Universiti Teknologi Malaysia Institutional Repository

A novel administration model for managing and organising the heterogeneous information security policy field

Alotaibi, Fahad Mazaed and Al-Dhaqm, Arafat and Yafooz, Wael M. S. and Al-Otaibi, Yasser D. (2023) A novel administration model for managing and organising the heterogeneous information security policy field. Applied Sciences (Switzerland), 13 (17). pp. 1-18. ISSN 2076-3417

[img] PDF
969kB

Official URL: http://dx.doi.org/10.3390/app13179703

Abstract

Information security policy (ISP) plays a crucial role in maintaining the availability, confidentiality, and integrity of sensitive data. However, it is of high complexity and heterogeneity due to the variety and redundancy of security policy practices and complexity of organisational systems. Various and duplicate ISP models and frameworks have been offered in the literature. The duplicate security policy practices, procedures, and processes in the existing models have made ISP disorganised, unstructured, and unclear to organisational users. As a result, there is still a need for a standardised and integrated model to make it simpler to share, manage, and reuse ISP practices amongst the organisations. The main objective of this study is to construct a metamodel to unify, organise, and structure ISP practices. By identifying, recognising, extracting, and combining the common information security policy practices from various ISP models in a built ISP metamodel called ISPM, we seek to make it simple for users and field specialists to derive/instantiate security policy models for their organisations. The development and validation process of the ISPM is based on the common security frameworks such as ISO 27001 frameworks. The developed ISPM consists of 19 common security practices: organisation, risk management, access control policy, edit, review, compliance, business management, backup and recovery, incident response, SETA program, security awareness, security training, security education, email security policy, cloud security policy, network security policy, website security policy, physical security policy, and privacy security policy. Each common security practice consists of several operations and attributes. The performance of the developed ISPM was compared to that of other models to evaluate its completeness and logicalness. Using ISO 27001 as a framework, the findings confirmed the comprehensiveness of ISPM. Therefore, it can contribute to organisations’ security by helping them to develop their own security policy models.

Item Type:Article
Uncontrolled Keywords:design science method, ISO 27001, metamodel, metamodeling approach, security policy
Subjects:Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Divisions:Computing
ID Code:105129
Deposited By: Widya Wahid
Deposited On:07 Apr 2024 03:54
Last Modified:07 Apr 2024 03:54

Repository Staff Only: item control page