Information Security Policy in Large Public Organizations: A Case Study Through ISO 27002


DOI: 10.4018/978-1-5225-7826-0.ch009


The aim of this chapter is to study the success factors of the ISO 27002 framework related to the implementation of information security in organizations, with particular emphasis on the different maturity controls of ISO 27002 in the implementation of information security policies in organizations. The purpose of this chapter is to investigate which controls are commonly used and how they are selected for the implementation of information security in large public organizations in the Middle East and North Africa (MENA) through ISO 27002, with a specific focus on a practical framework for the implementation of an effective information security policy through ISO 27002. The findings will help organizations assess and implement an effective information security policy.
Chapter Preview


Information Systems (IS) are today an integral part of the functioning of public administrations and bodies, the activity of businesses and the way of life of citizens. The security of these information systems has become a major issue for all public and private sectors, which would be very strongly affected in the event of serious malfunctions (T. R. Peltier, 2016).

Information security policy is the general term used to describe any document that transmits an element of the security program in order to ensure compliance with the organization's security goals and objectives. Since this definition covers a wide range of security policy documents, it is useful to describe the various types of information security policies that an organization may use. The terms used below to describe these types of information security policies are generally used in the information security industry and will be used consistently throughout this chapter (Ifinedo, 2014). However, it is not unusual for a government organization or agency to have different names for the same types of information security policies. For example, in many organizations and certainly in government departments, the word “policy” is closely associated with laws and regulations (Rees, Bandyopadhyay, & Spafford, 2003). In these cases, a limited number of individuals (e.g., the legislature) have the power to create a policy, so that an information security policy is generally referred to by other names such as “information security statement”, or “information security document” or other terms avoiding the use of the word “policy”. The term used by an organization to describe these documents is irrelevant. The overall organization and completeness of these documents are important (Hong, Chi, Chao, & Tang, 2006).

The security policy is primarily implemented as a means of communicating to system users and administrators the issues that must be taken into account when security decisions are made. It defines the explicit expectations and responsibilities of users and administrators, and allows both groups to know what to expect from each other (K. Knapp, Morris, E. Marshall, & Byrd, 2009). It should explain why certain decisions have been made and why they are important, to help all users understand how the policy is designed to benefit them (Flowerday & Tuyikeze, 2016).

The security policy should specifically state the types of data that are considered important enough to warrant protection. This would include users' personal files in the form of programs, text documents such as a thesis or an email message, as well as system-specific configuration files (Maleh, Sahid, & Abdellah, 2017). This helps users to better understand why security measures are in place, and why certain insecure services have been restricted.

A password policy is already in place; however, it should most definitely be mentioned in the security policy. This is one of many things the user can do to help keep the system secure, but it is probably one of the most important. Other ways in which a user can contribute to system security are properly managing their file and directory permissions, or using other software that was designed with the security-conscious person in mind (K. Knapp et al., 2009).

Should a security incident occur, the security policy should state who is responsible for restoring the system to a secure state, as well as any procedures that should be followed throughout the course of the repair. If the person in charge of system security detects a break-in, who should be notified, and what should be done with the compromised machine? Issues like these must be addressed to ensure, firstly, that any disrupted services are restored in a timely manner and, secondly, that proof of the incident can be obtained should the legal need arise (Maleh, 2018). The source of the security breach should be determined and fixed so that the incident does not repeat itself, and once the problem has been properly documented, the system administration team should be made aware of what happened.

Key Terms in this Chapter

Integrity: Integrity is the quality of being whole, uncorrupted and complete.

Top Management: High level management.

ISO/IEC 27002:2013: Information security standard (list of controls) published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), entitled Information Technology – Security Techniques – Code of practice for Information Security – Controls.

Authentication: The process of verifying a claim of identity. Three different types of information can be used for authentication: something you know (a PIN, a password, mother's maiden name), something you have (magnetic swipe card) or something you are (biometrics).

Encryption: The action of transforming information by means of an algorithm so as to make it unreadable to anyone not authorized to read it.

Asset: Anything that has value to the organization.

Risk Assessment: The analysis of the possible hazards that could occur within a workplace and the identification of a solution to reduce the risk, thereby avoiding injury to individuals and damage to property.

Third Party: Person or body that is recognized as being independent of the organization.

Availability: Information and supporting IT systems should be available to authorized users when needed.

Access Control: Ensures that resources are only granted to those users who are entitled to them.

Information Security Policy: A written, living document outlining the actions and procedures that employees should follow in order to protect an organization's information security assets; it sets out the functions and tasks of employees with respect to protecting the organization's information assets.

Incident Management: An area of IT service management that helps to restore service operation to normal as quickly as possible after an incident has occurred, and to reduce the negative impact on business operations.

ISO/IEC 27001:2013: Information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), entitled Information Technology – Security Techniques – Information Security Management Systems – Requirements.

Confidentiality: Data or information that is protected from exposure to unauthorized individuals is labeled as confidential.

Vulnerability: A weakness in the organization or its network that can be exploited by a threat.
