Investigation into the State-of-Practice of Operations Security Management Based on ISO/IEC 27002

Investigation into the State-of-Practice of Operations Security Management Based on ISO/IEC 27002

Winfred Yaokumah (Department of Information Technology, Pentecost University College, Accra, Ghana)
Copyright: © 2016 |Pages: 20
DOI: 10.4018/IJTD.2016010104
OnDemand PDF Download:
List Price: $37.50
10% Discount:-$3.75


This study assessed information security management in organizations through a questionnaire based on the ISO/IEC 27002, with special focus on operations security. A survey with cross-sectional research design was conducted and data collected from 223 participants from 56 organizations. Overall, the level of operations security maturity was 61.2%, which is the maturity Level 3 (well-defined). This level suggested that operations security controls and processes were documented, approved, and implemented organization-wide. Backups and malware protection were the most implemented security controls, while logging, auditing and monitoring were the least implemented controls. Assessment of inter-organizational operations security found significant differences among the organizations. Financial and Health Care Institutions outperform Educational Institutions and Government Public Service. The study provided insight into maturity levels of operations security controls and the results useful for benchmarking inter-organizational performance, competitiveness and improvement in information security.
Article Preview


Operations security is an extremely important aspect of an organization's information security program (Fisher, 2011) and plays a major role at every stage of information processing cycle. It pertains to activities that take place while keeping computer networks, computer systems, applications, and computing environments up and running in a secure and protected manner; ensuring that people, applications, equipment, and the overall environment are properly and adequately secured (Harris, 2013). Operations security is the centre for all other information system security (Henrya, 2011). Therefore, a high level of confidentiality and integrity should prevail throughout the data processing cycle; when data resides on database systems, on network devices, when transmitted across the network, and when it reaches the designated person.

Organizations, irrespective of type and size, public or private, commercial or non-profit, collect, process, store and transmit information electronically. These activities are carried out through information systems, specifically computer hardware systems, software applications, processes and procedures, communication networks, and people. Information traversing information systems is subject to deliberate and accidental threats since information systems have inherent vulnerabilities (ISO/IEC 27002:2013, 2013). Thus, there is the need for organizations to perform day-to-day operational security activities to keep information systems safe.

Accordingly, organizations are making efforts to protect critical and sensitive data at every state of information (storage, processing, and transmission). The computer crime and security survey conducted by Computer Security Institute (2011) found that 64% of the organizations’ information security program has improved owing to regulatory compliance efforts. Compliance with legal requirements, such as Sarbanes-Oxley (SOX) for financial reporting and governance has impacted IT (information technology) security systems, practices and internal controls (Brown & Nasuti, 2005). The Health Insurance Portability and Accountability Act (HIPPA) also required healthcare organizations to “safeguard the confidentiality, integrity, and availability of electronic protected health information” (Hoffman & Podgurski, 2007, p. 7). Another regulation that influenced information security programs was the Federal Information Security Management Act (FISMA), which required all U.S. federal agencies and international banking industry to develop, document, and implement a program that provides information security for the systems that support its operations and assets (Pabrai, 2006).

Developing countries are not left out in enacted laws and regulations to protect information resources. A recent Data Protection Act 843 of Ghana aims at protecting the privacy of the individual and personal data by regulating the processing of personal information, and the process of obtaining, holding, using or disclosing personal information (Data Protection Act, 2012). The Act ensures protection of the privacy of the individual and personal data. Moreover, the Electronic Transaction Act 772 of Ghana (Electronic Transactions Act 772, 2008) focuses on developing “a safe, secure and effective environment for the consumer, business and the government to conduct and use electronic transactions” (p. 6). Despite these regulatory compliance efforts, a recent survey rather finds decline in fundamental security practices (PWC, 2015). The sub Saharan Africa is increasing becoming notable for cyber fraud. A recent report ranks Ghana second in Africa (after Nigeria) and seventh in the world with respect to internet related crimes (Joy Online, 2013). A similar report also indicates that about 82 cyber crimes occur in Ghana every month; that is on average about 1000 crimes a year (Joy Online, 2013).

Complete Article List

Search this Journal:
Volume 14: 1 Issue (2023): Forthcoming, Available for Pre-Order
Volume 13: 4 Issues (2022): 1 Released, 3 Forthcoming
Volume 12: 4 Issues (2021)
Volume 11: 4 Issues (2020)
Volume 10: 4 Issues (2019)
Volume 9: 4 Issues (2018)
Volume 8: 4 Issues (2017)
Volume 7: 4 Issues (2016)
Volume 6: 4 Issues (2015)
Volume 5: 4 Issues (2014)
Volume 4: 4 Issues (2013)
Volume 3: 4 Issues (2012)
Volume 2: 4 Issues (2011)
Volume 1: 4 Issues (2010)
View Complete Journal Contents Listing