Saturday, March 30, 2019
Sustainable information security policy in an organization
Introduction

The purpose of this research paper is to investigate how organizations design sustainable information security policies. Designing a sustainable information security policy is one of the most important issues facing organizations today. It should not only be the first step in an organization's information security policy program but a continuing process to ensure that the policy is maintained at high quality, and is current, comprehensive and relevant to the organization's specific business objectives, strategic goals and cultural needs. This is a particularly salient issue in organizations that operate in numerous political, cultural, legal, geographic and economic environments and, by necessity, sometimes must have an information security policy that employees can comply with and actually use. Information security represents a growing concern for organizations. As organizations rely on and become more dependent on information systems to stay competitive, gain strategic advantage and run operations, the issue of an effective information security policy also becomes important, and it is the necessary foundation for organizational information security.

In an organization, some unique challenges can arise in designing an information security policy, such as policy differences arising from the various threats, risk acceptance and tolerance levels among business units; internal and external requirements at a country, local and national level; human factors; and cultural differences. In some cases, an organization may require a region-specific information security policy that may be more restrictive than a global information security policy.
However, the reason an information security policy has to be enforced in an organization is that the information security policy requires an effort from employees.

The literature review and an experimental study will be used to investigate, explore and understand different factors such as ease of use, designer perceptions of user shortcomings, attitude toward usage, peer influence, perceived behavioral control, perceived ease of use, quality of working life, work attitude and intentions, as to how to design a sustainable information security policy in an organization.

The research problem and goal

The research problem of this study is to investigate how to design a sustainable information security policy in an organization. Surprisingly, not much is known about how to design security policies that pay attention to unique organizational security features, employees and business needs (Siponen and Iivari, 2006). In business, an information security policy is a document that states in writing how an organization should plan to protect its information systems and technology assets, and provides guidance based on standards, regulations and rules of what to do and what not to do. However, the information security policy's quality, flexibility and usability are limited. Therefore employees do not pay attention to, understand, comply with and adopt the information security policy.

An information security policy that is viewed as a design product and that is normative lists actions that the employees should follow or should not perform. The design of an information security policy does not necessarily make it possible to address all situations reasonably. However, to guide the design of the information security policy, the product and an application principle should state how it needs to be applied, and a design method should state how it needs to be crafted (Siponen and Iivari, 2006).
Product design and development is a complex and lengthy process for organizations, since it involves multiple participants from several organizational departments who are required to make decisions outside their area of expertise. To address the problem, organizations often purchase ready-made information security policies from various sources such as ISO or textbooks, or adopt information security policies from government and other online sources. This leads to incomplete activities and flaws, which lead to an information security policy that is difficult to follow.

A sound information security policy should protect the information and systems, as well as the individual employees and the organization as a whole, from a wide variety of threats (Veiga, Martins and Eloff, 2007). It should also serve as a prominent statement to the outside world about the organization's commitment to information security. An information security policy is frequently considered to be a living document, meaning that the document is never finished but is continuously updated as technology, regulations and business requirements change. The information from systematic monitoring should serve as a critical input to the evaluation, review, implementation and design of the information security policy. The information security policy should be seen not only as an artefact document of the organization to enforce best information security practices, but should also identify details of what is acceptable or unacceptable and what is honest behavior from the employees, in order to ensure sound security of information. Information security policy should be sustainable. Information security covers people and process issues as well as technology. The design of an information security policy in an organization should be integrated into a process that involves employee usability testing and input from various regions, regulations, industry standards and business units.
An information security policy is the necessary foundation for sound organizational information security. Information security policy should be able to enhance business operations by reducing risk, ensuring protection of the organization's critical information assets and reducing information systems security management costs, as well as improving information systems operations while also supporting the demands of internal and external compliance. Since many of these policies require human involvement, for example employee and customer actions, the goals should be measured and checked for whether they are met; this is only possible if such human activities can be influenced and monitored, and if positive outcomes have incentives while negative actions are sanctioned.

The goal of this research study is to investigate how to design, create and maintain a sustainable information security policy using experimental methods and control focus groups in an organization. An effective information security policy should be based on a usability standard that can be achieved through design techniques appropriate to implementing a sustainable information security policy.

