Security Management: Investigating the Challenges and Success Factors in Implementation and Maintenance of Information Security Management Systems

Grenefalk, Lukas, Norén Wallin, Christopher

January 2023

This research aims to investigate the challenges and success factors associated with the implementation and maintenance of Information Security Management Systems (ISMS) in organizations. Despite the increasing importance of information security in today's digital age, research shows that organizations continue to struggle with effectively implementing ISMS and maintaining it up to date. The study will explore the various cultural, strategic, tactical, and operational factors that affect the performance of organizational ISMS. The research will provide insight into the challenges and factors contributing to a successful ISMS implementation and maintenance, filling a gap in the existing literature. In this study, the qualitative survey method was utilized as the research strategy, complemented by semi-structured interviews for data collection. A total of 11 interviews were held with Senior Information Security professionals who have experience in implementing and maintaining Information Security Management Systems. Thematic analysis was then employed to analyze the data from the interviews. The study identified 15 themes related to challenges and success factors within implementation and maintenance of ISMS. Four themes related to implementation challenges, four relating to implementation success factors, three to maintenance challenges and four to maintenance success factors. The themes are Misconceptions of Security, Lack of Top Management Support, Resistance to Change, ISMS Design, Communication, Internal Security Culture, Top Management Support, ISMS Design, Resource Constraints, Continuous Administration, Employee Attitudes, Relationships, Ownership, Accessibility and Compliance.

ISMS

Information Security Management Systems

challenges

success factors

implementation

maintenance

Computer Sciences

Datavetenskap (datalogi)

Information Classification in Swedish Governmental Agencies : Analysis of Classification Guidelines

Anteryd, Fredrik

January 2015

Information classification deals with the handling of sensitive information, such as patient records and social security information. It is of utmost importance that this information is treated with caution in order to ensure its integrity and security. In Sweden, the Civil Contingencies Agency has established a set of guidelines for how governmental agencies should handle such information. However, there is a lack of research regarding how well these guidelines are followed as well as if the agencies have made accommodations of these guidelines of their own. This work presents the results from a survey sent to 245 governmental agencies in Sweden, investigating how information classification actually is performed today. The questionnaire was answered by 144 agencies and 54 agencies provided detailed documents of their classification process. The overall results show that the classification process is difficult, while those who provided documents proved to have good guidelines, but not always consistent with the existing recommendations.

Information Security Management Systems

Information Classification

Classification Guidelines

ISO/IEC 27000

Governmental agencies

Computer and Information Sciences

Data- och informationsvetenskap

Θέματα στην εφαρμογή προτύπων ποιότητας στην ασφάλεια των πληροφοριακών συστημάτων : Η περίπτωση της Εθνικής Τράπεζας της Ελλάδος

Παναγόπουλος, Αιμίλιος-Χρήστος

13 January 2015

Η χρήση των Πληροφοριακών Συστημάτων συνεχώς αυξάνεται. Πλέον οι περισσότεροι οργανισμοί βασίζονται στην λειτουργία τους. Αχίλλειος πτέρνα αυτών είναι η ασφάλεια τους. Στη παρούσα μελέτη παρουσιάζονται τα βασικά θέματα που αφορούν την διαχείριση προσωπικών δεδομένων αναλύοντας την πολιτική ασφαλείας μιας εταιρείας του ελληνικού τραπεζικού τομέα . Αρχικά εντάσσεται η έννοια των Πληροφοριακών Συστημάτων. Ακολουθεί η έννοια της Πολιτικής Ασφάλειας στον ευρύτερο τομέα της Διαχείρισης της Ασφάλειας των Πληροφοριακών Συστημάτων καθώς και οι κατηγοριοποιήσεις των κινδύνων και των ζημιογόνων γεγονότων. Έπειτα προσδιορίζονται οι βασικές αρχές για την ανάπτυξη Πολιτικών Ασφάλειας των Πληροφοριακών Συστημάτων, διευκρινίζοντας το νομικό πλαίσιο προστασίας τραπεζικών δεδομένων και το απόρρητο τους. Η επόμενη ενότητα αφορά την εφαρμογή των Πολιτικών Ασφάλειας στο πλαίσιο της εταιρείας και καταγράφει τα απαραίτητα μέτρα για την επιτυχή και αποτελεσματική εφαρμογή τους. Ακολουθούν τα αποτελέσματα της μελέτης και οι προτάσεις για την βελτιστοποίηση της παρούσας κατάστασης και την αποφυγή μελλοντικών κινδύνων. / The use of Information Systems is constantly increasing. Now most of the organizations rely on them for their operation. Their vulnerable spot is their security. This study presents the main issues related to the management of personal data by analyzing the security policy of a company of Greek banking sector. Firstly, the concept of Information Systems is presented.Then a part of the concept of security policy in the broader field of Safety Management Information Systems and classifications of risks and loss events is presented. Afterwards identifying the key principles for the development of Rules of Security of Information Systems, specifying the legal framework for the protection of bank data and their privacy. The next section involves the implementation of security policies within the company and record the necessary steps for the successful and effective implementation. Then are the results of the study presented and recommendations for optimization of this situation and avoiding future risks.

Πολιτική ασφάλειας

Λογαριασμοί

Απάτη

005.8

Information Systems (IS)

Information security management systems

Security policy

National Bank of Greece

Regulatory compliance

Accounts

Fraud

Credit institutions (CIs)