Application 2 – Annotated Bibliography
available at www.sciencedirect.com
journal homepage: www.elsevier.com/locate/cose
c o m p u t e r s & s e c u r i t y 2 5 ( 2 0 0 6 ) 55 – 63
Aligning the information security policy with the strategic information systems plan
Neil F. Doherty*, Heather Fulford
The Business School, Loughborough University, Ashby Road, Loughborough, Leicestershire LE11 3TU, United Kingdom
a r t i c l e i n f o
Article history:
Received 2 September 2004
Revised 24 February 2005
Accepted 29 September 2005
Keywords:
Strategic information systems
planning
Information security policy
Security breaches
Alignment
Information security management
Information security policy
components
a b s t r a c t
Two of the most important documents for ensuring the effective deployment of informa-
tion systems and technologies within the modern business enterprise are the strategic in-
formation systems plan (SISP) and the information security policy. The strategic
information systems plan ensures that new systems and technologies are deployed in
a way that will support an organisation’s strategic goals whilst the information security
policy provides a framework to ensure that systems are developed and operated in a secure
manner. To date, the literature with regard to the formulation of the information security
policy has tended to ignore its important relationship with the strategic information sys-
tems plan, and vice versa. In this paper we argue that these two important policy docu-
ments should be explicitly and carefully aligned to ensure that the outcomes of
strategically important information system initiatives are not compromised by problems
with their security.
ª 2005 Elsevier Ltd. All rights reserved.
1. Introduction
For the past two decades it has been argued that an ‘informa-
tion revolution’ is taking place that is having a significant im-
pact upon all aspects of organisational life (e.g. Porter and
Millar, 1985; Drucker, 1988). Indeed, it is often contended
that information is now analogous to an organisation’s life-
blood: should the flow of information become seriously re-
stricted or compromised then the organisation may wither
and die. However, if applied effectively as a strategic resource,
information investments can result in the realisation of signif-
icant corporate benefits. As McPherson (1996) argues, ‘informa-
tion is vital to the success of the business and will be accountable for
a significant share of the business’s various indicators of success, in-
cluding its cash flow and market value’. However, such benefits
will not be realised from the utilisation of information if the
* Corresponding author. Tel.: þ44 1509 223128; fax: þ44 1509 223960. E-mail address: [email protected] (N. F. Doherty)
0167-4048/$ – see front matter ª 2005 Elsevier Ltd. All rights reserved doi:10.1016/j.cose.2005.09.009
associated information systems and technologies are applied
in an unfocussed and piecemeal way. As Lederer and Sethi
(1996) note, strategic information systems planning (SISP)
plays a vital role in helping to avoid ‘lost opportunities, dupli-
cated effort, incompatible systems, and wasted resources’. Looked
at in a different way, the process of formulating an informa-
tion systems plan helps to explicitly focus the planners’ atten-
tion on ‘major opportunities for exploiting information’ (Ward and
Peppard, 2002; p. 468).
Whilst a key objective of strategic information systems
planning is to identify opportunities to exploit information,
Ward and Peppard (2002; p. 468) also note that the real ‘chal-
lenge is to ensure that this information is of the highest quality pos-
sible, particularly in terms of timeliness, accuracy, completeness,
confidence in source, reliability and appropriateness’. Unfortu-
nately, in practice, many organisations are failing to
.
c o m p u t e r s & s e c u r i t y 2 5 ( 2 0 0 6 ) 55 – 6356
consistently provide the high quality information resources
that their managers require, because of unacceptably high
levels of security breaches experienced (Garg et al., 2003). For
example, in the UK, it has recently been found that ‘the number
of security incidents continues to rise’, with 74% of businesses
reporting a security breach in 2004, as compared with only
44% in 2000 (DTI, 2004; p. 1). In a similar vein, Austin and Darby
(2003; p. 121) note that in the United States ‘security breaches af-
fect 90% of all businesses every year, and cost some $17 billion’.
Moreover, Austin and Darby (2003) also suggest that protective
measures can be very expensive: ‘the average company can easily
spend 5%–10% of its IT budget on security’. One important mecha-
nism for protecting corporate information, in an attempt to de-
tect, prevent and respond to security breaches is through the
formulation and application of an information security policy
(InSPy) (Hone and Eloff, 2002; von Solms and von Solms, 2004).
There is therefore an obvious relationship between strate-
gic information systems planning and information security
management, and hence between the two key documents as-
sociated with these activities: the strategic information sys-
tems plan and the information security policy. The former
document is designed to identify what information resources
are required and how they can be exploited, whilst the latter
details how such information can be kept secure and there-
fore readily available to managers. For example, if a strategic
information systems plan were to identify the need for an en-
terprise-wide intranet, then the information security policy
would need to be modified to take account of this highly sig-
nificant change to the way in which corporate information is
to be stored, disseminated and managed.
