Affiliation:
1. Faculty of Computing and Information Technology (FCIT), King Abdulaziz University, Jeddah 21589, Saudi Arabia
2. Faculty of Computing, Universiti Teknologi Malaysia, Skudai 81310, Malaysia
3. Department of Computer Science, College of Computer Science and Engineering, Taibah University, Medina 41477, Saudi Arabia
4. Department of Information Systems, Faculty of Computing and Information Technology in Rabigh, King Abdulaziz University, Jeddah 21589, Saudi Arabia
Abstract
Information security policy (ISP) plays a crucial role in maintaining the availability, confidentiality, and integrity of sensitive data. However, it is of high complexity and heterogeneity due to the variety and redundancy of security policy practices and complexity of organisational systems. Various and duplicate ISP models and frameworks have been offered in the literature. The duplicate security policy practices, procedures, and processes in the existing models have made ISP disorganised, unstructured, and unclear to organisational users. As a result, there is still a need for a standardised and integrated model to make it simpler to share, manage, and reuse ISP practices amongst the organisations. The main objective of this study is to construct a metamodel to unify, organise, and structure ISP practices. By identifying, recognising, extracting, and combining the common information security policy practices from various ISP models in a built ISP metamodel called ISPM, we seek to make it simple for users and field specialists to derive/instantiate security policy models for their organisations. The development and validation process of the ISPM is based on the common security frameworks such as ISO 27001 frameworks. The developed ISPM consists of 19 common security practices: organisation, risk management, access control policy, edit, review, compliance, business management, backup and recovery, incident response, SETA program, security awareness, security training, security education, email security policy, cloud security policy, network security policy, website security policy, physical security policy, and privacy security policy. Each common security practice consists of several operations and attributes. The performance of the developed ISPM was compared to that of other models to evaluate its completeness and logicalness. Using ISO 27001 as a framework, the findings confirmed the comprehensiveness of ISPM. Therefore, it can contribute to organisations’ security by helping them to develop their own security policy models.
Funder
Institutional Fund Projects
Ministry of Education and King Abdulaziz University, DSR, Jeddah, Saudi Arabia
Subject
Fluid Flow and Transfer Processes,Computer Science Applications,Process Chemistry and Technology,General Engineering,Instrumentation,General Materials Science
Reference60 articles.
1. Toward a unified model of information security policy compliance;Moody;MIS Q.,2018
2. ISO 27001 risk management and compliance;Brenner;Risk Manag.,2007
3. Structuring knowledge on house Price Volatility through a metamodel;Abdullah;ARPN J. Eng. Appl. Sci.,2006
4. Thakur, K., Ali, M.L., Gai, K., and Qiu, M. (2016, January 9–10). Information Security Policy for E-commerce in Saudi Arabia. Proceedings of the 2016 IEEE 2nd International Conference on Big Data Security on Cloud (BigDataSecurity), IEEE International Conference on High Performance and Smart Computing (HPSC), and IEEE International Conference on Intelligent Data and Security (IDS), New York, NY, USA.
5. Information security practice in Saudi Arabia: Case study on Saudi organizations;Alzamil;Inf. Comput. Secur.,2018
Cited by
3 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献