Article
Article name MODEL OF EFFECTIVE INFORMATION SECURITY POLICY IN THE CONTEXT OF MANAGEMENT PRACTICE
Authors Beydina T.. ,
Kukharsky A.. ,
Novikova A.. ,
Category Politology
DOI 327
DOI 10.21209/2227-9245-2022-28-1-75-87
Annotation The article is devoted to the study of policy in the field of information security management and is relevant because it contains an assessment of the effectiveness of the information security management model. However, our review of the information security management literature has identified four major weaknesses that reduce the usefulness of the recommended characteristics for state and municipal governments implementing information policy management practices. The aim of this article is to provide a comprehensive overview of information security policy management and to develop a model based on a generalization of practice. Our review of the foreign literature shows that it is advisable to characterize an effective model of information policy management for government bodies. However, there are a number of shortcomings that reduce the usefulness and effectiveness of the information policy model for authorities implementing security policy. In the literature, in our opinion: there is no holistic view of the information policy model (gap 1); there is no uniformity in terminology and semantics (gap 2); different levels of detail are used when describing policy management actions (gap 3); and it is difficult to apply information policy management guidance from other practice areas such as risk management, information practice training and security awareness (gap 4). The article is structured as follows. Firstly, it examines the existing lifecycles of information security policy management. Secondly, it explains the research methodology used to review and analyze the literature. Thirdly, it proposes a model of management practices related to information security policy. Fourthly, it explains how the proposed model eliminates the identified shortcomings.
Two conclusions can be drawn from the study: 1) the model of information security policy management involves the enforcement of power aimed at managing risks; 2) the model is focused on identifying 3 stages of institutionalization: the development, implementation and assessment of management activities.
Key words: information security policy, security management policy, information security, information protection methods, state and municipal management, effective policy models, management practices, information, management activities, policy life cycle
Article information Beydina T., Kukharsky A., Novikova A. Model of effective information security policy in the context of management practice // Transbaikal State University Journal, 2022, vol. 28, no. 1, pp. 75-87. DOI: 10.21209/2227-9245-2022-28-1-75-87.