Implication of Employees in Security Policies Definition
Author(s): DJEROUNI, Myriam
Author(s) keywords: implication of employees, interactive awareness, policy maker, security awareness
Reference keywords: cyberawareness, cybersecurity
Abstract:
A way of awareness is to involve employees in part of the definition of security policies. The purpose of this approach is not to reduce the level of security required and defined by the policies but to consider when it is possible and applicable their comments. In this case, employees accept more easily the application of policies as they have “participated”. Then, the policies should be present to employees during interactive sessions with real cases of security breach, figures, and statistics to illustrate the risks. The benefits of these presentations are to show to employees that risks are not only theoretical and it can really happen. The purpose of this document is to provide guidance on how to create more cybersecurity awareness, topic handled by the CyberEDU in February 2019. This paper presents the implication of employees across the life cycle of the security policies based on the PDCA (Plan-Do-Check-Act) model. The document will address the definition of Information Security Policy (ISP) as well as topic-specific policies and the involvement of the Top Management and employees.
References:
[1]. ISO/IEC 27000:2018 Information technology — Security techniques — Information security management systems — Overview and vocabulary,
[2]. IOS/IEC 27002:2013[2], Information technology — Security techniques — Code of practice for information security controls
[3]. NIST (National Institute of Standards and Technology)- Glossary of Key Information Security Terms published in 2013, https://www.nist.gov/publications/glossary-key-information-security-terms-1
[4]. Verizon Data Breach Investigation Report, https://enterprise.verizon.com/resources/reports/dbir/
Article Title: Implication of Employees in Security Policies Definition
Author(s): DJEROUNI, Myriam
Date of Publication: 2019-06-28
Publication: International Journal of Information Security and Cybercrime
ISSN: 2285-9225 e-ISSN: 2286-0096
Digital Object Identifier: 10.19107/IJISC.2019.01.02
Issue: Volume 8, Issue 1, Year 2019
Section: Advances in Information Security Research
Page Range: 23-29 (7 pages)
Copyright ©2012-2025
The International Journal of Information Security and Cybercrime (IJISC)
All rights reserved
The International Journal of Information Security and Cybercrime is a trademark of the Romanian Association for Information Security Assurance (RAISA).
No part of this publication may be reproduced, stored in a retrieval system, photocopied, recorded or archived, without the written permission from RAISA. When authors submit their papers for publication, they agree that the copyright for their article be transferred to the Romanian Association for Information Security Assurance, if the articles are accepted for publication. The copyright covers the exclusive rights to reproduce and distribute the article, including reprints and translations.