Integrating information security policy management with corporate risk management for strategic alignment
Corpuz, Maria & Barnes, Paul H. (2010) Integrating information security policy management with corporate risk management for strategic alignment. In Proceedings of the 14th World Multi-Conference on Systemics, Cybernetics and Informatics (WMSCI 2010), Orlando, Florida.
Information security policy defines the governance and implementation strategy for information security in alignment with the corporate risk policy objectives and strategies. Research has established that alignment between corporate concerns may be enhanced when strategies are developed concurrently using the same development process, since this establishes an integrative relationship between them. Utilizing the corporate risk management framework for security policy management establishes such an integrative relationship between information security and corporate risk management objectives and strategies. There is, however, a limitation in the current literature: no definitive approach has been presented that fully integrates security policy management with the corporate risk management framework. This paper presents an approach that adopts a conventional corporate risk management framework for security policy development and management in order to achieve alignment with the corporate risk policy. A case example is examined to illustrate the alignment achieved in each process step, with a security policy structure consequently being derived in the process. It is shown that information security policy management outcomes become both integral drivers and major elements of the corporate-level risk management considerations. Further study should involve assessing the impact of the proposed framework on enhancing alignment as perceived in this paper.
Item Type: Conference Paper
Keywords: Information Security, Security Management, Security Policy, Risk Management, Risk Policy
Subjects: Australian and New Zealand Standard Research Classification > COMMERCE MANAGEMENT TOURISM AND SERVICES (150000) > BUSINESS AND MANAGEMENT (150300) > Business Information Systems (150302)
Divisions: Current > QUT Faculties and Divisions > QUT Business School; Past > Institutes > Information Security Institute; Current > Schools > School of Management
Copyright Owner: Copyright 2010 [please consult the authors]
Deposited On: 27 Oct 2010 21:49
Last Modified: 27 Jul 2016 03:46