Higgins (1999) argues that the information security ‘policy is
the start of security management’. Whilst supporting this senti-
ment, we would add the caveat that the strategic information
systems plan is a critical prerequisite for policy formulation,
as it defines the business context in which information security
will be managed and therefore the objectives of, and priorities
for, security management. Unfortunately, whilst the relation-
ship between these two key business documents appears clear,
a thorough review of the literature suggests that this subject has
been given little explicit coverage in academic or practitioner
publications. Consequently, the broad aim of this paper is to
fill this gap in the literature by exploring how and why the infor-
mation security policy should be explicitly aligned with the stra-
tegic information systems plan. To explore the issue, the
remainder of the paper has been organised into a further four
sections. The first section ‘‘The relationship between the infor-
mation security policy and the strategic information systems
plan’’ reviews the relevant literature, before some common
business cases are used to investigate in more detail the nature
of the relationship, between SISP and the InSPy, in the section
entitled ‘‘Case examples’’. In the final sections, we review the
implications of our findings in the context of the literature.
2. The relationship between the information security policy and the strategic information systems plan
The purpose of this section is to review the aims and scope of
the strategic information systems plan and then the
information security policy, before exploring how the two
might be directly related.
2.1. The role and scope of the strategic information systems plan
As concerns continue to grow about the value and effective-
ness of IT investments, improving strategic information sys-
tems planning practices has rapidly become one of the most
critical issues facing IS executives today (Galliers, 1993; Segars
et al., 1998; Newkirk et al., 2003). Strategic information sys-
tems planning (SISP) has been defined as: ‘the process of identi-
fying a portfolio of computer-based applications to be implemented,
which is both highly aligned with corporate strategy and has the
ability to create an advantage over competitors’ (Doherty et al.,
1999). It is, therefore, an exercise, or ongoing activity, that en-
ables organisations to develop priorities for IS development.
Specific projects are chosen for their alignment with business
objectives or their capacity to create significant impact on the
organisation’s competitive positioning. Whilst the main focus
of SISP – as witnessed by the above definition – is typically
viewed as the identification of new applications, Beynon-
Davies (2002; p. 417) suggests that a SISP exercise may cover
a wider variety of projects. More specifically, he suggests
that SISP facilitates the identification of a prioritised portfolio
of the following types of system and technology related
projects:
� corrections to existing information systems; � enhancements to existing information systems; � major new information systems development projects; � major new infrastructure systems or technologies, for ex-
ample those that attempt to integrate systems across the
organisation;
� research projects investigating innovative and potentially rewarding systems and technologies.
The implementation of any of the above types of project in
a portfolio can have significant implications for the security of
corporate information resources, and consequentially the
organisation’s information security policy. We would, there-
fore, argue that the output of the strategic information plan-
ning process – a comprehensive, fully costed and timetabled
plan – should be used to test the adequacy of the current
InSPy, if one already exists, or to provide focus for the creation
of an initial policy, if it does not exist. A fuller discussion of the
process of information systems planning, and how the review
of the information security policy might usefully be incorpo-
rated, is presented in the section ‘‘The relationship between
the information security policy and the strategic information
systems plan’’.
2.2. The role and scope of the information security policy
Gaston (1996; p. 175) suggests that the information security
policy can be defined as the ‘broad guiding statements of goals
to be achieved’ with regard to the security of corporate informa-
tion resources. This definition is broadly in line with the Inter-
national Standard on ‘Information Security Management’ (ISO
17799, 2000; p. 1), which suggests that the InSPy document
c o m p u t e r s & s e c u r i t y 2 5 ( 2 0 0 6 ) 55 – 63 57
should ‘provide management direction and support for information
security’. As such, InSPys typically include ‘general statements of
goals, objectives, beliefs ethics and responsibilities, often accompa-
nied by the general means of achieving these things (such as proce-
dures)’ (Wood, 1995). The information security policy has
become the focus of an increasing amount of academic scru-
tiny, over the past 10 years or so, as its critical role in prevent-
ing, detecting and responding to security breaches has
become more apparent. The aim of this section is to provide
a review of this body of literature, paying particular attention
to the importance and scope of such policies.
There is a growing consensus both within the academic
and practitioner communities that the information security
policy is the basis for the dissemination and enforcement of
sound security practices, within the organisational context
(e.g. Baskerville and Siponen, 2002; Doherty and Fulford,
2005). As David (2002) notes: ‘it is well known, at least among
true security professionals, that formal policy is a prerequisite of se-
curity’. Similarly, Lindup (1995) asserts:
‘ten years ago, information security policies were more or
less unheard of outside the world of secret military and
government networks. Now they are regarded by security
professionals as one of the most important foundations
of information security’.
The primary reason that the InSPy has become the ‘prereq-
uisite’ or ‘foundation’ of effective security practices has been
suggested by Higgins (1999), who notes: ‘without a policy, secu-
rity practices will be developed without clear demarcation of objec-
tives and responsibilities’.
