High-Level Self-Sustaining Information Security Management Framework

2017, Vol 5 (1), pp. 107-123
Author(s): Laima Kauspadiene, Antanas Cenys, Nikolaj Goranin, Simon Tjoa, ...

2019, Vol 25 (5), pp. 979-997
Author(s): Laima Kaušpadienė, Simona Ramanauskaitė, Antanas Čenys

Information security is one of the key concerns of an enterprise or organization. To assure suitable management of information security, a list of information security management frameworks has been developed by a number of institutions and authors. Condensed information in an information security management framework is very important to small and medium enterprises, as this type of enterprise usually lacks the resources for information security expertise and deep analysis. At the same time, the information security management process and its frameworks are very complex and involve a large number of different elements. Existing comparisons of these frameworks are very shallow, as all compared properties are treated as equally important. In real life, the importance of the different criteria of an information security management framework, and their suitability for small and medium enterprises, varies. Therefore, we use the Analytic Hierarchy Process to construct a hierarchy of the quality and applicability criteria of information security management frameworks for small and medium enterprises and to define a weight for each criterion. The weights express the relative importance of the criteria, and the resulting comparison of the alternatives (five information security management frameworks) is more realistic (closer to expert opinion) than existing comparisons.
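The abstract's core argument is that equal-weight comparisons and weighted comparisons can rank the same frameworks differently. The following script is an added example written for this page, not code or data from the paper: it implements the standard AHP steps (pairwise comparison matrix, column-normalised priority vector, Saaty's consistency ratio, weighted-sum ranking) and runs them on three hypothetical criteria, hypothetical pairwise judgements and hypothetical scores for five fictitious frameworks named FW-A to FW-E. None of those names, judgements or scores come from the paper.

```python
"""AHP weighting for a framework comparison (added worked example).

Written for this page as an illustration; not code or data from the paper.
The criteria, the pairwise judgements and the per-framework scores are
hypothetical placeholders chosen to show the mechanics.
"""
from typing import Dict, List, Sequence, Tuple

# Saaty's random consistency index by matrix size n (standard AHP table).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32}

# Hypothetical criteria for judging an ISMS framework's fit for an SME.
CRITERIA = ["SME fit", "Completeness", "Implementation cost"]

# Hypothetical pairwise judgements on Saaty's 1..9 scale, reciprocals below
# the diagonal: "SME fit" is judged 2x as important as "Completeness" and
# 4x as important as "Implementation cost".
CRITERIA_PAIRWISE = [
    [1.0, 2.0, 4.0],
    [0.5, 1.0, 2.0],
    [0.25, 0.5, 1.0],
]

# Hypothetical per-criterion scores (0..1) for five fictitious frameworks.
FRAMEWORK_SCORES: Dict[str, Sequence[float]] = {
    "FW-A": (0.9, 0.3, 0.5),
    "FW-B": (0.4, 0.9, 0.8),
    "FW-C": (0.6, 0.6, 0.7),
    "FW-D": (0.5, 0.4, 0.9),
    "FW-E": (0.3, 0.7, 0.5),
}


def priority_vector(pairwise: Sequence[Sequence[float]]) -> List[float]:
    """Approximate the principal eigenvector of a reciprocal pairwise matrix:
    normalise every column to sum to 1, then average each row."""
    n = len(pairwise)
    col_sums = [sum(pairwise[i][j] for i in range(n)) for j in range(n)]
    return [sum(pairwise[i][j] / col_sums[j] for j in range(n)) / n
            for i in range(n)]


def consistency_ratio(pairwise: Sequence[Sequence[float]],
                      weights: Sequence[float]) -> float:
    """Saaty's consistency ratio CR = CI / RI. Judgements with CR > 0.1 are
    conventionally sent back to the expert for revision."""
    n = len(pairwise)
    if n <= 2:
        return 0.0
    # lambda_max is estimated as the mean of (A w)_i / w_i.
    aw = [sum(pairwise[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / weights[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def rank_alternatives(scores: Dict[str, Sequence[float]],
                      weights: Sequence[float]) -> List[Tuple[str, float]]:
    """Weighted-sum score per alternative, best first."""
    totals = {name: sum(w * s for w, s in zip(weights, row))
              for name, row in scores.items()}
    return [(name, round(total, 3))
            for name, total in sorted(totals.items(), key=lambda kv: -kv[1])]


def compare(pairwise=CRITERIA_PAIRWISE, scores=FRAMEWORK_SCORES):
    """Return (AHP weights, CR, AHP-weighted ranking, equal-weight ranking)."""
    weights = priority_vector(pairwise)
    cr = consistency_ratio(pairwise, weights)
    equal = [1.0 / len(weights)] * len(weights)
    return (weights, cr,
            rank_alternatives(scores, weights), rank_alternatives(scores, equal))


if __name__ == "__main__":
    weights, cr, ahp_rank, equal_rank = compare()
    for name, w in zip(CRITERIA, weights):
        print(f"{name:20s} weight {w:.3f}")
    print(f"consistency ratio {cr:.3f}")
    print("equal-weight ranking:", equal_rank)
    print("AHP-weighted ranking:", ahp_rank)
```

With these placeholder inputs the equal-weight ranking puts FW-B first, while the AHP-weighted ranking puts FW-A first, which is exactly the kind of reversal the abstract describes. The consistency ratio is the check a practitioner would want before trusting the weights: the sample matrix is perfectly consistent (CR = 0), whereas a circular set of judgements (A over B, B over C, C over A) pushes CR well above the customary 0.1 threshold.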


2016, Vol 14 (3), pp. 254-271
Author(s): Sameera Mubarak

Purpose: This paper aims to identify organizations' information security issues and to explore dynamic, organizational culture and contingency theories in order to develop an implementable framework for information security systems in human service organizations (HSOs) that is grounded in both theory and practice.

Design/methodology/approach: The paper includes a critical review of global information security management issues for HSOs and of the relevant multi-disciplinary organizational theories that address them.

Findings: Effective information security management can be particularly challenging for HSOs because of their use of volunteer staff in a borderless electronic environment. A major issue is organizations' lack of recognition of the need for staff awareness of information security threats and for training in secure work practices, particularly in maintaining clients' privacy and confidentiality. The dynamic theory of organizational knowledge creation, organizational culture theory and contingency theory were identified as the most suitable theoretical perspectives to address this issue and to underpin an effective information security management framework for HSOs.

Research limitations/implications: The theory-based framework presented here has not been tested in practice; such testing will be carried out in further research.

Originality/value: Currently, there is no framework for information security systems in HSOs. The framework developed here provides a foundation on which HSOs can build information security systems specific to their needs.


2014, Vol 4 (2), pp. 46-62
Author(s): Riku Nykänen, Tommi Kärkkäinen

Assuring information security is a necessity in modern organizations. Many recommendations for information security management exist, which can be used to define a baseline of information security requirements. ISO/IEC 27001 prescribes a process for an information security management system, and guidance on implementing security controls is provided in ISO/IEC 27002. The Finnish National Security Auditing Criteria (KATAKRI) were developed by the national authorities in Finland as a tool to verify the maturity of information security practices. KATAKRI defines both security control objectives and the security controls that meet each objective. Here the authors compare and align these two specifications at the process, structural and operational levels, focusing on the security control objectives and the actual controls. Even though both specifications share the same topics at a high level, the results reveal differences in scope and in the included security controls.

