An information security meta‐policy for emergent organizations

There is an increasing movement towards emergent organizations and an adaptation of Web‐based information systems (IS). Such trends raise new requirements for security policy development. One such requirement is that information security policy formulation must become federated and emergent. However, existing security policy approaches do not pay much attention to policy formulation at all – much less IS policy formulation for emergent organizations. To improve the situation, an information security meta‐policy is put forth. The meta‐policy establishes how policies are created, implemented and enforced in order to assure that all policies in the organization have features to ensure swift implementation and timely, ongoing validation.