Whilst a great deal has been written about the importance
and role of the information security policy, and approaches
to its formulation and dissemination, there is relatively
little academic material that explicitly addresses the scope
or content of security policies. One recent attempt to explic-
itly fill this gap synthesised the key themes from the litera-
ture – in particular the international standard (ISO 17799,
2000) – into a list of specific issues to be addressed by the
information security policy. This provisional list was then vali-
dated through an empirical study of the use of the InSPy, within
large UK-based organisations (Fulford and Doherty, 2003). Given
that these issues will form the framework for analysing our
case examples, in the section ‘‘Case examples’’, we have
provided the following working descriptions for each of these
individual components of the information security policy:
1. Personal usage of information systems: The information se-
curity policy should clearly articulate the individual
employee’s rights and responsibilities in their use of
organisational information systems.
2. Disclosure of information: Information systems increasingly
allow employees direct access to significant amounts of
information – much of which may be confidential. The se-
curity policy must therefore highlight any restrictions
with regard to the disclosure or use of such information.
3. Physical security of infrastructure and information resources: It
has been noted that ‘equipment should be physically pro-
tected from security threats and environmental hazards’ (ISO
17799, 2000; p. 16). It is, therefore, important that the
policy explicitly articulates how infrastructure and infor-
mation resources are to be protected.
4. Violations and breaches of security: As noted in the introduc-
tion to this paper security breaches are still a common,
and potentially very damaging, occurrence. The policy doc-
ument must therefore indicate the steps to be taken to re-
cover from a breach or violation and the requirements for
recording such security incidents (ISO 17799, 2000; p. 16).
5. Prevention of viruses and worms: The rapid proliferation of
viruses, worms and trojans present an increasingly po-
tent threat to the security of corporate information re-
sources (Post and Kagan, 2000; Hinde, 2002). The
organisation’s policy with regard to the application of vi-
rus checking software, the use of attachments and the
sharing of information must therefore be made clear.
6. User access management: It has been noted that ‘access to in-
formation and business processes should be controlled on the
basis of business and security requirements’ (ISO 17799,
2000; p. 33). The information security policy should,
therefore, provide a ‘clear statement of the business require-
ments to be met by access controls’ (ISO 17799, 2000; p. 33).
7. Mobile computing: The use of notebooks, palmtops and lap-
tops away from the traditional working environment
makes them particularly vulnerable, as they are more dif-
ficult to protect using conventional security controls. The
policy must therefore highlight the practices that must be
adopted to ensure that ‘business information is not compro-
mised’ (ISO 17799, 2000; p. 46).
8. Internet access: As the use of the Internet – in the work-
place – continues to grow rapidly, it is important that
the policy explicitly addresses the issue of Internet ac-
cess, particularly with respect to issues such as the view-
ing of pornography and personal browsing.
9. Software development and maintenance: As many security
problems can be directly attributed to errors and over-
sights in the development of information systems, the
policy must present guidelines for ensuring that effective
security controls and procedures are built into all new
systems.
10. Encryption: The growth of electronic commerce and mo-
bile computing has inevitably increased the amount of in-
formation that is being communicated across public – and
potentially less secure – networks. The organisation’s re-
quirements for the encrypting of such information must
therefore be clearly addressed in the information security
policy.
11. Contingency/continuity planning: It is essential that all orga-
nisations have a contingency plan in place to specify how
to cope with and recover from a significant security
breach, such as a natural disaster or a serious virus. The
information security policy must specify how such con-
tingency plans are to be written, tested, maintained,
and ultimately implemented.
The above review has attempted to identify and describe
the issues that will commonly be addressed in the informa-
tion security policy. However, it cannot claim to be either a de-
finitive or generic list, as the range of issues to be covered in
a specific policy will very much depend upon the host organ-
isation’s particular circumstances and security priorities. It is
c o m p u t e r s & s e c u r i t y 2 5 ( 2 0 0 6 ) 55 – 6358
likely that any significant modification to an organisation’s IT
infrastructure and applications – engendered by a new infor-
mation systems plan – will have an impact on the majority,
if not all of the above issues.
2.3. The relationship between the information security policy and the strategic information systems plan
A review of the literature suggests that researchers and practi-
tioners are beginning to recognise that the information secu-
rity policy should relate in some way to corporate objectives.
For example, the International Standard (ISO 17799, 2000; p.
xi) suggests that the ‘security policy should reflect business objec-
tives’. However, the standard goes on to suggest that a review
of the information security policy should take place ‘in response
to any changes affecting the basis of the original risk assessment, e.g.
significantsecurity incidents, new vulnerabilities or changes to the or-
ganizational or technical infrastructures’ (ISO 17799, 2000; p. 2).
