

In document La Cultura material (pages 46-49)

There is wide agreement within the academic and practitioner communities that a security policy is the basis for the dissemination and enforcement of sound security practices within a company (Doherty and Fulford 2006). Security policy is at the heart of any information security strategy (Eveloff 2005). It is the starting point of security management (Higgins 1999). Security policy is the first and most important layer of security available to a company (Whitman 2003).

According to D'Arcy and Hovav (2007), a security policy includes statements of organisational goals and beliefs, existing controls and employees' responsibilities.

Its purpose is to provide detailed guidance to users regarding acceptable use of organisational IS resources in order to ensure a safe environment. Walker (1985, p.62) stated that a security policy is "the set of laws, rules and practices regulating how an organisation manages, protects and distributes sensitive information". It is a direction-giving document for security within a company; it demonstrates management commitment to and support for information security, and it defines the role information security has to play in reaching the company's objectives (Hone and Eloff 2002). Wood (1995) argued that policies are high-level statements intended to provide guidance for decision makers. Further, Gaston (1996) stated that an information security policy is a broad guiding statement of goals to be achieved with regard to the security of corporate information resources. Consequently, security policy is a vital part of a company's strategy for achieving IS security. It explains the need for IS security to all the company's information resource users.

Hong et al. (2003) indicated that an information security policy aims at planning security requirements, forming consensus in a company, drafting and implementing a policy and reviewing the policy on a regular basis in order to meet the organisational security requirements. Whitman (2004) also indicated that a good security policy should outline responsibilities, define authorised and unauthorised users of IS, provide venues for employee reporting of system threats, define penalties for violations and provide ways of updating the policy.

In addition, Higgins (1999) argued that without a policy, security practices would be developed without a clear distinction of objectives and responsibilities. Moreover, Wood (1995) pointed out that security policies are important in assuring the proper implementation of controls, guiding the security product selection and development process, demonstrating management support for information security, avoiding liability for inadequately addressing security matters and achieving consistent and complete security within a company.

However, despite the importance and the vital role that the security policy plays in a company, many academics and practitioners have argued that it is not always easy to put this document together. There are often different opinions within a company as to what constitutes a policy. Many questions are asked as to what should be incorporated into this document, what it should look like, how long it should be, who needs to approve it, and so on.

First, it is important to know that a company's security policy depends on various factors including, among others, the value and sensitivity of information, the impact that the loss or misuse of information would have on the company, and its legal requirements (Steinke 1997). In addition, Karyda et al. (2005) provided some factors that affect the formulation and implementation of a security policy, including the organisational structure, the security culture within a company, management's active participation and visible support, an ongoing security training and awareness programme, and the continuous evaluation of the effectiveness of the security policy. It is clear that all these factors are important and affect the formulation, implementation and adoption of a company's security policy.

Moreover, the literature reveals that there is no clear agreement regarding the procedures involved in establishing a security policy. Lindup (1995) suggested seven steps for developing and implementing a security policy: formulating a draft policy, followed by a period of internal discussion; deciding the final content of the policy (by the information security officer); formally accepting the policy (by the CEO); disseminating the policy throughout the company; monitoring compliance (by internal auditors); and finally, taking action in cases of non-compliance.

In addition, Kabay (1996) presented five procedures for establishing a security policy: assessing and persuading top management, analysing information security requirements, forming and drafting a policy, implementing the policy, and maintaining the policy. Furthermore, Karyda et al. (2005) argued that a security policy must combine technical and organisational guidelines addressing security requirements at the organisational level. In addition, the formation of a security policy includes the process of policy formulation, implementation and adoption. However, despite all these steps and procedures for establishing a security policy, a question remains as to "what constitutes a policy?"

There is wide agreement in the literature regarding what can be included in a security policy. The DTI Information Security Policy Team (DTI 2004b), the IFAC International Information Technology Guidelines (IFAC 1998) and Trcek (2003) indicated that, as a minimum, a security policy should include:

- The scope, objectives and importance of information security to the company;

- A statement indicating management support for the security goals and principles;

- Brief statements indicating minimum standards, procedures and requirements for specific security issues, e.g. consequences of security policy violations; legal, regulatory and contractual requirements; security training and awareness; security breach detection; and business continuity planning;

- Definitions of general and specific security roles and responsibilities;

- Details of the process for reporting and responding to security incidents; and

- References to more detailed security policies, procedures or standards.

In addition, Hone and Eloff (2002) have suggested other elements to be included in a security policy, such as the approval of the security policy, the purpose of the security policy, the user declaration and acknowledgement, and other general elements such as the authors, the date of the policy and its review date. Although these elements may not be considered the main elements of a security policy, they can still ensure its official status within a company.

To achieve its objectives, certain characteristics should be considered in writing a security policy. It should be short and easy to read, the writing style should reflect the organisational culture, the policy should be clear and comprehensible to all users in a company, and it should be reviewed periodically, and after major technological or regulatory changes, to ensure that it remains current as well as relevant to the company's security objectives. Above all, a policy must be realistic (Hone and Eloff 2002).

However, despite all this concern, a security policy sometimes fails to play an important role in a company. Doherty and Fulford (2005) gave some reasons for such ineffective policy implementation, namely the difficulty of raising employees' awareness of a policy, the difficulty of enforcing the policy, the complexity of applying the policy standards, insufficient resources for policy enforcement, and a failure to tailor policies as a result of greater reliance on international standards.

Many previous studies have also investigated the vital role of a security policy from different perspectives. Fulford and Doherty (2003) conducted a study to investigate the uptake, content, dissemination and impact of information security policies in UK companies. A questionnaire was developed in three sections. The first section investigated the existence and dissemination of a security policy and the frequency with which it is updated. The second section focused on the coverage of a security policy, and the third section addressed the factors affecting a policy's success. In another study, Doherty and Fulford (2005) explored how a variety of issues relating to the uptake and application of security policies, for instance the existence, age, updating and scope of a security policy, impacted upon the incidence of security breaches within large companies.

Wiant (2005) conducted a study to examine the effectiveness of an information security policy in influencing the reporting of both computer abuse incidents and the associated seriousness of those incidents. In addition, Hong et al. (2006) investigated the dominant factors in building an information security policy and the effect of this policy on elevating a company's security level. A questionnaire was developed to collect information about the establishment of the information security policy and the policy's function, contents and implementation items.

It can be concluded that the information security policy is one of the most important documents in a company, the heart and basis of successful security management and a guideline that dictates the rules and regulations of a company regarding all security aspects. Therefore, policies must be written with due care.

