Security Audit and Compliance

An evaluation of the factors that support and inhibit the creation of an information security culture within organizations.

Abstract

In order to establish or create a strong and reliable information security culture in an organization, it is important to identify the factors that support and those that hinder the process of creating an organizational information security culture. The article provides the findings of research on the evaluation of the factors determining the creation of an information security culture in an organization. The research was done by carrying out a literature review of past journals, articles and books that have explained and expounded what information security and information security culture are. This review provides a theoretical framework for the study by giving a better understanding of the topic. From the literature review, several factors were identified that influence the creation of information security culture and practices in an organization. The evaluated factors include organizational culture, corporate citizenship, the legal and regulatory framework, corporate governance, culture, security controls and technology. The review showed that human factors and behaviours, together with technical factors, always play a significant role in the implementation of security measures in any particular organization. They greatly determine the success of information security in an organization by influencing the creation of an information security culture in that organization.

Keywords: information security culture, information security, information security awareness.

Table of Contents

Abstract
1 Introduction
1.1 Problem statement
2 Conceptual Framework
2.1 Concept of Information Security
2.2 Compromise to Information Security
3 Evaluation of the Determinants of Information Security Culture
3.1 Organizational behaviour
3.2 Corporate Citizenship
3.3 Legal and regulatory environment/framework
3.4 Corporate Governance
3.5 Culture
3.6 Security controls
3.7 Technology advancement
4 Conclusion
Reference

1 Introduction

The article evaluates the factors that support and inhibit the creation of an information security culture within an organization. To achieve this, the study reviews the literature on the factors that affect the creation of an information security culture in the health care sector.

1.1 Problem statement

Information security has become a crucial matter in today's information age, because most information systems currently face increased privacy and security issues. The increase is mainly attributed to advances in technology, human behaviour and the loose strings inherent in existing policies and regulations. As a result, most organizations in both the private and public realm must enforce stringent measures aimed at enhancing information security (Appari & Johnson, 2010). Over the years, studies have been done and several processes and strategies to enhance information security have been proposed and are currently used in most organizations. Among the main strategies is to have an information security framework that involves the use of policies and regulations regarding the use of information, information systems and resources in the organization (Appari & Johnson, 2010). Despite the availability of these strategies, there are still reported cases of information security breaches in many organizations. Consequently, to ensure that there is improved security in organizations, companies must establish and enforce an information security culture both internally and externally. The strategy is aimed at ensuring that observation and acceptance of existing policies and regulations with regard to information security is increased (Eloff & Solms, 2000).
The article aims to determine and elaborate some of the factors that support the creation of an information security culture in any organization, and also to identify some of the factors that hinder its creation or establishment. To critically evaluate these factors, this article is structured in three sections.

Introduction: This section introduces the article and identifies the challenges to be addressed. Additionally, it provides the structure of the article.

Conceptual and theoretical framework: This section describes the concept of information security culture and reviews previous studies and literature on information security culture in the health sector. Additionally, the section explains the compromise to information security.

Evaluation of determinants of information security culture: This section evaluates the factors that support the creation of an information security culture in health facilities. Additionally, the factors inhibiting the creation of an information security culture in the organization are evaluated in this section. Under this evaluation, an assessment is provided of the external factors that have a major impact on the information security culture, such as mobile technology and BYOD.

Conclusion: Finally, the conclusion provides a synthesis and analysis of the main issues illustrated extensively in the case study.

2 Conceptual Framework

2.1 Concept of Information Security

Information security can be defined as the process of preventing unauthorized access, disclosure, modification or destruction of information and information resources, and of recovering from such events (Eloff & Solms, 2000). Information security culture, on the other hand, can be defined as the set of information security characteristics which the organization values.
Basically, according to Kraemer & Carayon (2005), information security culture is the assumption of what is and what is not acceptable regarding information security: the assumption of which information security behaviour among all people in the organization is acceptable and which is not, and the manner in which people behave towards information security in an organization. According to Von Solms (2000), there are four different waves of development regarding information security, each with different characteristics. In the first wave, information security was characterized by wholly technical issues that were best left to the information technology experts. The second wave was characterized by a realization that management and other important personnel in the organization have a crucial role in information security; they are important in making decisions and implementing policy, among other activities. In the third wave, Von Solms explains, there were strides towards the enhancement of information security: there was a need to standardize information security in companies and to establish best practices, an information security culture and certification. It is at this phase of information security development that information security became a critical and important aspect of any organization (Von Solms, 2000). Finally, in the fourth wave, more advanced and reliable information security strategies were realized. This phase was marked by the introduction of information security governance. Technologies such as passwords and firewalls were deployed to enhance information security (Von Solms, 2000).