Consequently, the Standard appears to emphasise a reactive
form of policy review, and it certainly offers no explicit advice
on how the policy might best be aligned with corporate objec-
tives. Zuccato (2004; p. 67) also suggests that the point of depar-
ture for the preparation of a security requirements model is the
specification of a vision and goals, but he does not specify
whether this is the organisational vision and goals, or the vi-
sion and goals of the modelling exercise. Whilst Baskerville
and Siponen (2002) recognise that information security policies
should be ‘approved by a steering committee of managers, which
may include specialists in information security, design and develop-
ment and strategic planning1, they make no explicit link between
the information security policy and corporate objectives.
In summary, whilst there have been isolated calls in the lit-
erature for a link between corporate objectives/strategic plan-
ning and the formulation of the information security policy,
there has been no focussed discussion of how this link might
be established and operationalised. One obvious approach –
that to the best of our knowledge has not been addressed in
either the academic or practitioner literatures – would be to
closely and explicitly align the information security policy
with the strategic information systems plan, which in turn
should be based upon corporate objectives.
Fig. 1 presents a highly summarised view of how the process
of reviewing the information security policy might be accom-
modated within the strategic information systems planning
process. In Fig. 1a, we see the traditional process by which
the strategic information systems plan is formulated: an ap-
propriate planning team is assembled, the situation analysis
is conducted and a strategy is formulated and then imple-
mented. Having implemented the new strategic plan, it will
be periodically reviewed and modified to ensure that it is perti-
nent to the organisation’s changing needs. In Fig. 1b this tradi-
tional process for formulating the IS plan has been modified to
accommodate the information security policy.2 In this case,
1 Our emphasis. 2 There is an underlying assumption in our basic model that the
organisation already has an information security policy. How- ever, for those organisations that do not, the process of formulat- ing a new IS plan should act as a stimulus for developing an initial information security policy.
once the new strategy has been formulated, its impact on the
information security policy will be reviewed – and if necessary
the security policy will be modified – prior to the implementa-
tion of the strategy. Similarly, when reviewing a new strategy,
once it is operational, the impact of any changes on the infor-
mation security policy will be reviewed, before implementing
any changes to the strategy.
As the ‘review/modify information security policy’ phase, on
the revised version of the SISP, is probably the most impor-
tant, in the context of this paper, it warrants some further ex-
planation. It is envisaged that this activity should be
operationalised by firstly assembling a group of appropriate
personnel – IT, information security, strategic planning and
commercial specialists – to review the security implications
of the strategy. More specifically, this group should assess
the ways in which each individual IT project – documented
in the SISP – might be used and abused, once operational,
and consequently how each might threaten the security of
the organisations’ information resources. Having generated
a list of potential security threats, in terms of both their likeli-
hood and significance, the existing information security policy
must then be critically reviewed to assess whether each of
these potential threats is adequately countered by the existing
policy. If it is not, then each of the inadequate components
must be modified to effectively counter the newly identified
threat. Whilst the key focus of this exercise will be the align-
ment of the strategic information systems plan, and the InSPy,
it is recommended that the corporate objectives are also con-
sidered, in case there are any changes to the wider corporate
strategy that might impact upon information security, even
if these haven’t been reflected in the SISP. For example, a stra-
tegic drive to increase the number of customers using an orga-
nisation’s website might not warrant any explicit changes to
the organisation’s IS/IT provision, but it might have indirect
implications for information security.
In situations where a policy is not currently in use, this ex-
plicit link between SISP and information security, will not only
help to get information security on senior managers’ agendas,
it will also act as a very strong cue for organisations to formu-
late an initial policy. Indeed, this eventuality is highly likely,
as recent findings with respect to the uptake of information
security policies within the UK suggest that nearly two-thirds
of all companies are still failing to implement a policy (DTI,
2004). Even amongst larger organisations [250þ employees], the level of uptake is still a potential cause of concern (DTI,
2004; Fulford and Doherty, 2003). The most likely explanation
for this low level of adoption is that information security is
simply not ‘high on the agenda of those at board level’ (May,
2003; p. 13).
It could be argued that the review of the information secu-
rity policy does not need to be so explicitly integrated into the
SISP formulation process, as there is likely to be a significant
time lag between the formulation of a new strategic IS plan,
and any resulting implications for the management of infor-
mation security. However, we believe that this proactive ap-
proach can be defended on the grounds that there may be
instances where the introduction of a new strategy will have
such a significant impact on the management of information
security that it will require changes to the strategy before it is
implemented. For example, a new strategy in support of the
c o m p u t e r s & s e c u r i t y 2 5 ( 2 0 0 6 ) 55 – 63 59
Review / modify Information
Security Policy
Create / modify Information
Security Policy
b Bringing the information security policy into the IS strategy formulation Process
Modify strategy
Implement strategy
Formulate strategy
Conduct situation analysis
Review strategy
Assemble Strategy Team
The traditional IS strategy formulation Process
Modify strategy
Implement strategy
Formulate strategy
Conduct situation analysis
Review strategy
Assemble Strategy Team
a
Fig. 1 – From traditional SISP to security-oriented SISP.
introduction of an enterprise-wide intranet might have such
significant implications for information security, that it war-
rants the introduction of a completely new IT infrastructure,
which will, in turn, require a significant change to the new
strategy to accommodate this. In extreme cases, it could
even be that the implications of a new strategic initiative are
so potentially dangerous, that the strategy has to be shelved.
