Identifying linkages between statements in information security policy, procedures and controls

Purpose – The information security policy document of an organization needs to be translated into controls and procedures at the implementation level. The technical and business personnel in charge of implementing those controls and procedures must consider a large number of security-related statements drawn from a heterogeneous pool of security documentation and decide on an implementation plan. The purpose of this paper is to propose an approach for analyzing a set of security statements so as to establish an implicit hierarchy and relative importance among them.

Design/methodology/approach – A set of statements relevant to e-mail service security is chosen from the classified documentation of an IT firm. The authors contacted the technical person who owned this service to obtain a one-on-one comparison between the policies. These policies and their inter-relationships are represented as a graph. Centrality measures based on the in and out degrees of a node are used to calculate the relative importance of ...
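The approach sketched in the abstract, as an added example that is not the authors' code and does not reproduce their data: a handful of constructed e-mail security statements (a policy level, a procedure level and a control level) are joined by pairwise "implements or supports" relations, the relations are stored as a directed graph, and each statement is scored by its in-degree and out-degree (normalized by n-1, following Freeman's degree centrality). The edge direction, the statement texts and the tie-breaking rule in the ranking are assumptions of this example; the depth-from-policy "level" computation is a simple way to make the implicit hierarchy explicit and is likewise not something the abstract specifies.

```python
"""Rank security statements by in/out-degree centrality in a relation graph.

Constructed example: the statements and relations below are invented for
illustration and do not come from the paper or from any real organisation.
"""
from collections import defaultdict

# Constructed statement pool: policy (S), procedure (P) and control (C) level.
STATEMENTS = {
    "S1": "Policy: e-mail content must remain confidential in transit",
    "S2": "Policy: only authorised users may access mailboxes",
    "P1": "Procedure: inbound and outbound SMTP sessions must use TLS",
    "P2": "Procedure: mailbox access requires multi-factor authentication",
    "P3": "Procedure: attachments are scanned before delivery",
    "C1": "Control: mail relay is configured to require STARTTLS",
    "C2": "Control: identity provider enforces MFA for webmail",
    "C3": "Control: antivirus gateway scans every attachment",
}

# Constructed pairwise comparisons. Edge (a, b) means "a implements or
# supports b" (direction is an assumption of this example).
RELATIONS = [
    ("P1", "S1"), ("P2", "S2"), ("P2", "S1"), ("P3", "S1"),
    ("C1", "P1"), ("C2", "P2"), ("C3", "P3"),
]


def build_graph(relations):
    """Return (nodes, in_edges, out_edges) adjacency sets for the relations."""
    in_edges, out_edges, nodes = defaultdict(set), defaultdict(set), set()
    for src, dst in relations:
        if src == dst:
            raise ValueError(f"self-relation on {src}")
        out_edges[src].add(dst)
        in_edges[dst].add(src)
        nodes.update((src, dst))
    return nodes, in_edges, out_edges


def degree_centrality(relations):
    """Per-node raw and normalized (degree / (n - 1)) in- and out-degree."""
    nodes, in_edges, out_edges = build_graph(relations)
    denom = len(nodes) - 1 if len(nodes) > 1 else 1
    return {
        v: {
            "in": len(in_edges[v]),
            "out": len(out_edges[v]),
            "in_norm": len(in_edges[v]) / denom,
            "out_norm": len(out_edges[v]) / denom,
        }
        for v in sorted(nodes)
    }


def hierarchy_levels(relations):
    """Level 0 = statements that support nothing further (top-level policy);
    level k = longest support chain down to such a statement.
    Raises ValueError if the comparisons contain a cycle."""
    nodes, _, out_edges = build_graph(relations)
    levels, visiting = {}, set()

    def level(v):
        if v in levels:
            return levels[v]
        if v in visiting:
            raise ValueError(f"cyclic relation through {v}")
        visiting.add(v)
        lv = 0 if not out_edges[v] else 1 + max(level(w) for w in out_edges[v])
        visiting.discard(v)
        levels[v] = lv
        return lv

    for v in nodes:
        level(v)
    return levels


def rank_statements(relations):
    """Most-supported statements first (higher in-degree); ties are broken by
    lower out-degree (closer to the policy level), then by identifier."""
    cent = degree_centrality(relations)
    return sorted(cent, key=lambda v: (-cent[v]["in"], cent[v]["out"], v))


if __name__ == "__main__":
    cent = degree_centrality(RELATIONS)
    lvl = hierarchy_levels(RELATIONS)
    for sid in rank_statements(RELATIONS):
        print(f"{sid} level={lvl[sid]} in={cent[sid]['in']} "
              f"out={cent[sid]['out']} in_norm={cent[sid]['in_norm']:.2f}  "
              f"{STATEMENTS[sid]}")
```

In this constructed graph S1 comes out on top because three procedures feed into it, while the controls sit at the bottom with in-degree zero; the level output separates policy, procedure and control tiers without anyone having labelled them. The cycle check matters in practice: pairwise comparisons collected from different document owners can contradict each other, and a cycle means the "implicit hierarchy" is not well defined until the conflicting comparison is resolved.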
