Improving an organisations existing information technology policy to increase security

Document Type

Conference Proceeding

Publisher

School of Computer and Information Science, Edith Cowan University

Faculty

Faculty of Computing, Health and Science

School

School of Computer and Security Science / Centre for Security Research

RAS ID

8597

Comments

Talbot, S., & Woodward, A. (2009, December). Improving an organisations existing information technology policy to increase security. In Proceedings of the 7th Australian Information Security Management Conference (p. 120-128). Perth, Western Australia: School of Computer and Information Science, Edith Cowan University. Available here

Abstract

A security policy which includes the appropriate phases of implementation, enforcement, auditing and review is vital to protecting an organisations information security. This paper examined the information security policy of a government organisation in response to a number of perceived shortcomings. The specific issues identified relating to the organisations security policy as a result of this investigation were as follows: a culture of ignoring policies, minimal awareness of policies, minimal policy enforcement, policy updating and review ad hoc at best, policy framework, lengthy policy development and approval process, no compliance program, no formal non-compliance reporting and an apparent inconsistent enforcement across the whole of the organisation. In response to these identified issues, the following recommendations were made to improve the information security of the organisation: changing the organisations culture, creating an awareness mechanism for policies, improving the organisations culture, create an ICT policy awareness programme, review and re-write existing policies, policy enforcement, policy compliance, policy noncompliance reporting, policy updating and review, improve the policy development and approval process, policy compliance checking and uniform policy enforcement. Whilst it is also likely that a lack of governance contributed to these issues, this aspect was not addressed in this paper. It is hoped that timely implementation of the remedies presented here will increase the organisations information security.

DOI

10.4225/75/57b416db30df3

Access Rights

free_to_read

Share

 
COinS
 

Link to publisher version (DOI)

10.4225/75/57b416db30df3