Information security policy framework for a manufacturing firm
Abstract
Information and the supporting processes, systems, and networks are important business assets.
Defining, achieving, maintaining, and improving information security is essential to maintain
competitive edge, cashflow, profitability, legal compliance, and commercial image.
Information Security Policy is necessary to provide management direction and support for
information security in accordance with business requirements and relevant laws and
regulations. Management should set a clear policy direction in line with business objectives and
demonstrate support for, and commitment to, information security through the issue and
maintenance of an information security policy across the organization.
Organizations and their information systems and networks are faced with security threats from a
wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire
or flood. Damages caused by events such as malicious code, computer hacking, and denial of
service attacks have become more common, more ambitious, and increasingly sophisticated.
Information security should protect the interests of those relying on information, and the systems
and communications that deliver the information, from harm resulting in failures of availability,
confidentiality, integrity, authenticity, and non-repudiation.
The objective of this research project was to define and develop an Information Security Policy
Framework that is representative of the Kenyan manufacturing setup. The research involved
evaluation of a number of Information Security models to design a framework that can be
adapted, customized and extended to address all areas of an organization. The ISO/IEC 27002:2005
Information Security model was used to ensure a more comprehensive security framework that is
representative and complete.
This research project also identified gaps in the existing local and global standards by carrying
out a detailed gap analysis to design a security policy framework that addresses all security
requirements of an organization. It also recommended implementation and maintenance
procedures that will ensure that security policy frameworks are complete, practical and effective.
Publisher
School of Computing and Informatics