For example, concerns about ensuring the security of online
transactions might dissuade a retailer from developing
a web-based ordering facility. Whilst we have argued strongly
that the InSPy should be reviewed and updated, in a proactive
manner, as an integral part of the strategic information sys-
tems planning process, we also recognise that there will still
be circumstances where the InSPy will need to be modified
in response to a given set of circumstances. For example, if
an organisation’s information security procedures have been
seriously compromised by hackers or viruses, then it may be
necessary to immediately modify the policy to reduce the like-
lihood of repeat occurrences.
3. Case examples
The aim of this section is to explore how the strategic infor-
mation systems plans for some common types of information
systems and technology implementation projects might affect
the information security policy of a large manufacturing orga-
nisation.3 For each of these hypothetical projects, the broad
strategic objectives of the initiative will be explored, before
the implication of each for the formulation of the InSPy is in-
vestigated, and in some cases vice versa. The projects outlined
range from relatively simple introductions of new hardware or
software to a small section of an organisation, through to
more complex systems initiatives that are likely to have
3 A manufacturing context was explicitly chosen, as manufac- turers typically invest in a wide range of often highly sophisti- cated systems that can have very significant security implications.
a considerable impact on working practices across the organi-
sation as a whole, as well as on the organisation’s trading
partners (suppliers and customers).
3.1. Example 1: introduction of Internet access to the R&D department
Organisations are increasingly using the Internet for infor-
mation retrieval purposes, rather than relying on more
conventional paper-based information repositories (DTI,
2004). The introduction of Internet access to the R&D depart-
ment of a manufacturing organisation would, for example,
permit rapid and extensive competitor analysis, and product
comparisons. However, as it is typically difficult to restrict
Internet usage to very narrowly defined domains, its use,
and indeed abuse, can have significant security implications.
For example, users may download insecure data and files,
view illegal material (e.g. pornography), or simply waste
time in non-productive activities. Consequently, those areas
of the policy relating to personal IT usage and Internet ac-
cess will require particularly close scrutiny, as the potential
security impacts are likely to be most significant in these
areas.
3.2. Example 2: introduction of laptops to the sales team
The use of mobile computing facilities, such as laptops, has
been a boon for many organisations, allowing their staff to
keep in touch with the office whilst off-site, and also giving
them remote access to corporate facilities, such as product da-
tabases, whilst visiting clients, attending trade fairs, and so
on. However, the introduction of laptops and other mobile
computing devices has a number of major security implica-
tions (Ahlberg, 2004). For example, there is the problem of
physical security: the equipment is more vulnerable to theft
and damage while staff are away from their office base. There
is also the issue of remote access to corporate data resources,
which can be vulnerable to attacks from outside as the net-
works are not likely to be as secure as those used within the
c o m p u t e r s & s e c u r i t y 2 5 ( 2 0 0 6 ) 55 – 6360
organisation itself. Indeed, a recent survey (Ahlberg, 2004)
showed that a third of users do not even use simple password
protection facilities on their mobile computing devices, whilst
two-thirds of mobile computing users did not have their data
encrypted. Moreover, as with the previous example, there are
likely to be concerns with regard to users’ personal use of
organisational systems and remote access to the Internet.
However, in the case of mobile computing, these concerns
may be exacerbated, as staff are away from the normal in-
house controls and monitoring regimes. Problems of disclos-
ing information may also be more likely, in situations where
users are working off-site, often in close proximity to trading
partners. Again, all those areas of the information security
policy dealing with these specific security threats will need
to be thoroughly reviewed, and where necessary modified,
particularly personal usage, mobile computing and Internet
access, where the impacts of mobile computing are likely to
be most significant.
3.3. Example 3: ERP implementation
An enterprise resource planning (ERP) system is a software
package with integrated modules that support all major
business functions across an organisation. ERP systems
have become increasingly popular amongst many commer-
cial organisations, particularly those operating in the
manufacturing sector, where they can deliver many benefits
(Spathis and Constantinides, 2003). It is very likely that the
adoption of an ERP system, within a manufacturing organisa-
tion, would have significant implications for the manage-
ment of corporate information, and in particular the
safeguarding of its security. In addition to those security
areas already discussed under the first two examples, the or-
ganisation is likely to review areas associated with informa-
tion disclosure, as the ERP will make information more
widely available to different types of users across the organi-
sation. Moreover, the organisation may need to establish
more comprehensive contingency plans, as an ERP is likely
to make the organisation more dependent on its IT resources.
