Search results
1 – 10 of 163Giovanna Culot, Guido Nassimbeni, Matteo Podrecca and Marco Sartor
After 15 years of research, this paper aims to present a review of the academic literature on the ISO/IEC 27001, the most renowned standard for information security and the third…
Abstract
Purpose
After 15 years of research, this paper aims to present a review of the academic literature on the ISO/IEC 27001, the most renowned standard for information security and the third most widespread ISO certification. Emerging issues are reframed through the lenses of social systems thinking, deriving a theory-based research agenda to inspire interdisciplinary studies in the field.
Design/methodology/approach
The study is structured as a systematic literature review.
Findings
Research themes and sub-themes are identified on five broad research foci: relation with other standards, motivations, issues in the implementation, possible outcomes and contextual factors.
Originality/value
The study presents a structured overview of the academic body of knowledge on ISO/IEC 27001, providing solid foundations for future research on the topic. A set of research opportunities is outlined, with the aim to inspire future interdisciplinary studies at the crossroad between information security and quality management. Managers interested in the implementation of the standard and policymakers can find an overview of academic knowledge useful to inform their decisions related to implementation and regulatory activities.
Details
Keywords
Matteo Podrecca and Marco Sartor
The aim of this paper is to present the first diffusion analysis of ISO/IEC 27001, the fourth most popular ISO certification at global level and the most important standard for…
Abstract
Purpose
The aim of this paper is to present the first diffusion analysis of ISO/IEC 27001, the fourth most popular ISO certification at global level and the most important standard for information security.
Design/methodology/approach
To achieve the purposes, the authors applied Grey Models (GM) – Even GM (1,1), Even GM (1,1,α,θ), Discrete GM (1,1), Discrete GM (1,1,α) – complemented by the relative growth rate and the doubling time indexes on the six most important countries in terms of issued certificates.
Findings
Results show that a growing trend is likely to be expected in the years to come and that China will lead at country level.
Originality/value
The study contributes to the scientific debate by presenting the first diffusive analysis of ISO/IEC 27001 and by proposing a forecasting approach that to date has found little application in the field of international standards.
Details
Keywords
Federico Accerboni and Marco Sartor
In the context of the globalization of markets and free trade, the importance of the Internet in the systems of negotiation, communication, and data exchange grows, which puts the…
Abstract
In the context of the globalization of markets and free trade, the importance of the Internet in the systems of negotiation, communication, and data exchange grows, which puts the problem of information security at the forefront. Actions and improvement activities on the management of confidential information are becoming increasingly important in organizations.
However, information is not just stored in computers; information can be on paper, on a disc, and in the minds of those who work for the organization. Information becomes part of the heritage, and it must be preserved throughout its entire life cycle.
Nowadays, the mere use of some information defence technology is no longer enough; therefore, it becomes essential to implement an efficient Information Security Management System (ISMS) to guarantee a competitive advantage compared to competitors. ISO/IEC 27001 standard outlines the structure for implementing an ISMS and helps organizations manage and protect information assets.
Details
Keywords
This study aims to identify the implications of security behaviour determinants for security management to propose respective guidelines which can be integrated with current…
Abstract
Purpose
This study aims to identify the implications of security behaviour determinants for security management to propose respective guidelines which can be integrated with current security management practices, including those following the widely adopted information security standards ISO 27001, 27002, 27003 and 27005.
Design/methodology/approach
Based on an exhaustive analysis of related literature, the authors identify critical factors influencing employee security behaviour and ISP compliance. The authors use these factors to perform a gap analysis of widely adopted information security standards ISO 27001, 27002, 27003 and 27005 and identify issues not covered or only partially addressed. Drawing on the implications of security behaviour determinants and the identified gaps, the authors provide guidelines which can enhance security management practices.
Findings
The authors uncover the factors shaping security behaviour barely or partly considered in the ISO information security standards ISO 27001, 27002, 27003 and 27005, including top management participation, accommodating individual characteristics, embracing the cultural context, encouraging employees to comply out of habit and considering the cost of compliance. Furthermore, the authors provide guidelines to security managers on enhancing their security management practices when implementing the above ISO Standards.
Practical implications
This study offers guidelines on how to create and design security management practices whilst implementing ISO standards (ISO 27001, ISO 27002, ISO 27003, ISO 27005) so as to enhance ISP compliance.
Originality/value
This study analyses the role and implications of security behaviour determinants, discusses discrepancies and conflicting findings in related literature, provides a gap analysis of commonly used information security standards (ISO 27001, 27002, 27003 and 27005) and proposes guidelines on enhancing security management practices towards improving ISP compliance.
