A CHANGE STRATEGY FOR ORGANISATIONAL SECURITY - The Role of Critical Success Factors

Sue Foster, Kate Lazarenko, Paul Hawking, Andrew Stein

Abstract

The focus for any organization should be on securing the critical components that are important to business survival. This can be accomplished by adopting technical and non-technical approaches. The non-technical approaches, however, tend to be more problematic and include changing the way employees perceive enterprise security. People issues have always posed problems when implementing new systems, and an enterprise security strategy is no exception. The identification and adoption of critical success factors to support a sound security strategy could provide a successful security outcome. In this paper a security framework is developed from the literature, and each part of the framework provides the opportunity to identify critical success factors. It is contended that by using this framework organizations are able to build a strong security base for their enterprise.

Paper Citation


in Harvard Style

Foster S., Lazarenko K., Hawking P. and Stein A. (2007). A CHANGE STRATEGY FOR ORGANISATIONAL SECURITY - The Role of Critical Success Factors. In Proceedings of the Ninth International Conference on Enterprise Information Systems - Volume 3: ICEIS, ISBN 978-972-8865-90-0, pages 375-380. DOI: 10.5220/0002380003750380


in Bibtex Style

@conference{iceis07,
author={Sue Foster and Kate Lazarenko and Paul Hawking and Andrew Stein},
title={A CHANGE STRATEGY FOR ORGANISATIONAL SECURITY - The Role of Critical Success Factors},
booktitle={Proceedings of the Ninth International Conference on Enterprise Information Systems - Volume 3: ICEIS},
year={2007},
pages={375-380},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002380003750380},
isbn={978-972-8865-90-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the Ninth International Conference on Enterprise Information Systems - Volume 3: ICEIS
TI - A CHANGE STRATEGY FOR ORGANISATIONAL SECURITY - The Role of Critical Success Factors
SN - 978-972-8865-90-0
AU - Foster S.
AU - Lazarenko K.
AU - Hawking P.
AU - Stein A.
PY - 2007
SP - 375
EP - 380
DO - 10.5220/0002380003750380