Paper Type
Complete Research Paper
Description
Information security is mainly considered an information technology topic. However, to implement information security successfully, an organization's information security program should reflect the business strategy. In many companies today, information security is enforced by the information technology department, based on what they think should be in place to protect their business from inside and outside threats and risks. Additionally, information security covers many different subjects. This makes it especially hard for small and medium-sized organizations to determine how they should design their information security program.

Therefore, we present the Information Security Focus Area Maturity Model (ISFAM). By identifying dependencies between various aspects of information security and representing them coherently in the ISFAM, the model is capable of determining the current information security maturity level. Involving the ISFAM model in the design process of an organization's information security program enables organizations to set up high-level guidelines based on their current status. These guidelines can be used to incrementally and structurally improve information security maturity within the organization. We have successfully evaluated the ISFAM assessment model through a single case study at a medium-sized telecommunications organization.
ISFAM: THE INFORMATION SECURITY FOCUS AREA MATURITY MODEL