Abstract
The development of an information security policy involves more than mere policy formulation and implementation. Unless organisations explicitly recognise the various steps required in the development of a security policy, they run the risk of developing a policy that is poorly thought out, incomplete, redundant and irrelevant, and which will not be fully supported by the users. This paper argues that an information security policy has an entire life cycle through which it must pass during its useful lifetime. A formal content analysis of information security policy development methods was conducted using secondary sources. Based on the results of the content analysis, a conceptual framework was subsequently developed. The proposed framework outlines the various constructs required in the development and implementation of an effective information security policy. In the course of this study, a survey of 310 security professionals was conducted in order to validate and refine the concepts contained in the key component of the framework: the ISPDLC.
Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
