Information security policy framework for a manufacturing firm

Abstract

Information and the supporting processes, systems, and networks are important business assets. Defining, achieving, maintaining, and improving information security is essential to maintain competitive edge, cashflow, profitability, legal compliance, and commercial image. Information Security Policy is necessary to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. Management should set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization. Organizations and their information systems and networks arefaced with security threatsfrom a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire or.flood. Damages caused by events such as malicious code, computer hacking, and denial of service attacks have become more common, more ambitious, and increasingly sophisticated. Information security should protect the interests of those relying on information, and the systems and communications that deliver the information, from harm resulting infailures of availability, confidentiality, integrity, authenticity, and non-repudiation. The objective of this research project was to define and develop an Information Security Policy Framework that is representative of the Kenyan manufacturing setup. The research involved ~valuation of a number of Information Security models; to design a framework that can be adapted, customized and extended to address all areas of an organization. ISO/IEC 27002: 2005 Information Security model was used to ensure a more comprehensive security framework that is representative and complete. This research project also identified gaps in the existing local and global standards by carrying out a detailed gap analysis to design a security policy framework that addresses all security requirements of an organization. It also recommended implementation and maintenance procedures that will ensure that security policyframeworks are complete, practical and effective.