Details
Keywords
Muktesh Chander, Sudhir K. Jain and Ravi Shankar
The purpose of this paper is to identify various information security management parameters and develop a conceptual framework for it.
Abstract
Purpose
The purpose of this paper is to identify various information security management parameters and develop a conceptual framework for it.
Design/methodology/approach
Interpretive Structural Modeling (ISM) and MICMAC approaches have been used to identify and classify the key factors of information security management based on the direct and indirect relationship of these factors.
Findings
The research presents a classification of key parameters according to their driving power and dependence which enable information security management in an organization. It also suggests parameters on which management should pay more attention.
Research limitations/implications
In the paper, 12 parameters were identified based on a literature study and expert help. It is possible to identify some more parameters for ISM development. The help of experts was also used to identify the contextual relationship among the variables for the ISM model. This may introduce some element of bias. Although a relationship model using ISM has been developed, it has not been validated statistically. For future research, it is suggested that the structural equation modelling (SEM) technique may be used to corroborate the findings of ISM. Some of the variables have been grouped together, being a part of a subset due to their similar nature; but it is possible to treat them as independent variables. Future researches may establish their interrelationships also.
Practical implications
The paper has tremendous practical utility for organizations which want to reap the benefits of information and communication technology for their growth but are struggling to find a right approach to deal with information security breach incidents.
Originality/value
Development of a framework for information security management in an organization is the major contribution of this paper. This would be of help to strategic managers in managing information security with emphasis on key parameters identified here.
Details
Keywords
Raydel Montesino, Stefan Fenz and Walter Baluja
The purpose of this paper is to propose a framework for security controls automation, in order to achieve greater efficiency and reduce the complexity of information security…
Abstract
Purpose
The purpose of this paper is to propose a framework for security controls automation, in order to achieve greater efficiency and reduce the complexity of information security management.
Design/methodology/approach
This research reviewed the controls recommended by well known standards such as ISO/IEC 27001 and NIST SP 800‐53; and identified security controls that can be automated by existing hard‐and software tools. The research also analyzed the Security Information and Event Management (SIEM) technology and proposed a SIEM‐based framework for security controls automation, taking into account the automation potential of SIEM systems and their integration possibilities with several security tools.
Findings
About 30 per cent of information security controls can be automated and they were grouped in a list of ten automatable security controls. A SIEM‐based framework can be used for centralized and integrated management of the ten automatable security controls.
Practical implications
By implementing the proposed framework and therefore automating as many security controls as possible, organizations will achieve more efficiency in information security management, reducing also the complexity of this process. This research may also be useful for SIEM vendors, in order to include more functionality to their products and provide a maximum of security controls automation within SIEM platforms.
Originality/value
This paper delimits the boundaries of information security automation and defines what automation means for each security control. A novel framework for security controls automation is proposed. This research provides an automation concept that goes beyond what it is normally described in previous works and SIEM solutions.
Details
Keywords
Tadele Shimels and Lemma Lessa
Information systems' security is more critical than ever before since security threats are rapidly growing. Before putting in place information systems' security measures…
Abstract
Purpose
Information systems' security is more critical than ever before since security threats are rapidly growing. Before putting in place information systems' security measures, organizations are required to determine the maturity level of their information security governance. Literature review reveals that there is no recent study on information systems' security maturity level of banks in Ethiopia. This study thus seeks to measure the existing maturity level and examine the security gaps in order to propose possible changes in Ethiopian private banking industry's information system security maturity indicators.
Design/methodology/approach
Four private banks are selected as a representative sample. The system security engineering capability maturity model (SSE-CMM) is used as the maturity measurement criteria, and the measurement was based on ISO/IEC 27001 information security control areas. The data for the study were gathered using a questionnaire.
Findings
A total of 93 valid questionnaires were gathered from 110 participants in the study. Based on the SSE-CMM maturity model assessment criteria the private banking industry's current maturity level is level 2 (repeatable but intuitive). Institutions have a pattern that is repeated when completing information security operations but its existence was not thoroughly proven and institutional inconsistency still exists.
Originality/value
This study seeks to measure the existing maturity level and examine the security gaps in order to propose possible changes in Ethiopian private banking industry's information system security maturity indicators. This topic has not been attempted previously in the context of Ethiopian financial sector.