2.2 Compromise to Information Security

Despite the increased deployment and use of technology in an attempt to enhance information security, cases of information security threats are still on the rise.
This indicates that a lack of technology or faulty technology contributes only an insignificant share of losses; faulty human behaviour among the users of this information is the major contributor to threats to information security (Whitman, 2003). Despite their efforts to ensure information security by implementing all available technical solutions, organizations still report high rates of internal breaches of information resources. This can only be attributed to human activities, which contribute more to computer-related losses than any other source. Consequently, it is important to consider the fact that people are an integral part of any organization and, as such, will greatly determine the creation of an information security culture in the organization (Whitman, 2003). Technical issues also contribute to the loss of information and information resources in the organization. Technical security controls must be developed, designed, correctly specified, configured, implemented, used and maintained to ensure that they effectively provide security of information (Whitman, 2003). With the incorporation of digital information systems to collect, store, manipulate and manage patient and doctor records, the need for information security in the health sector is now important. Human behaviour together with technical security controls will either provide effective security or result in a breach of information security. As a result, health care facilities must provide advanced information security awareness at all levels and in all departments of the organization, with the aim of creating an effective information security culture (Kraemer & Carayon, 2005).

3 Evaluation of the Determinants of Information Security Culture

Just as different people have different personalities, different organizations have different information security cultures.
Organizations with positive and effective information security cultures have a greater potential for minimizing threats to information security and ensuring that there is more security while interacting with information systems in the organization (Kraemer & Carayon, 2005). Consequently, it is recommended that organizations create and establish positive information security cultures. Several factors will, therefore, determine the creation of a positive information security culture in a health care facility.

3.1 Organizational behaviour

The development of an information security culture is greatly determined by organizational behaviour. An organizational culture determines what is acceptable and what is not with regard to information security in the organization. Therefore, to determine an acceptable culture within the organization, it is important to assess the organizational behaviour of all the employees. The actions and behaviours of employees can be greatly affected by the type of information culture in the organization (Schlienger & Teufel, 2003). For instance, in an organization with a culture of bureaucracy that requires each employee to follow rules and procedures, employees may be forced to follow the available information security policies more strictly than in an organization with less bureaucratic and more individualistic organizational behaviour. Additionally, the organizational structure determines the development and subsequent implementation of the information security culture in the organization. Different organizations have different organizational structures that entail different management levels and different employee roles. The health care sector has an elaborate organizational structure in which information security culture must be inherent at all levels of the organization. These are the individual level, the group level and the organization level.
Each of these levels of the organizational structure incorporates different key information security issues (Eloff & Solms, 2000). At the individual level, the key issues are ethical conduct and awareness. Everyone is expected to conduct themselves in an ethical manner while interacting with information in the organization. They must also be aware of the security measures and of the importance of ensuring the confidentiality of patient information and company information (Eloff & Solms, 2000). Additionally, they must be aware of what is considered acceptable and not acceptable in the organization's information security. At the group level, management is a key issue: there must be trust among all the employees in the organization, as well as patient-doctor trust that each party will play their role and ensure the privacy, confidentiality and accuracy of information (Ternesgen, 2011). Finally, at the organization level there are several activities that normally affect how activities are run in the organization. These include the establishment of policies and procedures, risk analysis, benchmarking and budgeting, among other key activities (Eloff & Solms, 2000). Organizational behaviour, and particularly organizational structure, plays an important role in determining the creation of an information security culture in the health care industry. It affects the entire process of creation, development and implementation of the security culture.

3.2 Corporate Citizenship

According to Senge (2009), the second factor that affects the creation of information security cultures and practices in health care organizations is corporate citizenship. Corporate citizenship is primarily concerned with the way employees in the health facility gain an understanding of the appropriate information security cultures in the organization. This can be achieved through training and raising awareness.
Information security awareness in the organization means that the users and all employees in the organization are aware of, and also committed to, their security missions (Senge, 2009). Corporate citizenship, therefore, affects the awareness and training programs in the organization. As such, implementing training and providing enough awareness of security issues in the organization will greatly affect the security of information in the organization. If the organization creates a culture of providing continuous and effective training and awareness, the security of information in the organization will greatly improve (Appari & Johnson, 2010). Once each employee has an in-depth awareness of the importance of information security and of what they are supposed to do to ensure the security of information, they can easily promote the information security culture created in the organization.

3.3 Legal and regulatory environment/framework

The other important determinant of the creation of information security culture and practice in the organization is the legal and regulatory framework or environment. The most prominent component of the legal and regulatory framework is the information security policy of the organization. The information security policy primarily determines and stipulates the roles and responsibilities of each and every user in the organization with regard to the access and use of information. Policies are used as a guide to ensuring that there is order and accountability in the use of information in the organization (Dhillon & Torkzadeh, 2006). Legal and regulatory frameworks thus determine the behaviour of employees and therefore greatly support the creation of information security culture and practices and their subsequent implementation within the organization.

