Information Security Policy: A Management Practice Perspective
This work offers incremental improvements for organizations implementing information security policy management by addressing specific deficiencies in current literature.
The paper addresses deficiencies in existing guidance for information security policy management by developing a practice-based model that provides comprehensive guidance for practitioners and benchmarks for best practices, while mapping existing research to defined management practices.
Considerable research effort has been devoted to the study of Policy in the domain of Information Security Management (ISM). However, our review of ISM literature identified four key deficiencies that reduce the utility of the guidance to organisations implementing policy management practices. This paper provides a comprehensive overview of the management practices of information security policy and develops a practice-based model that addresses the four aforementioned deficiencies. The model provides comprehensive guidance to practitioners on the activities security managers must undertake for security policy development and allows practitioners to benchmark their current practice with the models suggested best practice. The model contributes to theory by mapping existing information security policy research in terms of the defined management practices.