Importance of the research problem

The successful design of an information security policy is critical in today's environment of rapid change and challenges in addressing information security policy compliance and effectiveness in organizations. The information security policy is the foundation on which sound information security is built. As with any foundation, it must be well designed and well constructed; it can then be trusted to support the organization's business objectives and goals effectively. It is essential that effective information security policy practices be in place in organizations to ensure the success of the information security policy.
An effective information security policy requires that users view and follow the information security mission as described in the organization's information security policy. Flexibility and usability are essential elements of an information security policy life cycle, particularly of the design process of information security policy formulation and implementation. An information security policy needs to be sustainable and not rigid. While the importance of the information security policy in ensuring the security of information is widely acknowledged, to date there has been little empirical analysis of its design, impact or effectiveness in this role. Designing a sustainable information security policy is critical to protecting the organization's information systems and assets. The consequences of violating such an information security policy might be extensive and expensive. The organization's information security policy should be written with a clear understanding of the expected outcome and the need to be flexible and usable. The information security policy should incorporate clear definitions and user responsibilities (Gaunt, 1998). It should also seek to influence behavior and turn employees into participants in the organization's efforts to secure its information assets.

Information security policy plays an important role in preventing, detecting and responding to security threats and breaches. Organizations should have security controls to protect their information. One of the most important controls, according to Hone and Eloff (2002), is the information security policy.
The information security policy is likely to be ineffective if it is not well written, understood, followed and accepted by all employees. The results of this study will help practitioners understand how an organization can design a sustainable information security policy to achieve effective information security.

Research argument

The information security of an organization might be left in a less effective state in situations where the information security policy is not followed by employees. Employee perception, in some instances, is that following the rules in the information security policy interferes with and gets in the way of doing their day-to-day work and their ability to accomplish their job tasks. This is because they feel that this approach is cumbersome and a waste of time. Employees' failure to keep up with the information security policy is a key concern of information security practitioners and organizations. According to Desman (2002), information security is not a technical issue but rather a human issue; therefore the most significant threat to the security of information in an organization is its employees (Gaunt, 1998). Information security policy should be fair, reasonable, understandable, flexible and usable. If an information security policy is not flexible and usable, employees will not follow it and it will fail. According to Besnard and Arief (2004), the design of security products and information security policy should rely more on the rules of human-computer interaction. Employees, independent of their knowledge and intellect, should be able to read an organization's information security policy, understand it, and follow, comply and adhere to it.

One of the ways to implement sound information security practices in an organization is to ensure that a detailed information security policy is in place.
The content of the information security policy is particularly significant, as it should be monitored for any changes after it is adopted to maintain relevance and an understanding of whether there were changes due to the policy or program. According to Gaunt (2000), user participation in the development of an organization's information security is necessary if it is to achieve wide acceptance.

Problem relevance

According to Hone and Eloff (2002), one of the most important information security controls in an organization is the information security policy. However, this important document is not always easy to put together and develop. Some organizations derive their information policy from business goals, service level agreements, industry best practices and International Standards Organization standards such as ISO 27000, or copy and paste from other ready-made policy templates found or procured from textbooks or online resources.

Content in information security policies differs according to the type of organization, for example corporations, academic institutions and government, and within departments such as information technology, human resources, legal and finance, to name a few. The degree of guidance varies from very specific references of what to do or not to do to sanctions for not following the rules. Sanctions affect employees' actual compliance with the information security policy. According to Bia and Kalika (2007), the decision to formulate an information security policy, for example a policy of acceptable use, occurs when the organization has experienced problems, conflict, damage or business loss because of improper use of information security rules.

The application of a security policy is considered essential for managing the security of information systems. Implementing a successful information security policy in an organization, however, is not a straightforward task and depends on many factors (Karyda, Kiountouzis and Kokolakis, 2004).
Sometimes employees view the information security policy as an obstacle and a barrier and, in an effort to do their job more efficiently, might not follow the rules set in the information security policy document. Despite the fact that organizations have an information security policy in place, more often than not the application of the information security policy fails to attain its goals. To ensure that an information security policy is effective, information security professionals must first understand the social elements, including cultural and generational variances, that affect employee behavior and perceptions about the information security policy (Cisco, 2008).

According to Baskerville and Siponen (2002), strict access controls imposed during periods of exuberant organizational growth and change can become an obstacle by restricting access to information, thereby threatening the organization's survival. This problem is one of limiting organizational emergence because of limited information access, and it presents conflicting demands for security policy making. Unexpected business opportunities may require actions that conflict with the organization's information security policy.

Some of the problems facing organizations concern employees not following the information security policy, which reflects the social nature of human beings. According to Kabay (2002), an information security policy challenges employees to change the way they think about their own responsibility for protecting the organization's valuable information. Attempting to impose an information security policy on unwilling employees results in resistance, both because stricter information security procedures make jobs more difficult and because people do not like to be told what to do.
The process of design and development of an information security policy plays an important role in the life cycle of an information security policy, and affects how people feel about the information security policy and whether they see its rules as a needless imposition of power or as an expression of their own values. Unfortunately, an information security policy conflicts with most people's view of reality; for example, an employee shows sensitive information to someone who does not have the appropriate level of authorization to view such information because they both work on the same project team. However, if users fail to comply with the rules, an information security policy can help deter abuse (Straub and Nance, 1990).