Encryption rules will need to be thoroughly reviewed if the
organisation is intending to use the ERP to link via electronic
networks to suppliers and customers. The latest DTI security
breaches survey report notes, for example, that ‘greater con-
nectivity’ has increased the ‘exposure of UK businesses to security
threats’ (DTI, 2004).
In the case of a strategic initiative such as ERP implemen-
tation, it is arguably not just the impact of the strategic initia-
tive on the security policy that needs to be reviewed. There
may also be cases where it will be necessary to amend the
strategic information systems plan, to avoid high risk security
problems. For example, most ERP systems are acquired in
packaged form, with a wide variety of security controls built
in. The organisation will need to consider whether such pre-
defined controls are stringent enough for their purposes, and
whether they match the sorts of controls documented in their
existing policy. It may be that the organisation decides, at the
planning and systems development stage, that certain com-
ponents of the ERP package are not sufficiently secure for their
purposes, and they may decide, therefore, not to implement
those components, and perhaps instead to develop their
own bespoke components or systems.
3.4. Example 4: E-commerce initiative
Through its high levels of connectivity, reach and adoption,
the Internet, has probably become the most influential of
the vast array of technologies available to businesses. For
manufacturing organisations it has provided an unprece-
dented opportunity for selling products directly to clients
(Doherty et al., 2003; De Kare-Silver, 2000).
Electronic commerce is particularly vulnerable to network
related threats, such as ‘unauthorised access by outsiders’ and
‘virus infection and disruptive software’ (DTI, 2004). Conse-
quently, it is very likely that the introduction of a significant
e-commerce operation, within a manufacturing organisation,
will have significant implications for the management of cor-
porate information, and in particular the safeguarding of its
security. One of the key concerns here is that the organisation
will be linking itself electronically to its customers, involving
increased external e-mail and other Internet-based traffic,
leading to the possibility of higher levels of virus and worm at-
tacks, hacking incidents, and various denial of service attacks
than were noted in the previous cases. In turn, this means that
the organisation needs to ensure that it has adequate contin-
gency and recovery plans in place, including alternative ar-
rangements for customers to place orders when the web-
based service is out of action, and so on. Indeed, the DTI sur-
vey (2004) found that interruptions to the availability of ser-
vices were a major problem for many UK businesses, with
some organisations suffering a ‘very major disruption to their
business operations for more than a month’. A plan for the intro-
duction of a comprehensive, web-based facility might high-
light security concerns of such a magnitude, that it is
necessary to amend the plan. For example, the introduction
of online order tracking, which would entail giving customers
access to organisational systems, might be judged to be too
risky, as it would expose the organisation to unacceptable se-
curity risks from hackers.
The evidence presented in this section is that there is
a very strong rationale for reviewing the information security
policy in tandem with the formulation of a plan for a
significant new, strategic initiative, regardless of the size
and scope of that initiative. Table 1 provides a summary of
each of the illustrative IT projects, reviewed previously,
highlighting the components of the information security
policy, which are likely to be most significantly affected
by its introduction: the more significant the potential
impact, with regard to a specific policy component, then the
more thoroughly that component will need to be reviewed.
The table highlights the fact that as the IT initiatives increase
in complexity, particularly in terms of their impacts both
within the organisation, and beyond the organisation to trad-
ing partners, the greater the impact on the information secu-
rity policy and the greater the number of policy components
requiring evaluation and possible amendment. It also demon-
strates that the security concerns vary greatly between the
initiatives and therefore the security implications of each
and every new strategy must be judged on its own specific
characteristics.
c o m p u t e r s & s e c u r i t y 2 5 ( 2 0 0 6 ) 55 – 63 61
Table 1 – The impact of strategic initiatives on information security policy
Policy components Case examples
Internet access for R&D Department
Laptops for sales team
Introduction of ERP
E-commerce project
Personal usage
of information systems
XX XXX X X
Disclosure of information X XX XXX
Physical security
of infrastructure and information
XX XX XX
Violations and breaches
of security
X X XX XXX
Prevention of viruses
and worms
XX XX X XXX
User access management X XX XX X
Mobile computing XXX
Internet access XXX XXX
Software development
and maintenance
XX XX
Encryption X XX XXX
Contingency/continuity planning XXX XXX
Key: X: limited impact; XX: moderate impact; XXX: highly significant impact.
4. Discussion
Unfortunately, it has often been observed that the high
levels of security breaches experienced by commercial
organisations – as discussed in this paper’s introduction –
are failing to raise the organisational profile of information
security management. As Straub and Welke (1998; p. 441)
note:
‘Information security continues to be ignored by top managers,
middle managers, and employees alike. The result of this un-
fortunate neglect is that organizational systems are far less se-
cure than they might otherwise be and that security breaches
are far more frequent and damaging than is necessary’.