Details
Keywords
María Belén Ortiz and Stanislav Karapetrovic
Augmentation of an ISO 10001 code system for healthcare worker (HW) satisfaction with ISO/IEC 27701 and ISO/IEC 29184 privacy-related subsystems is shown. Four specific codes…
Abstract
Purpose
Augmentation of an ISO 10001 code system for healthcare worker (HW) satisfaction with ISO/IEC 27701 and ISO/IEC 29184 privacy-related subsystems is shown. Four specific codes regarding the privacy of HWs using electronic devices for hand hygiene (HH) monitoring and the related activities are presented.
Design/methodology/approach
HWs’ concerns involving automated hand hygiene monitoring technologies were identified through a literature review and classified. Privacy codes (PCs) that deal with such concerns were developed. ISO/IEC 27701 requirements for privacy information were mapped to the elements of these codes, labelled as “Healthcare Workers’ Hand Hygiene Privacy Codes (HW-HH-PCs)”. Both ISO/IEC 27701 and ISO/IEC 29184 guidelines for Privacy Notices and consent were linked with the activities for preparing the code resources.
Findings
Components of an ISO/IEC 27701 system, the guidance of ISO/IEC 29184 and the definitions provided in ISO/IEC 29100 can assist the preparation of HW-HH-PCs and the required resources. An ISO/IEC 29184 Privacy Notice can be used as input for developing an Informed Consent Form, which can be implemented to suit two of the four developed HW-HH-PCs.
Practical implications
HW-HH-PCs and the supporting resources, which healthcare organizations could implement to potentially increase quality assurance of an automated HH monitoring service, are illustrated.
Originality/value
Integrative augmentation of ISO 10001:2018, ISO/IEC 27701:2019 and ISO/IEC 29184:2020 within an underlying framework from ISO/IEC 20000–1:2018 for information technology service, together with the related examples of privacy-related customer satisfaction codes and the corresponding resources, is introduced.
Details
Keywords
João Serrado, Ruben Filipe Pereira, Miguel Mira da Silva and Isaías Scalabrin Bianchi
Data can nowadays be seen as the main asset of organizations and data leaks have a considerable impact on the organization’s image, revenues and possible consequences to the…
Abstract
Purpose
Data can nowadays be seen as the main asset of organizations and data leaks have a considerable impact on the organization’s image, revenues and possible consequences to the affected clients. One of the most critical industries is the bank. Information security frameworks (ISF) have been created to assist organizations and other frameworks evolved to update these domain practices. Recently, the European Union decided to create the general data protection regulation (GDPR), applicable to all organizations dealing with personal data of citizens residing in the European Union. Although considered a general regulation, GDPR implementation needs to align with some industries’ laws and policies. Especially in the Bank industry. How these ISF can assist the implementation of GDPR is not clear.
Design/methodology/approach
The design science research process was followed and semi-structured interviews performed.
Findings
A list of practices to assist the bank industry in GDPR implementation is provided. How each practice map with assessed ISF and GDPR requirements is also presented.
Research limitations/implications
As GDPR is a relatively recent subject, it is hard to find experts in the area. It is more difficult if the authors intend to find experienced people in the GDPR and bank industry. That is one of the main reasons this study does not include more interviews.
Originality/value
This research provides a novel artefact to the body of knowledge. The proposed artefact lists which ISF practices banks should implement to comply with GDPR. By doing it the artefact provides a centralized view about which ISF frameworks (or part of them) could be implemented to help banks comply with GDPR.
Details
Keywords
Mohamed Saad Saleh, Abdullah Alrabiah and Saad Haj Bakry
With the widespread of e‐services, provided by different organizations at the internal intranet level, the business extranet level, and the public internet level, compliance with…
Abstract
Purpose
With the widespread of e‐services, provided by different organizations at the internal intranet level, the business extranet level, and the public internet level, compliance with international information security management standards is becoming of increasing importance for establishing a common and safe environment for such services. The purpose of this paper is to examine the development of a mathematical model that enables the investigation of compliance of organizations with the widely acknowledged international information security management standard ISO 17799‐2005.
Design/methodology/approach
The model is based on the strategy, technology, organization, people and environment – STOPE – framework that provides an integrated well‐structured view of the various factors involved. The paper addresses the use of the model for practical investigations; it describes a practical example illustrating possible practical results.
Findings
The results show the strengths and the weaknesses of compliance, with the standard, at different levels: from the level of the measures associated with each of the “131” standard protection controls, up to the level of the STOPE domains.
Originality/value
The paper addresses the use of a mathematical model for practical investigations of compliance with the international information security management standard.
Details