ISFAM: the Information Security Focus Area Maturity Model

Information security is mainly considered an information technology topic. To implement it successfully, however, an organization's information security program should reflect its business strategy. In many companies, information security is currently enforced by the information technology department, based on what that department believes should be in place to protect the business from internal and external threats and risks. Additionally, information security covers many different subjects, which makes it especially hard for small and medium-sized organizations to determine how they should design their information security program. Therefore, we present the Information Security Focus Area Maturity Model (ISFAM). By identifying dependencies between the various aspects of information security and representing them coherently, ISFAM can determine an organization's current information security maturity level. Involving ISFAM in the design of an organization's information security program enables the organization to set up high-level guidelines based on its current status; these guidelines can be used to incrementally and structurally improve information security maturity within the organization. We have successfully evaluated the ISFAM assessment model through a single case study at a medium-sized telecommunications organization.
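The abstract describes a focus area maturity model: capabilities are positioned at increasing maturity levels within each focus area, dependencies between capabilities constrain that positioning, and the assessed maturity level is derived from which capabilities an organization has in place. The following is an added example of how such an assessment is computed; it is not code from the paper, and the focus areas, capabilities, level positions, dependencies and sample assessment in it are constructed for illustration, not ISFAM's actual matrix. It computes the level reached per focus area (stopping at the first gap), the overall maturity level (the highest level at which every positioned capability is achieved), the next capability to implement per focus area, and it flags assessments that claim a capability whose prerequisite is missing.

```python
"""Focus-area maturity assessment in the style of a focus area maturity model.

Added example: the matrix below (focus areas, capability letters, level
positions and prerequisites) and the sample assessments are CONSTRUCTED for
illustration and are not the ISFAM matrix from the paper.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    focus_area: str
    name: str                                   # capability letter within its focus area
    level: int                                  # column (maturity level) in the matrix
    requires: tuple = ()                        # (focus_area, name) pairs needed first


# Constructed matrix: capabilities within a focus area sit at increasing levels,
# and a capability can depend on capabilities in other focus areas.
MATRIX = [
    Capability("Risk management", "A", 1),
    Capability("Risk management", "B", 3, (("Risk management", "A"),)),
    Capability("Risk management", "C", 6, (("Risk management", "B"),
                                            ("Asset management", "B"))),
    Capability("Asset management", "A", 2),
    Capability("Asset management", "B", 4, (("Asset management", "A"),)),
    Capability("Incident management", "A", 2, (("Asset management", "A"),)),
    Capability("Incident management", "B", 5, (("Incident management", "A"),)),
]

# Constructed assessment: the set of (focus_area, name) the organization has in place.
SAMPLE_ASSESSMENT = {
    ("Risk management", "A"), ("Risk management", "B"),
    ("Asset management", "A"), ("Incident management", "A"),
}
# Constructed inconsistent assessment: claims a capability whose prerequisite is absent.
INCONSISTENT_ASSESSMENT = {
    ("Risk management", "A"), ("Risk management", "B"), ("Risk management", "C"),
}


def check_dependencies(implemented):
    """Return (capability, missing prerequisite) pairs for claimed capabilities
    whose prerequisites are not themselves implemented."""
    violations = []
    for cap in MATRIX:
        key = (cap.focus_area, cap.name)
        if key in implemented:
            violations.extend((key, req) for req in cap.requires if req not in implemented)
    return violations


def focus_area_levels(implemented):
    """Level reached per focus area: walk its capabilities in level order and
    stop at the first one that is not implemented (0 if none is)."""
    levels, blocked = {}, set()
    for cap in sorted(MATRIX, key=lambda c: (c.focus_area, c.level)):
        fa = cap.focus_area
        levels.setdefault(fa, 0)
        if fa in blocked:
            continue
        if (fa, cap.name) in implemented:
            levels[fa] = cap.level
        else:
            blocked.add(fa)
    return levels


def overall_maturity(implemented):
    """Highest level n such that every capability positioned at level <= n is
    implemented; a single gap at level n caps the result at n - 1."""
    max_level = max(c.level for c in MATRIX)
    for n in range(1, max_level + 1):
        for cap in MATRIX:
            if cap.level <= n and (cap.focus_area, cap.name) not in implemented:
                return n - 1
    return max_level


def next_steps(implemented):
    """First missing capability per focus area, lowest level first: the
    incremental improvement path the assessment suggests."""
    steps, seen = [], set()
    for cap in sorted(MATRIX, key=lambda c: (c.level, c.focus_area)):
        if cap.focus_area in seen:
            continue
        if (cap.focus_area, cap.name) not in implemented:
            steps.append(cap)
            seen.add(cap.focus_area)
    return steps


if __name__ == "__main__":
    for label, assessment in (("sample", SAMPLE_ASSESSMENT),
                              ("inconsistent", INCONSISTENT_ASSESSMENT)):
        print(f"== {label} assessment ==")
        print("dependency violations:", check_dependencies(assessment))
        print("per focus area:", focus_area_levels(assessment))
        print("overall maturity level:", overall_maturity(assessment))
        print("next steps:", [(c.focus_area, c.name, c.level) for c in next_steps(assessment)])
```

Running the module prints both assessments. In the constructed sample the overall level is 3 even though risk management alone reaches level 3 and the other areas level 2, because the first unfilled matrix column is level 4; the inconsistent assessment is caught by `check_dependencies` before its level is trusted, which is the kind of sanity check an assessor wants before deriving guidelines from self-reported status.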
