Similar literature (20 results)
1.
It is a well-known fact that the information security policy is one of the most important controls needed within an organization to manage the implementation and ensure the effectiveness of information security. The information security policy is essentially the direction-giving document in an organization and defines the broad boundaries of information security. Furthermore, it indicates management’s commitment to, and support for, information security in an organization and defines the role it has to play in reaching and supporting the organization’s vision and mission.

2.
Development of the information security policy is a critical activity. Credibility of the entire information security program of an organization depends upon a well-drafted information security policy. Most of the stakeholders do not have time or inclination to wade through a lengthy policy document. This article tries to formulate an approach to the information security policy development that will make the policy document capture the essentials of information security as applicable to a business. The document will also convey the urgency and importance of implementing the policy, not only in letter but also in spirit.

3.
Information security has become increasingly important to organizations. Despite the prevalence of technical security measures, individual employees remain the key link – and frequently the weakest link – in corporate defenses. When individuals choose to disregard security policies and procedures, the organization is at risk. How, then, can organizations motivate their employees to follow security guidelines? Using an organizational control lens, we build a model to explain individual information security precaution-taking behavior. Specific hypotheses are developed and tested using a field survey. We examine elements of control and introduce the concept of ‘mandatoriness,’ which we define as the degree to which individuals perceive that compliance with existing security policies and procedures is compulsory or expected by organizational management. We find that the acts of specifying policies and evaluating behaviors are effective in convincing individuals that security policies are mandatory. The perception of mandatoriness is effective in motivating individuals to take security precautions; thus, if individuals believe that management watches, they will comply.

4.
Security policies: the phrase that strikes fear in the hearts of many security professionals. Policy and policy enforcement are a critical part of any organization’s security posture. Unfortunately, many administrators find policy mundane or frustrating. When it comes to wireless security, a clear and complete policy is even more critical. Few other technologies can punch a hole into the core of an organization’s network like wireless. Thankfully for security professionals and their employers, wireless networks are new, interesting, and dangerous enough to actually warrant interest in creating and enforcing a policy.

5.
Information system (IS) security continues to present a challenge for executives and professionals. A large part of IS security research is technical in nature with limited consideration of people and organizational issues. The study presented in this paper adopts a broader perspective and presents an understanding of IS security in terms of the values of people from an organizational perspective. It uses the value-focused thinking approach to identify 'fundamental' objectives for IS security and 'means' of achieving them in an organization. Data for the study were collected through in-depth interviews with 103 managers about their values in managing IS security. Interview results suggest 86 objectives that are essential in managing IS security. The 86 objectives are organized into 25 clusters of nine fundamental and 16 means categories. These results are validated by a panel of seven IS security experts. The findings suggest that for maintaining IS security in organizations, it is necessary to go beyond technical considerations and adopt organizationally grounded principles and values.

6.
A key success factor in implementing computer security is the much discussed and important issue of management commitment. Management commitment is demonstrated through the effective fostering of a computer security policy within the organization. Many textbooks provide guidelines on what to include or exclude in compiling a computer security policy. However, little is said about issues such as accountability, responsibility and the actual scope of computer security. This paper will address various issues of critical importance in compiling a computer security policy.

7.
This study presents an empirical investigation of employees’ extra-role behaviour in the information security context based on person–organisation fit theory. The perspective of fit evaluates the differences and similarities between information security policy makers and practitioners to provide employees with an approach to decide whether and how to participate in the implementation of extra security actions. We developed a research model and then conducted a survey and PLS-SEM analysis to test the corresponding hypotheses. The results illustrate that perceived demand–ability fit, perceived need–supply fit, and perceived value fit are effective in motivating security commitment. The empirical evidence shows that security commitment is a partial mediator between complementary fits (demand–ability fit and need–supply fit) and participation intention and is a full mediator between supplementary fit (value fit) and participation intention. In addition, apathy reduces motivation to engage in extra-role behaviour, while value fit and security commitment eliminate such apathy.

8.
Taking into account the actual situation of distributed enterprises and following the relevant information security architecture standards, this paper proposes information security planning principles and objectives for distributed enterprises. Based on these principles and objectives, it puts forward specific implementation and design specification principles from three aspects: organization, management, and technology. Finally, based on the service planning objectives, it presents a design example of information security service planning for an information-oriented distributed enterprise.

9.
It is difficult to define reliable security policy components that should be applied to validate a secure computing environment. The job gets further complicated when one has to deal with multiple policies in a single computing environment. This paper demonstrates how we can overcome the difficulties of defining reliable security components by using evaluation criteria. In this paper we use the Common Criteria to derive the security functional components for a multipolicy-based network computing environment. In the verification process, the derived policy components are related to the specific security objectives of the network communication environment. The evidence listed in the case study supports the claims that the proposed network security policy interpretation framework is a complete and cohesive set of requirements.

10.
The paper introduces a formal security model for a microprocessor hardware system. The model has been developed as part of the evaluation process of the processor product according to ITSEC assurance level E4. Novel aspects of the model are the need for defining integrity and confidentiality objectives on the hardware level without the operating system or application specification and security policy being given, and the utilization of an abstract function and data space. The security model consists of a system model given as a state transition automaton on infinite structures and the formalization of security objectives by means of properties of automaton behaviors. Validity of the security properties is proved. The paper compares the model with published ones and summarizes the lessons learned throughout the modeling process.

