Integration of Practices for Information Security Policy Compliance

Abstract

With the incorporation of Information and Communication Technologies in organizations, Information Security is key to protect the organization's information assets. The purposes and objectives of the organization related to Information Security are set out in the Information Security Policy document, which are mandatory for the employee to comply with. However, despite the efforts made by the organizations to comply with them, this objective is not always achieved. In response, several authors have proposed practices to be followed in order to ensure compliance with Information Security Policies. This article presents a proposal for the integration of the practices identified in the literature review. These practices have been structured in four phases related to: the establishment of the Information Security Committee, considerations in the elaboration of an Information Security Policy, on the communication of information security policies and the evaluation of security performance. Also, a survey was conducted to evaluate the compliance of ISP. A total of 108 security professional participated in the survey. Consideration of good practices supports the deployment and monitoring of Information Security Policy compliance.