The purpose of this research paper is to investigate how global organizations monitor and evaluate the life cycle of policy formulation and implementation in order to cultivate sustainable information security policies. Globalization is one of the most important issues facing organizations today. It is particularly salient for global organizations, which operate in numerous political, cultural, legal, geographic and economic environments and by necessity must sometimes delegate decisions to local managers.
Global organizations face unique challenges in cultivating information security policies: policy differences arising from the varying risk acceptance and tolerance levels of business units, internal and external requirements at the local, national and regional levels, and cultural differences. In some cases a global organization may require region-specific information security policies that are more restrictive than its global information security policy.
In business, an information security policy is a document that states in writing how a company plans to protect the company's physical and information technology assets. An information security policy is often considered to be a "living document", meaning that the document is never finished, but is continuously updated as technology, regulations and business requirements change. The information from systematic monitoring serves as a critical input to evaluation, formulation, and implementation of the information security policies.
The literature review will be used to investigate, explore and understand the factors involved in monitoring the formulation, implementation and evaluation of information security policies, with the aim of cultivating sustainable information security policies in a global organization.
The Research Problem
The research problem of this study is to investigate how global organizations monitor and evaluate the life cycle of policy formulation and implementation in order to cultivate sustainable information security policies. The information security of a global organization may be left in a less effective state when dynamic changes in technology and in regulations at the local, national and regional levels are not followed, reviewed, monitored and evaluated on a timely basis and then formulated and implemented into the organization's information security policies. Monitoring and evaluation is an essential element of the information security policy life cycle, particularly of the process of policy formulation and implementation. Global organizations need to cultivate information security policies beyond their formulation and implementation.
Importance of research problem
Successful monitoring of information security policies is critical in today's environment of rapid change, in which global organizations face challenges in addressing information security policy compliance and effectiveness. Effective information security policy monitoring practices must be in place at global organizations to ensure the success of sustainable information security policies.
Information security covers people and process issues as well as technology, so monitoring and evaluation of information security policies in a global organization needs to be integrated into a process that involves input from various regions, regulations and business units.
The results of this study will help practitioners understand how global organizations can cultivate sustainable information security policies through process monitoring and evaluation.
The information security of an organization may be left in a less effective state when its information security policies become stale and fall out of alignment with business objectives, external regulatory requirements and best practices. A critical component in the development of information security policies is reliance on external standards such as ISO 27001/27002. Information security weaknesses in organizations often result from an inability to keep up with dynamic changes in regulation, technology and industry best practices relevant to the global organization's business, its senior management and its information security policies. In global organizations the same weakness arises when changes in technology and in regulations at the local, national and regional levels are not followed, reviewed, monitored and evaluated on a timely basis. One way to implement good information security practice in a global organization is to ensure that a detailed information security policy is in place. The content of the policy is particularly significant: it should be monitored for changes after it is adopted, both to keep it relevant and to understand whether observed changes are attributable to the policy or program.
Definitions of Terms
For the purposes of this paper:
- Evaluation is a specific and in-depth review done after certain time intervals, when substantive steps of information security policy implementation have already been made and tangible changes and policy impacts are expected to have materialized and can be assessed.
- Information Security Policy is defined as a document that states in writing how an organization plans to protect its physical and information technology assets.
- Impact is defined as the degree to which a security failure has the potential to result in harm or loss.
- Monitoring refers to the continuous observation of the process of policy implementation and of the progress achieved. Policy monitoring can be defined as "the assessment of the functioning of policy, and the results achieved. It addresses, as appropriate, issues of both policy application and compliance."
- Security is defined as the state of being free from unacceptable risk. Thus, information security focuses on reducing the risk of computing and communication systems, especially in regard to the misuse, destruction, modification or inappropriate disclosure of information either by intent or accident.
The main research question for this study is formulated as:
- How can a global organization cultivate sustainable information security policies?
This study will answer the following research questions:
- What factors impact the elements of policy monitoring?
- How are global organizations cultivating sustainable information security policies?
- What are the main challenges that information security professionals face in cultivating information security policies in a global organization?
- What concepts and approaches are applied in cultivating information security policies in a global organization?
- Are the information security policies designed to support the organization's objectives?
- Are the information security policies designed to support the organization's management of risk?