Information security policy development and implementation: The what, how and who

“…Further, a high degree of management involvement (e.g. allocating sufficient resources for the risk assessment process) increases the likelihood of successful process of a security policy construction [6]. This insight is complimented by the observation that also a high degree of employee support (e.g.…”

“…However, some research results show that security policy that is based on monitoring alone is far from ideal in fostering users to comply with security procedures [6]. Thereupon, design of a whole security process, starting with problem statements and risk assessment, through identification of threats and risks, setting and implementing security policies, finalizing with result analysis and benchmarking in more favorable than any other way to mitigate the risks and positively influence the awareness of employees [2,6].…”

“…The organization should leave the responsibility only to the technical managers, but should share the challenges with all the managerial and operational levels, including the Board of Directors and the executive management, who must demonstrate their direction and dedication to the process [5,6]. The management must communicate the importance of the policy via decisive messages delivered to the lower levels in the organization [5,9].…”

“…In order to develop and implement the information security policy properly, management, employees and stakeholders must support the entire process [6]. The organization should leave the responsibility only to the technical managers, but should share the challenges with all the managerial and operational levels, including the Board of Directors and the executive management, who must demonstrate their direction and dedication to the process [5,6].…”

Reshaping Organizational Security Policy upon Corporate Mobile Users

“…Further, a high degree of management involvement (e.g. allocating sufficient resources for the risk assessment process) increases the likelihood of successful process of a security policy construction [6]. This insight is complimented by the observation that also a high degree of employee support (e.g.…”

“…However, some research results show that security policy that is based on monitoring alone is far from ideal in fostering users to comply with security procedures [6]. Thereupon, design of a whole security process, starting with problem statements and risk assessment, through identification of threats and risks, setting and implementing security policies, finalizing with result analysis and benchmarking in more favorable than any other way to mitigate the risks and positively influence the awareness of employees [2,6].…”

“…The organization should leave the responsibility only to the technical managers, but should share the challenges with all the managerial and operational levels, including the Board of Directors and the executive management, who must demonstrate their direction and dedication to the process [5,6]. The management must communicate the importance of the policy via decisive messages delivered to the lower levels in the organization [5,9].…”

“…In order to develop and implement the information security policy properly, management, employees and stakeholders must support the entire process [6]. The organization should leave the responsibility only to the technical managers, but should share the challenges with all the managerial and operational levels, including the Board of Directors and the executive management, who must demonstrate their direction and dedication to the process [5,6].…”

Reshaping Organizational Security Policy upon Corporate Mobile Users

“…Requirements for an information security policy may also originate from known information security issues, an organization's goals and mission, or external stakeholders (Burgemeestre, Hulstijn & Tan 2013, Lopes, Sá-Soares 2010. Requirements for security may be widely different depending on the organization in question (Ølnes 1994), which is why using general templates for policies may be problematic (Flowerday, Tuyikeze 2016).…”

Critical Considerations for Organisation-specific Information Security Policy Development

Study of the Maturity of Information Security in Public Organizations of Ecuador