Although having an information security policy in an organization is essential, it is not enough to ensure employees' compliance with it. Therefore, the aim of this paper is to understand what factors should be considered in the design of a sustainable information security policy in order to motivate employees to comply with the information security policy and understand how important it is.

Definitions of terms

For the purposes of this paper, the following definitions apply. Information security policy: an information security policy refers to a clear, understandable and comprehensive plan, rules and practices that regulate access to an organization's system and the information included in it. It is outlined as the security policy in a document that states in writing how an organization plans to protect the company's physical and information technology assets. Information policy is defined as the combination of laws, regulations, rules and guidelines that steer the creation, management and use of information, and that greatly shapes the roles of information in society.
Information policy includes a range of issues related to freedom of information, privacy, secrecy, security, intellectual property, and information and communication technologies, among other policy areas. Information system security is defined as the state of being free from unacceptable risk. Thus, information security focuses on reducing the risk to computing and communication systems, especially in regard to the misuse, destruction, modification or inappropriate disclosure of information, whether by intent or by accident. Product design and development in this paper refers primarily to the design and development of a new information security policy.

Research questions and hypotheses

The main research question for this study is formulated as: How to design a sustainable information security policy in an organization?

Hypotheses:
H1 Is there a significant difference between flexibility and usability?
H2 Is there a significant relationship between flexibility and usability?
H3 If an information security policy is usable, then is there a need for sanctions?
H4 If an information security policy is flexible, then is there a need for rewards?

References

Agarwal, R. and Sambamurthy, V. (2002). Principles and models for organizing the IT function. MIS Quarterly Executive, 1(1), 1-16.
Baskerville, R. and Siponen, M. (2002). An information security meta-policy for emergent organizations. Logistics Information Management, 15(5/6), 337-346.
Besnard, D. and Arief, B. (2004). Computer security impaired by legal users. Computers & Security, 23(3), 253-26.
Bia, M. and Kalika, M. (2007). Adopting an ICT code of conduct: An empirical study of organizational factors. Journal of Enterprise Information Management, 20(4), 432-446.
Cisco (2008). Data leakage worldwide: The effectiveness of security policies. Retrieved March 29, 2010, from http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11-503131.pdf
Da Veiga, A., Martins, N. and Eloff, J.H.P. (2007). Information security culture: validation of an assessment instrument. Southern African Business Review, 11(1), 147-166.
Desman, M.B. (2002). Building an information security awareness program. Boca Raton, FL: Auerbach Publications.
Doherty, N.F. and Fulford, H. (2006). Aligning the information security policy with the strategic information systems plan. Computers & Security, 25(1), 55-63.
Eloff, J.H.P., Labuschagne, L. and Badenhorst, K.P. (1993). A comparative framework for risk analysis methods. Computers & Security, 12(6), 597-603.
Gaunt, N. (1998). Installing an appropriate IS security policy in hospitals. International Journal of Medical Informatics, 49(1), 131-134.
Gaunt, N. (2000). Practical approaches to creating a security culture. International Journal of Medical Informatics, 60(2), 151-157.
Hone, K. and Eloff, J.H.P. (2002). Information security policy: what do international security standards say? Computers & Security, 21(5), 402-9.
Kabay, M. (1994). Psychological factors in the implementation of information security policy. EDPACS: The EDP Audit, Control, and Security Newsletter, 11(10), 1-10.
Karyda, M., Kiountouzis, E. and Kokolakis, S. (2005). Information systems security policies: a contextual perspective. Computers & Security, 24(3), 246-260.
Lapke, M. and Dhillon, G. (2008). Power relationships in information systems security policy formulation and implementation. European Conference on Information Systems, 16, 1358-1369.
Siponen, M. and Iivari, J. (2006). Six design theories for IS security policies and guidelines. Journal of the Association for Information Systems, 7(7), 445-472.
Thomson, K.L., von Solms, R. and Louw, L. (2006). Cultivating an organizational information security culture. Computer Fraud & Security, 10, 7-11.
Straub, D.W. and Nance, W.D. (1990). Discovering and disciplining computer abuse in organizations: A field study. MIS Quarterly, 14(1), 45-60.
Warman, A.R. (1992). Organisational computer security policy: the reality. European Journal of Information Systems, 1(5), 305-10.
Zhang, Y., Liu, X. and Wang, W. (2005). Policy lifecycle model for systems management. IT Professional, 7(2), 50-54.