We would argue that the explicit alignment of the infor-
mation security policy with the strategic information sys-
tems plan might be one constructive way of making
information security more relevant and meaningful to man-
agers, which in turn might help to reduce the incidence
and severity of security breaches. In adopting this approach
organisations can move from a reactive style of security
management to a far more proactive one. More specifically,
it is envisaged that the alignment of these two important
strategic documents might deliver the following six
benefits:
1. The recent DTI (2004) report concluded that ‘all too often, an
organisation’s security policy is out of step with the current
business priorities’. The explicit alignment of the SISP for-
mulation, and the InSPy creation review, processes will
help to give the security policy a far stronger business
orientation.
2. The information security policy can be modified in ad-
vance of a new strategic information systems initiative
to ensure that its implementation does not create any
new and unexpected security risks.
3. A ‘proactive security culture’ is unfortunately very rare
(May, 2003; p. 11), with the consequence that the InSPy
is typically updated in response to security breaches, or
technological changes. The integrated approach will allow
the InSPy to be modified in a more proactive manner, and
in so doing shift the emphasis from rectification, to
prevention.
4. Prior to its implementation, the strategic information sys-
tems plan can be reviewed and modified – from a security
perspective – to avoid the introduction of any information
systems/technology initiatives that would be open to sig-
nificant information security risks.
5. By reviewing the strategic information systems plan and
the information security policy in parallel it will be possi-
ble to flag-up important security controls that need to be
built into new systems that have been identified in the in-
formation system plan, in advance of their development.
In a similar vein, it will also be possible to incorporate se-
curity management issues into user manuals, training
documentation and procedures prior to the introduction
of new systems.
6. It has long been recognised that the real threat from secu-
rity breaches lies in their consequential impact on organ-
isational performance, such as damage to customer
confidence or a loss in sales revenues (e.g. Menzies,
1993). By integrating the InSPy review into information
systems planning, which is a business oriented exercise,
it should be possible to raise managers’ awareness of
the consequential impacts of security breaches and to
consider how they can best be countered through the
InSPy.
In terms of the limitations of the proposed approach, the
key deficiency, at present, is that our proposals are purely
c o m p u t e r s & s e c u r i t y 2 5 ( 2 0 0 6 ) 55 – 6362
theoretical. Consequently, we need to test our proposal in
practice and gain insights from any organisations that have
already investigated integrating their InSPys into their infor-
mation systems planning process. We also need to develop
a deeper understanding of exactly how the link between the
strategic information systems plan and the information secu-
rity policy might best be operationalised. Moreover, it will be
important to also explore whether there may be any alterna-
tive approaches to the alignment of the InSPy with corporate
objectives. Follow-up research projects, adopting an action re-
search approach, are currently being planned to help fill these
gaps in our knowledge.
5. Concluding remarks
A recent piece of research (Watson, 2004) suggests that the
security of IT systems is the most stressing problem facing
IT Directors. It is envisaged that the explicit integration of
the InSPy review into the strategic information systems plan-
ning process, might provide IT Directors with a powerful and
effective new approach to improving the security of their sys-
tems. In so doing, it should help to ensure that the informa-
tion security policy is not ‘an IT document designed by IT in
isolation from the business’ (Hinde, 2002; p. 315). When review-
ing our proposals, however, it must, be remembered that that
this is an exploratory piece of research designed, at this
stage, to prompt a debate rather than to provide any com-
plete answers.
r e f e r e n c e s
Ahlberg M. Data goes walkabout. The Computer Bulletin 2004; 46(6):24–5.
Austin RD, Darby CA. The myth of secure computing. Harvard Business Review 2003;June:121–6.
Baskerville R, Siponen M. An information security meta-policy for emergent organisations. Information Management and Com- puter Security 2002;15(5/6):337–46.
Beynon-Davies P. Information systems. Basingstoke: Palgrave; 2002.
David J. Policy enforcement in the workplace. Computers & Se- curity 2002;21(6):506–13.
De Kare-Silver M. E-shock 2000, The electronic shopping revolu- tion: strategies for retailers and manufacturers. Basingstoke: Macmillan Business; 2000.
Doherty NF, Fulford H. Do information security policies re- duce the incidence of security breaches: an exploratory analysis. Information Resources Management Journal 2005; 18(4):21–38.
Doherty NF, Marples CG, Suhaimi A. The relative success of al- ternative approaches to strategic information systems plan- ning: an empirical analysis. Journal of Strategic Information Systems 1999;8(3):263–83.
Doherty N, Ellis-Chadwick FE, Hart CA. An analysis of the factors affecting the adoption of the Internet in the UK retail sector. Journal of Business Research 2003;56(11):887–97.