11.
Insiders represent a major threat to the security of an organization’s information resources. Previous research has explored the role of dispositional and situational factors in promoting compliant behavior, but these factors have not been studied together. In this study, we use a scenario-based factorial survey approach to identify key dispositional and situational factors that lead to information security policy violation intentions. We obtained 317 observations from a diverse sample of insiders. The results of a general linear mixed model indicate that dispositional factors (particularly two personality meta-traits, Stability and Plasticity) serve as moderators of the relationships between perceptions derived from situational factors and intentions to violate information security policy. This study represents the first information security study to identify the existence of these two meta-traits and their influence on information security policy violation intentions. More importantly, this study provides new knowledge of how insiders translate perceptions into intentions based on their unique personality trait mix.

12.
Insider threats are a very serious security problem for enterprise organizations, and documents, an enterprise's most valuable information asset, are the main target of insider abuse. Earlier coarse-grained security policies, such as the principle of least privilege and separation of duties, are inadequate for the insider threat problem of document security. This paper proposes a new multilevel security policy model, introduces the concepts of document information flow and the information flow graph, and presents the related algorithms. Based on changes in the system context, the model dynamically generates constraints on information flows and blocks covert information flow channels that might otherwise arise.

13.
Huntley, C.L. Computer, 2006, 39(1): 113-114
Security policy can't be timeless, static, and universal. Security is more of a developmental problem than a technical one. Security should be integrated into an organization in such a way as to enhance and safeguard each facet in the least intrusive yet most effective way possible at a given time. Gradually, as the organization and the technology it uses "grow up together," security should become less intrusive, until at some point it's almost invisible. This article presents a developmental view of system security.

14.
Research on the design of network security systems
余冬梅, 刘密霞, 冯涛. 微机发展, 2004, 14(2): 125-126, F003
The wider a network's range of application, the greater the attacks on its vulnerabilities from inside and outside the organization. For an organization or an enterprise, building a network security system suited to its own needs is essential. Building on a proposed framework for network security system design, this paper analyzes the network security design within it in detail and gives an architecture model and a policy management and enforcement model. It combines the security architecture, the implementation of security policy management, and the implementation mechanisms of network security into a coherent whole, ensuring a smooth transition from high-level requirements analysis to the low-level system implementation mechanisms.

15.
The swiftness and considerable political impact of the widespread conceptualisation of IT as a security problem makes it a particularly fruitful case for analysing threat politics – how and why some threat images but not others end up on the political agenda. A conceptual framework combining theories of framing, securitisation, agenda setting and policy diffusion is developed, which is applied to the case of IT security policy in Sweden. The analysis emphasises the impact of the end of the Cold War, the uncertainty following the breakthrough of the information age, the tradition of focusing on information and technological development in military affairs, the adaptability to ‘widened security thinking’ within the military-bureaucratic establishment, and the lack of opposition to the securitisation of IT.

16.
Confidential, robust complex systems are characterized by high confidentiality requirements, a need for continuous stable operation, and complex network structures, but existing assessment models use a single security-objective dimension and lack analysis of the correlations between indicators. In view of this, a comprehensive security assessment model based on indicator correlation analysis is proposed, establishing eight security objectives that cover the three levels of product, system, and service: confidentiality, availability, controllability, authenticability, personnel and organization, risk management, enterprise grading, and sustainability. Taking the confidentiality of a smart medical IoT system as an example, a ranking and weighting algorithm based on indicator correlation is constructed, and the fuzzy comprehensive evaluation method is used to assess the selected system.

17.
A role-agent-based access control model for virtual organizations in service grids
孙为群, 单保华, 张程, 刘晨. 计算机学报, 2006, 29(7): 1199-1208
This paper presents an access control model for virtual organizations based on role-agent technology. Compared with similar research results, it achieves fine-grained authorization for virtual organizations and ensures that the security policies of autonomous domains are not violated, without reducing the security management efficiency of those domains. A prototype system of the model has been implemented and validated through an example in a grid-based low-cost e-government platform.

18.
This paper analyzes and studies network risk in depth and discusses network security assessment criteria from the aspects of risk analysis, assessment objectives, assessment scope, and assessment methods. It analyzes the security requirements that information network systems place on the network, identifies the gap between an enterprise's current security policies and its actual needs, eliminates potential information security threats, and provides a scientific basis for enterprise network planning, design, implementation, operation, and optimization.

19.
This study examines risk in higher education and research on the basis of a classification into three domains. The practical utility of this division into three domains is that it makes it easier to see what risks are unique to higher education (custodianship of knowledge), what risks are dependent on developments in society (microcosm of society) and what risks faced by an educational establishment are no different from those facing any other organization (education as an organization). The results of a survey of the field (through questionnaires, meetings and interviews) show that higher education institutions still do not routinely have an integrated policy on safety, security and crisis management. Within individual institutions, there is little communication between the three. Institutions, staff and students have limited awareness of the range of risks to which they and their environment are exposed. At the same time, establishments tend not to share their experiences in this field with others. Even within individual institutions, there is often little involvement of staff and students in safety and security policy and its implementation.

20.
This paper reviews the current state of privacy-preserving computation models and raises the problem that, when multiple organizations compute cooperatively in a mutually untrusted distributed environment, no organization can obtain or protect the private information and location privacy of the other organizations. It introduces the concept of the security level of a privacy protection policy, gives a hierarchical framework for privacy protection policies, proves the trustworthiness of role-based policy transformation and policy-space superposition, and designs a superposition model for the privacy protection policy space. Experimental results from the developed LaMOC (location-aware mobile collaborative system) show that, under this superposition model, the location privacy protection algorithm achieves high query accuracy and effectiveness.
