Managing Information Security Through Policy Definition: Organizational Implications

  • Moufida Sadok
  • Paolo Spagnoletti
Conference paper


Organizations are more dependent than ever on the effective security of their information systems in order to ensure business continuity, efficiency and compliance with regulatory and governance frameworks. However, surveys of security breaches reveal that the security solutions and procedures implemented by enterprises are often ineffective. In particular, enterprises experience difficulties in assessing and managing their security risks, in applying appropriate security controls, and in preventing security threats. In this paper we explore the nature of a security policy, with a specific focus on the managerial and strategic implications of the security policy implementation process. Two examples are provided in order to lay the basis of a method for defining security policies aligned with both the operational and the strategic plans of an enterprise.


Keywords: Information Security, Security Policy, Customer Relationship Management, Security Solution, Security Incident



Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  1. Institute of Technology in Communications at Tunis, Ariana, Tunisia
  2. CeRSI – LUISS Guido Carli University, Rome, Italy
