Information Security Policy Framework: Best Practices for Security Policy in the E-commerce Age

“…Consequently, should a user wish to find guidance on their institution's stance on email or copyright infringement, there may well be significant confusion as to the which document[s] should be referenced. The existing literature recognises the need for organisations to develop an explicit framework of security policies, which clearly demonstrates the relationship between security policies and other security related documentation, such as standards, guidelines and procedures [Palmer et al, 2001;Kilman & Stamp, 2005]. The results of our study indicate that whilst frameworks of security documentation are evolving within the HE sector, they are by no means explicit and obvious to the user of such documentation.…”

“…Moreover, best practice suggests that the policy's stated objectives should be tailored to the organisational context in which it will be utilised, so that it is explicitly aligned with the host organisation's strategies, goals and culture, as well as the [5] specific risks that it is likely to face [Kilman & Stamp, 2005;Palmer et al, 2001;Stewart, 2000].…”

“…It clearly shows that the policy relates to an institution's complete IT infrastructure, and not just its Internet and networked resources; it reinforces the point that the policy should reflect both intended and unacceptable behaviours, and perhaps most importantly, it indicates that the policy should ultimately be focussed towards improving the performance of the institution's IT systems. An important area in which there was very little evidence that policies' were conforming to best practice relates to the need to tailor them to take account of organisational objectives and risks [Stewart, 2000;Palmer et al, 2001]. Policy objectives were typically stated in a fairly generic and predictable manner, with very little indication of any contextual tailoring.…”

“…Another policy makes the important point that as it may be very difficult, in a university context, to distinguish between personal and professional use of information resources, the University will rely on its employees to act 'responsibly and judiciously'. suggests that all security policies should be reviewed and revised at regular intervals [Palmer et al, 2001]. …”

Reinforcing the security of corporate information resources: A critical review of the role of the acceptable use policy

“…Consequently, should a user wish to find guidance on their institution's stance on email or copyright infringement, there may well be significant confusion as to the which document[s] should be referenced. The existing literature recognises the need for organisations to develop an explicit framework of security policies, which clearly demonstrates the relationship between security policies and other security related documentation, such as standards, guidelines and procedures [Palmer et al, 2001;Kilman & Stamp, 2005]. The results of our study indicate that whilst frameworks of security documentation are evolving within the HE sector, they are by no means explicit and obvious to the user of such documentation.…”

“…Moreover, best practice suggests that the policy's stated objectives should be tailored to the organisational context in which it will be utilised, so that it is explicitly aligned with the host organisation's strategies, goals and culture, as well as the [5] specific risks that it is likely to face [Kilman & Stamp, 2005;Palmer et al, 2001;Stewart, 2000].…”

“…It clearly shows that the policy relates to an institution's complete IT infrastructure, and not just its Internet and networked resources; it reinforces the point that the policy should reflect both intended and unacceptable behaviours, and perhaps most importantly, it indicates that the policy should ultimately be focussed towards improving the performance of the institution's IT systems. An important area in which there was very little evidence that policies' were conforming to best practice relates to the need to tailor them to take account of organisational objectives and risks [Stewart, 2000;Palmer et al, 2001]. Policy objectives were typically stated in a fairly generic and predictable manner, with very little indication of any contextual tailoring.…”

“…Another policy makes the important point that as it may be very difficult, in a university context, to distinguish between personal and professional use of information resources, the University will rely on its employees to act 'responsibly and judiciously'. suggests that all security policies should be reviewed and revised at regular intervals [Palmer et al, 2001]. …”

Reinforcing the security of corporate information resources: A critical review of the role of the acceptable use policy

“…It provides an enterprise with the basis of a strategy that will define the working culture and the behaviour that is expected of the organisation's employees [5]. Doherty, Anastasakis and Fulford [6] present a study that analyses the structure and content of university security policies.…”

Reflecting on the Ability of Enterprise Security Policy to Address Accidental Insider Threat

Analysing Business Losses Caused by Information Systems Risk: A Business Process Analysis Approach