3.4 Corporate Governance

Corporate governance includes issues and factors that relate to top management.
Top management is required to support information security efforts if they are to be successfully implemented in the organization. It is the most important factor affecting information security management in any organization. Therefore, it is one factor that will greatly affect or determine the success or failure of creating an information security culture in the organization. According to a study by Knapp, Rainer, Morrow and Marshall, corporate governance was ranked top among the security issues that affect information security in organizations. Top management is a crucial factor that is particularly important in the implementation of information security policy in the organization. As seen in the previous section, policy is a great determinant of the creation of an information security culture (Knapp, Marshall, Rainer, & Morrow, 2004). Therefore, its implementation is equally important to the creation of an information security culture in the organization.

3.5 Culture

According to Schein (2004), there are three levels of organizational culture: artefacts, values and assumptions. Artefacts are things that can be observed, seen, heard and felt in the organization. They include the structures and processes inherent in the organization. Values are beliefs or principles maintained by an organization, such as teamwork, which is viewed as a great determiner of the decision-making process in the organization (Schein, 2004). They also include items such as vision and mission statements. Assumptions, on the other hand, are values and principles that were conceptualized from the beginning and are now taken for granted in the organization (Schein, 2004). Based on Schein's elaboration of culture in an organization, it can be deduced that culture greatly influences the formation of many security strategies and measures in an organization.
These include the formation of national and organizational information security policies and privacy positions, as well as information security training and information ethics. Consequently, this factor greatly affects the creation of information security culture and practice in the health care organization (Schein, 2004).

3.6 Security controls

Security controls are countermeasures or safeguards aimed at avoiding, minimizing or counteracting security risks. There are many ways available for securing information and resources in the organization. Controls such as security assessment, user education and awareness, and the use of policy and standards, among others, have been used in the recent past to ensure information security (Schlienger & Teufel, 2003). These controls in turn have a great impact on the creation of an information security culture in the organization. In essence, they form the platform on which culture can be established. An information security culture in an organization can only be created and effectively maintained if the right set of security controls is available in the organization.

3.7 Technology advancement

Technology advancements and the radical change in modes of information processing, such as the use of social media and mobile technologies, have a great impact on information security in most organizations (Whitman, 2003). As a result, they will greatly determine the creation of an information security culture in the organization. Mobile technologies allow access, manipulation and storage of information from any location, hence posing potential threats to the confidentiality, privacy and accuracy of information stored in the organization. On the other hand, they also offer convenience in access to information, particularly for doctors and patients alike (Appari & Johnson, 2010). Therefore, mobile technologies and bring your own device (BYOD) policies must be considered while creating information security cultures.
In considering these factors, issues such as the kind of information that can be accessed by different users must be determined.

4 Conclusion

The article has established that the major factors that determine or affect the creation of an information security culture in a health care organization are both technically oriented and human-oriented. However, the human-oriented factors play the major role in determining information security. Additionally, among the most significant factors are organizational behaviour, corporate governance, the legal and regulatory framework and security controls. According to Ternesgen (2011), organizations, particularly in the health sector, should use legal and regulatory principles to create a platform on which the creation of information security cultures can be based. Identifying challenges to information security culture is the first step towards the development of an information security culture in the organization. Establishing security controls and measures in the organization is the next step after identifying the challenges. The controls will then form the basis for creating an information security culture in the organization. A good information security culture is achieved through the participation of all employees in the organization. This minimizes the incidence of internal security threats in the organization, hence giving the technical team considerable time to address external threats to security.

Reference

Appari, A & Johnson, E 2010, Information security and privacy in health care: Current state of research, International Journal of Internet and Enterprise Management.
Dhillon, G & Torkzadeh 2006, Value-focused assessment of information system security in organizations, Information Systems Journal, pp. 293-314.
Eloff, MM & Solms, SH 2000, Information Security Management: a hierarchical approach for various frameworks, Computer Security, pp. 243-256.
Knapp, KJ, Marshall, T, Rainer, R & Morrow 2004, Top ranked information security issues, paper presented at the 2014 International Information System Security Certification Consortium.
Kraemer, S & Carayon, P 2005, Computer and Information Security Culture: Findings from two studies, Proceedings of the Human Factors and Ergonomics Society 49th Annual Meeting.
Schein, E 2004, Organizational Culture and Leadership, Jossey-Bass, San Francisco.
Schlienger, T & Teufel, S 2003, Information Security Culture: From analysis to change, Proceedings of ISSA 2003, Johannesburg, South Africa.
Senge, P 2009, The Fifth Discipline: The Art and Practice of the Learning Organization, Doubleday Currency, New York.
Ternesgen, G 2011, Information Security Culture in Public Hospitals: The case of Hassawa Referral Hospital, The African Journal of Information Systems, pp. 5-16.
Von Solms, B 2000, Information Security - The Third Wave, Computers and Security, pp. 615-620.
Von Solms, B 2000, Information Security - The Fourth Wave, Computers and Security, pp. 165-168.
Whitman, E 2003, Enemy at the Gate: Threats to Information Security, Communications of the ACM, pp. 91-95.
