Developing an Information Security Policy: A Case Study Approach

2017 
Abstract: Organisational information and data must be protected from active and passive attacks and secured from illegal access, unwanted interruption, unauthorised alteration or annihilation. Many organisations fall victim to such attacks due to weak information security policies (ISPs). In addition, disruption of these IS policies by IT users exposes organisations to information security threats. This study explored the implementation of ISPs within a large organisation to evaluate policy adequacy and to determine user awareness of and compliance with such policies. Employing a case study approach, this research found that the information security focus areas included in this organisation's ISPs are password management; use of email, the Internet and social networking sites; mobile computing; and information handling. However, the maturity levels of these elements varied among focus areas due to a lack of ISP awareness and compliance among users.