Pacific Asia Journal of the Association for Information Systems


The technological scenario always played a critical role in Information Security. However, in recent years, this scenario has changed substantially, in ways not known so far. Characterized by different technological trends, like IT infrastructure outsourcing, cloud computing and mobility, this scenario created several new security challenges. The usual approach to deal with change in Information Security Management Systems (ISMS) is to execute a risk assessment review and to deploy new security controls. However, because of the disruptive nature of the technological scenario, that is not enough – new ways to plan the ISMS itself seem to be required. In this paper, these needed changed are identified and detailed, using ISO/IEC 27001 as a key reference. Based on risks mapped in the literature for key technological trends, checkpoints were created and inserted into the basic processes for important ISMS planning activities. The result is a support framework designed specifically for Security Policy definition and Risk Management. By modifying the usual process for each activity, the framework drives the creation of a security culture based on the awareness of the external scenario new risks. Applicability tests executed in a medium-sized organization showed that the framework can be easily plugged into real world situations. The main contribution of this research is the definition of new tool to help security practitioners better cope with the security challenges created by a disruptive technological scenario.

Available at: https://aisel.aisnet.org/pajais/vol5/iss3/4/