Drucker PF. The coming of the new organisation. Harvard Busi- ness Review 1988; Jan–Feb.
DTI. Information security breaches survey. Department of Trade & Industry; 2004.
Fulford H, Doherty NF. The application of information security policies in large UK-based organisations: an exploratory analysis. Information Management and Computer Security 2003;11(3):106–14.
Galliers RD. Research issues in information systems. Journal of Information Technology 1993;8:92–8.
Garg A, Curtis J, Halper H. Quantifying the financial impact of information security breaches. Information Management and Computer Security 2003;11(2):74–83.
Gaston SJ. Information security: strategies for successful man- agement. Toronto: CICA; 1996.
Higgins HN. Corporate system security: towards an integrated management approach. Information Management and Com- puter Security 1999;7(5):217–22.
Hinde S. Security surveys spring crop. Computers & Security 2002; 21(4):310–21.
Hone K, Eloff JHP. Information security policy – what do inter- national security standards say? Computers & Security 2002; 21(5):402–9.
ISO. Information technology. Code of practice for information security management – ISO 17799. International Standards Organization; 2000.
Lederer AL, Sethi V. Key prescriptions for strategic information systems planning. Journal of Management Information Sys- tems 1996;13(1):35–62.
Lindup KR. A new model for information security policies. Com- puters & Security 1995;14(8):691–5.
May C. Dynamic corporate culture lies at the heart of effective security strategy. Computer Fraud & Security 2003;2003(5): 10–3.
McPherson PK. The inclusive value of information. International Federation for Information and Documentation – 48th con- gress. Graz; 1996. p. 41–60.
Menzies R. Information systems security. In: Peppard J, editor. IT strategy for business. London: Pitman Publishing; 1993.
Newkirk HE, Lederer AL, Srinivasan C. Strategic information systems planning: too little or too much? Journal of Strategic Information Systems 2003;12:201–28.
Porter ME, Millar VE. How information gives you com- petitive advantage. Harvard Business Review 1985;Jul– Aug:149–60.
Post G, Kagan A. Management trade-offs in anti-virus strategies. Information & Management 2000;37(1):13–24.
Segars A, Grover V, Teng T. Strategic information systems plan- ning: planning system dimensions, internal co-alignment, and implications for planning effectiveness. Decision Sciences 1998;29(2):303–41.
Spathis C, Constantinides S. The usefulness of ERP systems for ef- fective management. Industrial Management and Data Systems 2003;103(9):677–85.
von Solms B, von Solms R. The ten deadly sins of information security management. Computers & Security 2004;23(5): 371–6.
Straub DW, Welke RJ. Coping with systems risk: security planning models for management decision making. MIS Quarterly 1998; 22(4):441–70.
Ward J, Peppard J. Strategic planning for information systems. Chichester: John Wiley & Sons; 2002.
Watson J. CIO’s feel the strain of business alignment. Computing 26 August 2004:5.
Wood CC. A policy for sending secret information over commu- nications networks. Information Management and Computer Security 1995;4(3):18–9.
Zuccato, A. Holistic security requirements engineering for elec- tronic commerce. Computers & Security 2004;12(1):63–76.
Dr. Neil F. Doherty is a senior lecturer in Information Systems
in the Business School at Loughborough University. In
c o m p u t e r s & s e c u r i t y 2 5 ( 2 0 0 6 ) 55 – 63 63
addition to information security, his research interests in-
clude the interaction between organisational issues and tech-
nical factors in information systems development,
understanding the reasons for failures of information systems
projects, strategic information systems planning and e-com-
merce. Neil has had papers published in a range of academic
journals, including: European Journal of Information Systems,
Journal of Information Technology, Journal of Strategic Information
Systems, Information Resources Management Journal, IEEE Trans-
actions in Engineering Management, Journal of Business Research,
Journal of End User Computing, Information Technology & People,
Behaviour & IT and Information & Management.
Dr. Heather Fulford is a lecturer in Information Systems in the
Business School at Loughborough University. Her research in-
terests include security management in large and small enter-
prises, electronic commerce adoption, web site design, and
knowledge management. She is currently managing an
EPSRC-funded project investigating the adoption of IT by UK
SMEs, and has also gained government funding for an e-com-
merce adoption project. Heather has had her papers published
in a range of academic journals, including: Information Manage-
ment & Computer Security, Information Resources Management
Journal, International Journal of Retail & Distribution Management
and Terminology.
- Aligning the information security policy with the strategic information systems plan
- Introduction
- The relationship between the information security policy and the strategic information systems plan
- The role and scope of the strategic information �systems plan
- The role and scope of the information security policy
- The relationship between the information security policy and the strategic information systems plan
- Case examples
- Example 1: introduction of Internet access �to the R&D department
- Example 2: introduction of laptops to the sales team
- Example 3: ERP implementation
- Example 4: E-commerce initiative
- Discussion
- Concluding remarks
- References