Managing an Information
Security Policy Architecture:
A Technical Documentation
Perspective
by
Prosecutor Mvikeli Maninjwa
Dissertation
submitted in fulfillment of the requirement for the degree
Magister Technologiae
in
Information Technology
in the
Faculty of Engineering, the Built Environment and
Information Technology
of the
Nelson Mandela Metropolitan University
Supervisor: Dr. Kerry-Lynn Thomson
Co-Supervisor: Prof. Rossouw Von Solms
January 2012
ABSTRACT
Information and the related assets form critical business assets for most organizations.
Organizations depend on their information assets to survive and to remain competitive. However, the organization’s information assets are faced with a number of internal and
external threats, aimed at compromising the confidentiality, integrity and/or availability (CIA)
of information assets. These threats can be of physical, technical, or operational nature. For an
organization to successfully conduct its business operations, information assets should always
be protected from these threats. The process of protecting information and its related assets,
ensuring the CIA thereof, is referred to as information security.
To be effective, information security should be viewed as critical to the overall success of the
organization, and therefore be included as one of the organization’s Corporate Governance
sub-functions, referred to as Information Security Governance. Information Security
Governance is the strategic system for directing and controlling the organization’s
information security initiatives. Directing is the process whereby management issues
directives, giving a strategic direction for information security within an organization. Controlling is the process of ensuring that management directives are being adhered to within
an organization. To be effective, Information Security Governance directing and controlling
depend on the organization’s Information Security Policy Architecture.
An Information Security Policy Architecture is a hierarchical representation of the various
information security policies and related documentation that an organization has used. When directing, management directives should be issued in the form of an Information Security
Policy Architecture, and controlling should ensure adherence to the Information Security
Policy Architecture. However, this study noted that in both literature and organizational practices, Information Security Policy Architectures are not comprehensively addressed and
adequately managed. Therefore, this study argues towards a more comprehensive Information
Security Policy Architecture, and the proper management thereof.
DECLARATION
I _____________________________, hereby declare that:
• The work in this thesis is my own work.
• All sources used or referred to have been documented and
recognized.
• This thesis has not previously been submitted in full or partial
fulfilment of the requirements for an equivalent or higher
qualification at any other recognized educational institution.
_____________________________________
ACKNOWLEDGEMENTS
Above all, I’d like to address my utmost gratitude to God Almighty for providing me with an
opportunity to undertake this study.
Further, I’d like to address my sincerest gratitude to the following people:
• My supervisors, for their ongoing support, patience and guidance;
• Our research team, for all the invaluable support; and
• My family, especially my wife, for their moral support and for all the time I took
from them which was rightfully theirs.
TABLE OF CONTENTS
Chapter 1: Introduction ……………………………………………………………. 1
1.1 Prologue ……………………………………………………………………………………………………………. 1
1.2 Problem Area …………………………………………………………………………………………………….. 2
1.3 Problem Statement …………………………………………………………………………………………….. 3
1.4 Research Questions and Objectives ……………………………………………………………………… 3
1.5 Benefits and Significance of the Study …………………………………………………………………. 4
1.6 Research Process ……………………………………………………………………………………………….. 5
1.6.1 Research Methods ………………………………………………………………………………………… 5
1.6.2 Research Strategy ………………………………………………………………………………………… 9
1.7 Delineations …………………………………………………………………………………………………….. 10
1.8 Chapter Outline ……………………………………………………………………………………………….. 10
Chapter 2: Information Security …………………………………………….. 13
2.1 Introduction …………………………………………………………………………………………………….. 13
2.2 Information Assets …………………………………………………………………………………………… 14
2.3 Threats to Information Assets ……………………………………………………………………………. 15
2.4 Information Security …………………………………………………………………………………………. 16
2.4.1 Information Security Description …………………………………………………………………. 17
2.4.2 Information Security Requirements ………………………………………………………………. 20
2.4.3 Information Security Necessity ……………………………………………………………………. 21
2.5 Information Security Stakeholders ……………………………………………………………………… 25
2.6 Information Security Factors ……………………………………………………………………………… 26
2.6.1 The Human Factor ……………………………………………………………………………………… 27
2.6.2 Organizational Factors ………………………………………………………………………………… 28
2.6.3 Technical Factors ……………………………………………………………………………………….. 31
2.7 Information Security Controls ……………………………………………………………………………. 33
2.7.1 Physical Controls ……………………………………………………………………………………….. 34
2.7.2 Technical Controls ……………………………………………………………………………………… 34
2.7.3 Administrative/Operational Controls …………………………………………………………….. 35
2.8 Conclusion ………………………………………………………………………………………………………. 36
Chapter 3: Information Security Governance ………………………….. 37
3.1 Introduction …………………………………………………………………………………………………….. 37
3.2 Corporate Governance ………………………………………………………………………………………. 38
3.3 Information Technology Governance ………………………………………………………………….. 39
3.4 Information Security Governance ………………………………………………………………………. 42
3.4.1 Benefits of Information Security Governance ………………………………………………… 47
3.4.2 Information Security Governance – A Multi- Dimensional Discipline ……………….. 49
3.5 Conclusion ………………………………………………………………………………………………………. 54
Chapter 4: Information Security Policies ………………………………… 56
4.1 Introduction …………………………………………………………………………………………………….. 56
4.2 Information Security Policies and Related Documentation ……………………………………. 57
4.2.1 Information Security Policy Architecture ………………………………………………………. 58
4.2.2 Information Security Policy Architecture Audiences ………………………………………. 59
4.2.3 Information Security Policy Lifecycle …………………………………………………………… 60
4.3 Qualitative Content Analysis ……………………………………………………………………………… 68
4.3.1 The Process ……………………………………………………………………………………………….. 69
4.3.2 Detailed Results of the Qualitative Content Analysis ……………………………………… 70
4.3.3 Summary of the Qualitative Content Analysis Results ……………………………………. 83
4.4 Conclusion ………………………………………………………………………………………………………. 87
Chapter 5: Policies in Practice – Case Study …………………………….. 90
5.1 Introduction …………………………………………………………………………………………………….. 90
5.2 The Process ……………………………………………………………………………………………………… 91
5.3 Company Profile ………………………………………………………………………………………………. 92
5.4 Organizational Policy Architecture …………………………………………………………………….. 92
5.5 Information Security Policy Architecture ……………………………………………………………. 93
5.5.1 Components of the Information Security Policy Architecture ………………………….. 94
5.5.2 Management of the Information Security Policy Architecture ………………………….. 95
5.6 Discussion ………………………………………………………………………………………………………. 98
5.7 Conclusion …………………………………………………………………………………………………….. 100
Chapter 6: Information Security Policy Framework ……………… 102
6.1 Introduction …………………………………………………………………………………………………… 102
6.2 Information Security Policy Framework ……………………………………………………………. 102
6.2.1 IT/Security Best Practices and Standards …………………………………………………….. 103
6.2.2 Organizational Management Levels ……………………………………………………………. 104
6.2.3 Information Security Policy Lifecycle …………………………………………………………. 106
6.2.4 Strategic Objectives ………………………………………………………………………………….. 109
6.2.5 Strategic IT/Security Objectives …………………………………………………………………. 110
6.2.6 Corporate Information Security Policy ………………………………………………………… 111
6.2.7 Detailed and Issue -Specific Policies ……………………………………………………………. 112
6.2.8 End- User Directives and Guidelines ……………………………………………………………. 114
6.2.9 Technical Directives and Guidelines …………………………………………………………… 115
6.2.10 Technical Procedures ………………………………………………………………………………. 117
6.2.11 End- User Procedures ………………………………………………………………………………. 118
6.3 Framework Overview ……………………………………………………………………………………… 119
6.4 Conclusion …………………………………………………………………………………………………….. 127
Chapter 7: Conclusion …………………………………………………………… 129
7.1 Introduction …………………………………………………………………………………………………… 129
7.2 Evaluation of the Research Outcomes ……………………………………………………………….. 129
7.3 Significance of Study ……………………………………………………………………………………… 132
7.4 Limitations and Possible Further Enhancements ………………………………………………… 133
7.5 Epilogue ………………………………………………………………………………………………………… 134
References …………………………………………………………………………….. 135
LIST OF FIGURES
Figure 1.1: Chapter outline ………………………………………………………………………………………… 12
Figure 3.1: The relationship between Corporate Governance, Information Technology
Governance and Information Security Governance ………………………………………………………. 43
Figure 3.2: Management levels …………………………………………………………………………………… 45
Figure 3.3: The direct-control cycle ……………………………………………………………………………. 46
Figure 6.1: Information Security Policy Framework ……………………………………………………. 120
LIST OF TABLES
Table 2.1: Information threats …………………………………………………………………………………….. 16
Table 4.1: Summary of qualitative content analysis results …………………………………………….. 85
Table 4.2: Topic coverage of the various studies …………………………………………………………… 86
Chapter 1: Introduction
1.1 Prologue
Information is one of the most important assets for most organizations. In most organizations,
business processes depend on these information assets in order to be successful. Indeed, due
to the emergence of a number of legal and regulatory requirements, an organization could be
held legally responsible should anything happen to its information assets through negligence.
In extreme cases, loss or disruption of the organization’s information could result in an
organization no longer being in existence (Flowerday & Von Solms, 2009; Von Solms & Von
Solms, 2006a).
In today’s business world, organizations no longer only use their information assets to
conduct business, but also to gain a competitive advantage over competitors. For example,
financial information, research information, organizational strategies and trade secrets are
used by organizations to define new strategies in order to remain competitive. Thus it can be
deduced that an organization’s information assets are critical to the overall success of an
organization (ISO/IEC 13335-1, 2004, p. v; ISO/IEC 27002, 2005, p. viii; Von Solms & Von
Solms, 2006a; Whitman & Mattord, 2010, p. 2).
As with all important organizational assets, information should be adequately protected from
a wide variety of internal and external risks. The process of protecting an organization’s
information assets is referred to as information security. The main objective of information
security is to preserve the confidentiality, integrity and availability of information assets (ISO/IEC 13335-1, 2004, p. v; Whitman & Mattord, 2010, p. 49).
To be effective, the process of information security should be strategically directed and
controlled through Information Security Governance, ensuring strategic alignment with other
organizational goals. Directing is the process whereby management within an organization
issues directives, giving the organization strategic direction for information security.
Controlling is the process of ensuring that management directives are being adhered to within
an organization. Thus, directing and controlling need to form the basis for any governance
strategy within an organization (Von Solms & Von Solms, 2006b).
1.2 Problem Area
Information Security Governance directing and controlling are facilitated by the
organization’s Information Security Policy Architecture, which is a hierarchical
representation of the various information security policies and related documentation that an
organization has used (Grobler & Von Solms, 2004; Palmer, Robinson, Patilla, & Moser,
2001). Directing should be achieved by issuing relevant information security policies and
related documentation to the whole organization. Similarly, controlling should be
accomplished by ensuring adherence to the various information security policies and related
documentation which are part of an organization’s Information Security Policy Architecture
(Bacik, 2008; Poore, 2005; Von Solms & Von Solms, 2006b).
In order for an organization’s Information Security Policy Architecture to be effective, it
should be comprehensive and properly targeted to the various audiences within an
organization (Von Solms, Thomson, & Maninjwa, 2011). Further, an Information Security
Policy Architecture should clearly reveal all the relationships that exist between the various information security policies and related documentation. Also, an Information Security Policy
Architecture should be adequately managed (Von Solms et al., 2011). This includes
everything that should be done before, during, and after an Information Security Policy
Architecture has been structured. This way, an organization’s Information Security Policy
Architecture is most likely to enhance Information Security Governance and help an
organization in achieving its business objectives (Von Solms et al., 2011).
Unfortunately, in many instances Information Security Policy Architectures are not adequately
addressed (Von Solms et al., 2011). A study of relevant literature revealed the following main
issues:
• Information Security Policy Architectures are not sufficiently comprehensive and
targeted to all audiences within an organization;
• The relationships between the various components within Information Security Policy
Architectures are not clear; and
• Information Security Policy Architectures are not adequately managed.
Therefore, this research study aimed to address these particular issues, with the aim of
potentially assisting organizations in having a more comprehensive and properly managed
Information Security Policy Architecture.
1.3 Problem Statement
Based on a literature survey conducted, Information Security Policy Architectures are not
sufficiently comprehensive and the relationships that should exist between the various
constituting components are not adequately defined. Further, Information Security Policy
Architectures are not adequately managed.
1.4 Research Questions and Objectives
In order to address the problems identified above, a number of research questions had to be
answered. The primary research question this study had to answer was ‘How can an
organization be assisted in defining a comprehensive Information Security Policy
Architecture?’ In order to answer this primary research question, a number of secondary
research questions had to be answered. The secondary research questions posed by this study
were:
• What is an Information Security Policy Architecture and what is its importance?;
• What are the various components that should constitute an organization’s Information
Security Policy Architecture?;
• What relationships should exist between the various components of an organization’s
Information Security Policy Architecture?; and
• How should an organization’s Information Security Policy Architecture be managed?
In order to answer the above research questions the following research objectives had to be
achieved throughout this research study. The primary research objective of this study was to
propose a holistic framework that encompasses all components of an Information Security
Policy Architecture and highlights the relationships between these components. In order to
achieve this primary research objective, a number of secondary research objectives had to be
achieved. The secondary research objectives of this study were identified as follows:
• To define an Information Security Policy Architecture and its importance;
• To define the various components that should constitute an organization’s Information
Security Policy Architecture;
• To define the relationships that should exist between the various components of an organization’s Information Security Policy Architecture; and
• To define the complete lifecycle that an organization’s Information Security Policy
Architecture should undergo to ensure proper management.
The following section discusses the benefits and significance of achieving the above research
objectives.
1.5 Benefits and Significance of the Study
This study is aimed at detailing the ideal composition of an organization’s Information
Security Policy Architecture. A comprehensive Information Security Policy Architecture
could potentially enhance Information Security Governance within an organization. This is
because directing and controlling, which are basic principles of Information Security
Governance, are accomplished via information security policies and related documentation,
which will be addressed in the proposed Information Security Policy Architecture . By
improving Information Security Governance within an organization, the whole process of
information security could be enhanced (Von Solms & Von Solms, 2006b; Von Solms et al.,
2011).
To increase the research rigor and significance of this study, a well-defined research process
was followed throughout this study, and is discussed in the following section.
1.6 Research Process
This section details the research process employed in this study to reach its conclusions. For
formal research, it is extremely important to define an appropriate research process. In doing
so, the overall research approach was conducted in accordance with the research objectives of
the study. Furthermore, following a clearly documented research process increases the
credibility of the study (Collis & Hussey, 2003, p. 50).
The research process followed in this study was influenced by an underlying research
paradigm, which was qualitative in nature. A qualitative study focuses on understanding a
human or social problem, based on a complex, holistic view, formed with words and reporting in a natural setting (Creswell, 1998, p. 15). Further, a qualitative study addresses the
subjective social aspects by focusing on the meaning and implications, rather than the measurement of social phenomena. As a result, qualitative research is often descriptive in
nature, with less numerical data collections and analysis (Collis & Hussey, 2003, p. 53;
Creswell, 1998, p. 15). This qualitative research paradigm has resulted in the following
relevant research methods being used in this study, as discussed in the following sub-section.
1.6.1 Research Methods
In addressing the research objectives and the problem statement, this study has used
literature surveys, qualitative content analysis, a case study and argumentation as research
methods. Each of these research methods is briefly discussed next.
i. Literature Surveys
A literature survey is a research method used to identify and review previously published material relevant to the research study undertaken (Hofstee, 2006, p. 91). In
context, literature surveys assisted in gathering secondary data about the current state
of the fields relevant to this study, which included information security, Information
Security Governance, and information security policies. This ensured that a strong
theory base acted as the foundation for work conducted within this research study.
Furthermore, literature surveys assisted in revealing the significance of the work done
within this study, and how the research fitted in with what had already been done in
past studies (Hofstee, 2006, p. 91). All means have been made to ensure that the
content of the literature surveys is as current as possible. Further, literature survey
content was selected from respected authorities in the relevant fields.
ii. Qualitative Content Analysis
According to Krippendorff (2004, p. 18), a qualitative content analysis is “a research
technique for making replicable and valid inferences from texts (or other meaningful
matter) to the context of their use”. The main focus of a qualitative content analysis is
to qualitatively examine data in order to interpret or understand what it means to
people, and what it enables or prevents people from doing. In a qualitative content
analysis, the analysis of the data involves interpreting the results in a qualitative manner in order to answer the research questions. Usually, qualitative content analysis
starts with specific research questions in mind. This way, the texts are read for a
purpose, and not for what might eventually materialize from the texts (Krippendorff,
2004, p. 33). Qualitative content analysis often supports interpretations by means of
quotes from the analyzed texts to support research objectives (Krippendorff, 2004, pp. 87-88).
A qualitative content analysis formed one of the secondary data gathering methods
used in this study. It was used to determine the extent to which Information Security Policy Architectures have been addressed in literature. Chapter 4 details exactly how
the qualitative content analysis was conducted in this study.
iii. Case Study
To gather primary data, a case study research method was used. A case study is the
study of events within their real-life context and is a particularly preferred research
method when questions such as “how” or “why” are being posed in order to evaluate
an existing phenomenon in its context (Noor, 2008; Tellis, 1997; Yin, 2003, pp. 1-2).
This research used a single-case study, which utilized one organization to research a
certain phenomenon. The reason for using a single-case study is that, according to Yin
(2003, p. 41), a single-case study is adequate when the case represents a typical case.
For example, if the objective of the case study is to capture the circumstances of a
commonplace or everyday phenomenon, then a single-case study could be used. As is
demonstrated in Chapter 5, a single-case study was sufficient for this research study.
In comparison to other research methods, case studies present the opportunity to use
multipl e sources of evidence. When multiple sources of evidence have been used, the
process of triangulation should be used. Triangulation is the process of consolidating the results and using them to confirm or disprove a certain phenomenon. Further, due
to the possibility of negative factors, such as bias within case study research, using multiple sources of evidence and triangulating them increases the reliability of the
case study research results (Yin, 2003, p. 97). Exactly how triangulation has been used
within the case study conducted in this research study is detailed in Chapter 5.
Yin (2003, p. 84) describes six possible sources of evidence used for case study
research, namely, documentation, archival records, interviews, direct observation,
participant observation, and physical artifacts. However, there could be numerous
other methods that can be used to source evidence within case study research. This
dissertation only discusses two of the above-mentioned sources of evidence relevant to
this study, namely, documentation and interviews.
• Documentation
Almost all case studies utilize some form of documentation due to their vital and
explicit role. Documentation can take various forms, for example letters,
memoranda, administrative documents, and other internal records. The most
important use of documentation is to augment evidence from other sources of
evidence, such as interviews (Yin, 2003, p. 87). The way documentation has been
used within the case study conducted in this study is discussed in Chapter 5.
• Interviews
Interviews are one of the most important sources of case study evidence (Tellis,
1997). Interviews are guided conversations that form an essential source of
evidence within a case study as interviews can provide great insight into a social
phenomenon. In context, this study used focused interviews, within which the
respondents would be interviewed for a short period of time and asked a certain set
of questions (Yin, 2003, p. 90). These interviews were conducted to corroborate
certain issues from documentation. Even though focused interviews were used, the
interviews were still conversational and open-ended (Yin, 2003, p. 90). Interviews
and how they have been used within the case study conducted in this study have
been detailed in Chapter 5.
iv. Argumentation
According to Dictionary.com (2011), argumentation is defined as “the action or
process of reasoning systematically in support of an idea, action, or theory”. Argumentation is a research method relevant for problem solving, which uses solid
reasoning based on evidence in support of certain claims and conclusions. In arguing,
it is important for the researcher to present solid arguments and to establish the
validity and soundness of those arguments (Govier, 2010).
For argumentation, this research study utilized an inductive reasoning process, which
involves deriving conclusions from observations or a set of data (Haruvy & Stahl,
2004). The inductive reasoning process was utilized to provide solid arguments to
argue towards a holistic framework for an organization’s Information Security Policy
Architecture. A framework is a set of concepts and ideas used for organizing a thought process about a particular problematic situation. Thus, within a framework, different
topics and their interrelation are identified and organized to facilitate the thought process for a certain problematic situation (Karyda, Kiountouzis, & Kokolakis,
2005). As a result, argumentation was used within this research study to facilitate the
thought process that should be followed in providing a framework for an
organization’s Information Security Policy Architecture.
The following sub-section discusses the step-by-step procedure detailing the research
strategy that was used in conducting this study and details how the various research
methods, as described above, have been used in this study.
1.6.2 Research Strategy
Initially, this research study conducted a detailed literature survey to establish the current
state of information security. In this literature survey, information security was noted to be
of extreme importance to organizations, and required a well-planned strategy through
Information Security Governance to be effective. Therefore, a further literature survey
was conducted to determine the current state of Information Security Governance. To be
effective, Information Security Governance was noted to be largely reliant on an
organization’s Information Security Policy Architecture, which is a hierarchical representation of the organization’s information security policies and related
documentation. It was argued that to enhance Information Security Governance, an
organization’s Information Security Policy Architecture should be first addressed.
A research article highlighting the need for organizations to enhance their Information
Security Policy Architectures was formulated, accepted and presented at the Information
Security South Africa (ISSA) conference. In general, feedback from this conference has
enhanced this research project. To further investigate the issues raised by this article, a
qualitative content analysis was conducted to determine the extent to which literature studies have addressed Information Security Policy Architectures. Also, a single-case
study was conducted to determine the extent to which an Information Security Policy Architecture was addressed in practice.
From the above exe rcises, it was concluded that in both literature studies and
organizational practices, Information Security Policy Architectures were not adequately addressed. Therefore, this study argued towards a holistic framework to assist
organizations in creating and managing a more comprehensive Information Security
Policy Architecture. This way, the overall Information Security Governance strategy of an organization could potentially be improved, resulting in improved information security
within an organization. In turn, improved information security could facilitate the
achievement of business objectives due to reduced information risks.
This section has presented the overall research process that was used throughout this study.
The main aim of this section was to give surety of the validity and reliability of the results
presented by this dissertation, as a well-structured and recognized research process has been
followed throughout this research study.
As each research study needs to be properly focused, the following section discusses the
delineations of this study.
1.7 Delineations
This study is aimed at potentially enhancing information security practices within
organizations. This is accomplished by ensuring that information security is strategically
aligned with the organization’s overall objectives through Information Security Governance.
In turn, Information Security Governance is noted to be largely dependent on the
organization’s Information Security Policy Architecture. Therefore, this study mainly focuses
on how an organization’s Information Security Policy Architecture can be properly managed
and made more comprehensive. However, this study does not discuss the actual contents that
should be found within the various components of an organization’s Information Security
Policy Architecture. This study focuses on the recommended structure that an organization’s
Information Security Policy Architecture should take, as well as how this architecture should be managed.
1.8 Chapter Outline
In this introductory chapter, the fields of information security, Information Security
Governance, and Information Security Policy Architecture and how they assist in the overall
success of an organization have been briefly introduced. Current problems identified in these
fields, research questions and objectives to address those problems, as well as the research
process followed to achieve the research objectives, have all been discussed in this chapter.
After this introductory chapter, Chapter 2 discusses information security in detail, together
with its benefits to an organization. It is argued that, to be effective, the process of
information security requires strategic alignment with the organization’s overall business
objectives. This alignment is argued to be attainable through Information Security
Governance.
Information Security Governance is discussed in Chapter 3. For a holistic view, Information
Security Governance is discussed in relation to other forms of governance, such as
Information Technology Governance and Corporate Governance. It is argued that, to be
effective, Information Security Governance relies on the organization’s Information Security Policy Architecture.
An Information Security Policy Architecture is discussed in detail in Chapter 4. It is
discussed in relation to how it assists an organization to adequately manage its information
security policies and related documentation. Further, Chapter 4 determines to what extent
Information Security Policy Architectures are addressed in literature by means of a qualitative
content analysis. Further, to a limited extent, Chapter 5 determines to what extent Information
Security Policy Architectures have been addressed in practice by means of a case study.
From the above chapters, it is noted that in both literature and organizational practices
Information Security Policy Architectures are not adequately addressed. Therefore, Chapter 6
proposes possible solutions towards ensuring comprehensive and properly managed
Information Security Policy Architectures. Lastly, Chapter 7 concludes this dissertation by
evaluating whether the objectives of this research study have been achieved, together with
possible future enhancements of the solutions proposed in this study.
Figure 1.1 below shows the chapter outline discussed above diagrammatically.
Figure 1.1: Chapter outline
Chapter 1: Introduction
Chapter 2: Information Security
Chapter 3: Information Security Governance
Chapter 4: Information Security Policies
Chapter 5: Policies in Practice – Case Study
Chapter 6: Information Security Policy Framework
Chapter 7: Conclusion
Chapter 2: Information Security
2.1 Introduction
Information and the related assets, specific and unique to an organization, form one of the most valuable assets in an organization (Von Solms & Von Solms, 2005). This is because most business processes rely heavily on the organization’s information assets, not only for survival but also to gain a competitive advantage over competitors. Therefore, the information assets of an organization should always be adequately protected against threats, including natural or environmental, accidental, and deliberate threats. The process of protecting information assets is generally referred to as information security (ISO/IEC 27002, 2005, p. viii; Von Solms & Von Solms, 2005; Von Solms & Von Solms, 2006a; Whitman & Mattord, 2010, p. 2).
Securing an organization’s information assets in the past was not as complicated as it is currently (Dlamini, Eloff & Eloff, 2009). Physical security was mostly adequate to ensure secure access to the organization’s critical information assets. However, with the introduction of the Internet, the business environment has become increasingly interconnected. The Internet has introduced a number of benefits, such as fast, convenient and cost-effective ways for organizations to do business. However, the increased need for an online presence has also increased organizations’ exposure to the outside world. As a result, information is now exposed to an ever-growing and wide variety of vulnerabilities and threats. Further, threats are no longer of a physical nature only, but also of a technical and operational nature (Dlamini et al., 2009; ISO/IEC 27002, 2005, p. viii). These threats to information assets could be minimized if the process of information security is clearly understood and implemented. This chapter describes the process of information security in detail, and concludes by arguing that, due to the importance and complex nature of the information security process, it needs to be properly governed as a Corporate Governance sub-function.
2.2 Information Assets
Information is raw data that has been manipulated in some way, leading to a greater
understanding of a certain situation. Raw data can be manipulated through addition,
subtraction, division, tabulation, or any other means that results in new meaningful
knowledge. To be regarded as information, after manipulation, raw data should result in something previously unknown or less assuredly known, be useful in some way, reduce
uncertainty, or change some beliefs (Flowerday & Von Solms, 2009) .
A few types and examples of information include, but are not limited to, privacy information, medical information, proprietary information, financial information, account information such as identities and passwords, employee information, customer information, research information, development plans, investigation information, and competitor-sensitive information such as company secrets, corporate strategies and trade secrets (Humphreys, 2008; NIST 800-60, 2008, pp. 14-17).
The organization’s information and the related assets are a valuable resource for most organizations. These information assets have been described as the lifeblood of many organizations (Von Solms & Von Solms, 2006a). Organizations not only use their information and related assets as a business enabler, but also to gain competitive advantage over competitors. Due to the importance of these assets, some have even argued that information assets are the most valuable assets of many, if not all, organizations (ISO/IEC 13335-1, 2004, p. v; ISO/IEC 27002, 2005, p. viii; Von Solms & Von Solms, 2006a; Whitman & Mattord, 2010, p. 2).
Therefore, the organization’s information assets, as vital business assets, need to be properly managed like all other important business assets, and should be the responsibility of everyone in an organization, especially general business managers at all management levels (ISO/IEC 13335-1, 2004, p. v). Regardless of the form information takes, or the means by which it is acquired, stored, processed, transmitted, accessed, used, maintained and disposed of or destroyed, it should always be appropriately protected from a wide variety of threats (Bernard, 2007; ISO/IEC 27002, 2005, p. viii; Whitman & Mattord, 2010, p. 49). The following section discusses the various threats that information assets must be protected against.
2.3 Threats to Information Assets
Information assets are exposed to a wide variety of threats. A threat is anything that has the potential to harm an asset, and thereby an organization. A threat normally threatens the confidentiality, integrity and/or availability of information assets. Information assets normally possess vulnerabilities, which are the weaknesses through which threats can exploit an asset (ISO/IEC 13335-1, 2004, p. 6; NIST 800-53A, 2010, appendix b).
There are a number of characteristics of threats, as stated in ISO/IEC 13335-1 (2004, p. 7). Firstly, a threat is associated with its impact, in other words the amount of damage it could cause to an organization should it materialize. A second characteristic is the likelihood and frequency with which the threat could materialize. A third characteristic is the source of the threat: a threat can originate from within or outside the organization. Lastly, a threat is normally associated with the motivation behind it, which could include financial gain or competitive advantage. All of these characteristics must be taken into consideration in order to adequately manage risks to information assets.
Table 2.1 below shows the different categories of information threats, together with a few examples of each. These categories are natural or environmental threats, and human-related threats, which can be either deliberate or accidental. When securing information assets, all of these categories of threats must be taken into consideration.
Environmental          Human: Deliberate            Human: Accidental
---------------------  ---------------------------  ------------------------
Earthquake             Eavesdropping                Errors and omissions
Lightning              Information modification     File deletion
Floods                 System hacking               Incorrect routing
Fire                   Malicious code               Physical accidents
                       Social engineering
                       Theft
Table 2.1: Information threats (ISO/IEC 13335-1, 2004, p. 7)
These threats could exploit the technology responsible for storing, processing, transmitting or destroying information, as well as the people handling such information. Therefore, information and related assets must be adequately protected through a properly managed information security process (ISO/IEC 13335-1, 2004, p. v; Whitman & Mattord, 2010, p. 49). This information security process is discussed in detail in the following section.
2.4 Information Security
As noted in Section 2.2, information assets are important organizational assets that should be suitably protected. It has also been noted that information threats range from environmental threats to threats caused by humans, which can be either deliberate or accidental, and that human-related threats, accidental or deliberate, can be of a physical, technical or operational nature. An example of a physical threat would be someone walking into the building and stealing a laptop, or copying information from a laptop onto removable media. A technical threat would be someone remotely accessing a bank’s network via the Internet to steal information. An operational threat would be an organization not having, or not properly managing, information security policies and related documentation. All of these types of information threats need to be adequately addressed via an enhanced information security process. The following sub-sections describe the process of information security in more detail, from its objectives and its requirements to the need for and importance of information security.
2.4.1 Information Security Description
Information security has been described as “the vehicle by which the organization’s information assets are secured” (Whitman & Mattord, 2010, p. 3). This ‘vehicle’ does not just provide protection against information risks, but against business risks, as information security could be likened to business security (Von Solms & Von Solms, 2005). Essentially, information security is about protecting the confidentiality, integrity and availability (CIA) of information (Dhillon, 2007; ISO/IEC 13335-1, 2004; ISO/IEC 27002, 2005; McConnell, 1994; NIST 800-53A, 2010; Pfleeger & Pfleeger, 2007; Syamsuddin & Hwang, 2010).
Information security is accomplished through the protection of the systems that are used to acquire, process, store, transmit and destroy information, and through the application of technology, policy, and training and awareness programs (McConnell, 1994; Whitman & Mattord, 2010, p. 4). Properly implemented, information security ensures business continuity, minimizes business risks, and maximizes return on investments and business opportunities (ISO/IEC 27002, 2005, p. viii; NIST 800-53A, 2010, p. 1).
As mentioned previously, the most important objectives of information security are to safeguard the CIA of information. While there is research that opposes or adds to these objectives (Tirado, 2008; Whitman & Mattord, 2010), this dissertation focuses on information security based on ensuring the CIA of information. Next, each of these information security objectives is briefly discussed.
i. Confidentiality
Sometimes called secrecy or privacy, confidentiality is the process of ensuring that only entities with sufficient and demonstrated rights may access certain information (Pfleeger & Pfleeger, 2007, p. 11). Entities in this case could be anything or anyone requiring access to information, such as people or computer applications. Confidentiality is breached if unauthorized entities read, view, print, or simply learn that particular information exists (ISO/IEC 13335-1, 2004, p. 2; NIST 800-53A, 2010, appendix b; Pfleeger & Pfleeger, 2007, p. 11).
There are a number of measures used to achieve confidentiality. These include, but are
not limited to, cryptography, information classification, secure document storage,
application of information security policies, and education of information stakeholders
(Whitman & Mattord, 2010, p. 6) .
However, a number of technological innovations are making it difficult to achieve confidentiality. This is because recent developments are aimed at making data accessible to many, but with fewer authorization structures and fewer rules (Dhillon, 2007, p. 318).
ii. Integrity
Integrity is the process of ensuring that only entities with sufficient and demonstrated rights may modify certain information, thereby ensuring the accuracy and completeness of information assets (ISO/IEC 13335-1, 2004, p. v; NIST 800-53A, 2010, p. 1). Modification may mean any of the following: changing, writing, deleting, creating, or changing the status of an information asset. According to Dhillon (2007, p. 318), the integrity process should not only secure the integrity of data, but also ensure its correct interpretation.
For information to have integrity there needs to be assurance that information is accurate, meaningful, usable and unmodified. If the information has been modified, that should only have been done in acceptable ways, and by authorized people or processes (Pfleeger & Pfleeger, 2007, p. 11).
Further, for information to have integrity there needs to be a sound system of internal controls. There are a number of such controls and techniques, for example check bits, data retransmission, data recovery and redundancy bits (Flowerday & Von Solms, 2009; Whitman & Mattord, 2010, p. 7). It should be noted that check bits and redundancy bits detect accidental corruption; protecting against deliberate modification by an unauthorized entity additionally requires a control that the modifier cannot recompute, such as a keyed message authentication code.
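The distinction between these controls matters once the deliberate and accidental threats of Table 2.1 are considered together. The following Python example is added here as an illustration and is not part of the dissertation: it applies a redundancy check (CRC-32, standing in for the check bits and redundancy bits listed above) and a keyed message authentication code (HMAC-SHA256) to a constructed sample record, then subjects that record to an accidental single-bit error and to a deliberate modification by an attacker who recomputes the redundancy check. The record, the key and the attacker’s edit are all constructed for this example.

```python
import hashlib
import hmac
import zlib

# Constructed sample record; not taken from the dissertation.
RECORD = b"account=ACME-001;balance=1500.00;currency=ZAR"

# Hypothetical shared secret. In a real system it would come from a key store
# and never be embedded in source code.
KEY = b"example-shared-key-do-not-use"


def crc_tag(data):
    """Redundancy check bits: detect accidental corruption only."""
    return zlib.crc32(data) & 0xFFFFFFFF


def hmac_tag(data, key):
    """Keyed integrity tag: detects accidental and deliberate modification."""
    return hmac.new(key, data, hashlib.sha256).digest()


def crc_verifies(data, tag):
    return crc_tag(data) == tag


def hmac_verifies(data, key, tag):
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(hmac_tag(data, key), tag)


def flip_bit(data, bit_index):
    """Simulate an accidental single-bit error in storage or transmission."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def forge_with_crc(new_data):
    """Deliberate attacker: alter the record and recompute the public CRC.
    The CRC needs no secret, so the attacker can always make it match."""
    return new_data, crc_tag(new_data)


def demo():
    """Return which check still passes after an accidental and a deliberate change."""
    crc = crc_tag(RECORD)
    mac = hmac_tag(RECORD, KEY)

    # Accidental threat (Table 2.1): one flipped bit. Both controls catch it.
    corrupted = flip_bit(RECORD, 37)
    accidental = {
        "crc": crc_verifies(corrupted, crc),
        "hmac": hmac_verifies(corrupted, KEY, mac),
    }

    # Deliberate threat (Table 2.1, "Information modification"): the attacker
    # changes the balance and recomputes the CRC. The CRC now passes; the HMAC
    # still fails because the attacker does not hold KEY.
    forged, forged_crc = forge_with_crc(RECORD.replace(b"1500.00", b"9500.00"))
    deliberate = {
        "crc": crc_verifies(forged, forged_crc),
        "hmac": hmac_verifies(forged, KEY, mac),
    }
    return {"accidental_passes": accidental, "deliberate_passes": deliberate}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows both checks rejecting the accidentally corrupted record, while only the HMAC rejects the deliberately forged one; the redundancy check alone therefore addresses the accidental column of Table 2.1 but not the deliberate column.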
iii. Availability
Availability is an information security objective aimed at ensuring that information is reliably accessible and usable in a timely manner, as required by an authorized entity (ISO/IEC 13335-1, 2004, p. v; NIST 800-53A, 2010, appendix b). This requires that systems and information stored, processed, transmitted or destroyed, together with the security controls used to protect those systems and information, are all functioning properly. System failure, for example, results in a breach of availability (Dhillon, 2007, p. 318; Syamsuddin & Hwang, 2010).
According to Dhillon (2007, p. 318), although availability is important, it is less controversial for organizations than confidentiality and integrity. However, some have predicted that ensuring availability is security’s next great challenge for organizations (Pfleeger & Pfleeger, 2007, p. 11).
For information or a system to be considered available, it must be easily accessed and used in the way intended, and there should be a timely response to legitimate requests. Further, there should be fair allocation of resources to multiple requests. Lastly, to increase the availability of a system, fault tolerance should be built into the system, and system failures should lead to graceful termination of services or to workarounds, instead of system crashes which might result in loss of information (Pfleeger & Pfleeger, 2007, p. 11).
In order for information security to be conducted in the most effective way that will benefit the whole organization, it must take into account all of the various requirements specific to the organization. These requirements could be gathered from a wide variety of sources, including laws, regulations, standards, Risk Management, and the general organizational business requirements (ISO/IEC 27002, 2005, p. ix). The next sub-section briefly discusses the different information security requirements, as these are important inputs to information security.
2.4.2 Information Security Requirements
To be effective, information security requirements should be gathered from a wide variety of sources. These sources include, but are not limited to, applicable laws, management orders and directives, policies, standards, instructions, regulations, procedures, and organizational mission/business needs (ISO/IEC 27002, 2005, p. ix; NIST 800-53A, 2010, appendix b). In essence, these sources of information security requirements can be grouped into three categories, discussed next.
i. Organizational Business Requirements
Information security requirements must be aligned with the overall business requirements of an organization; hence, Von Solms and Von Solms (2005) refer to information security as business security. Not treated this way, information security initiatives in an organization are most likely to be ineffective. Therefore, it is vital that information security requirements take into account the principles, objectives and unique business requirements of an organization. This way, the information security function will not be seen as, or potentially be, an impediment to business processes, but a driver of such business processes (ISO/IEC 27002, 2005, p. ix; Whitman & Mattord, 2010, p. 3).
ii. Legal, Statutory, Regulatory, and Contractual Requirements
Based on the type of industry, there might be a need for an organization to gather information security requirements from the legal, statutory, regulatory and contractual requirements that the organization, including its external parties, has to comply with. A few examples include organizational record preservation, copyright restrictions, and data protection legislation (Gerber & Von Solms, 2008; ISO/IEC 27002, 2005, p. ix).
iii. Information Security Risk Management
Risk Management, as one of the sources of information security requirements, is an extremely important process, as it determines the unique information risks the organization faces. As a first step, the Risk Management process should identify all of the organization’s information assets and the risks these assets face. The next step should be assessing the vulnerabilities of the identified assets. Following vulnerability assessment, the Risk Management process should determine the likelihood that a certain threat might exploit an asset’s vulnerabilities, as well as the impact on the organization should such exploitation occur. Lastly, controls should be implemented as risk treatment measures in order to reduce information risks to an acceptable level (Gerber & Von Solms, 2008; ISO/IEC 27002, 2005, p. ix; ISO/IEC 27005, 2008, p. 6). A global survey conducted by Ernst & Young in 2009 revealed that, due to the importance of the Risk Management process, its improvement was the top information security priority for most organizations.
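The steps just described (identify assets and the threats they face, assess vulnerabilities, estimate likelihood and impact, then treat the risk down to an acceptable level), together with the threat characteristics of Section 2.3 (impact, likelihood, source and motivation), can be carried through as a small risk register. The Python example below is added for that purpose and is not part of the dissertation. The assets, vulnerabilities, likelihood and impact scores, the acceptable-risk threshold and the control catalogue are all constructed assumptions; only the threat names are taken from Table 2.1.

```python
from dataclasses import dataclass

# Assumed risk appetite: inherent or residual scores above this value must be
# treated. Risk is scored as likelihood x impact, each on a 1..5 scale.
ACCEPTABLE_RISK = 6


@dataclass
class Threat:
    name: str          # threat name, taken from Table 2.1
    category: str      # "environmental", "deliberate" or "accidental"
    source: str        # "internal" or "external" (Section 2.3)
    motivation: str    # e.g. "financial gain"; "none" for non-human threats
    likelihood: int    # 1 (rare) .. 5 (almost certain)


@dataclass
class Asset:
    name: str
    impact: int        # 1 (negligible) .. 5 (severe) if CIA is compromised
    vulnerabilities: dict  # vulnerability -> list of threat names exploiting it


@dataclass
class RiskEntry:
    asset: str
    vulnerability: str
    threat: str
    inherent: int
    control: str = "none"
    residual: int = 0
    treated: bool = False


# Constructed control catalogue: control -> (threats addressed, likelihood reduction).
CONTROLS = {
    "network segmentation and patching": ({"System hacking"}, 2),
    "security awareness training": ({"Social engineering", "Errors and omissions"}, 2),
    "off-site backups": ({"Fire", "Floods", "File deletion"}, 3),
    "encrypted storage": ({"Theft"}, 3),
}


def score(likelihood, impact):
    return likelihood * impact


def select_control(threat_name):
    """Choose the catalogued control with the largest likelihood reduction."""
    best = None
    for name, (threats, reduction) in CONTROLS.items():
        if threat_name in threats and (best is None or reduction > best[1]):
            best = (name, reduction)
    return best


def assess(assets, threats):
    """Steps 1-4: enumerate asset/vulnerability/threat triples, score them,
    and apply a treatment control where the inherent risk is unacceptable."""
    by_name = {t.name: t for t in threats}
    register = []
    for asset in assets:
        for vuln, threat_names in asset.vulnerabilities.items():
            for tn in threat_names:
                t = by_name[tn]
                entry = RiskEntry(asset.name, vuln, tn, score(t.likelihood, asset.impact))
                entry.residual = entry.inherent
                if entry.inherent > ACCEPTABLE_RISK:
                    chosen = select_control(tn)
                    if chosen is not None:
                        entry.control, reduction = chosen
                        reduced = max(1, t.likelihood - reduction)
                        entry.residual = score(reduced, asset.impact)
                        entry.treated = True
                register.append(entry)
    register.sort(key=lambda e: e.inherent, reverse=True)
    return register


def still_unacceptable(register):
    """Residual risks still above appetite need further treatment or acceptance."""
    return [e for e in register if e.residual > ACCEPTABLE_RISK]


# Constructed sample data for illustration only.
SAMPLE_THREATS = [
    Threat("System hacking", "deliberate", "external", "financial gain", 4),
    Threat("Social engineering", "deliberate", "external", "financial gain", 3),
    Threat("Theft", "deliberate", "internal", "financial gain", 2),
    Threat("Errors and omissions", "accidental", "internal", "none", 4),
    Threat("Fire", "environmental", "external", "none", 1),
]

SAMPLE_ASSETS = [
    Asset("customer database", 5, {
        "internet-facing unpatched server": ["System hacking"],
        "staff share credentials by phone": ["Social engineering"],
    }),
    Asset("laptop with research data", 4, {"no disk encryption": ["Theft"]}),
    Asset("payroll spreadsheet", 3, {
        "manual data entry": ["Errors and omissions"],
        "single paper copy": ["Fire"],
    }),
]


def run_sample():
    return assess(SAMPLE_ASSETS, SAMPLE_THREATS)


if __name__ == "__main__":
    for e in run_sample():
        print(f"{e.inherent:>2} -> {e.residual:>2}  {e.asset}: {e.threat} via {e.vulnerability} [{e.control}]")
    print("still unacceptable:", [e.threat for e in still_unacceptable(run_sample())])
```

On the sample data the register sorts the customer database’s exposure to system hacking to the top (inherent 20); after the single catalogued control it remains at 10, above the assumed appetite, which is the point of computing residual risk: one control is not automatically enough, and the entry must either be treated further or explicitly accepted by management.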
Information security is complex and requires many resources, such as adequate funding and information security professionals, for it to be successful. Due to this complexity and the need for increased spending, some organizations disregard the information security function and see it as a waste of the organization’s resources (Drugescu & Etges, 2006). However, this should not be the case. Studies have shown that investment in information security results in positive and effective information security in an organization (Drugescu & Etges, 2006). The following sub-section discusses the need for and importance of information security, as well as its benefits.
2.4.3 Information Security Necessity
Traditionally, information security has been managed separately from the rest of the organization’s objectives, in an ad hoc manner, addressed only when incidents occur, and treated only as a physical and technical issue (Dlamini et al., 2009). However, organizations are now realizing the need for proper management and governance of information security, aligning it with the rest of the organization’s goals, and realizing that information security could be viewed primarily as a human issue. Even with these improvements and realizations, organizations are still continuously faced with a number of growing information security challenges, including human-, technology- and organization-related challenges (Dlamini et al., 2009; Werlinger, Hawkey, & Beznosov, 2009). This further emphasizes the need for enhanced and comprehensive information security in organizations.
A further reason organizations are in such great need of information security is that a large number of information systems have not been designed to be secure. It is important that security is built into the information system. Due to its importance, information security should no longer be a by-product but should form a core component of the organization’s systems and processes (ISO/IEC 27002, 2005, p. viii; Von Solms & Futcher, 2007; Wing, 2006).
Further, the introduction of the Internet, though extremely valuable, has resulted in a number of security concerns, which have further necessitated stringent information security measures. The Internet has resulted in massive interconnection and public sharing of information resources. As a result, the Internet has increased the challenges of achieving access control, with distributed computing worsening the situation by weakening the effectiveness of centralized control. Consequently, security breaches have become increasingly common, ambitious and sophisticated. Organizations of all sizes must always be prepared for these security breaches, as they may incur expensive recovery costs and integrity losses (ISO/IEC 27002, 2005, p. viii; Rees, 2010).
In general, there is an increased need for enhanced information security as security breaches are on the rise. Ernst & Young (2009) found that 66 percent of organizations noted an increase in both external and internal breaches. Most concerning is that, in the majority of cases, these breaches are never even detected, and therefore never appropriately addressed. According to Killmeyer (2006, p. xviii), government studies indicate that only 10 security breaches out of 10,000 were being identified and, as such, had the potential to be appropriately addressed. This impedes proper estimation of the damage and financial losses caused by security breaches. Therefore, it is important that organizations implement security controls that prevent, or at least detect, security incidents.
Lastly, a further factor contributing to security breaches, and therefore necessitating enhanced information security, could be the adoption of new technologies. Although valuable, new technologies such as cloud computing and virtualization could introduce a number of information risks. For example, in cloud computing, an organization might not know exactly where in the cloud its information resides and how it is managed. With virtualization, an organization might not consider that an attacker has a single point of attack, as multiple virtual servers could be residing on one physical server. According to Ernst & Young (2010), 45 percent of organizations are using, evaluating or planning to use cloud computing, and the number of organizations using virtualization could increase as well. However, according to Ernst & Young (2009), very few organizations are considering the information security implications of these new technologies; some are concerned only with their benefits. Organizations must apply the principles of information security and assess the potential impact of any new technology on the organization’s overall security, looking beyond the promised benefits of such technologies (Ernst & Young, 2009).
From the above sub-sections, it should be clear what information security is and what its objectives are, how organizations should determine information security requirements, and why information security is needed and important. According to a global survey conducted by Deloitte (2009), some organizations are gradually realizing the benefits of information security and are starting to increase their number of information security initiatives.
Organizations need to implement proper information security measures. These measures should not only be of a technical, reactive nature, but should also follow a strategic and more proactive approach (Dlamini et al., 2009). A number of past approaches to information security have been purely technical, ignoring the operational/administrative and strategic dimensions. However, it has been argued that a purely technical approach to information security could result in increased information risks. As a result, studies and best practices in the current literature are beginning to focus more on the operational/administrative and strategic dimensions of information security (Dhillon, 2007; ISO/IEC 13335-1, 2004; ISO/IEC 27002, 2005; IT Governance Institute, 2007; Syamsuddin & Hwang, 2010; Von Solms & Von Solms, 2009; Whitman & Mattord, 2010).
The technical dimension of information security is still as important as it has ever been, and will always remain important. However, for a holistic and more successful approach, these technical aspects need to be supported by strategic and operational/administrative information security principles. There are a number of basic information security principles that organizations should follow for the successful implementation of information security. Firstly, organizations should have an information security policy. This information security policy should reflect the organizational objectives as well as the organizational culture, and should be supported by a number of organization-specific sub-policies and other related documentation. Information security policies and the related documentation are the main focus of this research study, and are discussed in detail in Chapter 4 of this dissertation. Secondly, there should be visible support from all management levels. Management support usually results in adequate funding for information security, and typically results in increased adherence to information security policies by the organization’s employees. Thirdly, there should be an effective incident response management process which details the right channels to be followed by the organization’s employees in handling and reporting information security incidents. Fourthly, there should be a measurement system to evaluate the whole security program and ensure that it is adhered to by the whole organization. Lastly, all information security stakeholders should be made aware of, trained in, and educated regarding information security (Dhillon, 2007, p. 323; Dlamini et al., 2009; ISO/IEC 27002, 2005, p. x; Knapp, Marshall, Rainer, & Morrow, 2006; Werlinger et al., 2009; Whitman & Mattord, 2010, p. 13).
Previously, information security stakeholders have had the impression that information security is the sole responsibility of the technical security personnel (Dlamini et al., 2009; Whitman & Mattord, 2010, p. 3). However, treated this way, information security is most likely to fail. The next section discusses the different people who should be responsible for information security, and the roles they should play in the overall information security program of an organization.
2.5 Information Security Stakeholders
Rather than being the sole responsibility of a small, dedicated group of technical professionals, as was the case in the past, information security has become a complex battle which technical professionals alone cannot win. Information security now ranges from data protection to human resource protection, and the business environment has become increasingly interconnected. Further, information threats have become increasingly sophisticated and distributed, and are now more focused on exploiting the human factor of information security. As a result, information security requires participation by all employees in the organization, especially general business managers (ISO/IEC 27002, 2005, p. viii; Whitman & Mattord, 2010, p. 3).
Besides requiring participation from employees within the organization, information security may also require participation from external parties specific to the organization, such as suppliers, third parties and shareholders, as well as specialist advice from consultants. Therefore, for information security to be implemented in a comprehensive manner, it requires participation from any external parties specific to the organization, as well as from all employees within the organization (ISO/IEC 27002, 2005, p. viii). The following paragraph determines what is meant by ‘all employees’.
Anyone involved with the gathering, storing, processing, transmitting or destruction of information, whether via technological means or not, is responsible for information security, whether directly or indirectly. This ranges from information security managers, information security professionals, information technology (IT) managers and IT professionals to general end-users. Further, non-technical general business managers and professionals are also information security stakeholders. These may include the senior executives ultimately responsible for corporate assets, such as the CEO and the board of directors, as well as the Risk Management team, the audit team, the compliance team, the legal team, the physical security team and the human resources team (Bernard, 2007; Whitman & Mattord, 2010, p. 3).
Essentially, the above information security stakeholders internal to the organization can be grouped into three audiences. Firstly, there is the end-user audience, which generally encompasses everyone within an organization, including general business managers and professionals, IT/security managers and professionals, and all other employees within the organization. Secondly, there is the management audience, which specifically encompasses the non-technical general business managers ultimately responsible for corporate assets. Lastly, there is the technical audience, which specifically consists of the IT/security managers and professionals responsible for the management of the organization’s systems (Grobler & Von Solms, 2004; Kadam, 2007; Von Solms et al., 2011). All of these internal audiences, together with the external stakeholders, form the critical information security stakeholders.
Therefore, all of the information security stakeholders mentioned above should be made aware of their roles in information security, so that they may become security advocates, and therefore business advocates (Bernard, 2007). Raising security awareness among all stakeholders could help in addressing the human factor of information security. The following section discusses three important factors of information security, namely the human, organizational and technical factors.
2.6 Information Security Factors
By information security factors, this study refers to the elements that contribute to the overall success or failure of the process of information security. For information security to be successful, it is important that organizations thoroughly understand these different information security factors, and how they relate to one another. This way, an organization can address these different information security factors in the most comprehensive manner. The following sub-sections discuss the three major information security factors, namely the human, organizational and technical factors.
2.6.1 The Human Factor
As stated previously, information security requires participation by all employees in the organization. It is often said that information security is more a human issue than a technology issue (Ashenden, 2008; Schultz, 2005). Even the best technologies in the world cannot, for example, stop a social engineering attack aimed at manipulating the user into believing that a certain request for access codes is legitimate. In the past, little attention was paid to the human factor of information security (Ashenden, 2008; Deloitte, 2009; Dlamini et al., 2009). However, there is an increase in studies recognizing the need to address the human factor of information security, including Da Veiga and Eloff (2010), ISO/IEC 27002 (2005), NIST 800-50 (2003), Thomson and Von Solms (2006), Thomson, Von Solms, and Louw (2006), and Van Niekerk and Von Solms (2010).
Bakhshi, Papadaki, and Furnell (2009) concluded that humans, specifically end-users, are easy targets and should not be relied upon to have natural instincts when it comes to protecting themselves. Therefore, end-users must be equipped with the necessary knowledge and skills through information security education, training and awareness (SETA) programs (Bakhshi et al., 2009; Dlamini et al., 2009).
Organizations are also beginning to realize that information security is mostly a human issue. According to a survey conducted by Deloitte (2009), organizations do acknowledge that people, including third parties, are a major information security challenge. However, most organizations pay little attention to SETA programs. In many organizations, there is an over-abundance of technologies and technologists at the expense of experts dealing with the human factor. Therefore, there is a need for properly managed initiatives focused on the human factor of information security in organizations (Deloitte, 2009; Schultz, 2005).
Organizations are beginning to implement initiatives aimed at dealing with the human factor of information security. According to a global survey conducted by Ernst & Young (2009), while some organizations do implement SETA programs, these programs are not working as well as they could. This is due to a number of problems, such as limited budgets, weak content, and ad-hoc initiatives. Some SETA programs encourage the establishment of a blame culture, which is damaging and counter-productive. Further, most SETA programs are not built on sound pedagogical, psychological, and communications principles (Ernst & Young, 2009; Lacey, 2010).
Information security initiatives that address the human factor should aim to instil a secure culture in organizations. For this reason, top management should support these initiatives, as such support has been shown to have a direct influence on the organizational security culture and the level of policy enforcement (Knapp, Marshall, Rainer, & Ford, 2006). Ultimately, these initiatives should be developed with the intention of positively influencing the behaviour of end-users, and thereby instilling a secure culture (Da Veiga & Eloff, 2010; Knapp et al., 2006; Thomson & Von Solms, 2006; Thomson et al., 2006; Van Niekerk & Von Solms, 2010).
The result of a secure culture should be that end-users are aware of emerging threats and know the right channels to follow when reporting security incidents. Each user would become a “Security Deputy” to the organization’s information security personnel, and would take some responsibility for preventing security incidents, whether they are accidental or deliberate, and whether they originate from inside or outside the organization (Dlamini et al., 2009; Styles & Tryfonas, 2009).
The human factor of information security should not be addressed in isolation from the other information security factors. The following sub-section discusses the second type of information security factor, namely, organizational factors.
2.6.2 Organizational Factors
Besides the issues regarding the human factor discussed above, there are organizational factors of information security. Organizational factors refer to issues specific and unique to the organization that determine the success or downfall of information security.

Organizational factors facing most organizations include, but are not limited to, lack of resources due to lack of funds, inadequate staffing, policies and policy management, organizational culture and employee behaviour, top management support, organization size, industry type, organizational structure, and environmental elements such as rapid technology changes, competitors’ behaviour, customers’ security requirements, and changes in legislation (Ernst & Young, 2009; Kraemer, Carayon, & Clem, 2009; Werlinger et al., 2009). However, this sub-section emphasizes the three organizational factors that the literature survey conducted identified as the most challenging: top management support, lack of resources due to lack of funds, and organizational structure. The following paragraphs discuss the management support factor first.
Even though information security should be a responsibility of everyone in an organization, it should primarily be a responsibility of managers. Managers include information security managers, IT managers, and non-technical general business managers (Whitman & Mattord, 2010, p. 3). This is critical for planning and especially for funding purposes; technical professionals cannot do much without the support of managers. Werlinger et al. (2009) found that the greater the management support, the more effective information security becomes, as organizations spend more on information security resources. Besides planning and funding, studies have concluded that the security culture and the level of policy enforcement in an organization are positively influenced by management support (Knapp et al., 2006; Werlinger et al., 2009).
Often, however, general business managers are not aware of the information security measures that can be used to reduce business risks, but are willing to employ security planning techniques if they receive awareness and training about these techniques and their importance (Werlinger et al., 2009). In support of this, Choi, Kim, Goo, and Whitmore (2008) also concluded that managerial information security awareness directly and positively influences managerial actions towards information security. Therefore, it is imperative that information security professionals close the gap that exists between them and general management (Bakari, Tarimo, Yngstrom, Magnusson, & Kowalski, 2007; Rainer, Marshall, Knapp, & Montgomery, 2007). Thus, information security professionals should make the tangible benefits of information security explicit, for example, the role of information security in raising customer confidence. This would help in convincing general management of the need for information security (Drugescu & Etges, 2006; Werlinger et al., 2009). However, this is not always possible due to the organizational factor of inadequate staffing, and therefore not having security experts available to convince other stakeholders. At the same time, inadequate staffing could be a result of an inadequate information security budget. An inadequate information security budget is another major organizational factor, and is discussed in the next paragraph.
An inadequate information security budget has been, and still is, one of the major organizational information security factors. According to the global survey by Ernst & Young (2009), in most organizations the lack of appropriate information security resources due to inadequate budgets was a challenge, and was expected to continue being a challenge. Organizations should understand that information security investment is one of the most effective ways of reducing the severity of security incidents, as more information security measures will be implemented (Khansa & Liginlal, 2009). According to Deloitte (2009), in hard economic times there could be a temptation to cut security costs in an organization. However, this is the time when security threats are the greatest (Deloitte, 2009).
Increasing investment in information security implies lower monetary damages to an organization, as well as reduced negative publicity, should a particular security risk materialize. No cost saving can ever justify the brand or reputational damage to an organization that can result from a security breach (Deloitte, 2009). Notably, the most recent survey by Ernst & Young (2010) shows that 46 percent of organizations indicated that their annual investment in information security is increasing.
Lastly, a major organizational factor of information security is the structure of the organization. How the organization is structured, and consequently where the information security function is placed within the organization, plays a significant role in determining the overall success of the information security function. Whitman and Mattord (2010, pp. 175-183) refer to five options that an organization can choose from in determining where to place the information security function:
1. Placing the information security function under the IT function;
2. Placing the information security function under the security function;
3. Placing the information security function under the administrative services function;
4. Placing the information security function under the insurance and risk management function; or
5. Placing the information security function under the strategy and planning function.
All these options have advantages and disadvantages. However, the last option, placing the information security function under the strategy and planning function, is recommended by Whitman and Mattord (2010, pp. 175-183). The reason is that this option signals that an organization views information security as critical to its overall success. This last option should be the main aim of information security managers and professionals (Whitman & Mattord, 2010, pp. 175-183).
Besides the human and organizational factors of information security already discussed above, there are technical factors of information security. The technical factors were the only factors of information security in consideration when information security was still in its infancy (Dlamini et al., 2009). The following sub-section discusses the technical factors of information security in more detail.
2.6.3 Technical Factors
For many decades, information security was managed only as a technical function and, as such, was the responsibility of the technical professionals in the organization (Whitman & Mattord, 2010, p. 3). Arguably, this is still the case in some organizations, as the Deloitte (2009) study shows that a number of organizations still consider information security a technical infrastructure issue. As a result, there has been, and still is, less consideration given to the human and organizational factors of information security (Koskosas, Pavlitsas, & Kakoulidis, 2011). If information security is treated purely as a technical issue, with less consideration for the human and organizational factors, then information security is most likely to be ineffective (ISO/IEC 27002, 2005, p. viii; Whitman & Mattord, 2010, p. 49).
The technical aspects of information security, however, will always be as important as they have been in the past, because the technical aspects form the most fundamental components in the process of information security. Addressed in relation to the human and organizational factors, the technical factors of information security could yield more advantages than disadvantages. However, as is the case in some organizations, too much emphasis on the technical aspects of information security, and exaggeration of the capabilities of technical protection mechanisms, could lead to a false sense of security. This false sense of security in turn could lead to low motivation for people to comply with security policies (Zhang, Reithel, & Li, 2009). Therefore, during security awareness programs in an organization, the capabilities of technical security mechanisms should not be exaggerated; instead, their drawbacks and limitations should be emphasized.
Further, from an end-user perspective, the usability of information security features in security applications is another technical factor. Most information security technologies are not user-friendly. End-users should be able to protect themselves, and thus security applications should be designed so that end-users can easily understand and access them. If adequately addressed, this technical factor could result in end-users being more secure and requiring little or no assistance from technical personnel for security configuration (Furnell, 2005; Katsabas, Furnell, & Dowland, 2005).
From a management/technical personnel perspective, technology complexity is another technical factor that needs to be considered and addressed. As a result of the negative impact of this factor, it is extremely difficult for decision makers to manage the big picture and to design information security policies that cover all possible configurations of a certain system. Properly addressed, this technical factor could yield positive results, such as improved decision making by management/technical personnel (Werlinger et al., 2009).
All of the above-mentioned information security factors, namely, human, organizational, and technical factors, can be addressed if organizations realize and acknowledge their existence, and realize how these factors are related to one another. These information security factors affect information security in an organization, positively or negatively. If they are not appropriately addressed, by default these factors will negatively impact information security. However, if they are appropriately addressed, as advised in this section, these factors could result in improved information security in an organization. To address these different information security factors, organizations should implement appropriate information security controls. The following section discusses the different types of information security controls an organization should use to holistically address information security.
2.7 Information Security Controls
Information security in an organization is achieved by implementing a suitable set of controls, where a control can be any action, device, procedure, or technique used to address one or more of the information security factors discussed earlier in this chapter. Controls should be established, implemented, monitored, reviewed, and improved based on the unique information security requirements of an organization. When appropriately selected, information security controls result in enhanced information security programs in organizations. However, identifying which information security controls should be implemented requires careful planning and attention to detail. Otherwise, there could be duplicate controls, or a shortage of controls, resulting in wasted resources and/or security loopholes. As a result of the complex nature of managing controls, there is much literature to aid with the management of information security controls, including, among others, ISO/IEC 27002 (2005), IT Governance Institute (2007), NIST 800-53A (2010), Pfleeger and Pfleeger (2007), and Rees (2010).
Information security controls are grouped into three main categories, namely, physical, technical, and operational or administrative controls (Bidgoli, 2006, p. 13; Killmeyer, 2006, p. 15). Like all other information security entities, these different types of information security controls are interconnected and interdependent (Sveen, Torres, & Sarriegi, 2009). The following sub-sections briefly discuss each of these types of controls.
2.7.1 Physical Controls
Physical controls are aimed at restricting physical access to the organization’s equipment. Organizations should ensure that information and systems are physically protected from both insiders and outsiders. Physical access to any information system must be justified before it is granted. It is important to note that, most of the time, if people have physical access to a certain system, then that system is vulnerable (Bidgoli, 2006, p. 13; Killmeyer, 2006, p. 15).

A few examples of physical controls include keyboard locks, security guards, cipher locks, keypads, alarms, and environmental systems for temperature, humidity, water, lightning, power, and fire (Killmeyer, 2006, p. 15; NIST 800-53, 2009, p. 21).
2.7.2 Technical Controls
Physical controls alone are not sufficient to secure information and information systems, hence the need for technical controls. Technical controls are safeguards or countermeasures implemented through hardware, software, or firmware components of the system. Ideally, technical controls should be hard to defeat (Killmeyer, 2006, p. 15; NIST 800-53A, 2010).

Examples of technical information security controls include anti-virus software, digital signatures, encryption, network management tools, passwords, smart cards, dial-up access control, callback systems, audit trails, and intrusion-detection/prevention expert systems (Killmeyer, 2006, p. 15).
Previously, however, most organizations and researchers paid significant attention only to the physical and technical controls, and neglected the administrative or operational controls (Deloitte, 2009; Dlamini et al., 2009; Koskosas et al., 2011). This has resulted in information security being seen by many as only a physical and technical issue, whereas it should be more of a human and organizational issue. The following sub-section briefly discusses these administrative/operational controls.
2.7.3 Administrative/Operational Controls
These types of controls are safeguards or countermeasures primarily implemented and executed by people (NIST 800-53A, 2010, Appendix B). To a large extent, physical and technical information security controls are dependent on administrative or operational controls. The main reason for this is that administrative/operational controls are about people, and people are in control of the physical and technical controls.

A few examples of these types of controls include security awareness, training, and education (SETA) programs, security review and audit reporting, data/resource ownership, IT management and supervision, and disaster recovery and contingency plans (Killmeyer, 2006, p. 15). The type of administrative/operational control most relevant to this research study is information security policies and related documentation. These controls act as a reference point detailing how all the other controls should be implemented within an organization (Kadam, 2007). Policies and the related documentation are discussed in detail in Chapter 4 of this dissertation.
When implementing information security controls, it is important that an organization does not significantly interfere with information usage by legitimate users through excessive use of information security controls. It is easy for information security professionals to focus more on confidentiality and integrity and forget about the availability of information assets (Post & Kagan, 2006). Information security controls should be carefully selected based on organization-specific risks and organization-specific goals. This will ensure that information assets are adequately protected, and therefore that business objectives can be met (ISO/IEC 27002, 2005, p. ix). In conclusion, the next section discusses the main arguments of this chapter.
2.8 Conclusion
Some have argued that information security should no longer be called information security but business security (Von Solms & Von Solms, 2005). This is because information security is crucial to the well-being of the whole organization. If the process of information security is adequately addressed, an organization could reap both the explicit and implicit benefits thereof. However, information security is a very complex and continuous process which, initially, could incur massive spending. If information security is aligned with the organization’s strategic objectives, there will be returns on information security investments (Drugescu & Etges, 2006). To be comprehensive and effective, the process of information security needs participation by everyone in an organization, especially general business managers. Further, information security needs to be managed in the most strategic manner, aligned with general business goals, and it should address more than just the technical aspects, but also the human and organizational aspects.

In order for information security to be addressed in the most strategic, comprehensive and effective manner, and to be in alignment with the rest of the organization’s goals, information security must be recognized as one of the Corporate Governance sub-functions. The Corporate Governance sub-function responsible for information security is generally referred to as Information Security Governance (Von Solms & Von Solms, 2009). The following chapter discusses Information Security Governance in relation to other forms of governance, namely, Corporate Governance and Information Technology Governance.
Chapter 3: Information Security Governance
3.1 Introduction
According to Dictionary.com (2011), to govern is “to direct and control the actions, affairs, policies, or functions of an organization, a political unit, or a nation”. Likewise, for organizations, to govern is to give instructions detailing how the organization should operate, and to ensure adherence to those instructions. As noted in Chapter 2, Section 2.8, due to its importance, the process of information security needs to be properly governed throughout the whole organization. This means that the information security activities of an organization should be properly directed and controlled using good Corporate Governance principles. The Corporate Governance sub-function responsible for information security is referred to as Information Security Governance (Von Solms, 2006).
Information Security Governance is the Corporate Governance sub-function ultimately responsible for ensuring that the organization’s information assets are protected in the most comprehensive manner. How an organization addresses Information Security Governance must be relevant, specific and unique to that organization; there is no single Information Security Governance solution that suits all organizations (Von Solms & Von Solms, 2009, p. 17).
This chapter discusses Information Security Governance in more detail. However, this discussion cannot take place in isolation, as Information Security Governance is closely related to two other forms of governance, namely, Information Technology Governance and Corporate Governance. To fully understand Information Security Governance, it is important to understand how it relates to Information Technology Governance and Corporate Governance. Therefore, as the first step towards fully understanding Information Security Governance, the following section discusses the overarching form of governance in organizations, referred to as Corporate Governance.
3.2 Corporate Governance
As can be deduced from the general governance definition in the previous section, Corporate Governance defines the means for directing and controlling corporations or organizations. Ideally, directing and controlling should be achieved by means of policies and internal controls in an organization. In essence, Corporate Governance provides the structure through which the organization’s objectives are set, whilst providing the means of achieving those objectives and monitoring the organization’s performance against them. Further, Corporate Governance can also be regarded as a set of relationships between an organization’s management, board of directors, shareholders and other stakeholders (Abu-Musa, 2010; Cadbury Report, 1992; Handley-Schachler, Juleff, & Paton, 2007; Institute of Directors South Africa, 2009; Poore, 2005).
Corporate Governance is the overarching, all-encompassing form of governance in an organization, which should take into account all aspects of the organization, including finance, human resources, research and development, marketing, IT and information security (Johnston & Hale, 2009; Von Solms, 2006).
As Corporate Governance is responsible for the well-being of the whole organization, it should ultimately be the responsibility of the highest level of management in an organization, normally the board of directors (Posthumus, Von Solms, & King, 2010). The board of directors should always apply due care and diligence with regard to Corporate Governance, as poor governance will certainly produce undesirable results (Institute of Directors South Africa, 2009).
In the past, there have been a number of catastrophes due to poor Corporate Governance. Large organizations, such as Enron and WorldCom, have collapsed due to the lack of good Corporate Governance (Ko & Fink, 2010; Posthumus & Von Solms, 2005). As a result, governance legislation such as Sarbanes-Oxley in the USA has emerged, requiring public organizations to apply Corporate Governance practices or else face serious legal consequences (Ko & Fink, 2010).
However, Corporate Governance is very broad and high-level in nature, and therefore does not address every aspect of an organization in detail. To address the focused, low-level aspects of an organization in detail, the Corporate Governance function is supported by a number of governance sub-functions. As already noted above, Corporate Governance is an ‘umbrella’ covering all other forms of governance in an organization. As one of the Corporate Governance sub-functions relevant to this study, Information Technology Governance is discussed in the next section. Later, the different forms of governance, and how they relate to the process of information security and Information Security Governance, are discussed.
3.3 Information Technology Governance
Most organizations rely on IT to function effectively, or even to survive. This is because IT has become a fundamental business tool and a significant factor in the future business strategies of many organizations (ISO/IEC 38500, 2008, p. v). IT enables individuals and organizations to manage the transactions, information, and knowledge required for initiating and maintaining economic and social activities. As a result, IT is an important asset in many organizations. For a number of organizations, IT strategy may even become business strategy (Posthumus, Von Solms, & King, 2010). The reason for this is that organizations create business value not from IT itself, but from the strategic way they use IT. As a result, there is a general prediction that in the near future IT will become a key driver of an organization’s financial prosperity (Posthumus et al., 2010).
When properly governed, IT presents a number of advantages for organizations, such as savings in cost and time, improved business processes, greater competitive advantage, increased business value, return on IT investments, and ease of collaboration with stakeholders located anywhere in the world (Ko & Fink, 2010; Posthumus et al., 2010). However, as with all other good things, there are side effects. With increased interconnectivity and globalization, speed and complexity, IT has the potential to incur great risks (IT Governance Institute, 2007, pp. 5-8). Poorly governed IT could result in significant expenditure of the organization’s financial and human resources, resulting in no return on IT investments, and the adverse impact of this on organizations would be significant. On the other hand, properly governed IT greatly benefits an organization, as business objectives are considered first, followed by how IT can be effectively used to achieve those business objectives. Therefore, as a number of organizations depend on IT to survive and to attain a competitive advantage, these organizations should treat IT in the same manner as corporate finance or general Corporate Governance (Posthumus et al., 2010). The Corporate Governance sub-function responsible for governing the organization’s IT initiatives is referred to as Information Technology Governance (ISO/IEC 38500, 2008, p. v).
Information Technology Governance is the system used within an organization to govern the use of technology with regard to information acquisition, storage, processing, transportation, and destruction (Abu-Musa, 2010). Information Technology Governance also consists of the leadership, organizational structures, and processes that ensure that IT is properly aligned with the organization’s strategic goals and delivers value to the organization. Further, Information Technology Governance is concerned with managing IT-related risks and IT resource usage, and with measuring overall IT performance within an organization. In this way, Information Technology Governance enables an organization to take full advantage of its information resources, maximize benefits and opportunities, and thereby gain a competitive advantage over competitors (IT Governance Institute, 2007).
Therefore, Information Technology Governance should form an integral part of Corporate Governance and should be a responsibility of the highest level of management in an organization. The alignment between Corporate Governance and Information Technology Governance is desirable, as factors, both positive and negative, that affect Corporate Governance inevitably cascade to Information Technology Governance as well. This integration between Information Technology Governance and Corporate Governance is only possible if the board of directors recognizes and oversees Information Technology Governance. As an added advantage, when the highest level of management is involved in IT decision-making, the organizational culture towards IT could change positively (Ko & Fink, 2010; Posthumus et al., 2010).
Poorly governed IT could result in crises that could even lead to the downfall of the organization. Improperly governed IT decisions could result in significant financial losses, lower returns on IT investments, and bad IT investments. The following crises, which occurred in the past few years, resulted from the lack of good Information Technology Governance. In 2001, Disney’s Internet division lost $878 million when it was forced to shut down its portal, Go.com, due to being unable to remain competitive with its competitors Yahoo and AOL (Girard, 2002). Kmart lost $130 million due to supply chain software and hardware that did not meet the market’s expectations (Changepoint Corporation, 2004). Gateway lost $143 million due to the scrapping of IT projects that no longer supported the organization’s strategic objectives (Girard, 2002). Lastly, Nike lost $400 million due to bad software investments (Changepoint Corporation, 2004). All of these catastrophes were the result of poor Information Technology Governance (Posthumus & Von Solms, 2005). To a large extent, poor Information Technology Governance results from boards of directors making the wrong decisions with regard to IT. This inappropriate overseeing of IT by boards of directors is mainly due to the lack of adequate board-level IT guidance (Posthumus & Von Solms, 2005).
The board of directors often does not have the necessary knowledge to ask intelligent questions with regard to IT risks and expenses, and therefore needs more specific guidance on how to address Information Technology Governance (Posthumus et al., 2010). As a result, Posthumus and Von Solms (2005) argue for the need for an IT oversight committee whose sole purpose should be to advise the board of directors on Information Technology Governance related issues. Posthumus et al. (2010) maintain that the question is no longer whether the board of directors should be involved in IT-related decisions, but how the board of directors can be assisted in making IT-related decisions. This means that the board of directors, with the help of senior IT executives, should adequately address Information Technology Governance, as it is one of the integral components of Corporate Governance.

However, achieving good Information Technology Governance takes time, and does not happen by accident, but needs proper planning, preparation, implementation and monitoring (Posthumus et al., 2010). Further, in order for Information Technology Governance to be more effective, it should not be addressed in isolation from other forms of governance. As already stated above, Information Technology Governance is a sub-function of Corporate Governance. However, Corporate Governance and Information Technology Governance alone are not enough to ensure that all of the organization’s valuable information assets are properly secured from a wide variety of risks. Information Technology Governance is only concerned with how IT can be effectively used to achieve business objectives, as well as how information risks introduced as a result of IT can be addressed. However, not all information risks are a result of IT. For example, an organization’s employees leaving confidential documents on their desks when going to lunch could result in information risks materializing, and this is not related to technology. This type of employee behaviour can be appropriately addressed if the organization properly governs its information security initiatives. The following section and the rest of this chapter discuss the governance of information security initiatives within an organization.
3.4 Information Security Governance

In Chapter 2 it was discussed that information security is a very complex process which needs proper planning to be successful. Due to the sophistication and increasing number of information threats, organizations can no longer perform information security activities in an ad-hoc manner. It is important that information security activities are governed as part of the overall governance strategy of an organization. The explicit inclusion of the organization’s information security activities as part of the organization’s Corporate Governance strategy is referred to as Information Security Governance (Von Solms, 2006).

Information Security Governance is a sub-function of Information Technology Governance (Von Solms & Von Solms, 2009, p. 26). However, Information Security Governance goes beyond just addressing technology. The reason for this is that, as opposed to Information Technology Governance, Information Security Governance is specifically concerned with addressing the risks to the organization’s information itself rather than just to the technology (Poore, 2005). Figure 3.1 below illustrates the relationship between Information Technology Governance, Information Security Governance and Corporate Governance.

Figure 3.1: The relationship between Corporate Governance, Information Technology Governance and Information Security Governance (Von Solms & Von Solms, 2009, p. 26).
Figure 3.1 clearly shows that Information Technology Governance and Information Security Governance fall under the ‘umbrella’ of Corporate Governance. Even though there is much overlap, Information Security Governance extends beyond Information Technology Governance. The reason for this is that Information Technology Governance is mainly concerned with how organizations can effectively use IT to achieve business objectives, whilst managing IT-related risks. To a large extent, this is also part of Information Security Governance. However, there are other aspects that are integral to Information Security Governance and not necessarily part of Information Technology Governance, for example legal and regulatory compliance issues, as well as organizational Risk Management and forensics. These aspects are integral to Information Security Governance, but the role players responsible for them are not necessarily from IT; they could be from other disciplines and may not report through the IT line function. Further, issues concerning employee behaviour towards protecting the organization’s information assets do not always involve IT or technology. Therefore, there is a need for a specialized form of governance to specifically deal with issues relating to information security (Poore, 2005; Von Solms & Von Solms, 2009, p. 26).

Therefore, Information Security Governance can be described as the system by which the organization’s information security activities are directed and controlled (Von Solms & Von Solms, 2006b). In Chapter 2, Section 2.4, information security activities have already been noted to be concerned with maintaining the confidentiality, integrity and availability (CIA) of the organization’s information and related assets. Therefore, Information Security Governance can be further described as the strategic system by which the CIA of information and related assets is maintained (Abu-Musa, 2010; Johnston & Hale, 2009; Von Solms & Von Solms, 2009, p. 24).
However, in a number of organizations there is poor alignment between Information Security Governance and Corporate Governance, and Information Security Governance is not a regular item of discussion in the boardroom (Abu-Musa, 2010). For Information Security Governance to be successful and aligned with the rest of the organization’s objectives, it is important for the board of directors to consider Information Security Governance an integral part of Corporate Governance (Abu-Musa, 2010; Von Solms & Von Solms, 2009; Von Solms & Von Solms, 2006a). As the board of directors is ultimately responsible for Information Security Governance, failure to protect the organization’s information assets could ultimately result in the board of directors, and specifically the CEO, being held responsible. Should the board of directors fail to prove that due care and diligence have been taken in addressing Information Security Governance, there could be a legal charge of negligence.
To be effectively implemented, an organization’s Information Security Governance strategy should be comprehensive: it should direct and control all information security related activities within the organization. There are various types of activities within an organization. Firstly, there are strategic activities, concerned with the overarching strategic initiatives of the organization. With regard to information security, these should include activities that provide a strategic direction for information security within the organization. These strategic activities should be the responsibility of Strategic Level management, where the board of directors, the CEO and other C-level executives reside. Secondly, Tactical Level management, consisting of mid-level management, should be responsible for expanding the strategic information security activities from the Strategic Level into more detailed activities, and should report to the Strategic Level. In turn, the detailed activities from the Tactical Level should be used as input to the Operational Level, where operational management should ensure that the higher-level activities are properly executed within the daily operations of the organization. These management levels are illustrated in Figure 3.2 below.

Figure 3.2: Management levels (Von Solms & Von Solms, 2006b)
The whole process of issuing directives from the Strategic Level, through the Tactical Level, to the Operational Level can be referred to as directing (Von Solms & Von Solms, 2009, pp. 29-38; Von Solms & Von Solms, 2006b; Von Solms, 2005). The process of directing is one of the main focuses of this dissertation and is discussed in detail in Chapter 4.

To ensure that information security directives are being adhered to, measurement data should be collected from the Operational Level. This data collection can be accomplished via electronic means, such as log files, firewalls and specialized software. Furthermore, methods such as interviews, inspections and questionnaires can be used to collect data which cannot be sourced electronically. All of this data should be used to measure compliance at the Operational Level, which, after being analyzed and summarized, then facilitates compliance measurement at the Tactical Level and ultimately at the Strategic Level. This process of ensuring compliance from the Operational Level, through the Tactical Level, to the Strategic Level can be referred to as controlling (Abu-Musa, 2010; Von Solms & Von Solms, 2006b). This cyclic concept of directing and controlling forms the basis for any form of governance, and is illustrated in Figure 3.3 below.

Figure 3.3: The direct-control cycle (Von Solms & Von Solms, 2006b).
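The bottom-up measurement described above can be made concrete in code. The following Python program is an added illustration and is not part of the dissertation or of the cited authors’ work: it takes constructed Operational Level evidence (a configuration export per workstation, plus one field that could only come from a questionnaire), measures each record against operational checks, summarizes the checks per Tactical Level requirement, and finally reports per Strategic Level directive whether the compliance target is met and which check is driving any shortfall. The directives, requirements, checks, targets and evidence records are all assumptions made for the example.

```python
"""Bottom-up compliance measurement for the controlling process: operational
evidence is measured against checks, summarized per tactical requirement and
finally per strategic directive.

Added illustration, not from the dissertation. Directive and requirement names,
the targets and the evidence records are all constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed Operational Level evidence, one record per workstation, as a
# configuration management export might produce it. "training_done" stands for
# data that cannot be sourced electronically (here: an HR questionnaire).
EVIDENCE: List[dict] = [
    {"host": "ws-01", "disk_encrypted": True,  "mfa_enrolled": True,  "patch_age_days": 4,  "training_done": True},
    {"host": "ws-02", "disk_encrypted": True,  "mfa_enrolled": False, "patch_age_days": 9,  "training_done": True},
    {"host": "ws-03", "disk_encrypted": True,  "mfa_enrolled": False, "patch_age_days": 41, "training_done": False},
    {"host": "ws-04", "disk_encrypted": True,  "mfa_enrolled": True,  "patch_age_days": 2,  "training_done": True},
    {"host": "ws-05", "disk_encrypted": False, "mfa_enrolled": True,  "patch_age_days": 12, "training_done": True},
]


@dataclass
class Check:
    """Operational Level check: a predicate over one evidence record."""
    name: str
    predicate: Callable[[dict], bool]


@dataclass
class Requirement:
    """Tactical Level requirement, expanded from a directive into concrete checks."""
    name: str
    checks: List[Check]


@dataclass
class Directive:
    """Strategic Level directive with the minimum compliance management accepts."""
    name: str
    requirements: List[Requirement]
    target: float  # 0.9 means at least 90% compliance is expected


def check_compliance(check: Check, evidence: List[dict]) -> float:
    """Operational Level measurement: fraction of records satisfying the check."""
    if not evidence:
        return 0.0  # missing evidence is reported as non-compliance, never as 100%
    return sum(1 for record in evidence if check.predicate(record)) / len(evidence)


def requirement_compliance(req: Requirement, evidence: List[dict]) -> float:
    """Tactical Level summary: mean of the requirement's operational checks."""
    return sum(check_compliance(c, evidence) for c in req.checks) / len(req.checks)


def directive_compliance(d: Directive, evidence: List[dict]) -> float:
    """Strategic Level summary: mean of the directive's tactical requirements."""
    return sum(requirement_compliance(r, evidence) for r in d.requirements) / len(d.requirements)


def roll_up(directives: List[Directive], evidence: List[dict]) -> Dict[str, dict]:
    """Report handed up to the Strategic Level: compliance per directive, whether
    it meets the target, and the weakest operational check behind any shortfall."""
    report = {}
    for d in directives:
        score = directive_compliance(d, evidence)
        per_check = {c.name: check_compliance(c, evidence)
                     for r in d.requirements for c in r.checks}
        report[d.name] = {
            "compliance": round(score, 3),
            "meets_target": score >= d.target,
            "weakest_check": min(per_check, key=per_check.get),
            "requirements": {r.name: round(requirement_compliance(r, evidence), 3)
                             for r in d.requirements},
        }
    return report


# Constructed directives (Strategic), expanded into requirements (Tactical) and checks (Operational).
DIRECTIVES = [
    Directive("Protect confidentiality of customer data", [
        Requirement("Endpoint hardening", [
            Check("disk_encrypted", lambda r: r["disk_encrypted"]),
            Check("patched_within_30_days", lambda r: r["patch_age_days"] <= 30),
        ]),
        Requirement("Remote access control", [
            Check("mfa_enrolled", lambda r: r["mfa_enrolled"]),
        ]),
    ], target=0.90),
    Directive("Staff are security aware", [
        Requirement("Annual awareness training", [
            Check("training_done", lambda r: r["training_done"]),
        ]),
    ], target=0.75),
]

if __name__ == "__main__":
    for name, result in roll_up(DIRECTIVES, EVIDENCE).items():
        status = "OK" if result["meets_target"] else "SHORTFALL"
        print(f"{status:9} {result['compliance']:.0%}  {name}  (weakest: {result['weakest_check']})")
```

Run as a script, the program prints one line per directive. The design choice worth noting is that a check with no evidence scores zero rather than being skipped: a gap in data collection at the Operational Level then shows up as a shortfall at the Strategic Level instead of silently inflating the figure.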
For a complete understanding of Information Security Governance, it is important to note the difference between Information Security Governance and information security management. Information security management is contained within Information Security Governance and is concerned with its more visible aspects. Information security management essentially deals with information security aspects between the Tactical and Operational Levels, whereas Information Security Governance starts and ends at the Strategic Level (Von Solms & Von Solms, 2009, p. 25).

To achieve proper Information Security Governance, however, there are a number of barriers that organizations need to overcome. One of the major barriers is that, traditionally, in a number of organizations, information security activities have been directed using a bottom-up approach (Johnston & Hale, 2009; Ohki, Harada, Kawaguchi, Shiozaki, & Kagaya, 2009). What has been discussed in the previous paragraphs and illustrated in Figure 3.3 is an example of a top-down approach to directing information security initiatives. In a top-down approach, information security directives originate from the Strategic Level and are then distributed to the rest of the organization. In a bottom-up approach, on the other hand, IT/security technical personnel decide what is relevant for the organization and create information security policies and related documentation in the way they deem necessary, not necessarily in line with strategic directives. This approach is flawed because, firstly, it does not necessarily consider strategic objectives and, secondly, it is normally reactive: it is typically based on incidents that occur at the perimeter of the organization. Also, in using a purely bottom-up approach, organizations run the risk of focusing on the individual challenges of information security and failing to see the bigger picture. In fact, a purely bottom-up approach to directing causes misalignment between Corporate Governance and Information Security Governance, which can be disastrous. This misalignment could result in unnecessary or improper information security controls, and in security programs that cannot solve the difficulties surrounding information security within the organization. Instead, a more strategic, proactive, top-down approach to directing is recommended for effective Information Security Governance (Johnston & Hale, 2009; Ohki et al., 2009).
Besides the challenges of the traditional bottom-up approach to information security, there are other barriers that prevent effective Information Security Governance. These include the negative aspects of the human, organizational and technical factors already discussed in Chapter 2, Section 2.6. However, if Information Security Governance is addressed comprehensively, treated as an integral part of Corporate Governance and directed using a top-down approach, then an organization could reap both the tangible and intangible benefits of Information Security Governance (Poore, 2005). Some of these benefits are discussed in the following sub-section.

3.4.1 Benefits of Information Security Governance

There are a number of benefits which can be realized if an organization practices Information Security Governance. These include improved strategic alignment, increased business effectiveness and efficiency, optimized information security investments and reduced uncertainty in business operations. Information Security Governance is also beginning to act as a market differentiator: organizations might become market leaders and gain a competitive advantage as a direct result of adequately implementing Information Security Governance (Abu-Musa, 2010; Johnston & Hale, 2009; Posthumus & Von Solms, 2004).
Another benefit of Information Security Governance concerns the image of an organization in the eyes of its prospective trading partners. Before partnering, some organizations explicitly require that a prospective partner conform to a certain information security best practice. This increases confidence and trust amongst trading partners. Information Security Governance also increases trust between an organization and its customers. A further benefit is that it reduces a number of information security related risks which, should they materialize, could damage the organization’s reputation, if not the organization itself (Abu-Musa, 2010; Johnston & Hale, 2009; Posthumus & Von Solms, 2004).

Information Security Governance additionally aids in the adequate implementation of information security policies and their related documentation, while also acting as a system for measuring and reporting compliance with this policy documentation. In turn, this could assist in proving that the organization has applied due care and diligence towards protecting its information and related assets (Von Solms & Von Solms, 2006a; Von Solms et al., 2011).

Lastly, organizations that practice Information Security Governance are likely to pay lower costs for, firstly, auditing services. This is due to the ease of the auditing process if an organization has already implemented Information Security Governance based on an information security framework that is widely accepted as best practice. Secondly, organizations are likely to pay lower costs for insurance services, since an organization practicing Information Security Governance has a lower chance of risks to its information assets materializing (Abu-Musa, 2010; Johnston & Hale, 2009; Posthumus & Von Solms, 2004).

For organizations to achieve the best results from Information Security Governance and to reap all of the above-mentioned benefits, they should realize that Information Security Governance is a complex, continuous and diverse process, requiring participation by everyone, especially general business managers. As a result of its complexity and diversity, Information Security Governance is composed of a number of different but interrelated facets or dimensions which should work together to ensure a comprehensive approach. The following sub-section discusses this idea of Information Security Governance as a multi-dimensional discipline.
3.4.2 Information Security Governance – A Multi-Dimensional Discipline

Information Security Governance requires a holistic approach in order to be successful. Unfortunately, there is no off-the-shelf or one-size-fits-all solution for Information Security Governance. An organization’s Information Security Governance strategy should be unique to the organization and based on the organization-specific risks (Von Solms, 2001). For an organization-specific and holistic approach, Information Security Governance should be viewed as consisting of a number of different but interrelated dimensions. The following are some of these dimensions, as outlined by Von Solms (2001).

i. The (Corporate) Governance Dimension

This dimension of Information Security Governance is the ‘umbrella’ for all the other dimensions. It is concerned with information security being seen as an organizational strategy for adequately protecting the organization’s information assets. Therefore, ensuring that information security is governed and included as one of the Corporate Governance sub-functions is the ultimate aim of this dimension. This dimension is important to ensure a more stable, solid and long-term plan for information security in an organization (Institute of Directors South Africa, 2009).

ii. The Management Dimension

The information security management dimension of Information Security Governance is concerned with the more visible aspects of the governance dimension above. This includes the day-to-day management of all the other Information Security Governance dimensions discussed in this section. This dimension is important in dealing with the more short-term and daily information security activities.

iii. The Risk Management Dimension

Information security is mostly about identifying and managing the risks that the organization’s information assets potentially face, and this is accomplished through the process of Risk Management, as already discussed in Chapter 2, Section 2.4.2. This Risk Management process should be based on the identification of valuable information assets and a critical assessment of the potential threats against these assets. Further, the Risk Management process should identify the vulnerabilities that the identified assets possess. The potential impact on the organization should the identified vulnerabilities be exploited should also be determined, as well as the probability of threats exploiting these vulnerabilities. Lastly, based on this critical risk assessment, action plans should be introduced to treat the identified risks and reduce them to acceptable levels. For strategic alignment, the Risk Management dimension of Information Security Governance should be included as part of the organization’s general Risk Management strategy (ISO/IEC 27005, 2008).
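The sequence of steps just listed for the Risk Management dimension (valuable assets, threats, vulnerabilities, impact, probability, and treatment down to an acceptable level) can be carried through on a small qualitative risk register. The following Python program is an added illustration and is neither the dissertation’s own material nor an implementation of ISO/IEC 27005; the 1..5 rating scales, the acceptable risk level, the assets, threat scenarios and candidate controls are all constructed assumptions. It rates inherent risk as likelihood times impact, then builds a treatment plan greedily by risk reduction per unit of cost, stopping when the residual risk is acceptable, and flags scenarios that no available control can bring within the acceptable level so that they are escalated rather than silently accepted.

```python
"""Qualitative risk assessment and treatment following the steps listed for the
Risk Management dimension: value the asset, assess the threat, identify the
vulnerability, rate impact and likelihood, then treat until the residual risk
is within the acceptable level.

Added illustration, not from the dissertation or from ISO/IEC 27005 itself. The
1..5 scales, the acceptable level, the assets, scenarios and controls are all
constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List

ACCEPTABLE_RISK = 6  # constructed risk appetite on the 1..25 likelihood x impact scale


def rating(level: int) -> int:
    """Validate a qualitative 1..5 rating."""
    if not 1 <= level <= 5:
        raise ValueError(f"rating must be 1..5, got {level}")
    return level


@dataclass
class Asset:
    name: str
    impact: int  # 1..5: harm to the organization if the asset's CIA is compromised


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # rating steps removed from likelihood
    impact_reduction: int = 0      # rating steps removed from impact
    cost: int = 1                  # constructed relative cost


@dataclass
class RiskScenario:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int  # 1..5: probability that the threat exploits the vulnerability
    applied: List[Control] = field(default_factory=list)

    def residual(self, extra: List[Control] = ()) -> int:
        """Risk after the applied controls (plus any trial controls); never below 1x1."""
        controls = list(self.applied) + list(extra)
        likelihood = max(1, rating(self.likelihood) - sum(c.likelihood_reduction for c in controls))
        impact = max(1, rating(self.asset.impact) - sum(c.impact_reduction for c in controls))
        return likelihood * impact


def treat(scenario: RiskScenario, candidates: List[Control],
          acceptable: int = ACCEPTABLE_RISK) -> List[Control]:
    """Greedy treatment plan: repeatedly apply the control with the best risk
    reduction per unit cost until the residual is acceptable. The plan is empty
    if the inherent risk was already acceptable, and the loop stops early if no
    remaining control lowers the risk, leaving it above the acceptable level."""
    remaining = list(candidates)
    while scenario.residual() > acceptable and remaining:
        current = scenario.residual()
        best = max(remaining, key=lambda c: ((current - scenario.residual([c])) / c.cost, -c.cost))
        if scenario.residual([best]) >= current:
            break  # nothing left that lowers the risk; needs escalation or formal acceptance
        scenario.applied.append(best)
        remaining.remove(best)
    return scenario.applied


def assess(scenario: RiskScenario, candidates: List[Control]) -> dict:
    """One risk register row: inherent risk, treatment plan, residual risk, status."""
    inherent = scenario.residual()
    plan = treat(scenario, candidates)
    residual = scenario.residual()
    return {
        "asset": scenario.asset.name,
        "threat": scenario.threat,
        "inherent": inherent,
        "plan": [c.name for c in plan],
        "residual": residual,
        "status": "acceptable" if residual <= ACCEPTABLE_RISK else "escalate",
    }


# Constructed register entries.
CUSTOMER_DB = Asset("Customer database", impact=5)
WEBSITE = Asset("Public website", impact=2)
DB_CONTROLS = [
    Control("Patch management", likelihood_reduction=1, cost=1),
    Control("Network segmentation", likelihood_reduction=2, cost=3),
    Control("Encryption at rest", impact_reduction=2, cost=2),
    Control("Tested backups", impact_reduction=1, cost=1),
]
SCENARIOS = [
    (RiskScenario(CUSTOMER_DB, "External attacker", "Unpatched DB server reachable from the internet", likelihood=4), DB_CONTROLS),
    (RiskScenario(WEBSITE, "Defacement", "Weak CMS administrator password", likelihood=3), DB_CONTROLS),
    (RiskScenario(CUSTOMER_DB, "Ransomware", "No offline backups", likelihood=5), [Control("Tested backups", impact_reduction=1, cost=1)]),
]

if __name__ == "__main__":
    for scenario, controls in SCENARIOS:
        print(assess(scenario, controls))
```

For the first constructed scenario the inherent risk is 4 × 5 = 20; patch management is applied first (largest reduction per unit cost), then network segmentation, bringing the residual to 5. The website scenario starts at 6 and needs no treatment, and the ransomware scenario cannot be brought under the acceptable level with the single control available, so it is marked for escalation.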
iv. The Organizational Dimension

Section 2.6.2 in the previous chapter stressed how the placement of the information security function within the organizational structure greatly determines the overall success of Information Security Governance within an organization (Whitman & Mattord, 2010, pp. 175-183). This organizational dimension, however, does not only refer to the physical structure of an organization, but also to other structural aspects such as roles and responsibilities and the involvement of senior management with information security.

v. The Best Practice Dimension

There are a number of internationally accepted best practices for information security. These best practices are a combination of well-tested and proven theoretical and practical concepts from various knowledgeable and experienced people, and they detail how best to deal with information security issues. Therefore, existing knowledge in the form of best practices should be used to assist organizations with Information Security Governance (Poore, 2001; Tsohou, Kokolakis, Lambrinoudakis, & Gritzalis, 2010). The best practice dimension of Information Security Governance greatly assists in adequately addressing the other dimensions discussed in this section.

vi. The Certification Dimension

This dimension is about organizations being certified as conforming to certain information security standards. An example of a certification that a number of organizations are pursuing is ISO/IEC 27001 (2005). There are a number of reasons for organizations to pursue information security certification. Firstly, by earning certification, an organization would be addressing Information Security Governance in an effective manner, which in turn would increase stakeholder confidence in the organization. Secondly, before partnering, organizations would require their prospective business partners to hold certain information security certifications. Lastly, information security certification would provide and prove due care and diligence towards information security.

vii. The Legal/Regulatory Dimension

There could be a number of legal, statutory, regulatory and contractual requirements that an organization has to comply with, depending on the industry in which it operates. Examples include copyright restrictions, organizational record preservation and data protection legislation. This dimension is starting to have a major influence on the organization’s Information Security Governance, and this influence is expected to increase, as non-compliance could result in serious civil and/or other legal consequences (Gerber & Von Solms, 2008).
viii. The Awareness Dimension

Information security is very often a human issue, and humans are seen as the weakest link in information security. An organization could have the best technical controls, but these would not adequately protect the organization’s information assets if its employees are not information security aware. As a result of the importance of the human factor in information security, numerous guidelines, for example NIST SP 800-50 (2003), focus on this awareness dimension. This dimension is attracting much attention as organizations begin to realize and appreciate the potential of the human factor in information security. The human factor of information security has been discussed in Chapter 2, Section 2.6.1.

ix. The Technical Dimension

Amongst all the Information Security Governance dimensions, this dimension is probably the oldest, as it is where information security originated decades ago. In fact, a number of the other dimensions exist to enhance this dimension. For example, the awareness dimension is mostly used to educate users on how to behave in order for technical controls to be effective. As a result, the technical dimension is the most popular amongst all the dimensions identified in this section. In fact, some even consider information security to be a purely technical issue, which is one of the information security challenges highlighted in Chapter 2, Section 2.6.3. However, the technical dimension has always been, and will always be, an extremely important dimension of Information Security Governance, as it is directly responsible for protecting the confidentiality, integrity and availability of the organization’s information assets (Dlamini et al., 2009).

x. The Policy Dimension

The policy dimension is of extreme importance, as it requires information security requirements, objectives and directives to be explicitly documented. According to the Information Security Governance principles already discussed in this chapter, this dimension is concerned with directing. It was emphasized that directing should be implemented in a top-down approach, from the Strategic Level, through the Tactical Level, to the Operational Level (Von Solms & Von Solms, 2006b; Von Solms et al., 2011).

The policy dimension of Information Security Governance is the primary focus of this research study. The reason for focusing on this dimension is that it directly supports Information Security Governance by facilitating the processes of directing and controlling. However, the various aspects and components of this dimension are not adequately addressed in literature and practice, as stated in Chapter 1, Section 1.4. As a result, this dimension is thoroughly deliberated on in Chapter 4 of this dissertation.
xi. The Monitoring/Control/Measurement/Metrics Dimension

It is widely accepted that one cannot manage what one cannot measure (Von Solms & Von Solms, 2006b). Therefore, this dimension of Information Security Governance is concerned with measuring the extent to which management directives towards information security are being adhered to within an organization. In other words, this dimension is all about ensuring compliance with the policy dimension discussed above. It is of little or no value to have an information security policy that cannot be enforced (Von Solms & Von Solms, 2006b). For enforcement and compliance measurement, this dimension includes more than just technical means; it also covers aspects such as the level of information security awareness among end-users. According to the principles of Information Security Governance already discussed in this chapter, this dimension is concerned with controlling, which should be achieved in a bottom-up manner, from the Operational Level, through the Tactical Level, to the Strategic Level, where compliance with the Strategic Level directives can ultimately be determined.

If seen as a multi-dimensional discipline, Information Security Governance is most likely to be effective within an organization. The above list of dimensions is not necessarily comprehensive or fixed, due to the dynamic nature of information security. However, the precise number and contents of the dimensions are not of paramount importance. The most important thing is for organizations to regard Information Security Governance as consisting of a number of dimensions, and to know that these dimensions need to work together for comprehensive and effective Information Security Governance (Grobler & Von Solms, 2004; Von Solms, 2001; Von Solms & Von Solms, 2009, pp. 18-24).

In this section, Information Security Governance was discussed in detail, as well as how it relates to other forms of governance, namely Corporate Governance and Information Technology Governance. The benefits of adequately implementing Information Security Governance were identified. Further, for organizations to fully reap those benefits, this section argued that Information Security Governance should be implemented in a holistic manner, taking into account its various dimensions.
3.5 Conclusion

Information assets are amongst the most important assets for almost all organizations, and are often described as the lifeblood of an organization. Therefore, like all other critical business assets, information assets should be adequately protected through the process of information security. Information security should not be addressed in an ad-hoc, reactive manner, but in a more organized, proactive and holistic manner through the strategic process of Information Security Governance.

If appropriately implemented, Information Security Governance could result in a number of benefits. For an organization to reap those benefits, it is important to realize that Information Security Governance is a complex, multi-dimensional discipline, and to address it accordingly. Further, Information Security Governance should be strategically placed as one of the Corporate Governance sub-functions. This means that information security activities should be directed and controlled throughout all of the organizational levels.

To facilitate Information Security Governance directing and controlling at all management levels, information security policies and related documentation should be used. This documentation should be used as a means of directing, or giving instructions as to what should be done by the whole organization with regard to information security. Further, these information security policies and related documentation should serve as a reference point for controlling. Controlling is the process of measuring and ensuring compliance with the directives given by management. Because of its potential to enhance the processes of directing and controlling, the policy dimension is one of the most, if not the most, important dimensions of Information Security Governance. Without this dimension, it would be difficult, if not impossible, to achieve proper Information Security Governance. Due to the significance of this dimension, the following chapter explores the policy dimension in more detail.
Chapter 4: Information Security Policies

4.1 Introduction

Due to the critical nature of the organization’s information assets, the process of information security should be properly governed through Information Security Governance, in order to ensure alignment with the organization’s overall strategic objectives. It has been ascertained in Chapter 3 that Information Security Governance is accomplished through directing and controlling. Directing is the process whereby management issues directives to the whole organization, giving strategic direction with regard to information security. Controlling is the process of ensuring adherence to management directives (Von Solms & Von Solms, 2006b; Von Solms et al., 2011).

To facilitate the process of management giving directives and ensuring adherence to those directives, an organization should use a series of information security policies and related documentation. This has been referred to as the policy dimension of Information Security Governance in Chapter 3, Section 3.4.2. Without this policy dimension, it would be difficult, if not impossible, for an organization to claim to be in full control of its information security initiatives (Doherty & Fulford, 2006; Grobler & Von Solms, 2004; Von Solms & Von Solms, 2004; Von Solms et al., 2011).

This chapter discusses information security policies and their related documentation in more detail. Furthermore, this chapter discusses an Information Security Policy Architecture, which is a hierarchical representation of the various information security policies and related documentation of an organization. Finally, this chapter concludes by empirically revealing the extent to which the various components of an Information Security Policy Architecture have been addressed in selected literature.
4.2 Information Security Policies and Related Document ation
According to Dictionary.com (2011) , a policy is the strategy, principle, or rule that details a
definite course of action adopted for the sake of practicality, convenience, and usefulness,
intended to influence and determine present and future actions and decisions. With regard to
information security, a policy defines strategic directives set by management concerning the
protection of the organization’s information assets. The main goal of information security policies and related documentation should be to positively influence the organizati on’s end-
users with regard to information security (Doherty & Fulford, 2006; Von Solms & Von
Solms, 2004; Whitman & Mattord, 2010, pp. 117- 121).
There are a number of tangible and intangible benefits that an organization could reap if information security policies and related documentation are adequately implemented and managed within an organization. In most organizations, the quality of the information security program is largely determined by the organization’s information security policies and related documentation (Bacik, 2008, p. 4). This is because all information security endeavours within an organization begin and end with policies. Further, with information security policies and related documentation properly implemented and managed, an organization could effectively implement and manage its information security controls. This is due to the fact that information security policies and related documentation form the most fundamental information security control, which determines how other information security controls should be managed. Also, information security policies and related documentation provide a reference point for information security audits and other information security activities within an organization. With properly managed information security policies and related documentation, information security events can be controlled in a proactive rather than a reactive manner. Very importantly, information security policies and related documentation should be aimed at positively influencing end-user behaviour towards information security, thereby creating an information security culture within an organization (Bacik, 2008, pp. 4-6; Doherty & Fulford, 2006; Kadam, 2007; Peltier, 2004; Von Solms & Von Solms, 2004; Whitman & Mattord, 2010, pp. 118-122).
In some cases, organizations have a single, all-encompassing information security policy document targeted to everyone within an organization (Bacik, 2008, pp. 1-6). However, if managed as a single, all-encompassing document, information security policy documentation is most likely to be ineffective. Due to it being too broad and large, this documentation easily ends up never being read and difficult to maintain (Bacik, 2008, pp. 1-6; Whitman & Mattord, 2010, pp. 118-122). Therefore, to be effective, information security policy documentation should be hierarchically broken down into more manageable and targeted documentation, forming what can be referred to as an Information Security Policy Architecture, as discussed in the following sub-section.
4.2.1 Information Security Policy Architecture
An Information Security Policy Architecture, sometimes referred to as an Information Security Policy Framework, is a hierarchical and structural representation of all information security policies and related documentation that an organization uses (Bacik, 2008, pp. 21-30; Palmer et al., 2001; Von Solms & Von Solms, 2009, pp. 61-71). Further, an Information Security Policy Architecture shows how the various information security policies and related documentation are related to one another.
There are a number of benefits for an organization that properly manages its Information Security Policy Architecture. An Information Security Policy Architecture clearly details an organization’s strategic approach towards information security and is a reference framework for justifying the actions that an organization takes with regard to information security. A well thought out and detailed Information Security Policy Architecture can be used to show that due care and diligence has been taken in protecting the organization’s information assets. However, proving due care and diligence should not be the main objective of an Information Security Policy Architecture. The main objective should be to facilitate the achievement of business objectives as a result of improved Information Security Governance (Bacik, 2008, pp. 21-29; Von Solms & Von Solms, 2006b).
Managing an organization’s Information Security Policy Architecture should not be a one-time and absolute event, but rather should be a continuous process which changes and grows with the organization and its business requirements. This way, an organization’s Information Security Policy Architecture is most likely to facilitate the achievement of business objectives as it will remain relevant and up to date (Bacik, 2008, pp. 21-29; Von Solms & Von Solms, 2006b).
The actual components that should form an organization’s Information Security Policy
Architecture vary within the various studies in literature. Therefore, one of the objectives
of this dissertation is to argue towards the components that should constitute an
organization’s Information Security Policy Architecture. The actual components identified
are thoroughly analyzed in Chapter 6.
To be comprehensive, an organization’s Information Security Policy Architecture should consider the various types of audiences that exist within an organization in order for it to be well-accepted and adhered to (Von Solms et al., 2011). The following sub-section discusses the various types of audiences that an organization’s Information Security Policy Architecture should take into consideration.
4.2.2 Information Security Policy Architecture Audiences
To be comprehensive and effective, an organization’s Information Security Policy Architecture should be targeted to the various audiences in a manner relevant and appropriate for the specific audiences (Von Solms et al., 2011). As was briefly discussed in Chapter 2, Section 2.5, there are three types of audiences within an organization that an Information Security Policy Architecture should consider, namely, end-users, management and the technical audience (Grobler & Von Solms, 2004; Kadam, 2007; Von Solms et al., 2011). These different audiences are briefly restated in the following paragraph in relation to an Information Security Policy Architecture.
The end-user audience refers to all employees within an organization. However, it is important to identify other types of audiences besides the end-user audience as there is some policy documentation specifically relevant to only certain audiences. For example, the management audience consists of the general business executives, such as the board of directors, the CEO, and other general business executives. Management audience approval and support should be obtained in order for an organization’s Information Security Policy Architecture to be effective. Additionally, the technical audience is composed of technical personnel, including IT/security management executives and practitioners. The technical audience is basically responsible for the daily operations and maintenance of the organization’s information security initiatives (Grobler & Von Solms, 2004; Kadam, 2007; Von Solms et al., 2011).
For an organization’s Information Security Policy Architecture to be comprehensively managed, it should further be properly planned, formulated, implemented, monitored and maintained. These cyclic stages, from planning to maintenance, can be collectively referred to as the Information Security Policy Lifecycle (Tuyikeze & Pottas, 2010; Wahsheh & Alves-Foss, 2008). This cycle should cover everything that needs to be considered before, during, and after the implementation of an organization’s Information Security Policy Architecture. The following sub-section discusses the Information Security Policy Lifecycle further.
4.2.3 Information Security Policy Lifecycle
For effective and comprehensive management, an organization’s Information Security Policy Architecture should go through an Information Security Policy Lifecycle, which should consist of five phases, namely, Plan, Formulate, Implement, Monitor, and Maintain (Hong, Chi, Chao, & Tang, 2003; Kadam, 2007; Knapp, Franklin Morris Jr., Marshall, & Byrd, 2009; Palmer et al., 2001; Tuyikeze & Pottas, 2010; Wahsheh & Alves-Foss, 2008). The various stages of the Information Security Policy Lifecycle are discussed in detail below.
i. Plan
This phase of the Information Security Policy Lifecycle is concerned with everything that should be done before the various components of an Information Security Policy Architecture are actually formulated. This includes going through processes that will ensure that an organization’s Information Security Policy Architecture is relevant to the organization’s specific business objectives and risks. The first major step when planning for an Information Security Policy Architecture is attaining top management approval and support (Kadam, 2007; Tuyikeze & Pottas, 2010).
One way of attaining management approval and support is by conducting a high-level Business Impact Analysis (Kadam, 2007). According to Kadam (2007), Business Impact Analysis is one of the most effective ways for understanding the importance of information security within an organization, as well as to convince management about the importance of information security. Business Impact Analysis should commence by interviewing the management audience in order to identify the critical business processes of an organization. Then, the management audience should be interviewed in order to determine the impact on the organization should the confidentiality, integrity, or availability (CIA) of information assets for the identified business processes be compromised. The information from the Business Impact Analysis would assist in understanding business objectives and reveal how information security can be used to achieve those business objectives. Furthermore, the gathered information from the Business Impact Analysis would serve as a starting point for further processes that need to be conducted within the planning phase of the Information Security Policy Lifecycle.
After the high-level Business Impact Analysis process has laid the foundation, an organization should conduct a detailed Risk Management process (Kadam, 2007; Tuyikeze & Pottas, 2010). As was discussed in Chapter 2, Section 2.4.2, Risk Management is one of the methods for identifying information security requirements that are specific to the organization. Risk Management enables an organization to formulate an Information Security Policy Architecture relevant to the organization’s unique risks.
In practice, Risk Management should be used to identify the organization’s valuable assets and the security threats those assets are potentially faced with. Further, Risk Management should assess the vulnerabilities of the assets to the identified threats and the likelihood of those threats exploiting the identified vulnerabilities. In addition, the impact on the organization should the identified threats exploit the asset vulnerabilities should be assessed. Lastly, within the Risk Management process, action plans should be formulated into risk treatment plans to reduce risks to acceptable levels. These risk treatment plans should detail information security controls to be used in order to reduce risks (Gerber & Von Solms, 2008; ISO/IEC 27002, 2005, p. ix; ISO/IEC 27005, 2008, p. 6). Information security controls have already been discussed in Chapter 2, Section 2.8.
After the planning phase, the various components of an Information Security
Policy Architecture can then be formulated.
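The Risk Management steps described in this planning phase (valuable assets, threats, vulnerabilities, likelihood, impact, and a risk treatment plan that names controls to bring risk to an acceptable level) can be worked through as a small risk register. The following Python code is an added example; it is not from the dissertation or from any of the standards it cites. The 5-point likelihood and impact scales, the acceptable-risk level of 6, the control catalogue with its reduction values, and the four sample risks are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Added example: a minimal risk register and treatment-plan builder.
# Assumed 5-point ordinal scales (constructed, not from the dissertation):
# likelihood 1 = rare .. 5 = almost certain; impact 1 = negligible .. 5 = severe.


@dataclass(frozen=True)
class Control:
    """An information security control and how far it lowers likelihood or impact."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0

    @property
    def total_reduction(self):
        return self.likelihood_reduction + self.impact_reduction


@dataclass
class Risk:
    """One row of the risk register: a valuable asset, a threat to it, the vulnerability
    that threat could exploit, the assessed likelihood of exploitation and the impact on
    the organization (loss of confidentiality, integrity or availability of the asset)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int


def score(likelihood, impact):
    """Risk level as likelihood x impact on the assumed scales."""
    return likelihood * impact


def residual(risk, controls):
    """Likelihood and impact remaining once the given controls are applied (floored at 1)."""
    lik = max(1, risk.likelihood - sum(c.likelihood_reduction for c in controls))
    imp = max(1, risk.impact - sum(c.impact_reduction for c in controls))
    return lik, imp


def treatment_plan(risks, catalogue, acceptable):
    """Build the risk treatment plan: each risk is accepted as is, reduced by a set of
    controls that bring it within the acceptable level, or escalated to management
    when the catalogued controls cannot get it there."""
    plan = []
    for risk in risks:
        inherent = score(risk.likelihood, risk.impact)
        chosen = []
        if inherent <= acceptable:
            decision = "accept"
        else:
            # Controls applicable to this vulnerability, strongest first (greedy choice).
            candidates = sorted(catalogue.get(risk.vulnerability, []),
                                key=lambda c: c.total_reduction, reverse=True)
            for control in candidates:
                if score(*residual(risk, chosen)) <= acceptable:
                    break
                chosen.append(control)
            decision = "reduce" if score(*residual(risk, chosen)) <= acceptable else "escalate"
        lik, imp = residual(risk, chosen)
        plan.append({
            "asset": risk.asset,
            "threat": risk.threat,
            "inherent": inherent,
            "residual": score(lik, imp),
            "decision": decision,
            "controls": [c.name for c in chosen],
        })
    return plan


# Constructed catalogue of controls per vulnerability (hypothetical reduction values).
CATALOGUE = {
    "unpatched servers": [
        Control("patch management", likelihood_reduction=2),
        Control("offline backups", impact_reduction=2),
    ],
    "overly broad share permissions": [
        Control("least-privilege access review", likelihood_reduction=2),
    ],
    "no multi-factor authentication": [
        Control("multi-factor authentication", likelihood_reduction=1),
        Control("phishing awareness training", likelihood_reduction=1),
    ],
}

# Constructed risk register (hypothetical assets and assessments).
RISKS = [
    Risk("customer database", "ransomware", "unpatched servers", 4, 5),
    Risk("payroll file share", "accidental disclosure", "overly broad share permissions", 3, 3),
    Risk("public website", "defacement", "outdated CMS plugin", 2, 2),
    Risk("staff e-mail", "credential phishing", "no multi-factor authentication", 5, 4),
]

ACCEPTABLE_LEVEL = 6  # assumed risk appetite: anything above this needs treatment


def example_plan():
    return treatment_plan(RISKS, CATALOGUE, ACCEPTABLE_LEVEL)


if __name__ == "__main__":
    for entry in example_plan():
        print(entry)
```

The "escalate" outcome is the part worth noting: the phishing risk stays at 12 even after both catalogued controls, so the plan cannot silently mark it treated, and it is handed back to management for a decision (accept the residual risk, fund further controls, or change the activity), which is exactly the management-approval dependency the planning phase places first.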
ii. Formulate
After the planning has been completed, the next phase in the Information Security Policy Lifecycle should be to develop or formulate the various components of an Information Security Policy Architecture. During formulation, an organization should ensure that an Information Security Policy Architecture is relevant to the organization. Therefore, using other organizations’ policies and related documentation or templates from the Internet should be avoided. However, should such templates be used, an organization should ensure that they are tailored to fit the organization. When an organization creates its own Information Security Policy Architecture from the beginning, using best practices and standards as guidance, then the Information Security Policy Architecture is most likely to be effective and fit into the culture of an organization (Höne & Eloff, 2002a; 2002b; Verdon, 2006).
To further fit into the culture of an organization, the Information Security Policy Architecture should be targeted to specific audiences within an organization during formulation. To accomplish this, other relevant stakeholders outside of the IT/security domain, such as general business professionals and managers, should be considered for their potentially valuable input. This would ensure that the Information Security Policy Architecture is well-accepted, understood and adhered to within the whole organization (Grobler & Von Solms, 2004; Kadam, 2007; Von Solms et al., 2011).
After the various components of the Information Security Policy Architecture have
been formulated, the next phase should be to implement the Information Security Policy Architecture, as discussed next.
iii. Implement
After an Information Security Policy Architecture has been formulated, it should then be implemented into the daily operations of the organization. According to Kadam (2007), the implementation phase is extremely challenging as there will always be conflicts between the demands of security versus ease of use of the organization’s systems. Further, implementation cannot be achieved by simply enforcing the Information Security Policy Architecture. End-users’ attitudes towards information security need to be positively influenced; otherwise end-users will find ways of circumventing information security controls that are deemed to be obstacles in their daily work (Furnell & Thomson, 2009). Therefore, the implementation phase should be carefully planned, covering all types of audiences within an organization. The discussion of the implementation phase in the context of the various types of audiences within an organization follows.
• Management Audience
All information security efforts should begin with the organization’s management, who need to approve of all the various components of an Information Security Policy Architecture. In order to approve information security initiatives, management has to be convinced and shown return on security investments. In many cases, resistance from management could be as a result of the fact that a comprehensive Information Security Policy Architecture would normally require additional investments in people, processes and technology. Therefore, a cost/benefit analysis would have to be prepared to justify the expenditure involved in implementing a comprehensive Information Security Policy Architecture. One of the ways to appeal to management would be to argue that implementing controls that could prevent a security incident from occurring is less costly than having to resolve the damages to an organization should a security incident materialize. Further, management should be made aware of their ongoing role in information security within an organization. If management demonstrates visible and continuous support for information security within an organization, then the organization’s Information Security Policy Architecture is most likely to be taken seriously and accepted by the organization’s end-users (Höne & Eloff, 2002a; Kadam, 2007; Knapp et al., 2009; Tuyikeze & Pottas, 2010).
• Technical Audience
As has been stated previously, the technical audience is responsible for the management of information security initiatives within an organization. Therefore, the technical audience should ensure that the organization’s systems are configured and managed based on the Information Security Policy Architecture. With regard to the implementation of the various components of an Information Security Policy Architecture, the technical audience would already be familiar with a number of these activities. However, the technical audience would still need to be specifically trained with regard to their specific areas of roles and responsibilities. This would ensure that the technical audience has a thorough understanding of the technologies and techniques that should be used to implement an organization’s Information Security Policy Architecture (Kadam, 2007; Von Solms et al., 2011).
• End-User Audience
In order for an organization’s Information Security Policy Architecture to be properly implemented, it should be published and easily available and accessible to everyone within an organization. This can be accomplished in a number of ways, including full paper-based or electronic copies, summarizing the Information Security Policy Architecture on colourful brochures, or using the organization’s local intranet. When the intranet is used, there should be clear hyperlinks showing relationships between the various Information Security Policy Architecture components. Further, a marketing strategy could be used in order to attract end-users and make them more eager to learn and adhere to the Information Security Policy Architecture. Whichever method of dissemination is selected, it should be consistent with the organization’s culture (Höne & Eloff, 2002a; Kadam, 2007; Knapp et al., 2009; Tuyikeze & Pottas, 2010).
After the Information Security Policy Architecture has been disseminated, security education, training and awareness (SETA) programmes should be conducted. SETA programmes should be conducted to educate and train the organization’s end-users about how to adhere to the Information Security Policy Architecture. Further, SETA programmes should be conducted with the target audience in mind and customised accordingly. As stated previously, management involvement within SETA programmes is crucial as end-users would then most likely take SETA programmes more seriously (Höne & Eloff, 2002a; Kadam, 2007; Tuyikeze & Pottas, 2010).
There are multiple ways in which SETA programmes can be delivered. Some of these include formal classroom training, web-based e-learning and video-based training. Whichever form of delivery is chosen within an organization, there should be adequate interactivity required from the end-user participating in the SETA programme. This interactivity enhances the learning process that takes place during the SETA programme (Höne & Eloff, 2002a; Kadam, 2007).
After end-users have been educated and trained about the various Information Security Policy Architecture components, they should acknowledge that they have read and understood this documentation by signing it (ISO/IEC 27002, 2005, p. 7; Von Solms & Von Solms, 2009, pp. 61-71).
Lastly, within the implementation phase, the lower-level components should facilitate the implementation of the higher-level components of an organization’s Information Security Policy Architecture. For example, within the hierarchical Information Security Policy Architecture, lower-level components such as procedures should be used to implement higher-level components such as high-level policies. The exact names of the various components that should constitute an organization’s Information Security Policy Architecture are discussed in detail in Chapter 6. After the implementation phase, the next phase in the lifecycle should be to monitor and ensure that the implemented Information Security Policy Architecture is being adhered to.
iv. Monitor
It is of no use to have an Information Security Policy Architecture if it will not be adhered to. Therefore, monitoring mechanisms, both technical and administrative, should be implemented to ensure that everyone adheres to the organization’s Information Security Policy Architecture (Tuyikeze & Pottas, 2010; Von Solms et al., 2011).
To facilitate monitoring, a bottom-up approach should be followed. Monitoring should start from the Operational Level, where measurement data should be collected. This data collection can be performed via electronic means, for example, log files, firewalls, specialized software, or via methods such as interviews, inspections, and questionnaires for data which cannot be sourced electronically. Through detailed analysis, this data should be used to measure compliance at the Operational Level. In turn, this should facilitate compliance measurement at the Tactical Level and ultimately at the Strategic Level (Abu-Musa, 2010; Von Solms & Von Solms, 2006b; Von Solms et al., 2011).
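The bottom-up monitoring approach above (measurement data collected at the Operational Level, compliance measured there, then rolled up to the Tactical and Strategic Levels) can be shown on sample data. The following Python code is an added example and is not from the dissertation or its cited sources. The log line format, the mapping of controls to policies and of policies to strategic objectives, the equal-weight averaging at each roll-up, and the 80% compliance threshold are all constructed assumptions; the log lines themselves are made up for the example.

```python
import re
from collections import defaultdict

# Constructed Operational Level measurement records (not from the dissertation): one line
# per automated check of one control on one host, as a log collector might emit them.
# The last line is deliberately malformed so the parser's handling of bad input is visible.
OPERATIONAL_LOG = """\
2011-06-01T02:00:05Z host=web01 control=patch_within_sla result=pass
2011-06-01T02:00:06Z host=web02 control=patch_within_sla result=fail
2011-06-01T02:00:07Z host=db01 control=patch_within_sla result=pass
2011-06-01T02:00:08Z host=web01 control=mfa_enforced result=pass
2011-06-01T02:00:09Z host=web02 control=mfa_enforced result=pass
2011-06-01T02:00:10Z host=db01 control=mfa_enforced result=fail
2011-06-01T02:00:11Z host=db01 control=backup_restore_tested result=fail
2011-06-01T02:00:12Z host=fs01 control=backup_restore_tested result=pass
2011-06-01T02:00:13Z host=fs01 control=acl_reviewed result=pass
2011-06-01T02:00:14Z host=db01 control=acl_reviewed result=pass
malformed line that the parser must skip
"""

# Assumed hierarchy: each operational control implements one Tactical Level policy, and each
# policy serves one Strategic Level objective (hypothetical names, constructed for the example).
CONTROL_TO_POLICY = {
    "patch_within_sla": "Vulnerability Management Policy",
    "mfa_enforced": "Access Control Policy",
    "acl_reviewed": "Access Control Policy",
    "backup_restore_tested": "Business Continuity Policy",
}
POLICY_TO_OBJECTIVE = {
    "Vulnerability Management Policy": "Protect integrity of customer data",
    "Access Control Policy": "Protect confidentiality of customer data",
    "Business Continuity Policy": "Ensure availability of core services",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) control=(?P<control>\S+) result=(?P<result>pass|fail)$"
)


def parse_records(text):
    """Parse the assumed log format; lines that do not match are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def operational_compliance(records):
    """Operational Level: pass rate (0..1) per control across all measured hosts."""
    passed, total = defaultdict(int), defaultdict(int)
    for rec in records:
        total[rec["control"]] += 1
        if rec["result"] == "pass":
            passed[rec["control"]] += 1
    return {control: passed[control] / total[control] for control in total}


def roll_up(lower, mapping):
    """Average the rates of one level into the level above (equal weighting assumed)."""
    groups = defaultdict(list)
    for item, rate in lower.items():
        groups[mapping.get(item, "(unmapped)")].append(rate)
    return {key: sum(rates) / len(rates) for key, rates in groups.items()}


def compliance_report(text, threshold=0.8):
    """Bottom-up compliance measurement: operational -> tactical -> strategic."""
    operational = operational_compliance(parse_records(text))
    tactical = roll_up(operational, CONTROL_TO_POLICY)
    strategic = roll_up(tactical, POLICY_TO_OBJECTIVE)
    below = sorted(policy for policy, rate in tactical.items() if rate < threshold)
    return {
        "operational": operational,
        "tactical": tactical,
        "strategic": strategic,
        "policies_below_threshold": below,
    }


if __name__ == "__main__":
    report = compliance_report(OPERATIONAL_LOG)
    for level in ("operational", "tactical", "strategic"):
        print(level, {k: round(v, 2) for k, v in report[level].items()})
    print("policies below threshold:", report["policies_below_threshold"])
```

Two policies come out below the 80% line here, and the strategic view shows availability at 50% because a single failed restore test dominates a policy with only two measurements. That is the feedback the Maintain phase later consumes: the roll-up points at which policy (and which objective) needs attention, while the operational rates still say which concrete control on which hosts is failing.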
v. Maintain
The last stage of the Information Security Policy Lifecycle is maintaining the Information Security Policy Architecture. Based on a number of criteria, an organization’s Information Security Policy Architecture should be reviewed and updated. These criteria include the following. Firstly, feedback from the monitoring stage of the Information Security Policy Lifecycle above can be used to determine what needs to be changed in the organization’s Information Security Policy Architecture. Secondly, any recent major changes in the organization’s infrastructure or activities could necessitate changes to the organization’s Information Security Policy Architecture. Thirdly, an organization should have predetermined intervals at which the different Information Security Policy Architecture components should be reviewed and maintained. Lastly, changes in legal and regulatory requirements may also require modification of the organization’s Information Security Policy Architecture (Höne & Eloff, 2002a).
However, before making any necessary changes to an organization’s existing Information Security Policy Architecture, an organization should move through the Information Security Policy Lifecycle from the first phase and go through all the phases for that specific change. This ensures that the organization’s Information Security Policy Architecture remains relevant and grows with the organization, and that it always supports the organization’s strategic objectives.
For comprehensiveness, it is important for an Information Security Policy Architecture to be targeted to all three audiences in an organization as detailed above. Further, an organization’s Information Security Policy Architecture should be properly managed through the Information Security Policy Lifecycle as detailed above. This should be the case in both theory and practice. In practice, organizations should implement and properly manage an Information Security Policy Architecture, targeted at the different types of audiences. An Information Security Policy Architecture in practice is discussed in detail in the following chapter. In theory, information security literature should provide comprehensive solutions detailing which components should constitute an organization’s Information Security Policy Architecture, as well as how these components should be related to one another. Furthermore, there need to be comprehensive guidelines from literature concerning the management of an organization’s Information Security Policy Architecture (Von Solms et al., 2011).
However, as has already been discussed in Chapter 1 and noted by Von Solms et al. (2011), in both organizational practices and in literature, Information Security Policy Architectures have not been addressed in an adequate and comprehensive manner. Further, Von Solms et al. (2011) noted that the technical audience has been largely disregarded in past discussions about Information Security Policy Architectures. To augment these findings, a qualitative content analysis is discussed in this chapter. This qualitative content analysis investigates to what extent literature, from five major information security journals, has discussed the various components of an Information Security Policy Architecture, in relation to the different target audiences. This qualitative content analysis is discussed in the following section.
4.3 Qualitative Content Analysis
As already detailed in Chapter 1, Section 1.6.1, this study uses qualitative content analysis as one of its research methods, according to the guidelines by Krippendorff (2004). The purpose of this qualitative content analysis is two-fold. Firstly, this analysis aims to reveal to some extent the current state of research with regard to the various components of an Information Security Policy Architecture. This analysis is conducted with regard to the various audiences within an organization. Secondly, this qualitative content analysis aims to establish the relevance of the research objectives of this dissertation. The remainder of this section discusses the process followed in conducting this qualitative content analysis, as well as the results of this analysis.
4.3.1 The Process
This qualitative content analysis was conducted on five information security journals, namely, Computer Fraud & Security (2011), Computers & Security (2011), IEEE Security & Privacy (2011), Information Management & Computer Security (2011) and Information Security Journal – A Global Perspective (2011). These journals have been chosen for a number of reasons. Firstly, they all have information security as their primary focus. Secondly, these journals are well established as they have been in existence for a long time. Lastly, these journals are a combination of both academic and industry research.
In each of these journals, all articles from the year 2003 until the middle of 2011 were collected. This time period ensured an adequate amount of time was allowed to reveal trends specifically regarding the various aspects of an Information Security Policy Architecture.
From each journal, only original research articles were included, and therefore editorials, news, updates, and short discussions were excluded from the analysis. In analyzing the articles, firstly, the title of the article would be analyzed. If the title was ambiguous, then the abstract and keywords would be considered. If there still was uncertainty, then the introduction and conclusions of the article would be analyzed. If after analyzing all of the above there still was some uncertainty about the article, then the whole article would be analyzed.
In analyzing the various articles, the main aim was to identify articles that generally discuss one or more components of an Information Security Policy Architecture, for example, policies and procedures, to name a few. After this, the next step was to identify the target audience of the articles. The analysis was aimed at revealing to what extent the various audiences have been addressed individually, as well as in comparison to each other. This was accomplished by analyzing whether an article only briefly mentions the related component of an Information Security Policy Architecture, for example, mentioning that a component is vital, or whether an article went into a detailed discussion about the various components of an Information Security Policy Architecture, discussing how they should, for example, be managed.
The various components of an Information Security Policy Architecture are referred to in this qualitative content analysis exactly the way they are referred to in the individual articles. At a later stage, specifically in Chapter 6, this dissertation proposes the components that should constitute an Information Security Policy Architecture, as well as the terminology that should be used for referring to the various components and how an Information Security Policy Architecture should be managed. These propositions are mostly based on the information systematically gathered and holistically integrated from the various studies within this qualitative content analysis.
The following sub-section discusses the detailed results of the qualitative content analysis that has been conducted, as an overview of existing approaches for dealing with the various aspects and components of an Information Security Policy Architecture. This detailed overview is summarized in a sub-section thereafter.
4.3.2 Detailed Results of the Qualitative Content Analysis
Bishop (2003) argues that information security has three main components, namely, requirements, policies, and mechanisms. Requirements define information security goals, policies define how to meet the goals set while defining information security requirements, and mechanisms are used to enforce policies. In his discussion, Bishop (2003) implies the need for the existence of end-user-, management-, and technical audience-related policy documentation. However, there is no further detailed discussion with regard to this policy documentation.
Botha and Gaadingwe (2006) conducted research in pursuit of revealing the history of information security research. Their paper analyses the work published in the past 20 IFIP SEC conferences. In their analysis, Botha and Gaadingwe (2006) identified a number of topics that the published articles seemed to fall under. Amongst the identified topics, their study mentions the existence of management-related policy documentation, as well as technical-oriented policy documentation. However, no end-user-related policy documentation has been mentioned. Furthermore, this study only pointed out that articles under certain topics exist, but gave no further details of what exactly the various articles discuss.
Chipperfield and Furnell (2010) conducted a study aimed at providing ways of improving end-user adherence to policies. They concluded that awareness programs should be conducted in a targeted manner, specific to different end-user personalities, shaped to fit their role, level of interest, and the ways the different end-users feel comfortable in engaging. Then, they argued that verification mechanisms should be implemented to ensure that the right messages have been sent, are correctly understood by the end-users and are having the desired effect. However, their study did not discuss the actual policies themselves in any detail or, for example, how they should be managed. This study only focuses on increasing end-user adherence to, assumedly, already well-managed policies. In addition, this study does not consider the management and technical audiences, but only the end-user audience.
Dlamini et al. (2009) undertook a study which was aimed at revealing the history of information security and its current state, as well as predicting the future of information security. In its discussion, this study analyzed articles published in four major information security journals between the years 2005 and 2006. These journals include Computers & Security, Computer Fraud & Security, IEEE Security & Privacy and Information Management & Computer Security. In addition to these, the 2006 Computer Security Institute/Federal Bureau of Investigation (CSI/FBI) report, as well as the 2006 SANS Institute report, were both analyzed. However, among all the different topics identified in their analysis, there was no explicit topic related to any of the various components of an Information Security Policy Architecture. As a result, in the summative table that is presented later in this chapter in Table 4.1, there is purposefully no input for this study. This study has been included in this analysis purely to illustrate the lack of literature studies with regard to information security policies and related documentation.
Doherty and Fulford (2006) argued towards the need for aligning the information security policy with the strategic information systems plan. In their discussion about information security policies, Doherty and Fulford (2006) implied the need for the existence of policy documentation targeted to all three audiences within an organization. However, no further details have been given with regard to these policies, other than how they should be aligned with the strategic information systems plan.
Eloff and Eloff (2005) argue towards an effective Information Security Architecture, which defines the components that should constitute an organization’s overall information security strategy. They concluded that an Information Security Architecture should meet the following requirements to be effective: it should be holistic and all-encompassing; it should include a detailed information security Risk Management plan; it should synchronize all controls; it should follow a life-cycle approach; and it should be measurable. With regard to the Information Security Architecture being holistic and all-encompassing, Eloff and Eloff (2005) advise, among other things, the inclusion of an information security policy and other related policies. However, there is no detailed discussion about the information security policy and other related policies mentioned. Furthermore, the mentioned information security policy and other related policies are seemingly targeted only to the end-user and management audiences.
Fulford and Doherty (2003) explored the uptake, content, dissemination and impact of information security policies in large UK-based organizations. This study empirically explored the following issues with regard to information security policies. Firstly, the prevalence and updating of information security policies within large UK-based organizations was investigated. Secondly, methods used to disseminate information security policies to the employees of the various organizations were explored. Thirdly, the coverage of the information security policies was reviewed. Fourthly, factors that impact the successful implementation of the information security policies were identified. However, this study has two limitations. Firstly, this study only focused on UK-based organizations and generalization of the results has not been argued. Secondly, this study is an exploratory study, only aimed at revealing how organizations manage their information security policies. As such, this study does not give any explicit solutions to the problems identified in how organizations currently manage their information security policies. As a result, Fulford and Doherty (2003) suggested that future studies should focus in detail on how information security policies should be managed, including how they should be formulated, implemented, and evaluated.
Furnell (2006) presented a study aimed at reducing the insider threat to information security. He argued that, to some extent, the insider threat is due to misinformed end-users, and therefore that there should be adequate security training and awareness programs that promote adherence to information security policies. Undoubtedly, the deliberate, malicious insider threat still exists. However, according to Furnell (2006), even malicious end-users can change their behaviour if they see that information security policies are clearly promoted and that colleagues are following them, because in an organization with a secure culture, malicious users might conclude that their actions are likely to be identified. Furnell's (2006) study therefore focused only on information security policy adherence by end-users.
Gupta and Hammond (2005) gathered information about IT-related security issues in small organizations. Their results indicated that small organizations may have information security policies and related documentation (for example, procedures) in place, but that these are not effectively implemented and do not work as well as they could. However, this study is also exploratory, aimed only at revealing how small organizations manage their information security policy documentation. It does not offer solutions to the identified problem of organizations not effectively managing their information security policy documentation.
Hagen, Albrechtsen, and Hovden (2008) explored the implementation of organizational information security measures and the effectiveness of such measures. Their study revealed that information security policy documentation measures are the most commonly implemented measures in their sample of organizations, yet the least effective of the information security measures identified in that sample. Like some of the studies above, this is an exploratory study, aimed only at revealing how organizations implement their information security policy documentation measures, among other measures, and to what extent these measures are effective. Therefore, the study identifies the problem but does not provide any concrete solutions to it.
Due to the lack of a theoretical framework for information security management, Hong et al. (2003) presented an integrated systems theoretical framework. Their framework seems to address aspects that involve all three audiences within an organization. Further, the framework integrates a number of theories, including security policy theory, Risk Management theory, control and auditing theory, management systems theory, and contingency theory. With regard to security policy theory, Hong et al. (2003) argued that information security policy documentation should go through the following lifecycle: planning, drafting, implementation, and reviewing. However, in their framework, Hong et al. (2003) do not discuss how these lifecycle phases should be carried out.
Thereafter, Hong, Chi, Chao, and Tang (2006) presented an empirical study targeted at the management audience with regard to a managerial information security policy, which can be equated to the Corporate Information Security Policy. Firstly, their study determined the major factors that play a role in organizations implementing a managerial information security policy. Secondly, it determined the degree to which the level of information security was elevated in organizations implementing such a policy. As a result, the factors contributing to the success of an information security policy were identified, and the authors concluded that adequately managing an information security policy could elevate the level of information security in an organization. Further, Hong et al. (2006) discussed the management of an information security policy in detail. However, this study only considers the management audience and disregards the end-user and technical audiences with regard to information security policy documentation.
Hughes and Stanton (2006) focused on how an organization should ensure that information security policy documentation is accepted and adhered to. However, their study targeted only the end-user and management audiences, completely disregarding the technical audience. Further, their study briefly mentioned how policy adherence by end-users should be monitored and how the success of those policies can be measured, but gave no details on how the actual policy documentation should be managed.
Due to the emergence of mobile devices, Hunter (2007) conducted a study to determine whether there is a need for a mobile security policy. He concluded that, due to the extra dimension of complexity that mobility introduces, a major revision of an organization's Information Security Policy Architecture could be required. However, Hunter (2007) states that at a deeper technical level nothing would fundamentally change as a result of mobility, and therefore existing methods for information security could still be used. Seemingly, this study would be of interest to the technical audience, as it only determines whether a mobile security policy is necessary.
Kadam (2007) introduced comprehensive guidelines focused on the development and implementation of an Information Security Policy Architecture for all target audiences within an organization. Kadam (2007) detailed how planning should be conducted before an Information Security Policy Architecture can be formulated, and discussed what should be taken into consideration when formulating the various components of an organization's Information Security Policy Architecture. However, the discussion of how an Information Security Policy Architecture should be formulated was not comprehensive. Further, Kadam (2007) discussed in detail how the various components of an Information Security Policy Architecture should be implemented. Surprisingly, however, he did not discuss how, after implementation, an organization's Information Security Policy Architecture should be monitored and maintained. That being said, amongst all the studies identified in this qualitative content analysis, the study by Kadam (2007) was one of the few with research objectives closely aligned with those of this dissertation. As a result, a number of suggestions from Kadam's study have been used in the solution part of this dissertation, together with different and new contributions, in pursuit of a holistic solution towards a comprehensive Information Security Policy Architecture.
Karyda et al. (2005) conducted a study concerning the proper implementation of information security policy documentation in organizations. They explored the processes of formulating, implementing and adopting information security policy documentation. However, their study does not discuss the maintenance of information security policy documentation. Furthermore, within the various stages of their discussion, Karyda et al. (2005) focus more on what should be done, and less on how it should be done or what must be considered in doing so. For example, with regard to policy formulation, one of their activities is "compile the security policy document" and another is "write the security procedures"; how exactly this should be done, and what needs to be considered in doing so, is not discussed. Further, their study is based on information security policy documentation targeted at the end-user and management audiences, once again disregarding the technical audience.
Based on primary data from a wide variety of highly qualified information security professionals, Knapp et al. (2009) developed a comprehensive information security policy process model. This model is aimed at assisting organizations in properly managing their information security policy documentation in order to enhance Information Security Governance. As its main element, the model consists of nine policy management phases: Risk Management, policy development, policy approval, policy awareness and training, policy implementation, monitoring, policy enforcement, policy review and policy retirement. Further, the model includes both internal and external factors that influence the overall management of information security policy documentation. Internal factors include management support, business objectives, organizational culture, technology architecture and internal threats. External factors include technology advances, economic sector, industry standards, legal and regulatory requirements and external threats. Lastly, the model consists of two broad categories: the overarching Information Security Governance, and the Organization Information Security Office, which houses the practitioner actually responsible for policy management. However, this study has two limitations. Firstly, it is targeted at the end-user and management audiences, disregarding the technical audience. Secondly, like most of the studies detailed above, it focuses only on what should be done and not on how, or on what should be taken into consideration when doing so. For example, the study only states that "policy implementation" should be one of the processes conducted when managing information security policy documentation; exactly how this should be done, or what should be considered when implementing information security policy documentation, is not discussed.
Knapp et al. (2006) provided empirical evidence suggesting that management support directly and positively influences policy enforcement and adherence, and therefore instils a secure culture within an organization. Their study, however, does not discuss information security policies in detail, as it focuses only on how management support influences policy adherence. Once again, their study mentions only the end-user and management related aspects of information security policies, with no mention of aspects related to the technical audience.
Kraemer et al. (2009) suggest that human and organizational factors play a major role in the identification of information security vulnerabilities. Further, Kraemer et al. (2009) revealed the complex relationships that exist among the various human and organizational factors. These factors are categorized into nine areas, including external influences, human error, management, organization, performance and resource management, technology, training, and policy issues. Policy issues include policy overload, poor quality of policy documentation, lack of policy specification, policies not being updated, policy purpose not being documented, lack of policy writing expertise, lack of policy evaluation, lack of policy accountability, policies not being easily accessible to end-users, and policies not being adhered to within an organization. However, this study only identified these policy issues and does not suggest any possible solutions to address them. Further, it only refers to policy issues related to the end-user and management audiences, with no reference to the technical audience.
Kritzinger and Smith (2008) presented a model to enhance information security awareness amongst an organization's employees, spanning all three types of information security audiences. Their model consists of a number of components to be addressed, one being the non-technical information security issues, one of which is information security policies. The study briefly mentions what should be done when managing information security policies, but does not address exactly how, or what should be considered when doing so. For example, the authors encourage organizations to "design and implement the information security policy". However, how this should be done, or what should be considered when designing and implementing an information security policy, is not discussed, as that was "outside the scope of the study" (Kritzinger & Smith, 2008).
Malin (2007) proposes a technical architecture aimed at enforcing information security policies through technical mechanisms. Specifically, his study discussed how network infrastructure devices could add layers of defence by detecting and preventing malicious activity within the network infrastructure. In essence, this study should be of interest to the technical audience, as it only discusses the technical aspects of enforcing information security policies. Unfortunately, it focuses only on enforcement, ignoring the other aspects of information security policies.
Mason (2003) describes information security as a continuous process that, to be effective, needs a comprehensive approach. For such an approach, he proposes that the first step should be to identify the organization's assets to be protected. Secondly, he states that protective measures should be implemented, spanning such discrete areas as the people using the system, physical security, and computer systems security, ensuring adherence to relevant information security best practices and standards. Thirdly, Mason (2003) states that policies and procedures should be implemented, and that everyone in an organization, including management, should be educated to adhere to them. Lastly, he argues that technical solutions should be implemented by the technical audience based on the information security policies and procedures. However, Mason (2003) does not discuss information security policies and procedures in detail; he only mentions that they should exist.
Peltier (2004) discussed the need for information security policies and stated that they should form part of the organization's overall policy structure. Further, he proposed the various high-level information security policies that should exist in an organization and briefly described what each should cover. He proposed that information security policies should cover the following topics: employment practices, employee standards of conduct, conflicts of interest, performance management, employee discipline, information security, corporate communications, procurement and contracts, records management, asset classification, workplace security, and business continuity planning. However, Peltier (2004) focused only on high-level information security policies targeted at the end-user and management audiences, disregarding the technical audience. Further, he does not discuss in detail how these various information security policies should be managed, but rather that they should exist.
Ravenel (2006) offered practical advice on how to measure operational information security metrics. Relevant to this dissertation, he gives advice on how to measure systems misconfigurations and policy violations. From a systems misconfiguration standpoint, an effective metric would be, for example, the number of misconfigured devices discovered by network scanners. From a policy violations standpoint, an effective metric would be derived by collecting data from network scanners and mapping that data to technical tests for policy compliance. Ravenel (2006) argues that policy aspects that cannot be measured electronically need people to intervene manually and to use inspection, interviews or questionnaires to source measurement data. He further states that examples of measurement data that are difficult to source electronically include reviewing policies, checking the integrity of a backup system, or determining how users feel about information security policy documentation. After all measurement has been conducted, he argues that the measurement data should be used to justify needed information security budget and initiatives. Therefore, Ravenel (2006) aims to facilitate policy compliance monitoring and reporting by providing ways of measuring the success of policies, which is a very important aspect of policy management. However, his study does not discuss other policy management aspects, for example policy development. Specifically, his study would be of interest to the technical audience.
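As an added example (not part of the dissertation, and not Ravenel's own code), the following Python script shows what mapping scanner data to technical policy-compliance tests looks like in practice. It takes a handful of constructed scanner records, runs each electronically testable policy clause against every device, and derives the two metrics described above: the number of misconfigured devices, and policy violations counted per clause. Clauses that have no technical test (backup integrity, how users feel about the policy) are reported separately as needing manual measurement. The host addresses, the scanner record layout and the policy clause identifiers (NET-01 and so on) are constructed for illustration and do not come from any real policy or scanner.

```python
"""Compliance metrics from scanner data, in the spirit of Ravenel (2006).

Added example, not code from the dissertation or from Ravenel. The policy
clause identifiers (NET-01, CRY-02, ...), the host addresses and the scanner
record layout are all constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed, normalised scanner records (one per device). A real feed would be
# an export from a network or vulnerability scanner; the field names here are an
# assumption of this example.
SCAN_RESULTS: List[dict] = [
    {"host": "10.0.1.10", "open_ports": [22, 443], "ssh_protocols": ["2"],
     "tls_versions": ["TLSv1.2", "TLSv1.3"], "snmp_communities": []},
    {"host": "10.0.1.11", "open_ports": [23, 161], "ssh_protocols": [],
     "tls_versions": [], "snmp_communities": ["public"]},
    {"host": "10.0.1.12", "open_ports": [22, 443], "ssh_protocols": ["1", "2"],
     "tls_versions": ["TLSv1.0", "TLSv1.2"], "snmp_communities": []},
    {"host": "10.0.1.13", "open_ports": [443], "ssh_protocols": [],
     "tls_versions": ["TLSv1.2"], "snmp_communities": []},
]

DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


@dataclass
class PolicyClause:
    """One requirement from a hypothetical technical security policy."""
    clause_id: str
    text: str
    # Technical test mapped to the clause. None means the clause can only be
    # measured manually (inspection, interview, questionnaire).
    test: Optional[Callable[[dict], List[str]]] = None


def check_no_cleartext_management(host: dict) -> List[str]:
    """Flag cleartext or default-community management channels on a device."""
    findings = []
    if 23 in host["open_ports"]:
        findings.append("telnet (23/tcp) reachable")
    for community in host["snmp_communities"]:
        if community in DEFAULT_SNMP_COMMUNITIES:
            findings.append(f"SNMP answers to default community '{community}'")
    return findings


def check_no_ssh_v1(host: dict) -> List[str]:
    """Flag devices still offering SSH protocol version 1."""
    return ["SSH protocol 1 enabled"] if "1" in host["ssh_protocols"] else []


def check_tls_minimum(host: dict) -> List[str]:
    """Flag TLS endpoints that still offer a version below TLS 1.2."""
    return [f"{v} offered" for v in host["tls_versions"] if v in WEAK_TLS]


# Hypothetical policy clauses; the first three are electronically testable.
POLICY_CLAUSES: List[PolicyClause] = [
    PolicyClause("NET-01", "Management access only over encrypted, authenticated channels",
                 check_no_cleartext_management),
    PolicyClause("CRY-02", "SSH protocol version 1 must be disabled", check_no_ssh_v1),
    PolicyClause("CRY-03", "TLS endpoints must offer TLS 1.2 or later only", check_tls_minimum),
    PolicyClause("BCK-05", "Backup integrity is verified by a restore test each quarter"),
    PolicyClause("AWR-07", "Staff understand and accept the information security policy"),
]


def evaluate(scan_results: List[dict], clauses: List[PolicyClause]) -> Dict:
    """Run every electronically testable clause over every scanned device.

    Returns the misconfigured-device count and ratio, violations counted per
    clause, the findings per host, and the clauses that still need manual
    measurement.
    """
    per_host: Dict[str, List[tuple]] = {}
    violations: Counter = Counter()
    for host in scan_results:
        host_findings = []
        for clause in clauses:
            if clause.test is None:
                continue  # not measurable from scanner data
            for finding in clause.test(host):
                host_findings.append((clause.clause_id, finding))
                violations[clause.clause_id] += 1
        per_host[host["host"]] = host_findings
    misconfigured = sum(1 for findings in per_host.values() if findings)
    return {
        "per_host": per_host,
        "misconfigured_devices": misconfigured,
        "misconfigured_ratio": misconfigured / len(scan_results) if scan_results else 0.0,
        "violations_by_clause": dict(violations),
        "manual_clauses": [c.clause_id for c in clauses if c.test is None],
    }


if __name__ == "__main__":
    result = evaluate(SCAN_RESULTS, POLICY_CLAUSES)
    print(f"misconfigured devices: {result['misconfigured_devices']}/{len(SCAN_RESULTS)}")
    for clause_id, count in sorted(result["violations_by_clause"].items()):
        print(f"  {clause_id}: {count} violation(s)")
    for host, findings in result["per_host"].items():
        for clause_id, finding in findings:
            print(f"  {host}  {clause_id}  {finding}")
    print("needs manual measurement:", ", ".join(result["manual_clauses"]))
```

The design point is the explicit mapping from each policy clause to a technical test: a finding is only ever reported against a clause, so the violation count can be traced back to the policy it breaches, and clauses with no test are surfaced rather than silently counted as compliant. That is the boundary Ravenel draws between what scanners can measure and what needs inspection or interviews.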
Ruighaver, Maynard, and Warren (2010) investigated a certain type of information security policy specifically targeted at the end-user audience, referred to as acceptable use policies, and proposed an alternative way of improving their management. Acceptable use policies are policies targeted at end-users, detailing what is and is not acceptable when using the organization's systems. Ruighaver et al. (2010) propose ethical decision making as an alternative basis for end-users to adhere to acceptable use policies, rather than end-users traditionally being expected to follow them blindly. As acceptable use policies cannot cover everything, Ruighaver et al. (2010) advise that end-users make ethical judgements when taking decisions that could endanger the organization's security. In doing so, they concluded, the usability and suitability of acceptable use policies would be positively affected. However, this study is targeted only at the end-user audience.
Sinclair and Smith (2010) discussed the challenges that negatively impact effective access control in organizations. Among these challenges are wrong assumptions made by the organization's technical audience with regard to information security policies. Sinclair and Smith (2010) further discuss the problems in the management of information security policies that negatively impact access control in an organization. However, their discussion is targeted only at the technical audience. Further, it is not comprehensive, as it only briefly mentions the identified problems with information security policies and provides no solutions to them.
Tsoumas and Tryfonas (2004) conducted a study specifically targeted at the technical audience. Their study is aimed at reducing the burden that the technical audience encounters when implementing and managing information security policy documentation at the lowest technical levels. Tsoumas and Tryfonas (2004) proposed an architecture for a policy automation software tool that, based on the high-level policy requirements, would create and implement the relevant low-level technical configurations. However, this study focuses only on technical audience policy documentation, disregarding end-user and management audience policy documentation.
Verdon (2006) raises awareness that software developers should incorporate information security into systems development by ensuring alignment and adherence to information security policies. Further, Verdon (2006) briefly discusses the various types of information security policies that should be considered during systems development, covering information security policies targeted at all three audiences in an organization. The policies he mentions include a corporate security policy, acceptable use policy, privacy policy, email policy, information systems security policy, network security policy, secure application development policy, incident management policy and data classification policy. Verdon (2006) also mentioned that policies should be reasonable, understandable, and practicable, with very few exceptions. However, Verdon (2006) does not discuss the management of the various information security policies in detail.
Von Solms and Von Solms (2004) presented a study aimed at assisting organizations in improving their security culture. They argued that before a security culture can manifest in an organization, information security policies must exist and be properly managed. Further, they state that proper end-user awareness and education programs should be conducted regularly to assist end-users in adhering to information security policies. However, Von Solms and Von Solms (2004) do not discuss the various information security policies that should exist in an organization, nor how information security policies should be managed. Also, their study is focused only on the end-user and management audiences, with no specific reference to the technical audience.
Von Solms and Von Solms (2006b) argued for an Information Security Governance model based on the direct-control cycle of Corporate Governance. This direct-control cycle spans all three management levels within an organization, namely the Strategic Level, Tactical Level and Operational Level. In their model, the direct part refers to the issuing of directives or instructions by the organization's management, giving the whole organization a strategic direction towards information security. The control part refers to ensuring that management directives are being adhered to. Von Solms and Von Solms (2006b) detailed that management directives are normally issued in the form of information security policy documentation, organized in an Information Security Policy Architecture, and that this policy documentation should be targeted at all three audiences within an organization. However, in their study they only suggest what should be done with regard to an Information Security Policy Architecture to facilitate Information Security Governance, but do not discuss how exactly this should be accomplished.
Wiant (2005) evaluated whether having an information security policy at a hospital affects the reporting of security incidents involving computer abuse, as well as the seriousness of such incidents. Wiant (2005) concluded that hospitals with an information security policy have generally experienced fewer security incidents than those without one. However, this study does not discuss information security policies in any detail, as it focuses only on how they affect incident reporting and the seriousness of those incidents. Further, it considers only security incidents arising from end-users' interactions with information security policies, and disregards the management and technical audiences' involvement with information security policies.
Lastly, Zhang et al. (2009) conducted a study that aims to reveal to what extent perceived technical security protection affects end-user behaviour, specifically end-user compliance with information security policies. Their results suggest that both attitude and perceived technical protection directly and indirectly affect end-users' willingness to comply with information security policies. As a result, Zhang et al. (2009) suggest that during awareness programs the capabilities of technical mechanisms should not be exaggerated; rather, the limitations of these technical mechanisms should be emphasized. However, this study focuses only on end-user related policy documentation, with no specific mention of the management and technical audience related aspects of information security policies. In addition, it does not discuss information security policies in any detail, as it is mainly focused on end-users' willingness to comply with them.
Therefore, as can be seen from the detailed qualitative content analysis above, the various aspects and components of an Information Security Policy Architecture have not been adequately and comprehensively addressed in the current relevant literature. A number of studies do not discuss an Information Security Policy Architecture in detail, nor in relation to all the audiences that should be taken into consideration, especially the technical audience. A summary of this qualitative content analysis is presented in the following sub-section.
4.3.3 Summary of the Qualitative Content Analysis Results
A summary of the results of the qualitative content analysis detailed above is presented in Table 4.1 below. For each study, an X marks whether the end-user related, management related and technical audience related components are merely mentioned (Mention) or discussed in detail (Detail).

Study | End-user related components: Mention, Detail | Management related components: Mention, Detail | Technical audience components: Mention, Detail
Bishop (2003) X X X
Botha and Gaadingwe (2006) X X
Chipperfield and Furnell (2010) X
Dlamini et al. (2009)
Doherty and Fulford (2006) X X X
Eloff and Eloff (2005) X X
Fulford and Doherty (2003) X X X
Furnell (2006) X
Gupta and Hammond (2005) X X X
Hagen et al. (2008) X X X
Hong et al. (2003) X X X
Hong et al. (2006) X X
Hughes and Stanton (2006) X X
Hunter (2007) X
Kadam (2007) X X X X X X
Karyda et al. (2005) X X X X
Knapp et al. (2009) X X X X
Knapp et al. (2006) X X
Kraemer et al. (2009) X X
Kritzinger and Smith (2008) X X X
Malin (2007) X
Mason (2003) X X X
Peltier (2004) X X
Ravenel (2006) X X
Ruighaver et al. (2010) X X
Sinclair and Smith (2010) X
Tsoumas and Tryfonas (2004) X X
Verdon (2006) X X X
Von Solms and Von Solms (2004) X X
Von Solms and Von Solms (2006b) X X X
Wiant (2005) X
Zhang et al. (2009) X
Table 4.1: Summary of qualitative content analysis results
The five information security journals used for this qualitative content analysis have a combined total of 2398 research articles from 2003 to mid-2011. From this pool, only 32 articles (about 1.3%) directly dealt with the Information Security Policy Architecture components relevant to this dissertation, and were therefore included in the analysis, as shown in Table 4.1 above. These articles were categorized according to the audience targeted, among the end-user, management and technical audiences. A summary of topic coverage is detailed in Table 4.2 below.
Topic evaluated | Number of sources (of 32) | Percentage of total
A brief mention of end-user related components | 24 | 75%
A detailed discussion of end-user related components | 4 | 12.5%
A brief mention of management related components | 21 | 65.6%
A detailed discussion of management related components | 4 | 12.5%
A brief mention of technical audience related components | 17 | 53.1%
A detailed discussion of technical audience related components | 3 | 9.4%
Table 4.2: Topic coverage of the various studies
As can be seen in Table 4.2 above, even within the small pool of relevant studies there is a lack of coverage of the various aspects and components of an Information Security Policy Architecture targeting the various audiences. Among the audiences, the technical audience seems to be the most neglected. This could be caused by the misconception that the technical audience should already be acquainted with what is required of them regarding information security. However, this dissertation argues for the need for detailed documentation targeted at the technical audience, and for the necessity of including this technical documentation in an organization's Information Security Policy Architecture, even though the technical audience might be familiar with what is required of them. There are a number of reasons for documentation specifically targeted at the technical audience. Firstly, it facilitates standardization, which ensures uniformity in managing the organization's systems. Secondly, the possibility of misalignment between IT/security objectives and strategic business objectives would be largely avoided. Thirdly, without documentation targeted at the technical audience, managing the organization's systems would be complex and time-consuming and could waste a lot of resources. Further, should the current technical personnel leave the organization, the new technical personnel would effectively have to 're-invent the wheel'. Therefore, without properly managed technical audience related documentation, it would be difficult for an organization to claim full control at the Operational Level, and therefore at all management levels, which would negatively impact Information Security Governance (Von Solms et al., 2011).
However, as can be seen from the tables above, the various aspects and components of an Information Security Policy Architecture targeted at all audiences, not only the technical audience, have generally not been comprehensively addressed by the studies reviewed. Therefore, there is still a need for studies that comprehensively define the various aspects and components of an Information Security Policy Architecture, targeting all types of audiences within an organization.
In conclusion, there were two main objectives for this qualitative content analysis. Firstly, the analysis aimed to determine the extent to which Information Security Policy Architectures have been addressed in the literature. Secondly, it aimed to establish the relevance of the research objectives of this study as outlined in Chapter 1, Section 1.4. How these two objectives have been achieved in this chapter is discussed in the following concluding section.
4.4 Conclusion
As noted in this chapter, an Information Security Policy Architecture is the foundation for an organization's information security initiatives. Without a comprehensive, properly targeted and properly managed Information Security Policy Architecture, an organization's information security initiatives are likely to be ineffective. This is because a properly managed Information Security Policy Architecture could assist in facilitating Information Security Governance within an organization.
With regard to the various aspects and components of an Information Security Policy Architecture, a qualitative content analysis was conducted in this chapter to establish the necessity and relevance of some of the objectives of this dissertation. The analysis has established the relevance of the primary objective of this dissertation, which is to define a holistic framework that encompasses all components of an Information Security Policy Architecture and highlights the relationships between these components. In support of this primary objective, the following secondary research objectives outlined in Chapter 1, Section 1.4 have been achieved in this chapter. Firstly, one secondary objective was to define an Information Security Policy Architecture and its importance; this was achieved in Section 4.2.1. Secondly, a further secondary objective was to define the complete lifecycle that an organization's Information Security Policy Architecture should undergo to ensure proper management; this was achieved in Section 4.2.3. Further, it can be argued that the remaining secondary research objectives, namely (1) to identify the various components that should constitute an organization's Information Security Policy Architecture, and (2) to identify the relationships that should exist between the identified components, are a natural extension of the research objectives discussed above and are necessary to achieve the primary research objective of this dissertation. These remaining secondary objectives are addressed in Chapter 6.
In conclusion, even though the individual studies of the various aspects and components of an Information Security Policy Architecture are not fully comprehensive with regard to all types of audiences, when systematically integrated, they could form comprehensive guidelines. As a result, this dissertation integrates these existing but isolated guidelines to propose a holistic framework for a comprehensive Information Security Policy Architecture. This framework is proposed in Chapter 6.
However, before proposing the framework for a comprehensive Information Security Policy Architecture, it is necessary to first investigate how an Information Security Policy Architecture is practically addressed in the real world. As a result, the following chapter conducts a case study to determine how, in one organization, the various aspects and components of an Information Security Policy Architecture are addressed.
Chapter 5: Policies in Practice – Case Study
5.1 Introduction
In Chapter 3, Section 3.4, it has been discussed that due to the critical nature of the organization’s information assets, information security should be implemented in the most effective manner, which was argued to be through Information Security Governance. Information Security Governance has been described as the strategic system by which the organization’s information security initiatives are directed and controlled. Most importantly, it was noted in Chapter 4, Section 4.2 that directing and controlling should be facilitated through the organization’s Information Security Policy Architecture. An Information Security Policy Architecture represents the hierarchical structure of the organization’s complete IT/security policy documentation. When directing, management directives should be documented and represented in an organization’s Information Security Policy Architecture. Further, controlling should ensure that the organization’s Information Security Policy Architecture is adhered to (Von Solms & Von Solms, 2006b; Von Solms et al., 2011).
However, from the qualitative content analysis conducted in Chapter 4, Section 4.3, together with other general literature studies, it was noted that there are certain deficiencies with regard to some aspects of an Information Security Policy Architecture. Firstly, it was found that within the various studies, their proposed Information Security Policy Architectures are not fully comprehensive, as they do not have all components deemed necessary by this research. Secondly, the management of an Information Security Policy Architecture was not discussed comprehensively.
However, since these findings were gathered through secondary data, there was a need to corroborate these findings through primary data gathering. Moreover, valuable lessons could be learnt from such primary data, which could further aid in justifying the need for enhancing Information Security Policy Architectures. Therefore, a case study was conducted to determine the comprehensiveness, as well as the management of a certain organization’s Information Security Policy Architecture. This chapter presents such a case study, starting with the description of the process followed in conducting the case study, as discussed in the following section.
5.2 The Process
As detailed in Chapter 1, Section 1.6.1, a case study was conducted in this research study according to guidelines by Yin (2003). This was a single-case study aimed at exploring the various components that exist in one organization’s Information Security Policy Architecture, and how these are managed within the organization. This case study was conducted with the purpose of learning how an Information Security Policy Architecture is managed in practice, and for identifying points for further improvement. For confidentiality purposes, the true name of the organization that was used in conducting the case study will not be used. Instead, the organization will be referred to as Organization-X throughout this chapter.
Within the conducted case study, multiple methods were used for gathering the required data. Firstly, documentation was used for data collection. The required documentation was gathered from the local intranet of Organization-X, with the help of key personnel from the organization who helped in facilitating the whole case study. Key personnel included some members of the IT/security technical audience of Organization-X, who are responsible for the daily operations and maintenance of the organization’s IT systems. Secondly, focused interviews, as has been defined in Chapter 1, Section 1.6.1, were used as another method for gathering data. After the required documentation was collected, the technical audience was interviewed for explanations of any issues identified when analyzing the documentation. At times, these interviews would be followed by email correspondence for further clarification. After all the necessary data was collected, triangulation, as defined in Chapter 1, Section 1.6.1, was used to consolidate the results. Using multiple data gathering methods and triangulating the results improved the reliability of the results of this case study (Yin, 2003, p. 85).
The rest of this chapter reports on the case study that was conducted, starting with a brief description of the background of the organization that was used in this case study, as outlined in the following section.
5.3 Company Profile
Organization-X is a large public tertiary institution in South Africa. Organization-X is the result of an amalgamation between three previously well-established tertiary institutions, which took place within the past decade. As a result of the amalgamation, Organization-X has approximately 25 000 students and approximately 2 500 staff members, based on seven campuses. Organization-X also has a total number of approximately 5 000 computers and laptops in support of both students and staff.
Organization-X is committed to the vision of striving to be a dynamic African University, recognized for its leadership in generating cutting-edge knowledge for a sustainable future. They offer a diverse range of quality educational opportunities that are aimed at making a critical and constructive contribution to regional, national and global sustainability. Their values include respect for diversity, excellence, ubuntu, integrity, respect for the natural environment, and taking responsibility.
5.4 Organizational Policy Architecture
For the purpose of this research, organizational policy architecture refers to the overall structure representing all the various policies and related documentation that an organization has in existence, going beyond just IT/security policy documentation. Documentation found on the local intranet of Organization-X was used to gather the various components that form the overall organizational policy architecture of Organization-X.
The overall policy architecture of Organization-X is divided into nine broad categories, within which further lower-level categories exist. Within the various lower-level categories, the various policies and related documentation are situated. The nine broad categories within the overall policy architecture of Organization-X include the following:
1. Governance and management;
2. Student governance;
3. Academic;
4. Research, innovation and engagement;
5. Finance;
6. Human resources;
7. Organizational transformation and equity;
8. Marketing, media and corporate relations; and
9. Facilities and services.
In the above broad categories, the only category that is relevant to this study is the facilities and services. Within the facilities and services category, there are five sub-categories, of which only one of them is relevant to this study. These sub-categories include:
1. Library and information services;
2. Reprographic services;
3. Facilities management;
4. Health and safety management and services; and
5. Information and communication technology (ICT).
In the above sub-categories, only the ICT sub-category is relevant to this study. This sub-category represents the Information Security Policy Architecture of Organization-X, and is detailed in the following section.
5.5 Information Security Policy Architecture
As it has already been discussed in Chapter 4, Section 4.2.1, an Information Security Policy Architecture is a hierarchical representation of all the organization’s information security policies and related documentation (Bacik, 2008; Von Solms & Von Solms, 2009, Chapter 6). The various components that constitute the Information Security Policy Architecture of Organization-X are discussed in the following sub-section.
5.5.1 Components of the Information Security Policy Architecture
Documentation found on the local intranet of Organization-X was used to gather the various components that form the Information Security Policy Architecture of Organization-X. The various components that constitute the Information Security Policy Architecture of Organization-X have been grouped into three categories that are in different levels. At the highest level, there are IT/security policies, at the mid-level, there are IT/security guidelines and lastly, at the lowest level, there are IT/security procedures. IT/security policies, guidelines, and procedures that constitute the Information Security Policy Architecture of Organization-X are listed below.
IT/security policies include the following:
1. General ICT policy and principles;
2. ICT remote access policy;
3. ICT – electronic mail (email) policy;
4. Web services policy;
5. ICT security policy;
6. ICT procurement policy;
7. ICT telecommunication policy;
8. ICT Internet access policy;
9. Audiovisual equipment policy;
10. SMS communication policy; and
11. Printing and imaging policy.
IT/security guidelines include the following:
1. Asset classification and control;
2. Personnel security;
3. Physical and environmental security;
4. Communications and operations management;
5. Access control;
6. Systems development and maintenance;
7. Business continuity management;
8. Compliance; and
9. Security organization.
IT/security procedures include the following:
1. How to enable file and folder auditing;
2. How to encrypt folders and files;
3. Installing digital signatures in Outlook;
4. Systems change control management procedures;
5. Procedure to grant systems rights;
6. Procedure to setup and install a wireless access point;
7. Procedures – email and AD groups management;
8. Procedures and controls related to developed software;
9. Procedures for systems access, patches and program transfers;
10. Procedures for the addition of services to Organization-X’s users;
11. Procedures for the procurement of ICT related resources;
12. Cisco VPN how to;
13. Microsoft VPN how to;
14. Anti-spyware instructions for home users; and
15. Protecting your home PC against viruses.
As it has been discussed throughout the rest of this dissertation, it is important for an organization’s Information Security Policy Architecture to be properly managed. This includes everything that should be considered before, during, and after the Information Security Policy Architecture has been implemented (Kadam, 2007). The following sub-section discusses how the Information Security Policy Architecture of Organization-X is managed.
5.5.2 Management of the Information Security Policy Architecture
To determine how Organization-X manages their Information Security Policy Architecture, focused interviews were conducted. These interviews were conducted based on the documentation that was gathered detailing the Information Security Policy Architecture of Organization-X. Where there would be a necessity for further clarification of discussions conducted in the previous interviews, there would be brief follow-up interviews, or email correspondence.
Organization-X believes that their Information Security Policy Architecture undergoes an adequate management process. To ensure comprehensive coverage, the various components of the Information Security Policy Architecture of Organization-X are planned and formulated in conjunction with the various department managers for their input. Further, all the components within the Information Security Policy Architecture of Organization-X have been approved by the highest level of management within Organization-X. After approval, the various components of the Information Security Policy Architecture are implemented by the various departments within Organization-X. This implementation is assisted by, among other means, guidelines and procedures found within the Information Security Policy Architecture of Organization-X. Further means of implementation include various forms of end-user awareness programs conducted within Organization-X. For staff members, a major awareness program includes an induction process that all staff members undertake. For students, awareness includes messages that appear on all student computers during login, detailing important issues with regard to IT/security policies, guidelines, and procedures relevant to students. After implementation, adherence to the higher-level IT/security policies is facilitated by guidelines and procedures. This means that by following guidelines and procedures, end-users adhere to the higher-level IT/security policies. Further, compliance with the Information Security Policy Architecture is facilitated by monitoring and ensuring compliance with the various industry standards and audit results from internal auditing activities. After monitoring, there is a maintenance process that ensures continuous relevance of the Information Security Policy Architecture of Organization-X. This maintenance process is the annual review of the whole Information Security Policy Architecture of Organization-X. Like the planning and formulation phases, the maintenance phase is also conducted in conjunction with the various department managers for their diverse input.
However, even though considered adequate currently, the management of Organization-X’s Information Security Policy Architecture could, arguably, be made more comprehensive. How this could be done is detailed in the following chapter.
In considering how Organization-X manages their Information Security Policy Architecture, it was essential to consider how the various audiences within Organization-X have been addressed by the various components of the Information Security Policy Architecture. As was discussed in Chapter 4, Section 4.2.2, there are three audiences that an Information Security Policy Architecture should take into consideration, namely, management, end-users, and the technical audience (Kadam, 2007). Within Organization-X, almost all the components of their Information Security Policy Architecture are mainly targeted to management and end-users. Even most of the low-level procedures, such as the Virtual Private Network (VPN) procedures, are targeted to end-users on how to properly configure a VPN client. However, the server side, which would be targeted to the technical audience, has been mostly disregarded in the Information Security Policy Architecture of Organization-X. Only one or two procedures could be mapped as being targeted specifically to the technical audience within Organization-X’s Information Security Policy Architecture. However, various technical aspects that would generally be expected to be documented specifically for the technical audience, such as configurations or tunings of the organization’s systems, could not be found within the Information Security Policy Architecture of Organization-X. Due to the potentially sensitive and confidential nature of the contents of the technical audience related documentation, there was a possibility of this documentation being classified. However, as will be discussed in the following paragraph, this was not the case. Apparently, the technical audience related documentation did not exist at all within Organization-X.
To find out more about the lack of technical audience related documentation within the Information Security Policy Architecture of Organization-X, the technical audience was further interviewed. The main question that was posed to the technical audience in the interview was as follows: “What technical documentation do you use in conducting your normal day to day duties, for example, configuring or maintaining a certain system or device”? The main response from the technical audience can be narrated as follows: “As the majority of our systems are Microsoft based, we adhere to Microsoft best practices, and make necessary changes according to our environment based on our knowledge and experience. On one of our non-Microsoft services, there is no best practice, and therefore we go according to knowledge transfer from suppliers and onto our systems, which then get consulted with in order to adjust according to our environment”. After further discussion, it was apparent that the custom adjustments that are made within Organization-X due to their knowledge, experience and best practices are not documented anywhere within the Information Security Policy Architecture of Organization-X.
Therefore, within the Information Security Policy Architecture of Organization-X, there is a lack of detailed documentation specifically targeted to the technical audience with regard to how they should conduct their duties of configuring and managing the organization’s systems. The technical audience uses best practices, together with their training, skills and knowledge to customize the configuration and maintenance of the organization’s systems. However, these customizations are not documented anywhere within the Information Security Policy Architecture of Organization-X.
5.6 Discussion
Adequate steps are claimed to have been taken in planning, formulating, implementing, monitoring and maintaining the Information Security Policy Architecture of Organization-X. However, as with anything in information security, there is always room for improvement. This is due to the dynamic nature of information security.
However, there are a number of issues identified with Organization-X’s Information Security Policy Architecture during this case study. One of those issues is that there are no clear or apparent relationships between the various components of Organization-X’s Information Security Policy Architecture. Within the local intranet of Organization-X where the Information Security Policy Architecture is situated, there is no complete hierarchical representation of the various components and their level in the Information Security Policy Architecture. The high-level, strategic information security policy is on the same webpage as the rest of the IT/security policies. This resulted in it being difficult to identify the Corporate Information Security Policy amongst the multitude of policies outlined in Section 5.5.1 above, which was finally discovered after analyzing all the policy documents, to be the “ICT security policy”. However, within the IT/security policies, there exist hyperlinks to the guidelines and procedures webpage. Therefore, IT/security policies are on a higher level than guidelines and procedures. However, guidelines and procedures are on the same webpage. This could easily be misinterpreted as symbolizing that guidelines and procedures are on the same level of Organization-X’s Information Security Policy Architecture, which, based on literature, should not be the case (Kadam, 2007; Von Solms et al., 2011). The various documents that should constitute an organization’s Information Security Policy Architecture are discussed in more detail in the following chapter. A further problem with Organization-X’s Information Security Policy Architecture is that there is no direct relationship between the various IT/security policies, guidelines and procedures. When viewing the IT/security policies, towards the end of each IT/security policy, there is a statement detailing that further related guidelines and procedures can be found by following the hyperlink at the end of the policy. However, within the IT/security policies, it is not stated which guidelines and procedures are related to the current policy. At the same time, the hyperlinks at the end of the IT/security policies do not retrieve only the relevant guidelines and/or procedures, but a webpage consisting of all guidelines and procedures. To complicate this matter even more, IT/security guidelines and procedures do not detail which IT/security policy they originate from.
Without a clear differentiation and apparent relationship amongst the various components of an Information Security Policy Architecture, managing an Information Security Policy Architecture could be problematic. For example, changes in one component could necessitate changes in another related component. This would be a daunting task without clear relationships amongst the various components. Further, for Information Security Governance purposes, the lack of clear relationships and levels within an Information Security Policy Architecture could result in the various management levels not being properly addressed. Therefore, the issue of not having clear relationships between the various components and not separating the various components according to the relevant organizational levels, could negatively impact Information Security Governance (Von Solms et al., 2011).
Further, another issue identified with Organization-X’s Information Security Policy Architecture is the lack of comprehensiveness. According to this research study, not all necessary components are sufficiently available within Organization-X’s Information Security Policy Architecture. Specifically, the technical audience related documentation is not sufficiently available within Organization-X’s Information Security Policy Architecture. As was discussed in Chapter 4, Section 4.3.3, this could be caused by the misconception that the technical audience should already be acquainted with what is required of them with regard to information security. As much as this is true to a large extent, there is still a need for detailed documentation specifically targeted to the technical audience to be included in an organization’s Information Security Policy Architecture. There are a number of reasons why documentation specifically targeted to the technical audience should be included. Firstly, standardization would be facilitated, ensuring uniformity in managing the organization’s systems. Secondly, alignment between strategic business objectives and IT/security objectives would be facilitated. Thirdly, costs, complexity and burden of managing the organization’s systems would be reduced. Lastly, in case the current technical audience would leave the organization, the new technical audience would not have to re-invent new methods, but could use already existing methods in conducting information security activities.
Without documentation specifically targeted to the technical audience, it would be challenging for an organization to claim full control of its information security initiatives at the Operational Level. If complete control cannot be ensured at the Operational Level, it would be difficult to claim control at all management levels. If control cannot be maintained at all levels, then there is a gap in the Information Security Governance strategy of an organization. The following section concludes this case study chapter.
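The two findings of this discussion, components with no stated link to the policy they derive from and an audience with no documentation at all, can be checked mechanically once the architecture is recorded as data. The following script is an added example, not part of the dissertation or of Organization-X's documentation: it models the three-level hierarchy (policies, guidelines, procedures) and the three audiences, and reports orphaned components, level inversions, policies with no supporting guideline or procedure, and audience coverage. The component names are taken from Section 5.5.1; the parent links and audience assignments are assumptions made for illustration.

```python
# Added example (not from the dissertation): a traceability check for a
# three-level Information Security Policy Architecture
# (policies -> guidelines -> procedures) with three audiences.
from dataclasses import dataclass

LEVELS = ("policy", "guideline", "procedure")        # highest to lowest
AUDIENCES = ("management", "end-user", "technical")  # Kadam (2007)
RANK = {level: i for i, level in enumerate(LEVELS)}


@dataclass(frozen=True)
class Component:
    name: str
    level: str
    audiences: frozenset            # audiences the document is written for
    parents: frozenset = frozenset()  # higher-level components it originates from


def check_architecture(components):
    """Return (finding, component, detail) tuples describing structural gaps."""
    by_name = {c.name: c for c in components}
    children = {c.name: set() for c in components}
    findings = []
    for c in components:
        if c.level not in RANK:
            findings.append(("unknown-level", c.name, c.level))
            continue
        if c.level != "policy" and not c.parents:
            # A guideline or procedure that does not state which policy it
            # originates from (the Organization-X situation).
            findings.append(("orphan", c.name, ""))
        for parent in c.parents:
            if parent not in by_name:
                findings.append(("dangling-parent", c.name, parent))
            elif by_name[parent].level not in RANK:
                continue  # already reported as unknown-level
            elif RANK[by_name[parent].level] >= RANK[c.level]:
                # A component "deriving from" one at the same or a lower level
                # breaks the hierarchy, e.g. a guideline hanging off a procedure.
                findings.append(("level-inversion", c.name, parent))
            else:
                children[parent].add(c.name)
    for name, kids in children.items():
        if by_name[name].level == "policy" and not kids:
            # A policy with no guideline or procedure supporting its implementation.
            findings.append(("unsupported-policy", name, ""))
    return findings


def audience_coverage(components):
    """Count, per audience, how many components explicitly target it."""
    counts = {a: 0 for a in AUDIENCES}
    for c in components:
        for a in c.audiences:
            counts[a] += 1
    return counts


# Constructed sample: names from Section 5.5.1, links and audiences assumed.
# The VPN procedure carries no parent link and nothing targets the technical
# audience, mirroring the two case-study findings.
SAMPLE = [
    Component("ICT security policy", "policy", frozenset({"management"})),
    Component("ICT remote access policy", "policy",
              frozenset({"management", "end-user"})),
    Component("Access control", "guideline", frozenset({"end-user"}),
              frozenset({"ICT security policy"})),
    Component("Cisco VPN how to", "procedure", frozenset({"end-user"})),
    Component("Procedure to grant systems rights", "procedure",
              frozenset({"end-user"}), frozenset({"Access control"})),
]

if __name__ == "__main__":
    for finding in check_architecture(SAMPLE):
        print(finding)
    print(audience_coverage(SAMPLE))
```

Run against the sample, the check flags the VPN procedure as an orphan, the remote access policy as unsupported, and shows zero components written for the technical audience.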
5.7 Conclusion
After the above discussion, it can be concluded that the Information Security Policy Architecture of Organization-X is not sufficiently comprehensive, as it does not consist of all the necessary components, and does not have clear relationships between the existing components. In turn, this would most likely hinder proper management of Organization-X’s Information Security Policy Architecture. By having a comprehensive and properly managed Information Security Policy Architecture, Organization-X could improve its Information Security Governance, which would assist the organization in achieving its mission, vision, and values due to reduced risks facing the organization.
Therefore, as can be seen from this chapter and Chapter 4, both in literature and in practice, a variety of issues exist with regard to Information Security Policy Architectures. Information Security Policy Architectures are, to a large extent, not sufficiently comprehensive, and are not adequately managed. Therefore, there is a need for a framework to assist in this regard. As a result, the primary objective of this dissertation, as outlined in Chapter 1, Section 1.4, is to propose a holistic framework for developing and managing a comprehensive Information Security Policy Architecture. The proposed framework is detailed in the following chapter.
Chapter 6: Information Security Policy Framework
6.1 Introduction
It is vital for an organization to protect its information assets, and Information Security Governance plays an important role in this protection. Information Security Governance is the strategic means by which an organization’s information security initiatives are directed and controlled (Ohki et al., 2009). Information Security Governance is largely reliant on an organization’s Information Security Policy Architecture. An Information Security Policy Architecture is a hierarchical representation of all information security policies and related documentation that an organization has implemented (Bacik, 2008; Palmer et al., 2001; Von Solms et al., 2011). Therefore, a comprehensive and properly managed Information Security Policy Architecture could enhance Information Security Governance within an organization (Von Solms et al., 2011).
However, as confirmed by the qualitative content analysis conducted in Chapter 4, Section 4.3, Information Security Policy Architectures are not adequately addressed in literature. In practice, according to the case study conducted in Chapter 5, the organization’s Information Security Policy Architecture is not adequately addressed. Firstly, Information Security Policy Architectures are not sufficiently comprehensive. Secondly, the relationships that should exist among the various components of an Information Security Policy Architecture are not clear. Lastly, Information Security Policy Architectures are not properly managed. Therefore, this dissertation proposes a holistic framework to address these issues, as discussed next.
6.2 Information Security Policy Framework
This section proposes a holistic framework for a comprehensive Information Security Policy Architecture. Where relevant, to facilitate understanding of some of the components of the proposed framework, password management examples are used.
Before any information security initiatives are implemented within an organization, it is always recommended that these initiatives be based on internationally-recognized best practices and standards (Von Solms, 2005). Therefore, as the first consideration towards the proposed framework, the next sub-section discusses the concept of using best practices and standards as the foundation before implementing an Information Security Policy Architecture.
6.2.1 IT/Security Best Practices and Standards
As was discussed in Chapter 3, Section 3.4.2, best practices and standards form one of the dimensions of Information Security Governance. Best practices and standards consist of well tested theoretical and practical solutions gathered over a long period of time by various qualified and experienced individuals. Best practices and standards enable organizations to use already existing knowledge with regard to how best to conduct information security initiatives. As a result, an organization using internationally-recognized best practices and standards is more likely to holistically address its IT/security needs (Poore, 2001; B. Von Solms, 2005).
However, these best practices and standards can be broad and generic in nature as they are
aimed to be used by a diverse number of organizations. Therefore, an organization should
ensure that best practices and standards are tailored to the organization’s specific environment and operations. While multiple best practices and standards can be used
simultaneously to complement one another, an organization should avoid using
unnecessary best practices and standards as this could lead to unnecessary burdens and
ineffective information security initiatives (Poore, 2001; Siponen & Willison, 2009; Von
Solms, 2005) .
Without best practices and standards, information security professionals could easily make decisions that are based on a number of incorrect factors such as bias, ignorance or personal motives. However, with relevant best practices and standards being used, an organization can significantly reduce the risks that an organization is potentially faced with as information security decisions would be based on sound knowledge. Moreover, best practices and standards assist in establishing international consensus on terminology, which greatly strengthens international interoperability with regard to information security solutions (Poore, 2001; Tsohou et al., 2010).
Therefore, before an Information Security Policy Architecture is developed, it is important for an organization to ensure that relevant best practices and standards are used as the underlying foundation for developing information security policies and related documentation. A few examples of such best practices and standards include ISO/IEC 13335-1 (2004) and ISO/IEC 27002 (2005). Even though these best practices and standards do not provide comprehensive guidelines with regard to an Information Security Policy Architecture, they provide a solid foundation for activities related to an Information Security Policy Architecture within an organization.
After the consideration of best practices and standards, the next important aspect to be considered before developing an Information Security Policy Architecture should be comprehensiveness. It is vital that an Information Security Policy Architecture takes into account all the different types of activities within an organization. Organizational activities are normally categorized based on the level of management responsible for those activities within an organization. For example, strategic activities are normally facilitated by strategic management. The different management levels were introduced in Chapter 3, Section 3.4 with regard to Information Security Governance and the following sub-section describes the different management levels with regard to an Information Security Policy Architecture.
6.2.2 Organizational Management Levels
As has already been discussed in Chapter 3, Section 3.4, there are three different levels of activities within an organization. Firstly, there are activities that are concerned with the overarching strategic initiatives of an organization. Activities conducted at this high level are aimed at ensuring the overall success of an organization by managing the organization’s strategic initiatives and are normally long-term strategies. Management that resides at this level typically consists of the organization’s highest level of management, including the CEO, the board of directors, and other C-level executives. As a result, this organizational management level is most commonly referred to as the Strategic Level (Eloff & Eloff, 2005; Von Solms & Von Solms, 2006b).
Secondly, the above Strategic Level initiatives should then be expanded into a number of activities that are more detailed and specific, and targeted to a different organizational management level than the Strategic Level. The organizational management level responsible for activities at this level is referred to as the Tactical Level. Unlike the Strategic Level, activities at the Tactical Level are intermediate activities that are normally medium- to long-term strategies. Further, Tactical Level activities require a well-planned and methodological approach in order to be adequately addressed (Eloff & Eloff, 2005; Von Solms & Von Solms, 2006b).
Lastly, cascading from the Tactical Level, there are activities that are concerned with the daily operations of an organization. These operational activities are the responsibility of the management level referred to as the Operational Level. Activities at the Operational Level are usually short-term activities which consist of instructions on how Strategic and Tactical Level objectives should be executed within an organization (Eloff & Eloff, 2005; Von Solms & Von Solms, 2006b).
Even though it may appear as if these different management levels are clearly delineated, it is not always the case. In reality, there is usually an overlap between these different management levels (Von Solms & Von Solms, 2006b). Before an organization’s Information Security Policy Architecture can be comprehensively managed, the above-mentioned organizational management levels should all be considered (Von Solms et al., 2011).
For an organization’s Information Security Policy Architecture to be comprehensively managed further, it should be properly planned, formulated, implemented, monitored and maintained, as has been discussed in Chapter 4, Section 4.2.3. These cyclic stages were collectively referred to as the Information Security Policy Lifecycle, covering everything that needs to be considered before, during, and after the implementation of an organization’s Information Security Policy Architecture. The Information Security Policy Lifecycle forms part of the proposed framework, as discussed below.
6.2.3 Information Security Policy Lifecycle
As was detailed in Chapter 4, Section 4.2.3, for effective and comprehensive management, an organization’s Information Security Policy Architecture should go through an Information Security Policy Lifecycle consisting of the Plan, Formulate, Implement, Monitor, and Maintain phases. Further, the Information Security Policy Lifecycle should cover all of the management levels already discussed in Section 6.2.2 above. The different stages of the Information Security Policy Lifecycle in the context of the proposed framework are discussed below.
i. Plan
This phase includes attaining top management approval and support, conducting a high-level Business Impact Analysis, and conducting a detailed Risk Management process. These processes are aimed at ensuring that an organization’s Information Security Policy Architecture is relevant to the organization’s specific business objectives and risks.
Planning should be conducted across all management levels. Further, according to the direct-control principles of Information Security Governance, planning constitutes directing. The reason for this is that planning should start from the Strategic Level, through the Tactical Level, to the Operational Level in a top-down manner, in order to ensure that an organization’s Information Security Policy Architecture effectively gathers management directives.
After the planning phase, the various components of an Information Security
Policy Architecture can then be formulated.
ii. Formulate
After the planning phase has been completed, the next phase should be to formulate the various components of an Information Security Policy Architecture. With regard to Information Security Governance, formulation, like planning, also constitutes directing. The reason for this is that the formulation of an Information Security Policy Architecture should start from the Strategic Level, through the Tactical Level, to the Operational Level, in a top-down manner, ensuring that management directives are properly documented. The actual components of an Information Security Policy Architecture that should be formulated form the crux of the proposed framework, and are therefore discussed in detail later in this chapter.
With regard to the formulation stage, this dissertation does not discuss the actual contents that should be found within the various Information Security Policy Architecture components. The exact contents that should constitute the various documents within an organization’s Information Security Policy Architecture are beyond the scope of this research project.
After formulating the various components of an Information Security Policy
Architecture, the next phase should be to implement them, as discussed next.
iii. Implement
After formulation, the various components of the Information Security Policy Architecture should be implemented into the daily operations of the organization. Based on Information Security Governance principles, the implementation phase of the Information Security Policy Lifecycle constitutes the execution of management directives. As was discussed in Chapter 4, Section 4.2.3, the implementation phase should cover all types of audiences within an organization, namely, end-users, management and the technical audience.
After the implementation phase, the next phase should be to monitor and ensure
that the implemented Information Security Policy Architecture is being adhered to.
iv. Monitor
With reference to Information Security Governance, all of the stages within the Information Security Policy Lifecycle discussed thus far are either concerned with directing (defining management directives) or execution (implementing management directives). The monitoring phase is concerned with controlling (ensuring adherence to management directives) and is aimed at ensuring that an Information Security Policy Architecture is being adhered to.
To facilitate monitoring, a bottom-up approach should be followed, starting from the Operational Level, where measurement data should be collected to measure compliance at the Operational Level. In turn, this should facilitate compliance measurement at the Tactical Level and ultimately at the Strategic Level.
Feedback from this monitoring phase should be used as one of the means to determine points for further improvement in order to continuously maintain the Information Security Policy Architecture.
v. Maintain
The last stage of the Information Security Policy Lifecycle is maintaining the Information Security Policy Architecture, which could be based on a number of criteria, such as feedback from the monitoring phase, recent major changes in the organization’s infrastructure, activities or obligations, or predetermined maintenance intervals, for example, annually. This way, the organization’s Information Security Policy Architecture remains relevant and grows with the organization, always supporting the organization’s strategic objectives.
According to the Information Security Governance principles, like monitoring, maintaining also constitutes controlling. The reason for this is that the maintenance phase ensures that the organization’s Information Security Policy Architecture remains relevant and facilitates the achievement of the organization’s business objectives.
Thus far, it should be clear that an Information Security Policy Architecture should be based on a solid foundation of IT/Security Best Practices and Standards. Further, an Information Security Policy Architecture should cover all the various Organizational Management Levels within an organization, namely, the Strategic Level, Tactical Level, and Operational Level. Within these Organizational Management Levels, an Information Security Policy Architecture should consider all types of audiences, namely, end-users, management and the technical audience. Lastly, for comprehensive management, an Information Security Policy Architecture should continuously be managed according to the Information Security Policy Lifecycle, as has already been discussed above.
Now that all of the above supporting structures for an Information Security Policy Architecture have been discussed within the proposed framework, the remaining sub-sections discuss the actual components that should constitute an organization’s Information Security Policy Architecture. Furthermore, how these different components should be related to one another is also discussed. As best practice, all information security endeavours should start at the highest management level within an organization. Therefore, the first component of an Information Security Policy Architecture should consist of the strategic business objectives of an organization, as discussed in the following sub-section.
6.2.4 Strategic Objectives
Information security must be aligned with the overall Strategic Objectives of an organization. Von Solms and Von Solms (2005) reiterate this by referring to information security as business security. They further state that if information security is not treated as business security, then information security initiatives are most likely to be ineffective. Therefore, from a strategic viewpoint, it is vital that an organization’s Information Security Policy Architecture takes into account the mission, principles, objectives and unique business requirements of an organization that have already been documented within an organization. This way, the information security function will be a driver of the organization’s business processes (ISO/IEC 27002, 2005, p. ix; Whitman & Mattord, 2010, p. 3).
After the Strategic Objectives of an organization have been documented as part of an organization’s Information Security Policy Architecture, the next component should comprise Strategic IT/Security Objectives that facilitate the manifestation of the Strategic Objectives of an organization.
6.2.5 Strategic IT/Security Objectives
In order for information security initiatives to be most effective, they should first be recognized and appreciated by the highest level of management in an organization, usually the board of directors. The board of directors should realize the important role information security plays in the strategic vision of the organization. After this realization, the board of directors should issue directives to the whole organization with regard to information security (Von Solms & Von Solms, 2009, p. 63).
In issuing directives, the board of directors, with the help of executive IT/security management, should consider the following factors, which are the drivers of information security (Von Solms & Von Solms, 2009, p. 34; Von Solms & Von Solms, 2006b). Firstly, external factors should be considered, such as legal and regulatory requirements, and any external risks specific to the organization. Secondly, internal factors should be considered, such as IT alignment with the organization’s Strategic Objectives, and any internal risks. Lastly, relevant IT/Security Best Practices and Standards should always be consulted to ensure that the organization does not re-invent information security methods and techniques, but rather uses the existing common body of knowledge.
Strategic IT/Security Objectives from the board of directors should be documented and form part of the organization’s Information Security Policy Architecture. In a top-down manner, this set of directives should drive the next component of an Information Security Policy Architecture, discussed below.
6.2.6 Corporate Information Security Policy
Strategic IT/Security Objectives from the board of directors should be expanded into a Corporate Information Security Policy, which is a high-level, overarching information security policy document that should form the basis for all lower-level components of an Information Security Policy Architecture. As a result, a comprehensive Corporate Information Security Policy contributes towards a comprehensive Information Security Policy Architecture (Von Solms & Von Solms, 2009, p. 64).
There are a number of principles that should be considered when developing a Corporate Information Security Policy. Firstly, the Corporate Information Security Policy should never contradict the organization’s mission and principles, but should always support the organization’s Strategic Objectives. Secondly, it should be a brief, concise, and non-technical document, containing high-level statements with regard to information security. This way, the Corporate Information Security Policy will be stable and less prone to a rapid need for change. The main factor that should determine the need for the Corporate Information Security Policy to change should be changes in the Strategic Objectives or Strategic IT/Security Objectives of the organization. Thirdly, the Corporate Information Security Policy should be approved and signed by the organization’s CEO in order to carry the message to all end-users more effectively. Lastly, the Corporate Information Security Policy should contain a compliance clause which determines possible disciplinary actions for non-compliance with this policy and any related lower-level components (Kadam, 2007; Von Solms & Von Solms, 2009, p. 64; Whitman & Mattord, 2010, p. 122).
In developing and managing an organization’s Corporate Information Security Policy, IT/Security Best Practices and Standards should be used as a solid foundation. For example, the well-known ISO/IEC 27002 (2005, pp. 7-8) consists of comprehensive and practical guidelines on what an organization’s Corporate Information Security Policy should constitute.
Further, Information Security Governance principles already discussed in this dissertation suggest that the Corporate Information Security Policy should also reside at the Strategic Level, and is also part of directives issued by management in a top-down manner (directing). The compliance clause in the Corporate Information Security Policy signifies controlling, which is used to attempt to ensure that management directives are adhered to (Von Solms & Von Solms, 2009, p. 64; Von Solms & Von Solms, 2006b).
Using password management as an example, an organization’s Corporate Information Security Policy could contain a single statement detailing the necessity for identity and password management within an organization. For example, such a statement could be as follows: “All employees within Organization-X should be uniquely identified to ensure accountability”. This high-level statement should be further expanded into a set of Detailed and Issue-Specific Policies, as discussed in the next sub-section.
6.2.7 Detailed and Issue-Specific Policies
These sets of information security policies are normally referred to in a number of ways, such as secondary policies, sub-policies, lower-level policies, detailed policies, or issue-specific policies. These policies should be used to implement the policy statements from the Corporate Information Security Policy. These policies should provide detailed and targeted guidance to facilitate common understanding with regard to the use of the organization’s processes, technologies and systems. In turn, this protects both the organization and the end-users from inefficiency and ambiguity (Von Solms & Von Solms, 2009, p. 68; Whitman & Mattord, 2010, p. 124).
Depending on the organization’s objectives and risks, some of the aspects that these Detailed and Issue-Specific Policies should address include, but are not limited to, electronic mail use, Internet use, incident response, disaster planning and business continuity. Because these policies have to address technology, they change frequently as a result of technology being continuously updated. Further, each of these policies should have a compliance clause detailing possible disciplinary actions due to non-compliance (Von Solms & Von Solms, 2009, p. 68; Whitman & Mattord, 2010, p. 124).
Most important to note at this level of the Information Security Policy Architecture is that no unrelated policy should appear. Any policy on this level should be traceable back to the Corporate Information Security Policy. Ensuring that all information security policies and related documentation are properly linked together is one of the main objectives of an Information Security Policy Architecture (Von Solms & Von Solms, 2009, p. 68).
In developing and managing these Detailed and Issue-Specific Policies, IT/Security Best Practices and Standards should be used to provide a firm foundation. For example, with regard to the password management example, before creating a password policy (or password management aspects within a certain policy), an organization should consult IT/Security Best Practices and Standards to determine what is commonly accepted with regard to password management (Von Solms, 2005). A password policy, or password management aspects within a certain policy, could expand on the statement from the Corporate Information Security Policy which was as follows: “All employees within Organization-X should be uniquely identified to ensure accountability”. This could be further expanded to define what a password is, what it is used for, and most importantly, why it is needed. Then, roles and responsibilities could be set detailing the roles of end-users in managing their passwords, as well as the role of the technical audience in ensuring that passwords are properly managed throughout the whole organization.
Further, according to Information Security Governance principles, Detailed and Issue-Specific Policies should reside at the Tactical Level, and also form part of management directives cascaded down in a top-down manner (directing). Likewise, the compliance clause on these policies should exist, signifying control, which is used to ensure adherence to these policies (Von Solms & Von Solms, 2009, p. 64; Von Solms & Von Solms, 2006b).
Even though these Detailed and Issue-Specific Policies are supposed to be comprehensive and detailed, they still need further documentation to ensure complete implementation. The reason for this is that Detailed and Issue-Specific Policies discuss what needs to be done at a high level and do not discuss how exactly this should be accomplished. Therefore, there is a need for an organization’s Information Security Policy Architecture to include more components after the Detailed and Issue-Specific Policies. These lower-level components should be targeted at two different audiences, namely, the technical audience and end-users. The following sub-section discusses end-user related components.
6.2.8 End-User Directives and Guidelines
According to the proposed framework, an Information Security Policy Architecture should consist of End-User Directives and Guidelines aimed at assisting the organization’s end-users with the proper implementation of, and adherence to, the Detailed and Issue-Specific Policies. End-User Directives and Guidelines should give details about what the organization’s end-users should consider when using the organization’s systems. This documentation should provide more measurable and auditable guidance with regard to the relevant policies from the Detailed and Issue-Specific Policies. However, exactly how end-users should use the organization’s systems should be a separate topic covered in further, lower-level components of an Information Security Policy Architecture, discussed in a subsequent section. Further, End-User Directives and Guidelines should enable end-users to implement operations uniformly. This way, a culture of information security can be facilitated as there would be standardized methods for securely implementing operations within an organization (Bacik, 2008, p. 50; Kadam, 2007; Killmeyer, 2006, p. 78).
Depending on the organization, these End-User Directives and Guidelines could be suggestions or they could be mandatory. Further, these might also evolve as a result of lessons learnt from past problems in the secure implementation of operations within an organization. However, these directives and guidelines should be based on IT/Security Best Practices and Standards to ensure a solid foundation. In this way, End-User Directives and Guidelines are most likely to be effective. The need for the existence and effectiveness of End-User Directives and Guidelines cannot be overemphasized. Without this documentation, there is a possibility of increased risks due to the increased potential of the organization’s end-users not using the organization’s systems in the way intended (Bacik, 2008, p. 50; Kadam, 2007; Killmeyer, 2006, p. 78).
In relation to the various Organizational Management Levels, End-User Directives and Guidelines overlap between the Tactical Level and the Operational Level. This is because this documentation closes the gap between the Detailed and Issue-Specific Policies and the lower-level implementation documentation residing at the Operational Level.
Considering the password management example introduced earlier, End-User Directives and Guidelines should discuss an organization’s uniform approach that should be followed by end-users when, for example, creating a strong password. End-User Directives and Guidelines should explicitly discuss what is meant by a “strong password”. Details should be given on what the end-users should configure as a strong password. How the end-users should configure a password on their computers should be discussed in further lower-level components of an Information Security Policy Architecture, as is discussed later in this framework.
Besides directives and guidelines targeted to end-users, an organization’s Information Security Policy Architecture should also consist of directives and guidelines targeted to the technical audience, as discussed in the following sub-section.
6.2.9 Technical Directives and Guidelines
All the principles of End-User Directives and Guidelines discussed in the previous section also apply to the Technical Directives and Guidelines. The reason for this is that both of these components of an Information Security Policy Architecture should achieve the following. Firstly, they should detail what should be configured or considered when using the organization’s systems. Secondly, they should ensure that there is uniformity in how the organization’s systems are configured and used. All of this should be done to ensure effective implementation of the Detailed and Issue-Specific Policies. Like the End-User Directives and Guidelines above, this documentation should provide more measurable and auditable guidance with regard to the relevant policies from the Detailed and Issue-Specific Policies. The only difference between the End-User Directives and Guidelines and the Technical Directives and Guidelines is the target audience, with the Technical Directives and Guidelines targeted to the technical audience, rather than general end-users. As such, the content will differ accordingly so that each specific audience is able to effectively implement the Detailed and Issue-Specific Policies.
Within an Information Security Policy Architecture, Technical Directives and Guidelines might be considered suggestions or could be mandatory depending on the organization. Further, Technical Directives and Guidelines should provide effective and uniform methods that the technical audience should employ during technological implementations. This way, an organization could greatly reduce costs when implementing the organization’s processes, technologies or systems. If this documentation is not used during technological implementations, there might be increased costs due to the possibility of increased spending and implementation burden. Further, there is also a possibility of increased risks due to the increased potential of not adhering to the Detailed and Issue-Specific Policies during technological implementations (Bacik, 2008, p. 50; Kadam, 2007; Killmeyer, 2006, p. 78).
With regard to the technical audience, it is extremely important for their documentation to consider internationally-recognized IT/Security Best Practices and Standards, as the technical audience controls the organization’s technological systems. These technological systems contain the organization’s information assets which enable an organization to achieve its business mission. In addition to IT/Security Best Practices and Standards, experience and lessons learnt can also be used as input in the creation and management of the Technical Directives and Guidelines (Von Solms, 2005).
Like End-User Directives and Guidelines, Technical Directives and Guidelines also overlap between the Tactical Level and the Operational Level. This is because Technical Directives and Guidelines close the gap that exists between the Detailed and Issue-Specific Policies and the lower-level implementation documentation residing at the Operational Level.
Practically, this documentation should consist of guidance targeted to the technical audience on the organizational uniformity that should be followed when configuring and managing the organization’s systems. For example, this documentation could mention that the organization’s systems should be configured to force or advise the end-users on how to properly create and manage their passwords. However, Technical Directives and Guidelines should not give detailed instructions on how the organization’s systems should be configured or managed, but what must be configured on these systems. Further documentation, however, defining detailed instructions on how the organization’s systems must be configured should also form part of an Information Security Policy Architecture, as discussed in the following sub-section.
6.2.10 Technical Procedures
A Technical Procedure is a step-by-step set of detailed instructions of exactly how to implement aspects of the Detailed and Issue-Specific Policies in Section 6.2.7 above. The Technical Directives and Guidelines discussed what should be configured, and these Technical Procedures should detail how systems should be configured. Most of the time, each of the Detailed and Issue-Specific Policies has one or more procedures specifying exactly how these policies should be implemented (Killmeyer, 2006, p. 78; Von Solms & Von Solms, 2009, p. 71).
With regard to the Organizational Management Levels, Technical Procedures are positioned at the Operational Level. The reason for this is that these Technical Procedures consist of instructions about the daily operations of the organization’s systems. Further, this documentation is responsible for the actual execution of management directives (Von Solms & Von Solms, 2006b).
According to Von Solms and Von Solms (2009, p. 71), procedures should have a compliance clause detailing possible disciplinary actions should the Technical Procedures not be followed. The reason for a compliance clause is that procedures are a means of directly implementing Detailed and Issue-Specific Policies. These Detailed and Issue-Specific Policies are mandatory. Therefore, procedures should also be mandatory (Killmeyer, 2006, p. 78; Von Solms & Von Solms, 2009, p. 71).
Considering the password management example, and also based on the guidelines from the Technical Directives and Guidelines above, a Technical Procedure would consist of detailed step-by-step instructions detailing exactly how systems should be configured to enforce proper password creation and password management by end-users. The Technical Procedures discussed in this sub-section are targeted to the technical audience. The following sub-section discusses procedures that should be targeted to everyone in an organization.
6.2.11 End-User Procedures
End-User Procedures should form the last component of an Information Security Policy Architecture. Almost all of the principles that hold for the Technical Procedures discussed in Section 6.2.10 above also hold for End-User Procedures. The only difference is that, unlike Technical Procedures which are targeted only to the technical audience, End-User Procedures are targeted to everyone within an organization. End-User Procedures should provide detailed step-by-step instructions of how end-users should implement aspects of the Detailed and Issue-Specific Policies whilst using the organization’s systems (Killmeyer, 2006, p. 78; Von Solms & Von Solms, 2009, p. 71). Further, with regard to the password management example, an End-User Procedure could be a detailed step-by-step set of instructions of how an end-user should change their password on a computer.
Lastly, according to the proposed framework, besides being influenced by End-User Directives and Guidelines, End-User Procedures are also directly influenced by Technical Directives and Guidelines, and by the Technical Procedures. The reason for this influence is that most of what the technical audience does is aimed at ensuring that end-users abide by the organization’s Detailed and Issue-Specific Policies. As a result, Technical Procedures will determine the contents of End-User Procedures.
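The components of Sections 6.2.4 to 6.2.11 and the rules attached to them (every lower-level component must trace back to the Corporate Information Security Policy, Section 6.2.7; mandatory components carry a compliance clause, Sections 6.2.6, 6.2.7 and 6.2.10; compliance is measured bottom-up from the Operational Level, Section 6.2.3) lend themselves to a mechanical check. The following Python model is an added example and not part of the dissertation or its framework: the component names and the levels they span are taken from the framework, the "Password Policy" stands in for a Detailed and Issue-Specific Policy expanding the corporate statement on unique identification, and the `implements` links, the `Component` class and all measurement figures are the example's own constructed assumptions.

```python
"""Added example (not the dissertation's own code): a model of the Information
Security Policy Architecture of Chapter 6. It checks the traceability rule of
Section 6.2.7 and the compliance-clause rule of Sections 6.2.6, 6.2.7 and
6.2.10, and rolls compliance measurements up from the Operational Level as the
Monitor phase of Section 6.2.3 describes. The "Password Policy" stands in for a
Detailed and Issue-Specific Policy; all measurement data is constructed."""
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Optional

STRATEGIC, TACTICAL, OPERATIONAL = "Strategic", "Tactical", "Operational"
CORPORATE_POLICY = "Corporate Information Security Policy"


@dataclass
class Component:
    name: str
    levels: List[str]  # management level(s); directives and guidelines span two
    implements: List[str] = field(default_factory=list)  # higher-level components it gives effect to
    mandatory: bool = False
    compliance_clause: bool = False


# The components and relationships of Figure 6.1, populated with the password example.
ARCHITECTURE: Dict[str, Component] = {c.name: c for c in [
    Component("Strategic Objectives", [STRATEGIC]),
    Component("Strategic IT/Security Objectives", [STRATEGIC], ["Strategic Objectives"]),
    Component(CORPORATE_POLICY, [STRATEGIC], ["Strategic IT/Security Objectives"],
              mandatory=True, compliance_clause=True),
    Component("Password Policy", [TACTICAL], [CORPORATE_POLICY],
              mandatory=True, compliance_clause=True),
    Component("End-User Directives and Guidelines", [TACTICAL, OPERATIONAL], ["Password Policy"]),
    Component("Technical Directives and Guidelines", [TACTICAL, OPERATIONAL], ["Password Policy"]),
    Component("Technical Procedures", [OPERATIONAL], ["Technical Directives and Guidelines"],
              mandatory=True, compliance_clause=True),
    Component("End-User Procedures", [OPERATIONAL],
              ["End-User Directives and Guidelines", "Technical Directives and Guidelines",
               "Technical Procedures"]),
]}


def trace_to_corporate_policy(arch: Dict[str, Component], name: str) -> Optional[List[str]]:
    """Follow `implements` links upward and return the chain that ends at the
    Corporate Information Security Policy, or None if no such chain exists."""
    if name == CORPORATE_POLICY:
        return [name]
    for parent in arch[name].implements:
        chain = trace_to_corporate_policy(arch, parent) if parent in arch else None
        if chain is not None:
            return [name] + chain
    return None


def unrelated_components(arch: Dict[str, Component]) -> List[str]:
    """Section 6.2.7: no component below the Strategic Level may appear that
    cannot be traced back to the Corporate Information Security Policy."""
    return [c.name for c in arch.values()
            if STRATEGIC not in c.levels and trace_to_corporate_policy(arch, c.name) is None]


def missing_compliance_clauses(arch: Dict[str, Component]) -> List[str]:
    """Mandatory components must carry a compliance clause (Sections 6.2.6, 6.2.7, 6.2.10)."""
    return [c.name for c in arch.values() if c.mandatory and not c.compliance_clause]


# Constructed Operational-Level measurement data: per system or department, the
# share of accounts whose passwords meet the "strong password" definition given
# in the End-User Directives and Guidelines.
MEASUREMENTS: Dict[str, Dict[str, float]] = {
    "Technical Procedures": {"fileserver-01": 0.98, "mail-01": 0.91},
    "End-User Procedures": {"hr-department": 0.85, "finance-department": 0.95},
}


def component_compliance(arch, measurements, name) -> Optional[float]:
    """Bottom-up measurement: a component's compliance is the mean of its own
    measurements or, failing that, the mean compliance of the components that
    implement it. Components with neither report None."""
    if name in measurements:
        return mean(list(measurements[name].values()))
    scores = [s for s in (component_compliance(arch, measurements, c.name)
                          for c in arch.values() if name in c.implements) if s is not None]
    return mean(scores) if scores else None


def compliance_by_level(arch, measurements) -> Dict[str, Optional[float]]:
    """Roll Operational-Level data up to the Tactical and Strategic Levels; a
    component spanning two levels counts towards both."""
    result = {}
    for level in (OPERATIONAL, TACTICAL, STRATEGIC):
        scores = [component_compliance(arch, measurements, c.name)
                  for c in arch.values() if level in c.levels]
        scores = [s for s in scores if s is not None]
        result[level] = mean(scores) if scores else None
    return result


if __name__ == "__main__":
    print("unrelated components:", unrelated_components(ARCHITECTURE))
    print("missing compliance clauses:", missing_compliance_clauses(ARCHITECTURE))
    print("compliance by level:", compliance_by_level(ARCHITECTURE, MEASUREMENTS))
```

Adding a Tactical Level policy with an empty `implements` list is the "unrelated policy" that Section 6.2.7 forbids, and `unrelated_components` reports it; dropping `compliance_clause` from a mandatory component is caught by `missing_compliance_clauses`. The roll-up illustrates the text's point that the two directives-and-guidelines components count towards both the Tactical and the Operational Level.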
To conclude, this section has presented the components of an Information Security Policy Framework for a comprehensive Information Security Policy Architecture. The following section summarizes and diagrammatically illustrates the proposed Information Security Policy Framework, whilst further highlighting the relationships that should exist among the various components of an Information Security Policy Architecture.
6.3 Framework Overview
The following diagram, Figure 6.1, shows an overview of the Information Security Policy Framework already discussed in the previous section. Following this framework diagram is an overview of the different components of this framework.
Figure 6.1: Information Security Policy Framework
[Diagram labels: lifecycle bands Plan / Formulate, Implement, Monitor / Maintain; management levels Strategic Level, Tactical Level, Operational Level; components IT/Security Best Practices and Standards (at the base), Strategic Objectives, Strategic IT/Security Objectives, Corporate Information Security Policy, Detailed and Issue-Specific Policies, End-User Directives and Guidelines, Technical Directives and Guidelines, Technical Procedures, End-User Procedures.]
i. IT/Security Best Practices and Standards
The first component of the proposed Information Security Policy Framework is the IT/Security Best Practices and Standards. As has been discussed in the detailed discussion of the proposed framework in Section 6.2, initiatives based on internationally-recognized best practices and standards ensure a sound foundation for the organization’s Information Security Policy Architecture and its supporting structures. This has been illustrated in Figure 6.1 by IT/Security Best Practices and Standards being positioned at the bottom of the proposed framework, and everything else being built on top of this solid foundation.
ii. Organizational Management Levels
For a comprehensive approach towards the management of an Information Security Policy Architecture, all three organizational management levels should be considered, namely the Strategic Level, the Tactical Level and the Operational Level. The various components of an Information Security Policy Architecture should be grouped according to the relevant management level, as illustrated in Figure 6.1. As discussed in the detailed discussion of the proposed framework in Section 6.2, there is normally overlap between the components at the different management levels. The two components that overlap in Figure 6.1 are the End-User Directives and Guidelines and the Technical Directives and Guidelines; both straddle the Tactical Level and the Operational Level.
iii. Information Security Policy Lifecycle
For further comprehensive management, an organization’s Information Security Policy Architecture should be facilitated by a complete Information Security Policy Lifecycle. This lifecycle includes everything that should be considered before, during and after the Information Security Policy Architecture has been implemented. The various phases of the Information Security Policy Lifecycle have been discussed in Section 6.2.3 above.
In the context of the proposed framework, Plan and Formulate have been combined in Figure 6.1 as Plan/Formulate, since both constitute directing, which ensures that management directives are gathered and issued throughout all Organizational Management Levels in a top-down manner. Implement consists of the execution of management directives in the daily operations of the organization. Lastly, Monitor and Maintain have been combined as Monitor/Maintain, since both constitute controlling, which ensures that management directives are adhered to throughout all Organizational Management Levels in a bottom-up manner.
The Information Security Policy Lifecycle should be undertaken in an anticlockwise manner, from Plan/Formulate to Implement and lastly to Monitor/Maintain. This cyclic nature is due to the continuous task of managing an Information Security Policy Architecture. Therefore, in Figure 6.1, the Monitor/Maintain and Plan/Formulate arrows are linked at the top to reveal the cyclic nature of the management of an Information Security Policy Architecture. Following is an overview of the various components that should constitute an organization’s Information Security Policy Architecture.
iv. Strategic Objectives
To be effective, an Information Security Policy Architecture should be aligned with the Strategic Objectives that already exist within the organization. Therefore, at the Strategic Level, the Information Security Policy Architecture should consist of documentation detailing the organization’s overall business mission, vision, objectives and strategies. The ultimate aim of all the components of an Information Security Policy Architecture should be to facilitate the achievement of these Strategic Objectives. Based on the Strategic Objectives, Strategic IT/Security Objectives should be included within an organization’s Information Security Policy Architecture, as discussed next.
v. Strategic IT/Security Objectives
The highest level of management within an organization, normally the board of directors, with the help of senior IT/security executives, should issue Strategic IT/Security Objectives that provide strategic direction for information security. At the Strategic Level, the Strategic IT/Security Objectives should be directed from the Strategic Objectives of the organization in a top-down manner. This has been illustrated in Figure 6.1 by the downward arrow connecting the Strategic Objectives and the Strategic IT/Security Objectives. The upward arrow symbolizes control, indicating that the Strategic IT/Security Objectives should ensure the achievement of the Strategic Objectives.
vi. Corporate Information Security Policy
The directives from the Strategic IT/Security Objectives should then be expanded into a more concrete set of directives documented in a Corporate Information Security Policy, still in a top-down manner symbolizing directing. This has been shown in Figure 6.1 by the downward arrow between the Strategic IT/Security Objectives and the Corporate Information Security Policy. The Corporate Information Security Policy should be a high-level information security policy document that is the root of all other information security policies and related documentation forming part of an organization’s Information Security Policy Architecture. The Corporate Information Security Policy is the last component at the Strategic Level. For control purposes, the Corporate Information Security Policy should ensure the achievement of the management directives from the Strategic IT/Security Objectives. One way of accomplishing this is by including a compliance clause within the Corporate Information Security Policy. This compliance clause would detail the possible disciplinary actions for non-compliance with the Corporate Information Security Policy within the organization. Control has been symbolized by the upward arrow between the Corporate Information Security Policy and the Strategic IT/Security Objectives in Figure 6.1. However, as the Corporate Information Security Policy should be a brief, high-level and overarching information security policy, more focused and detailed policies should exist, as detailed below.
vii. Detailed and Issue-Specific Policies
Depending on the organization’s specific business objectives and risks, the Corporate Information Security Policy should be cascaded into a series of Detailed and Issue-Specific Policies. These policies should provide a common understanding within the organization with regard to the use of the organization’s processes and systems. The Detailed and Issue-Specific Policies should reside at the Tactical Level, as shown in Figure 6.1, as they are the responsibility of middle-level management. It is therefore the responsibility of management at the Tactical Level to ensure that the directives from the Corporate Information Security Policy are properly directed into Detailed and Issue-Specific Policies in a top-down manner. This has been illustrated by the downward arrow between the Corporate Information Security Policy and the Detailed and Issue-Specific Policies in Figure 6.1. Furthermore, for control purposes, all policies at this level should be traceable back to the Corporate Information Security Policy, and each policy should have a compliance clause detailing the possible actions resulting from non-compliance. This control feature has been represented by the upward arrow between the Detailed and Issue-Specific Policies and the Corporate Information Security Policy in Figure 6.1. However, the Detailed and Issue-Specific Policies still need to be implemented further. The implementation of the higher-level components of the Information Security Policy Architecture, as detailed thus far, is facilitated by the lower-level components of the Information Security Policy Architecture, as discussed next.
viii. End-User Directives and Guidelines
To uniformly implement aspects of the Detailed and Issue-Specific Policies, there should be documentation targeted at everyone within the organization, acting as the organization’s standard or guideline. Stemming from the Detailed and Issue-Specific Policies, this documentation should direct end-users on what they should consider when using the organization’s systems. This has been symbolized by the downward arrow between the Detailed and Issue-Specific Policies and the End-User Directives and Guidelines in Figure 6.1. Further, this documentation should provide more measurable and auditable guidance with regard to the relevant Detailed and Issue-Specific Policies. This measurability and auditability in turn facilitates controlling, which ensures compliance with the End-User Directives and Guidelines; compliance measurement at the level of the End-User Directives and Guidelines could in turn facilitate compliance measurement at the level of the Detailed and Issue-Specific Policies. This control aspect has been illustrated in Figure 6.1 by the upward arrow between the End-User Directives and Guidelines and the Detailed and Issue-Specific Policies. Depending on the organization, the End-User Directives and Guidelines could be either suggestions or mandatory; in either case, directives and guidelines assist end-users in adhering to the higher-level policies. With regard to the Organizational Management Levels, the End-User Directives and Guidelines overlap between the Tactical Level and the Operational Level, because this documentation closes the gap between the Detailed and Issue-Specific Policies and the lower-level implementation documentation residing at the Operational Level. To further facilitate the implementation of the Detailed and Issue-Specific Policies, besides the directives and guidelines targeted at everyone as detailed here, there should be directives and guidelines specifically targeted at the technical audience, as discussed next.
ix. Technical Directives and Guidelines
The Information Security Policy Architecture should contain documentation that specifically targets the technical audience, in the form of directives detailing what must be configured in the organization’s systems and what must be done in managing the organization’s systems. In essence, the Technical Directives and Guidelines should follow the same principles as the End-User Directives and Guidelines, as both facilitate adherence to the Detailed and Issue-Specific Policies; the only difference is the targeted audience. Whereas end-users are guided on what they should consider when using the organization’s systems, the technical audience is guided on what they should configure and what they should consider when managing the organization’s systems. However, these directives and guidelines only detail what must be accomplished at a low level; they do not detail exactly how this must be accomplished. That is the responsibility of further low-level documentation within an Information Security Policy Architecture, discussed next.
x. Technical Procedures
The Information Security Policy Architecture should contain documentation, targeted at the technical audience, that gives detailed step-by-step information on exactly how the Technical Directives and Guidelines should be configured in the organization’s systems and how these systems should be managed. Procedures are a direct implementation of the higher-level components of an Information Security Policy Architecture. Procedures reside at the Operational Level and are based on directives from the Technical Directives and Guidelines in a top-down manner, as illustrated in Figure 6.1 by the downward arrow between the Technical Directives and Guidelines and the Technical Procedures. For control purposes, Technical Procedures must have a compliance clause detailing the possible disciplinary actions for non-compliance. In a bottom-up approach, compliance measurement at this level should facilitate compliance measurement at the levels above, as shown by the upward arrow between the Technical Procedures and the Technical Directives and Guidelines in Figure 6.1. Closely linked to the Technical Procedures, the last component of the proposed Information Security Policy Framework consists of the End-User Procedures, discussed next.
xi. End-User Procedures
After all end-users have been made aware of what must be done when using the organization’s systems, the next step should be to provide detailed step-by-step procedures on exactly how they should use the organization’s systems. All the principles that hold for Technical Procedures also hold for End-User Procedures, with two differences. Firstly, the targeted audience differs, as End-User Procedures are targeted at everyone. Secondly, and most importantly, the End-User Procedures are influenced not only by the End-User Directives and Guidelines, but also by the Technical Directives and Guidelines and the Technical Procedures. This has been illustrated in Figure 6.1 by the directing and control arrows between the End-User Procedures and both the End-User Directives and Guidelines and the Technical Procedures. The reason for End-User Procedures being influenced by Technical Procedures is that all information security endeavours are ultimately aimed at influencing end-users to adhere to information security procedures. Therefore, the Technical Procedures will eventually determine the contents of the End-User Procedures.
In conclusion, to reiterate how the Information Security Policy Architecture components identified above should relate to one another, Information Security Governance principles need to be revisited. According to Information Security Governance principles, management directives should be issued in the form of the Information Security Policy Architecture components discussed above, and this should be done in a top-down manner (directing). Further, techniques should be in place to ensure that management directives are being adhered to, and this should be done in a bottom-up manner (controlling). Therefore, the relationship between the various components should be a two-way relationship through directing and controlling, as shown by the double-sided arrows between the various components of an Information Security Policy Architecture in Figure 6.1.
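As an added illustration, not part of this dissertation, the following Python example models the components and directing arrows of Figure 6.1 as a directed graph and checks the relationship rules stated in this section: every component must be traceable back to the Strategic Objectives, directing must run top-down across the management levels, and policies and procedures must carry a compliance clause so that controlling can be enforced bottom-up. The component names are those of Figure 6.1; the numeric level ranks, the compliance_clause attribute, the rule that only policies and procedures require a clause, and the two defective sample components (an "Acceptable Use Policy" and a "Password Procedure") are assumptions made for the example.

```python
"""Added example (not from the dissertation): an Information Security Policy
Architecture as a directed graph, checked against the framework's rules of
traceability to the Strategic Objectives, top-down directing and compliance
clauses. Level ranks and the sample defects are assumptions of this example."""
from collections import deque
from dataclasses import dataclass

# Assumed rank order of the management levels; the two Directives and Guidelines
# components straddle the Tactical and Operational Levels in Figure 6.1.
LEVEL_RANK = {"strategic": 0, "tactical": 1, "tactical/operational": 2, "operational": 3}
ROOT = "Strategic Objectives"


@dataclass(frozen=True)
class Component:
    name: str
    level: str
    parents: tuple = ()            # components this one is directed from (top-down)
    compliance_clause: bool = False


def needs_compliance_clause(name):
    # Assumption: policies and procedures need a clause; objectives do not, and
    # Directives and Guidelines may be advisory, so none is required of them.
    return name.endswith(("Policy", "Policies", "Procedure", "Procedures"))


def trace_to_root(components, name):
    """Shortest directing chain from `name` up to ROOT (breadth-first over the
    parent links), or None if the component cannot be traced back."""
    by_name = {c.name: c for c in components}
    if name not in by_name:
        return None
    queue, seen = deque([[name]]), {name}
    while queue:
        path = queue.popleft()
        if path[-1] == ROOT:
            return path
        for parent in by_name[path[-1]].parents:
            if parent in by_name and parent not in seen:
                seen.add(parent)
                queue.append(path + [parent])
    return None


def check_architecture(components):
    """Return a list of findings; an empty list means every rule holds."""
    findings = []
    by_name = {c.name: c for c in components}
    if ROOT not in by_name:
        findings.append(f"missing root component: {ROOT}")
    for c in components:
        if c.level not in LEVEL_RANK:
            findings.append(f"{c.name}: unknown level {c.level!r}")
            continue
        if c.name != ROOT and not c.parents:
            findings.append(f"{c.name}: no directing parent")
        for p in c.parents:
            if p not in by_name:
                findings.append(f"{c.name}: directed from unknown component {p!r}")
            elif LEVEL_RANK.get(by_name[p].level, -1) > LEVEL_RANK[c.level]:
                findings.append(f"{c.name}: directed bottom-up from {p} ({by_name[p].level})")
        if c.name != ROOT and trace_to_root(components, c.name) is None:
            findings.append(f"{c.name}: not traceable to {ROOT}")
        if needs_compliance_clause(c.name) and not c.compliance_clause:
            findings.append(f"{c.name}: no compliance clause, so control cannot be enforced")
    return findings


def figure_6_1_architecture():
    """The components and downward (directing) arrows of Figure 6.1."""
    return [
        Component(ROOT, "strategic"),
        Component("Strategic IT/Security Objectives", "strategic", (ROOT,)),
        Component("Corporate Information Security Policy", "strategic", ("Strategic IT/Security Objectives",), True),
        Component("Detailed and Issue-Specific Policies", "tactical", ("Corporate Information Security Policy",), True),
        Component("End-User Directives and Guidelines", "tactical/operational", ("Detailed and Issue-Specific Policies",)),
        Component("Technical Directives and Guidelines", "tactical/operational", ("Detailed and Issue-Specific Policies",)),
        Component("Technical Procedures", "operational", ("Technical Directives and Guidelines",), True),
        Component("End-User Procedures", "operational", ("End-User Directives and Guidelines",
                  "Technical Directives and Guidelines", "Technical Procedures"), True),
    ]


def defective_architecture():
    """Constructed variant: a tactical policy directed bottom-up from an orphaned
    operational procedure, neither of which carries a compliance clause."""
    return figure_6_1_architecture() + [
        Component("Acceptable Use Policy", "tactical", ("Password Procedure",)),
        Component("Password Procedure", "operational"),
    ]


if __name__ == "__main__":
    print(" <- ".join(trace_to_root(figure_6_1_architecture(), "End-User Procedures")))
    for finding in check_architecture(defective_architecture()):
        print("finding:", finding)
```

Run stand-alone, the script prints the shortest directing chain from the End-User Procedures up to the Strategic Objectives and then lists the six rule violations of the constructed defective variant (a bottom-up arrow, two components that cannot be traced to the root, an orphan without a directing parent, and two missing compliance clauses). The same check can be run over an organization’s actual document inventory once each document records which higher-level document it is derived from.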
6.4 Conclusion
This chapter proposed a holistic Information Security Policy Framework for a comprehensive and properly managed Information Security Policy Architecture. The originality of this framework lies in the comprehensiveness of the identified components, the relationships between the identified components, and the integration of the management processes describing how to properly manage an Information Security Policy Architecture.
The proposed framework could assist in creating a more comprehensive Information Security Policy Architecture and in enhancing its management. In turn, this could positively influence Information Security Governance, as the framework comprehensively addresses how management directives should be directed, executed and controlled. Consequently, this should enhance an organization’s information security program, so that business objectives are achieved more efficiently owing to fewer disruptions of the organization’s processes as a result of information assets being compromised.
Therefore, this chapter has achieved the primary objective of this dissertation, as well as two
of the secondary objectives as outlined in Chapter 1, Section 1.4. The primary research
objective of this study was to propose a holistic framework that encompasses all components
of an Information Security Policy Architecture and highlights the relationships between these
components. In order to achieve this primary objective, one of the secondary objectives of this
dissertation achieved in this chapter was to identify the various components that should
constitute an organization’s Information Security Policy Architecture. Further, another
secondary objective of this dissertation achieved in this chapter was to define the relationships that should exist between the identified Information Security Policy Architecture components.
In conclusion, the following chapter summarizes the main findings of this dissertation, and
presents any limitations and possible future research opportunities leading directly from the work of this dissertation.
Chapter 7: Conclusion
7.1 Introduction
This dissertation presented a study conducted to propose a comprehensive Information Security Policy Architecture. In this study, it is argued that for Information Security Governance within an organization to be more effective, the organization’s Information Security Policy Architecture should be as comprehensive as possible. An organization’s Information Security Policy Architecture should consist of all the components relevant to the organization, detailing the relationships between the various components of the architecture. Further, an organization’s Information Security Policy Architecture should be properly managed. This includes everything that should be considered before, during and after an Information Security Policy Architecture has been implemented.
However, Information Security Policy Architectures are not sufficiently addressed, either in the literature or in practice. To address this problem, research objectives were outlined in Chapter 1, Section 1.4 of this dissertation. The following section evaluates whether these research objectives have been achieved in this dissertation.
7.2 Evaluation of the Research Outcomes
The primary research objective of this study was to propose a holistic framework that encompasses all necessary components of an Information Security Policy Architecture and highlights the relationships between these components. In order to achieve this primary research objective, a number of secondary research objectives had to be achieved. These secondary research objectives, together with how and where they were achieved in this dissertation, are discussed next:
• To define an Information Security Policy Architecture and its importance – This secondary research objective was achieved in Chapter 4, Section 4.2.1. A detailed discussion was conducted, defining an Information Security Policy Architecture, its importance and its target audiences. An Information Security Policy Architecture was defined as a hierarchical representation of all the information security policies and related documentation that an organization has implemented. Moreover, the importance of an Information Security Policy Architecture as a means to facilitate Information Security Governance was also detailed. It was argued that an organization’s Information Security Policy Architecture needs to be comprehensive and targeted at all the different types of audiences within an organization.
• To define the various components that should constitute an organization’s Information Security Policy Architecture – This secondary research objective was achieved in Chapter 6, Section 6.2. A framework was argued for that holistically identified the various components that should constitute an organization’s Information Security Policy Architecture. The first component was the Strategic Objectives of an organization, which should be considered the highest-level component of an organization’s Information Security Policy Architecture, the reason being that the main objective of any information security endeavour should be to assist the organization in achieving its strategic business objectives. Based on the Strategic Objectives, the second component, the Strategic IT/Security Objectives, should be considered, which details the strategic direction for information security within the organization. Based on the Strategic IT/Security Objectives, the third component, a Corporate Information Security Policy, should be included within an organization’s Information Security Policy Architecture. All of the above components should reside at the Strategic Level. As the fourth component, residing at the Tactical Level and based on the Corporate Information Security Policy, there should exist Detailed and Issue-Specific Policies. These policies should provide a common understanding within the organization with regard to the use of the organization’s processes and systems. At this point, there is a need to separate the components that follow as being targeted either at end-users or specifically at the technical audience. Overlapping between the Tactical Level and the Operational Level, the components that follow are aimed at providing Directives and Guidelines on how end-users should adhere to, or what the technical audience should configure in order to ensure adherence to, the Detailed and Issue-Specific Policies. Lastly, at the Operational Level, there should be information security procedures targeted at both end-users and the technical audience. End-User Procedures should detail step-by-step instructions on how end-users should use the organization’s systems. Moreover, Technical Procedures should detail step-by-step instructions on how the technical audience should configure the organization’s systems. It is important to note that the Technical Procedures influence the End-User Procedures, as they are configurations of what end-users can and cannot do. Therefore, End-User Procedures should form the lowest-level component of an organization’s Information Security Policy Architecture, as information security endeavours are ultimately aimed at ensuring that end-users adhere to information security procedures.
• To define the relationships that should exist between the various components of an Information Security Policy Architecture – This secondary research objective was achieved in Chapter 6, Section 6.3. The proposed framework argued for the relationships that should exist between the various components of an organization’s Information Security Policy Architecture. It was argued that, according to Information Security Governance principles, these components should be issued or directed in a top-down approach from the Strategic Level, through the Tactical Level, to the Operational Level. Conversely, adherence to these components, i.e. controlling, should be measured in a bottom-up approach, starting from the Operational Level, through the Tactical Level, and ultimately ensuring adherence to the Strategic Level directives. In this way, Information Security Governance could potentially be facilitated.
• To define the complete lifecycle that an organization’s Information Security Policy Architecture should undergo for proper management – This secondary research objective was achieved in Chapter 4, Section 4.2.3 and re-emphasized in the context of the proposed framework in Chapter 6, Sections 6.2 and 6.3. The various phases that an organization’s Information Security Policy Architecture should go through for proper management were argued for. These phases include planning, formulating, implementing, monitoring and maintaining an Information Security Policy Architecture. Based on Information Security Governance principles, planning and formulating constitute directing, and should therefore be conducted in a top-down approach from the Strategic Level, through the Tactical Level, to the Operational Level. Furthermore, implementation constitutes the execution of management directives. Lastly, monitoring and maintaining constitute controlling, and should therefore be conducted in a bottom-up approach. It was noted that, for effective management, it is important for an organization’s Information Security Policy Architecture to go through this Information Security Policy Lifecycle continuously. Further, as with all other information security initiatives, the management of an organization’s Information Security Policy Architecture should be based on internationally-accepted best practices and standards.
By achieving all of the above-mentioned secondary research objectives, the primary objective was achieved. A representation of the achieved primary research objective has been detailed in Chapter 6, Sections 6.2 and 6.3. The following section discusses the significance of achieving all of these research objectives.
7.3 Significance of Study
This study proposed a comprehensive Information Security Policy Architecture, with clear relationships between the various constituting components. Furthermore, this study argued for the proper management of an organization’s Information Security Policy Architecture.
By having a comprehensive and well-managed Information Security Policy Architecture according to the framework proposed in this study, an organization would potentially increase the effectiveness of its information security policies and related documentation, the reason being that the proposed framework comprehensively covers the aspects to consider before, during and after information security policies and related documentation are implemented.
Further, by having effective information security policies and related documentation, Information Security Governance within an organization is likely to be enhanced. This is because the basic principle of Information Security Governance is to strategically direct and control information security initiatives, which is accomplished via information security policies and related documentation. Therefore, enhancing an organization’s Information Security Policy Architecture could potentially improve Information Security Governance within the organization.
By improving Information Security Governance within an organization, the whole process of information security could be enhanced. Information security ensures the confidentiality, integrity and availability of the organization’s information assets, on which business processes depend in order to be successful. By ensuring the security of information assets, the achievement of business objectives would be facilitated owing to fewer disruptions as a result of internal and external risks to information assets materializing.
As all research studies possess some limitations, the following section discusses the limitations of this study, together with possible further enhancements.
7.4 Limitations and Possible Further Enhancements
There are a number of limitations within this study which could potentially be addressed by future studies. Firstly, there are some limitations with regard to the case study that was conducted to determine to what extent Information Security Policy Architectures have been addressed in practice. This case study was an exploratory single-case study. Future studies could conduct more detailed, multi-case studies, which could provide solid solutions towards the enhancement of an organization’s Information Security Policy Architecture.
Secondly, the proposed framework has not been implemented or tested for effectiveness. Therefore, empirical studies to determine the effectiveness of the proposed framework could make a significant contribution to the knowledge available with regard to Information Security Policy Architectures.
However, the above limitations do not undermine the value behind the concept of the
proposed framework, but could rather be points for possible future research.
7.5 Epilogue
As has been discussed throughout this dissertation, it is important for an organization’s Information Security Policy Architecture to be comprehensive, with clear relationships, properly targeted at the correct audiences, and properly managed. In turn, this would enhance Information Security Governance within an organization, which would help organizations in achieving their business objectives owing to reduced risks to information assets.
Hence this study has proposed a holistic framework for achieving a more comprehensive Information Security Policy Architecture. This framework could assist organizations in defining a comprehensive and properly targeted Information Security Policy Architecture that is both relevant to the organization and offers a return on the investment therein. Furthermore, this framework could assist organizations in defining the relationships that should exist among the various components of their Information Security Policy Architecture. Lastly, the proposed framework could assist an organization in properly managing its Information Security Policy Architecture.
References
Abu-Musa, A. (2010). Information security governance in Saudi organizations: an empirical
study. Information Management & Computer Security , 18(4), 226- 276. doi:
10.1108/09685221011079180.
Ashenden, D. (2008). Information Sec urity management: A human challenge? Information
Security Technical Report , 13(4), 195- 201. Elsevier. doi: 10.1016/j.istr.2008.10.006.
Bacik, S. (2008). Building an Effective Information Security Policy Architecture . Boca Raton:
CRC Press.
Bakari, J., Tari mo, C., Yngstrom, L., Magnusson, C., & Kowalski, S. (2007). Bridging the
gap between general management and technicians – A case study on ICT security in a
developing country ☆. Computers & Security , 26(1), 44- 55. doi:
10.1016/j.cose.2006.10.007.
Bakhshi, T ., Papadaki, M., & Furnell, Steven. (2009). Social engineering: assessing
vulnerabilities in practice. Information Management & Computer Security , 17(1), 53- 63.
doi: 10.1108/09685220910944768.
Bernard, R. (2007). Information Lifecycle Security Risk Assessm ent: A tool for closing
security gaps. Computers & Security , 26(1), 26- 30. doi: 10.1016/j.cose.2006.12.005.
Bidgoli, H. (2006). Handbook of information security: Threats, Vulnerabilities, Prevention,
Detection, and Management. Management (3rd ed., Vol. 3). Hoboken: John Wiley &
Sons.
Bishop, M. (2003). What is computer security? Security & Privacy, IEEE , 1(1), 67–69. IEEE.
Retrieved September 1, 2011, from
http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1176998.
Botha, R., & Gaadingwe, T. (2006). Refle cting on 20 SEC conferences. Computers &
Security, 25(4), 247 -256. doi: 10.1016/j.cose.2006.04.002.
Cadbury Report. (1992). Report of the Committe on Financial Aspects of Corporate
Governance. London: Gee.
Changepoint Corporation. (2004). Governance: The Board ʼs and the CIO's Business.
Retrieved January 1, 2005, from http://itresearch.forbes.com/detail/R.
136
136
Chipperfield, C., & Furnell, S. (2010). From security policy to practice: Sending the right messages. Computer Fraud & Security, 2010(3), 13-19. doi: 10.1016/S1361-3723(10)70025-7.
Choi, N., Kim, D., Goo, J., & Whitmore, A. (2008). Knowing is doing: An empirical validation of the relationship between managerial information security awareness and action. Information Management & Computer Security, 16(5), 484-501. doi: 10.1108/09685220810920558.
Collis, J., & Hussey, R. (2003). Business Research: A Practical Guide for Undergraduate and Postgraduate Students. Basingstoke, Hampshire, UK: Palgrave Macmillan.
Computer Fraud & Security. (2011). Online Journal. Retrieved November 1, 2011, from http://www.elsevier.com/wps/find/journaldescription.cws_home/405876/description#description.
Computers & Security. (2011). Online Journal. Retrieved November 1, 2011, from http://www.journals.elsevier.com/computers-and-security/.
Creswell, J. W. (1998). Qualitative inquiry and research design: Choosing among five traditions. Thousand Oaks, CA: Sage Publications Inc.
Da Veiga, A., & Eloff, J. (2010). A framework and assessment instrument for information security culture. Computers & Security, 29(2), 196-207. doi: 10.1016/j.cose.2009.09.002.
Deloitte. (2009). 2009 Consumer Business Global Security Study. Retrieved April 7, 2011, from http://www.deloitte-ftp.fr/lot-3.1-Crscfo/doc/09-318g_ers_cb_global_security_report_web_version(481808).pdf.
Dhillon, G. (2007). Principles of information systems security. Hoboken: John Wiley & Sons.
Dictionary.com. (2011). Online Dictionary. Retrieved October 16, 2011, from www.dictionary.com.
Dlamini, M. T., Eloff, J. H. P., & Eloff, M. M. (2009). Information security: The moving target. Computers & Security, 28(3-4), 189-198. doi: 10.1016/j.cose.2008.11.007.
Doherty, N., & Fulford, H. (2006). Aligning the information security policy with the strategic information systems plan. Computers & Security, 25(1), 55-63. doi: 10.1016/j.cose.2005.09.009.
Drugescu, C., & Etges, R. (2006). Maximizing the Return on Investment on Information Security Programs: Program Governance and Metrics. Information Systems Security, 15(6), 30-40. doi: 10.1080/10658980601051482.
Eloff, J. H. P., & Eloff, M. M. (2005). Information security architecture. Computer Fraud & Security, 2005(11), 10-16. doi: 10.1016/S1361-3723(05)70275-X.
Ernst & Young. (2009). Outpacing change: Ernst & Young's 12th Global Information Security Survey. Retrieved March 23, 2011, from http://www.ey.com/Publication/vwLUAssets/12th_annual_GISS_pub/$FILE/12th_annual_GISS_AU0383.pdf.
Ernst & Young. (2010). Borderless security: Ernst & Young's 13th Global Information Security Survey. Retrieved April 26, 2011, from http://www.ey.com/Publication/vwLUAssets/Global_information_security_survey_2010_advisory/$FILE/GISS report_final.pdf.
Flowerday, S., & Von Solms, R. (2009). What constitutes information integrity? SA Journal of Information Management, 9(4). Retrieved August 18, 2011, from http://sajim.co.za/index.php/SAJIM/article/view/201.
Fulford, H., & Doherty, N. F. (2003). The application of information security policies in large UK-based organizations: an exploratory investigation. Information Management & Computer Security, 11(3), 106-114. doi: 10.1108/09685220310480381.
Furnell, S. (2005). Why users cannot use security. Computers & Security, 24(4), 274-279. doi: 10.1016/j.cose.2005.04.003.
Furnell, S. (2006). Malicious or misinformed? Exploring a contributor to the insider threat. Computer Fraud & Security, 2006(9), 8-12. doi: 10.1016/S1361-3723(06)70419-5.
Furnell, S., & Thomson, K.-L. (2009). From culture to disobedience: Recognising the varying user acceptance of IT security. Computer Fraud & Security, 2009(2), 5-10. doi: 10.1016/S1361-3723(09)70019-3.
Gerber, M., & Von Solms, R. (2008). Information security requirements – Interpreting the legal aspects. Computers & Security, 27(5-6), 124-135. doi: 10.1016/j.cose.2008.07.009.
Girard, K. (2002). Three big breakdowns of 2001. Retrieved January 1, 2005, from http://www.findarticles.com/p/articles/.
Govier, T. (2010). A Practical Study of Argument. Belmont: Wadsworth Publishing.
Grobler, T., & Von Solms, Sh. (2004). Assessing the Policy Dimension. Proceedings of the Information Security South Africa Conference. Retrieved April 6, 2011, from http://icsa.cs.up.ac.za/issa/2004/Proceedings/Full/051.pdf.
Gupta, A., & Hammond, R. (2005). Information systems security issues and decisions for small businesses: An empirical examination. Information Management & Computer Security, 13(4), 297-310. doi: 10.1108/09685220510614425.
Hagen, J. M., Albrechtsen, E., & Hovden, J. (2008). Implementation and effectiveness of organizational information security measures. Information Management & Computer Security, 16(4), 377-397. doi: 10.1108/09685220810908796.
Handley-Schachler, M., Juleff, L., & Paton, C. (2007). Corporate governance in the financial services sector. Corporate Governance, 7(5), 623-634. doi: 10.1108/14720700710827202.
Haruvy, E., & Stahl, D. O. (2004). Deductive versus inductive equilibrium selection: experimental results. Journal of Economic Behavior & Organization, 53(3), 319-331. doi: 10.1016/j.jebo.2002.10.001.
Hofstee, E. (2006). Constructing a good dissertation: A Practical Guide to Finishing a Master's, MBA or PhD on Schedule. Johannesburg, SA: EPE.
Höne, K., & Eloff, J. H. P. (2002a). What Makes an Effective Information Security Policy? Network Security, 2002(6), 14-16. doi: 10.1016/S1353-4858(02)06011-7.
Höne, K., & Eloff, J. H. P. (2002b). Information security policy — what do international information security standards say? Computers & Security, 21(5), 402-409. doi: 10.1016/S0167-4048(02)00504-7.
Hong, K.-S., Chi, Y.-P., Chao, L. R., & Tang, J.-H. (2003). An integrated system theory of information security management. Information Management & Computer Security, 11(5), 243-248. doi: 10.1108/09685220310500153.
Hong, K.-S., Chi, Y.-P., Chao, L. R., & Tang, J.-H. (2006). An empirical study of information security policy on information security elevation in Taiwan. Information Management & Computer Security, 14(2), 104-115. doi: 10.1108/09685220610655861.
Hughes, M., & Stanton, R. (2006). Winning security policy acceptance. Computer Fraud & Security, 2006(5), 17-19. doi: 10.1016/S1361-3723(06)70358-X.
Humphreys, E. (2008). Information security management standards: Compliance, governance and risk management. Information Security Technical Report, 13(4), 247-255. doi: 10.1016/j.istr.2008.10.010.
Hunter, P. (2007). Is now the time to define a mobile security policy? Computer Fraud & Security, 2007(6), 10-12. Retrieved September 1, 2011, from http://www.sciencedirect.com/science/article/pii/S1361372307700763.
IEEE Security & Privacy. (2011). Online Journal. Retrieved November 1, 2011, from http://www.computer.org/portal/web/computingnow/securityandprivacy.
Information Management & Computer Security. (2011). Online Journal. Retrieved November 1, 2011, from http://www.emeraldinsight.com/products/journals/journals.htm?id=imcs.
Information Security Journal – A Global Perspective. (2011). Online Journal. Retrieved November 1, 2011, from http://www.tandf.co.uk/journals/uiss.
Institute of Directors South Africa. (2009). King III Code of Governance for South Africa.
ISO/IEC 13335-1. (2004). Information technology — Security techniques — Management of information and communications technology security. Part 1: Concepts and models for information and communications technology security management.
ISO/IEC 27001. (2005). Information technology — Security techniques — Information security management systems — Requirements. Retrieved April 12, 2011, from http://cdsweb.cern.ch/record/952907.
ISO/IEC 27002. (2005). Information technology — Security techniques — Code of practice for information security management.
ISO/IEC 27005. (2008). Information technology — Security techniques — Information security risk management.
ISO/IEC 38500. (2008). Corporate Governance of Information Technology.
IT Governance Institute. (2007). COBIT 4.1: Framework, Control Objectives, Management Guidelines, Maturity Models. Retrieved April 26, 2011, from http://scholar.google.com/scholar?hl=en&btnG=Search&q=intitle:Framework+Control+Objectives+Management+Guidelines+Maturity+Models#4.
Johnston, A. C., & Hale, R. (2009). Improved security through information security governance. Communications of the ACM, 52(1), 126. doi: 10.1145/1435417.1435446.
Kadam, A. W. (2007). Information Security Policy Development and Implementation. Information Systems Security, 16(5), 246-256. doi: 10.1080/10658980701744861.
Karyda, M., Kiountouzis, E., & Kokolakis, S. (2005). Information systems security policies: a contextual perspective. Computers & Security, 24(3), 246-260. doi: 10.1016/j.cose.2004.08.011.
Katsabas, D., Furnell, S. M., & Dowland, P. S. (2005). Using human computer interaction principles to promote usable security. Proceedings of the Fifth International Network Conference (INC 2005) (pp. 5-7).
Khansa, L., & Liginlal, D. (2009). Quantifying the benefits of investing in information security. Communications of the ACM, 52(11), 113. doi: 10.1145/1592761.1592789.
Killmeyer, J. (2006). Information security architecture. Boca Raton: Auerbach Publications.
Knapp, K. J., Franklin Morris Jr., R., Marshall, T. E., & Byrd, T. A. (2009). Information security policy: An organizational-level process model. Computers & Security, 28(7), 493-508. doi: 10.1016/j.cose.2009.07.001.
Knapp, K. J., Marshall, T. E., Rainer, R. K., & Ford, F. N. (2006). Information security: management's effect on culture and policy. Information Management & Computer Security, 14(1), 24-36. doi: 10.1108/09685220610648355.
Knapp, K., Marshall, T., Rainer, R. K., & Morrow, D. (2006). The Top Information Security Issues Facing Organizations: What Can Government do to Help? EDPACS, 34(4), 1-10. doi: 10.1201/1079.07366981/46351.34.4.20061001/95104.1.
Ko, D., & Fink, D. (2010). Information technology governance: An evaluation of the theory-practice gap. Corporate Governance, 10(5), 662-674. doi: 10.1108/14720701011085616.
Koskosas, I., Pavlitsas, K., & Kakoulidis, K. (2011). Management of Information Systems Security Based on a Goal Setting Strategy. International Journal of Business Management and Economic Research (IJBMER), 2(1), 131-139. Retrieved April 13, 2011, from http://ijbmer.com/docs/volumes/vol2issue1/ijbmer2011020103.pdf.
Kraemer, S., Carayon, P., & Clem, J. (2009). Human and organizational factors in computer and information security: Pathways to vulnerabilities. Computers & Security, 28(7), 509-520. doi: 10.1016/j.cose.2009.04.006.
Krippendorff, K. (2004). Content analysis: An introduction to its methodology (2nd ed.). California: Sage Publications.
Kritzinger, E., & Smith, E. (2008). Information security management: An information security retrieval and awareness model for industry. Computers & Security, 27(5-6), 224-231. doi: 10.1016/j.cose.2008.05.006.
Lacey, D. (2010). Understanding and transforming organizational security culture. Information Management & Computer Security, 18(1), 4-13. doi: 10.1108/09685221011035223.
Malin, A. (2007). Designing Networks that Enforce Information Security Policies. Information Systems Security, 16(1), 47-53. doi: 10.1080/10658980601051490.
Mason, S. (2003). Electronic security is a continuous process. Computer Fraud & Security, 2003(1), 13-15. Retrieved September 2, 2011, from http://www.sciencedirect.com/science/article/pii/S1361372303010133.
McConnell, J. (1994). National Training Standard for Information Systems Security (INFOSEC) Professionals. National Security Agency/Central Security Service, Fort George G. Meade, MD. Retrieved April 26, 2011, from http://www.stormingmedia.us/31/3114/A311404.pdf.
NIST 800-50. (2003). Building an information technology security awareness and training program. NIST Special Publication. Retrieved May 26, 2011, from http://csrc.nist.gov/publications/PubsSPs.html.
NIST 800-53. (2009). Recommended security controls for federal information systems and organizations. NIST Special Publication. Retrieved April 12, 2011, from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.157.7599&rep=rep1&type=pdf.
NIST 800-53A. (2010). Guide for Assessing the Security Controls in Federal Information Systems and Organizations. NIST Special Publication. Retrieved April 12, 2011, from http://csrc.nist.gov/publications/PubsSPs.html.
NIST 800-60. (2008). Guide for Mapping Types of Information and Information Systems to Security Categories. NIST Special Publication, Vol. 1. Retrieved May 15, 2011, from http://csrc.nist.gov/publications/nistbul/July-2004.pdf.
Noor, K. B. (2008). Case Study: a strategic research methodology. American Journal of Applied Sciences, 5(11).
Ohki, E., Harada, Y., Kawaguchi, S., Shiozaki, T., & Kagaya, T. (2009). Information security governance framework. Proceedings of the first ACM workshop on Information security governance (pp. 1-6). ACM. Retrieved April 4, 2011, from http://portal.acm.org/citation.cfm?id=1655170.
Palmer, M. E., Robinson, C., Patilla, J. C., & Moser, E. P. (2001). Information Security Policy Framework: Best Practices for Security Policy in the E-commerce Age. Information Systems Security, 10(2), 1-15. doi: 10.1201/1086/43314.10.2.20010506/31399.4.
Peltier, T. R. (2004). Developing an Enterprisewide Policy Structure. Information Security Journal: A Global Perspective, 13(1), 44-50. Retrieved September 1, 2011, from http://scholar.google.com/scholar?hl=en&btnG=Search&q=intitle:Developing+an+Enterprisewide+Policy+Structure#0.
Pfleeger, C. P., & Pfleeger, S. L. (2007). Security in computing (4th ed.). Boston: Pearson Education.
Poore, R. S. (2001). Information Security Standards: Deluge and Dearth. Information Systems Security, 10(1), 1-6. doi: 10.1201/1086/43313.10.1.20010304/31392.4.
Poore, R. S. (2005). Information Security Governance. EDPACS, 33(5), 1-8. doi: 10.1201/1079.07366981/45653.33.5.20051101/91005.1.
Post, G., & Kagan, A. (2006). Information Security Tradeoffs: The User Perspective. Information Systems Security, 15(5), 22-29. doi: 10.1201/1086.1065898X/46353.15.4.20060901/95428.4.
Posthumus, S., & Von Solms, R. (2004). A framework for the governance of information security. Computers & Security, 23(8), 638-646. doi: 10.1016/j.cose.2004.10.006.
Posthumus, S., & Von Solms, R. (2005). IT oversight: an important function of corporate governance. Computer Fraud & Security. Retrieved September 5, 2011, from http://www.sciencedirect.com/science/article/pii/S1361372305702220.
Posthumus, S., Von Solms, R., & King, M. (2010). The board and IT governance: The what, who and how. South African Journal of Business Management, 41(3), 23-32.
Rainer, R. K., Marshall, T. E., Knapp, K. J., & Montgomery, G. H. (2007). Do Information Security Professionals and Business Managers View Information Security Issues Differently? Information Systems Security, 16(2), 100-108. doi: 10.1080/10658980701260579.
Ravenel, J. P. (2006). Effective operational security metrics. Information Systems Security, 15(3), 10-17. Retrieved September 1, 2011, from http://scholar.google.com/scholar?hl=en&btnG=Search&q=intitle:Effective+Operational+Security+Metrics#0.
Rees, J. (2010). Information security for small and medium-sized business. Computer Fraud & Security, 2010(9), 18-19. doi: 10.1016/S1361-3723(10)70123-8.
Ruighaver, A. B., Maynard, S. B., & Warren, M. (2010). Ethical decision making: Improving the quality of acceptable use policies. Computers & Security, 29(7), 731-736. doi: 10.1016/j.cose.2010.05.004.
Schultz, E. (2005). The human factor in security. Computers & Security, 24(6), 425-426. doi: 10.1016/j.cose.2005.07.002.
Sinclair, S., & Smith, S. W. (2010). What's Wrong with Access Control in the Real World? IEEE Security & Privacy, 8(4), 74-77. Retrieved September 1, 2011, from http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5523870.
Siponen, M., & Willison, R. (2009). Information security management standards: Problems and solutions. Information & Management, 46(5), 267-270. doi: 10.1016/j.im.2008.12.007.
Styles, M., & Tryfonas, T. (2009). Using penetration testing feedback to cultivate an atmosphere of proactive security amongst end-users. Information Management & Computer Security, 17(1), 44-52. doi: 10.1108/09685220910944759.
Sveen, F. O., Torres, J. M., & Sarriegi, J. M. (2009). Blind information security strategy. International Journal of Critical Infrastructure Protection, 2(3), 95-109. doi: 10.1016/j.ijcip.2009.07.003.
Syamsuddin, I., & Hwang, J. (2010). Visualization of strategic information security decision. International Journal of Academic Research, 2(3), 92-95. Retrieved April 13, 2011, from http://www.ijar.lit.az/pdf/5/2010(3-13).pdf.
Tellis, W. (1997). Introduction to Case Study. The Qualitative Report, 3(2).
Thomson, K.-L., & Von Solms, R. (2006). Towards an information security competence maturity model. Computer Fraud & Security, 2006(5), 11-15. Retrieved May 4, 2011, from http://linkinghub.elsevier.com/retrieve/pii/S1361372306703566.
Thomson, K.-L., Von Solms, R., & Louw, L. (2006). Cultivating an organizational information security culture. Computer Fraud & Security, 2006(10), 7-11. Retrieved May 4, 2011, from http://linkinghub.elsevier.com/retrieve/pii/S1361372306704304.
Tirado, I. (2008). Business oriented information security requirements development. Proceedings of the 5th annual conference on Information security curriculum development (pp. 56-58). ACM. Retrieved May 4, 2011, from http://portal.acm.org/citation.cfm?id=1456642.
Tsohou, A., Kokolakis, S., Lambrinoudakis, C., & Gritzalis, S. (2010). A security standards' framework to facilitate best practices' awareness and conformity. Information Management & Computer Security, 18(5), 350-365. doi: 10.1108/09685221011095263.
Tsoumas, V., & Tryfonas, T. (2004). From risk analysis to effective security management: towards an automated approach. Information Management & Computer Security, 12(1), 91-101. doi: 10.1108/09685220410518856.
Tuyikeze, T., & Pottas, D. (2010). An Information Security Policy Development Life Cycle. South African Information Security Multi-Conference (SAISMC 2010) (pp. 165-176). Port Elizabeth.
Van Niekerk, J., & Von Solms, R. (2010). Information security culture: A management perspective. Computers & Security, 29(4), 476-486. doi: 10.1016/j.cose.2009.10.005.
Verdon, D. (2006). Security policies and the software developer. IEEE Security & Privacy, 4(4), 42-49.
Von Solms, B. (2001). Information Security – A Multidimensional Discipline. Computers & Security, 20(6), 504-508. Retrieved May 4, 2011, from http://linkinghub.elsevier.com/retrieve/pii/S0167404801006083.
Von Solms, B. (2005). Information Security governance: COBIT or ISO 17799 or both? Computers & Security, 24(2), 99-104. doi: 10.1016/j.cose.2005.02.002.
Von Solms, B. (2006). Information Security – The Fourth Wave. Computers & Security, 25(3), 165-168. doi: 10.1016/j.cose.2006.03.004.
Von Solms, B., & Von Solms, R. (2005). From information security to… business security? Computers & Security, 24(4), 271-273. doi: 10.1016/j.cose.2005.04.004.
Von Solms, R., & Futcher, L. (2007). SecSDM: A Model for Integrating Security into the Software Development Life Cycle. IFIP International Federation for Information Processing (Vol. 237, pp. 41-48). Boston: Springer. Retrieved May 24, 2011, from http://dl.ifip.org/index.php/ifip/article/view/11251.
Von Solms, R., Thomson, K.-L., & Maninjwa, P. M. (2011). Information Security Governance control through comprehensive policy architectures. Information Security South Africa (ISSA), Johannesburg, South Africa, 15-17 Aug 2011.
Von Solms, R., & Von Solms, B. (2004). From policies to culture. Computers & Security, 23(4), 275-279. doi: 10.1016/j.cose.2004.01.013.
Von Solms, R., & Von Solms, Sh. (2006a). Information security governance: Due care. Computers & Security, 25(7), 494-497. Retrieved May 4, 2011, from http://linkinghub.elsevier.com/retrieve/pii/S0167404806001441.
Von Solms, R., & Von Solms, Sh. (2006b). Information security governance: A model based on the direct-control cycle. Computers & Security, 25(6), 408-412. doi: 10.1016/j.cose.2006.07.005.
Von Solms, R., & Von Solms, S. H. (2009). Information Security Governance. Boston, MA: Springer US. doi: 10.1007/978-0-387-79984-1.
Von Solms, S. (2005). Information Security Governance – Compliance management vs operational management. Computers & Security, 24(6), 443-447. doi: 10.1016/j.cose.2005.07.003.
Wahsheh, L. A., & Alves-Foss, J. (2008). Security Policy Development: Towards a Life-Cycle and Logic-Based Verification Model. American Journal of Applied Sciences, 5(9), 1117-1126. Retrieved September 18, 2011, from http://www.freepatentsonline.com/article/American-Journal-Applied-Sciences/182425021.html.
Werlinger, R., Hawkey, K., & Beznosov, K. (2009). An integrated view of human, organizational, and technological challenges of IT security management. Information Management & Computer Security, 17(1), 4-19. doi: 10.1108/09685220910944722.
Whitman, M. E., & Mattord, H. J. (2010). Management of information security (3rd ed.). Boston: Course Technology.
Wiant, T. (2005). Information security policy's impact on reporting security incidents. Computers & Security, 24(6), 448-459. doi: 10.1016/j.cose.2005.03.008.
Wing, S. (2006). The importance of incorporating security requirements within system architecture rather than incorporating retrofitting controls to an insecure design. Computer Fraud & Security, 2006(10), 12-15. doi: 10.1016/S1361-3723(06)70431-6.
Yin, R. K. (2003). Case Study Research: Design and Methods (3rd ed.). California: Sage Publications Inc.
Zhang, J., Reithel, B. J., & Li, H. (2009). Impact of perceived technical protection on security behaviors. Information Management & Computer Security, 17(4), 330-340. doi: 10.1108/09685220910993980.