Information Security Policy: A Management Practice Perspective

Moneer Alshaikh, Department of Computing and Information Systems, Melbourne School of Engineering, University of Melbourne, Victoria, Australia
Sean B. Maynard, Department of Computing and Information Systems, Melbourne School of Engineering, University of Melbourne, Victoria, Australia
Atif Ahmad, Department of Computing and Information Systems, Melbourne School of Engineering, University of Melbourne, Victoria, Australia
Shanton Chang, Department of Computing and Information Systems, Melbourne School of Engineering, University of Melbourne, Victoria, Australia

Abstract

Considerable research effort has been devoted to the study of Policy in the domain of Information Security Management (ISM). However, our review of ISM literature identified four key deficiencies that reduce the utility of the guidance to organisations implementing policy management practices. This paper provides a comprehensive overview of the management practices of information security policy and develops a practice-based model. The model provides comprehensive guidance to practitioners on the activities security managers must undertake for security policy development and allows practitioners to benchmark their current practice with the models suggested best practice. The model contributes to theory by mapping existing information security policy research in terms of the defined management practices.