Information is widely exchanged in business transactions among employees, partners, customers, and other stakeholders. The technological capabilities of the internet enable a wealth of information to be gathered, combined, and disseminated, with relative ease. Despite government oversight, consumers continue to be concerned about the security of personal information used by corporations. Consumer concerns give rise to the necessity for corporations to manage information security. Organizations have a responsibility to protect consumer and organizational proprietary information while ensuring compliance with laws and regulations (Sipior, 2007). However, internet use has brought about an escalation of concerns including consumer confidence in online business activities, threats to data integrity, legal liability, and risk of financial loss. These, and other concerns, result in ever-increasing threats to organizations by terrorists, hackers, and even employees.
Information security management (ISM) may be defined as "a systematic approach to encompassing people, processes, and Information Technology (IT) systems that safeguards critical systems and information, protecting them from internal and external threats" (Barlas, Queen, Radowitz, Shillam, & Williams, 2007). Research on ISM generally addresses two areas, the technical computer security and non-technical security management, while some researchers span both areas (Baskerville & Siponen, 2002). Within the technical computer security literature, security policy is used as a synonym for overall security architecture of operating systems; while non-technical security management literature addresses the access control rules for a computer system. The focus of this paper is primarily on non-technical security management.
ISM is increasingly important within organizations, becoming a strategic imperative as security threats continue to escalate (Okin, 2006). Security and privacy is among the top ten IT management concerns, according to a 2005 survey of executive IT managers (SIM, 2006). For Certified Public Accountants, ISM has topped the list of the American Institute of Certified Public Accountants' (AICPA) annual top technology initiatives, expected to have the greatest impact in the coming year, for the past five years (Barlas et al., 2007). Proper management of information security requires a formal structure and resources (Mogul, 2002). The absence of a well-defined information security policy is currently regarded as the most serious problem with security in organizations today (Biegelman & Bartow, 2006). The vice president of security at Openheimer Funds recognizes that "senior managers need to assume an active role in addressing the security on their systems" (McCarthy, 2003, p.35).
Navigating the multitude of existing security standards, including dedicated standards for information security and frameworks for controlling the implementation of IT, presents a challenge to organizations. Adding to the challenge is the increase in activities of terrorist groups and organized criminal syndicates. A strategic approach to ISM will promote a focus on proper management of information as a key resource in global competition. In response, we propose our ISM framework which considers global, national, organizational, and employee standards to guide the management of information security. This framework can be used by international, national, and regional corporations to guide the formulation, implementation, enforcement, and auditing information security policies and practices.
The Information Security Management Framework
The ISM framework considers global, national, organizational, and employee standards to guide ISM. This framework is intended to promote a cohesive approach which considers a process view of information within the context of the entire organizational operational environment. …