Security Policy


Name: Stephen Frias

BSIT 4

LEARNING MODULE IN APPLICATION DEVELOPMENT AND EMERGING TECHNOLOGIES

SECURITY POLICY

I. Intended Learning Outcomes

Information security officers, practitioners and academics agree that information security policy is the
basis of any organisation’s information security. Information security practitioners also agree that it is
rare for an information security policy to bring about the desired results. In order to study and analyse
this problem, academics have focused on various methods of motivating employees toward policy
compliance; however, they have not paid much attention to employees’ expectations and to how they
perceive the information security policy. Employees’ satisfaction with, and awareness of, the information
security policy is also critical, as it may improve the security level by decreasing internal threat risks. This
thesis analyses an organisation’s employees’ expectations about information security policies based on a
framework formed around internal threat motivation, consequences, security behaviour and security
countermeasures. A single case study was therefore adopted in this thesis. The study outcomes, along
with the case study findings, state that employees’ expectations toward an information security policy
should be given much attention when forming security regulations and also when implementing the
information security policy within the organisation. The thesis concludes that employees’ security
behaviour is related to their information security background and awareness, as well as to security
countermeasures: if the countermeasures are perceived negatively, they may increase the risk of internal
threat. Finally, security countermeasures must be defined before negative actions are taken toward
employees, and information security training should be scheduled regularly within the organisation and
arranged according to the professions of the organisational groups.

II. Introduction

The field of information security has been a hot topic recently, with many studies and research projects
taking place in this field. Information security has changed from being purely a technical issue, seen from
a technology point of view, into a completely different perspective, in which information security has
become a much wider term concerning the secure management of an organisation’s assets (Pearlson &
Saunders 2009). The secure management of an organisation’s assets comprises the organisational
procedures, structures, people, and processes. The basis for these assumptions, as presented by researchers
and professionals (e.g., Pearlson & Saunders 2009; Siponen & Vance 2010; Von Solms, Thomson & Maninjwa
2011), and for the important information security considerations (Ward & Peppard 2002) from an
organisational point of view, is an IS (Information Security) policy. Building an organisational information
security plan on this basis to secure the management of its assets is a challenge in itself (Tipton & Krause
2008). Also, although organisations dedicate significant resources to implementing IS plans and policies,
these plans rarely achieve the desired goals or objectives (Klaic & Hadjina 2011). The obstacles are mainly
caused by employees, who rarely follow the IS policies (Waugh 2008).

Information security policy is mainly implemented to influence people’s perceptions of IS within
organisations (Caruso 2003) and to raise awareness among them of the critical factors and risks involved in
IS. The information security policy is a significant element in any organisation; moreover, it is affected by
the social environment of the organisation and is therefore subject to change (Peltier 2002). If people in an
organisation perceive the information security policy differently from the organisation’s information
security officers or experts, the policy will not be effective and, more importantly, its overall objectives
cannot be achieved (Pearlson & Saunders 2009). Siponen and Vance (2010) have also suggested that, in
order to improve the IS policy in any organisation, the perceptions of the people in the organisation need to
be studied.

III. Advanced Organizer

Advanced Organizer Strengths:

1. Advance organizers can only be beneficial if the students comprehend the previously taught topic.

2. Students may see advanced organizers as their main information reference for the topic being taught,
which can lead to less note taking.

3. It is not a teaching tool that can always be used for every topic.

Advance organizers are more beneficial for learners who lack prior knowledge on the subject matter.

Advance organizers create good visuals for the students to use while learning.

IV. Input

While security policies themselves don't solve problems, and in fact can actually complicate things unless
they are clearly written and observed, policy does define the ideal toward which all organizational efforts
should point. By definition, security policy refers to clear, comprehensive, and well-defined plans, rules,
and practices that regulate access to an organization's systems and the information held in them. Good
policy protects not only information and systems, but also individual employees and the organization as
a whole. It also serves as a prominent statement to the outside world about the organization's
commitment to security.

V. Assessment

After investing a considerable amount of time and effort in developing good security policies, you need
to be able to determine if your employees understand them and are following them. This section
includes tools and techniques that can be used to give you an indication of your policies’ effectiveness or
help you identify possible avenues for breaches in security. Some of these suggestions can also be used
to help identify areas where additional security and policy awareness training is needed. In addition,
some of the tools described below can be used to help enforce the policies that you develop.

VI. Bibliography

Pearlson, K. and Saunders, C. (2009), Strategic Management of Information Systems, John Wiley & Sons;
4th Edition (Mar 2009)

Siponen, M. and Vance, A. (2010), Neutralization: New Insights into the Problem of Employee
Information Systems Security Policy Violations, MIS Quarterly, Vol. 34, Issue 3 (September),
pp. 487-A12

Von Solms, R., Thomson, K. and Maninjwa, M. (2011), Information Security Governance control through
comprehensive policy architectures. IEEE Information Security South Africa (ISSA), 15-17 Aug, pp. 1-6

Tipton, H. and Krause, M. (2008), Information Security Management Handbook, Taylor & Francis Group;
6th Edition (2008)

Klaic, A. and Hadjina, N. (2011), Methods and tools for the development of information security policy:
A comparative literature review, IEEE MIPRO, 2011 Proceedings of the 34th International Convention,
(23-27 May), pp. 1532-1537

Waugh, B. (2008), Information Security Policy for Small Business, Information Security Writers. [WWW]
Available from: http://www.infosecwriters.com/text_resources/pdf/BWaugh_Policy.pdf [Accessed
07/03/12]

Caruso, J. (2003), Information Technology Security Policy: Keys to Success, University of Wisconsin,
volume 2003, issue 23, November.

Peltier, T. (2002), Information Security Policies, Procedures, and Standards, CRC Press