A Generic Framework for Information Security Policy Development

Wan Basri Wan Ismail, Faculty of Communication, Visual Art and Computing, University of Selangor, Malaysia, wanbasri@unisel.edu.my
Raja Ahmad Tariqi Raja Ahmad, Faculty of Communication, Visual Art and Computing, University of Selangor, Malaysia, rmtariq@unisel.edu.my
Setyawan Widyarto, Faculty of Communication, Visual Art and Computing, University of Selangor, Malaysia, swidyarto@unisel.edu.my
Khatipah Abd Ghani, Faculty of Education and Social Science, University of Selangor, Malaysia, khatisj@unisel.edu.my

Abstract—Information security policies are not easy to create unless organizations explicitly recognize the various steps required in the development process of an information security policy, especially in institutions of higher education, which use enormous amounts of IT. An improper development process, or security policy content copied from another organization, might also fail to do an effective job. Such a policy could fail to address an issue such as non-compliance with applicable rules and regulations, even if the replicated policy is properly developed, referenced, cites the relevant laws or regulations and is interpreted correctly. A generic framework is proposed to improve and establish the development process of security policies in institutions of higher education. The content analysis and cross-case analysis methods were used in this study in order to gain a thorough understanding of the information security policy development process in institutions of higher education.

Keywords—security policy development, information security policy, information security.

I. INTRODUCTION

Information security and protection from insider threats are a major challenge in any organization today. Infrastructure technology such as the network perimeter is not a total solution against various threats. No matter how strongly and sophisticatedly these technologies are configured, the flaws in information security always relate to the human factor, the weakest link in information security risks [1]–[11]. Currently, many security experts agree that the implementation and enforcement of a security policy is one of the most practical ways to preserve and protect information systems [12] and also one of the keys to a successful security control program [12]–[17]. However, in order to develop an effective policy, two elements of a security policy have a bearing on its effectiveness: the development process [9], [18], [19] and the contents of the security policy [20], [21]. Moreover, a good security policy should translate management expectations into clear, specific, and measurable objectives besides demonstrating its effectiveness, readability and consistency [22]. Since the security policy should match the organization's direction and objectives, a security policy is not easy to develop. Duplicating a security policy from another organization might not be sufficient to address certain issues such as compliance with applicable rules and regulations. In certain circumstances, even a duplicated policy that is properly developed, referenced, cites the relevant laws or regulations and is interpreted correctly could be insufficient [23]–[25]. Hence, the security policy should be shaped by the organization's culture, beliefs, operations, environment and policy requirements [26]–[29], for example in Institutions of Higher Education (IHE), where different management structures (e.g. faculties, departments) and types of behaviour are practised [30]. Thus, the security policy formulation and development process must cater for different types of organizations, cultures, technology changes (hardware and software), users and levels of management support [31].

According to [9], [19], most studies on security policy focus on the structure and content of the policy but less on the development process, especially the step-by-step process. Thus, this paper focuses on security policy development in institutions of higher education. This paper is structured as follows: Section 2 discusses the importance of security policy development, Section 3 describes the research methodology, Section 4 covers the constructs of the proposed components and Section 5 discusses the results.

II. INFORMATION SECURITY POLICY DEVELOPMENT

A. Importance of the Security Policy Development Process

An information security policy expresses the organization's attitude towards internal and external information assets that need to be protected from unauthorized access, disclosure, destruction and modification [32]. The written policies are meant to control the dissemination and misuse of information. International organizations such as SANS and EDUCAUSE provide security policy templates, but these should only be considered a preparatory platform for policy development [22], [24]. As stated by [8], the process of formulating a security policy is time-consuming, difficult, and also expensive. This statement is also supported by [22]: "a good security policy is not a simple 'plug-and-play' component". Therefore, there are a few reasons why security policies are

Proc. EECSI 2017, Yogyakarta, Indonesia, 19-21 September 2017
978-1-5386-0549-3/17/$31.00 ©2017 IEEE
324