given the increased importance of security issues to organisations, the importance of having an appropriate, high-quality strategic information security policy is clear. This is reinforced in many jurisdictions by government regulation of aspects of information technology, for instance the Sarbanes-Oxley Act, the EU Data Protection Directive, Australia's privacy legislation and the Health Insurance Portability and Accountability Act. With the introduction of these regulations, the role of the information security policy has shifted: it no longer simply specifies the organisation's own security rules and processes, but must also incorporate legislative and other regulatory controls.
Information Security Policy Quality
Given the relationship between policy and the security of an organisation outlined above, it is logical to suggest that a higher quality information security policy should improve the quality of the organisation's security as a whole. It is equally logical to assume that the reverse is true: not having a strategic information security policy, or having a poor quality policy, would result in less than optimal information security in the organisation. Thus, improving information security policy quality within organisations may improve the overall security of an organisation's information. To be able to improve information security policy quality, however, there needs to be a manner in which quality can be assessed. The following model of security policy quality components can be used as a guide in the assessment process.
Publications
Maynard, S.B., Ruighaver, A.B. and Ahmad, A. (2011) "Stakeholders in Security Policy Development". Proceedings of the 9th Information Security Management Conference, Perth, Australia: Edith Cowan University.
Maynard, S.B. (2010) "Strategic Information Security Policy Quality Assessment: A Multiple Constituency Perspective". PhD Thesis, The University of Melbourne.
Ruighaver, A.B., Maynard, S.B. and Warren, M. (2010) "Ethical Decision Making: Improving the Quality of Acceptable Use Policies". Computers & Security, 29(7), October 2010, pp. 731-736.
Maynard, S.B. and Ruighaver, A.B. (2007) "Security Policy Quality: A Multiple Constituency Perspective". In Assuring Business Processes, Proceedings of the 6th Annual Security Conference, Dhillon, G. (ed.), Global Publishing, Washington DC, USA, 11-12 April 2007.
Maynard, S.B. and Ruighaver, A.B. (2006) "What Makes a Good Information Security Policy: A Preliminary Framework for Evaluating Security Policy Quality". 5th Annual Security Conference, Las Vegas, Nevada, USA, 19-20 April 2006.
Maynard, S.B. and Ruighaver, A.B. (2003) "Development and Evaluation of Information System Security Policies". In Information Systems: The Challenges of Theory and Practice, Hunter, M.G. and Dhanda, K.K. (eds), Information Institute, Las Vegas, USA, pp. 366-393.
Maynard, S.B. and Ruighaver, A.B. (2002) "Evaluating IS Security Policy Development". Third Australian Information Warfare and Security Conference, Perth, Australia, 28-29 November 2002.
Maynard, S.B., Ruighaver, A.B. and Sandow-Quirk, M. (2002) "Redefining the IS Security Policy". IS ONE World Conference, Las Vegas, Nevada, USA, 4-5 April 2002.
Maynard, S.B. and Ruighaver, A.B. (1999) "An Analysis of IS Security Policy Evaluation". Proceedings of the Tenth Australasian Conference on Information Systems, Wellington, New Zealand, 1-3 December 1999, pp. 577-585.