Information Security: Policy, Processes, And Practices (advances In Management Information Systems)

INFORMATION SECURITY POLICY, PROCESSES, AND PRACTICES Advances in Management Information Systems Advisory Board Eric K. Clemons University of Pennsylvania Thomas H. Davenport Accenture Institute for Strategic Change and Babson College Varun Grover Clemson University Robert J. Kauffman University of Minnesota Jay F. Nunamaker, Jr. University of Arizona Andrew B. Whinston University of Texas INFORMATION SECURITY POLICY, PROCESSES, AND PRACTICES DETMAR W. STRAUB SEYMOUR GOODMAN RICHARD L. BASKERVILLE EDITORS AM S ADVANCES IN MANAGEMENT I N F O R M AT I O N S Y S T E M S VLADIMIR Z WASS SERIES EDITOR M.E.Sharpe Armonk, New York London, England Copyright © 2008 by M.E. Sharpe, Inc. All rights reserved. No part of this book may be reproduced in any form without written permission from the publisher, M.E. Sharpe, Inc., 80 Business Park Drive, Armonk, NY 10504. Library of Congress Cataloging-in-Publication Data References to the AMIS papers should be as follows: Mattord, H. J., and Wiant, T. Information System Risk Assessment and Documentation. D. W. Straub, S. Goodman, and R. L. Baskerville, eds., Information Security: Policy, Processes, and Practices. Advances in Management Information Systems. Volume 11 (Armonk, NY: M.E. Sharpe, 2008), 69–111. ISBN 978–0-7656–1718–7 ISSN 1554–6152 Printed in the United States of America The paper in this publication meets the minimum requirements of American National Standards for Information Sciences Permanence of Paper for Printed Library Materials, ANSI Z 39.48-1984. ~ IBT (c) 10 9 8 7 6 5 4 3 2 1 ADVANCES IN MANAGEMENT INFORMATION SYSTEMS AMIS Vol. 1: Richard Y. Wang, Elizabeth M. Pierce, Stuart E. Madnick, and Craig W. Fisher Information Quality ISBN 978–0-7656–1133–8 AMIS Vol. 7: Murugan Anandarajan, Thompson S.H. Teo, and Claire A. Simmers The Internet and Workplace Transformation ISBN 978–0-7656–1445–2 AMIS Vol. 8: Suzanne Rivard and Benoit Aubert AMIS Vol. 2: Sergio deCesare, Mark Lycett, and Information Systems Sourcing Robert D. Macredie ISBN 978–0-7656–1685–2 Development of Component-Based Information Systems ISBN 978–0-7656–1248–9 AMIS Vol. 9: Varun Grover and M. Lynne Markus Business Process Transformation AMIS Vol. 3: Jerry Fjermestad and Nicholas ISBN 978–0-7656–1191–8 C. Romano, Jr. Electronic Customer Relationship Management AMIS Vol. 10: Panos E. Kourouthanassis and George ISBN 978–0-7656–1327-1 M. Giaglis AMIS Vol. 4: Michael J. Shaw Pervasive Information Systems E-Commerce and the Digital Economy ISBN 978–0-7656–1689–0 ISBN 978–0-7656–1150-5 AMIS Vol. 11: Detmar W. Straub, Seymour Goodman, AMIS Vol. 5: Ping Zhang and Dennis Galletta and Richard Baskerville Human-Computer Interaction and Management Information Security: Policy, Processes, and Practices Information Systems: Foundations ISBN 978–0-7656–1718–7 ISBN 978–0-7656–1486–5 AMIS Vol. 6: Dennis Galletta and Ping Zhang Human-Computer Interaction and Management Information Systems: Applications ISBN 978–0-7656–1487–2 AMIS Vol. 12: Irma Becerra-Fernandez and Dorothy Leidner Knowledge Management: An Evolutionary View ISBN 978–0-7656–1637–1 Forthcoming volumes of this series can be found on the series homepage. www.mesharpe.com/amis.htm Editor in Chief, Vladimir Zwass ([email protected]) CONTENTS Series Editor’s Introduction Vladimir Zwass vii Part I. The Terrain of Information Security 3 1. Framing the Information Security Process in Modern Society Detmar W. Straub, Seymour Goodman, and Richard L. Baskerville 5 Part II. Security Processes for Organizational Information Systems 13