Paper Author: Janne Helms
Paper Title: Information Systems Security Policy Management: A Literature Review; Master’s Thesis, Degree Programme in Information Processing Science, Faculty of Information Technology and Electrical Engineering, The University of Oulu, 16.06.2019
Statement of Problem: The management of information security policies can be viewed as a tedious and tiring task; hence irregularities and discrepancies may arise, as it is easily dismissed or done hastily by the policy enforcers. There are several aspects to cover and many components involved in managing information systems policies, which makes it a daunting task.
Purpose: The purpose of the thesis, as stated by the author, is to provide insight into the management of information security and the creation of information security policy through a literature review, by providing a view of the studies concerning information security management and, in some instances, of how information security is managed in some organizations.
Critiques: The author clearly defined the purpose of the thesis within the first few paragraphs of the abstract, which was in line with the chosen topic. In defining what information security is, the author repeated several phrasings taken directly from a single source (Whitman & Mattord, 2011), which have the same meaning but use different synonyms. The literature review was precise and clear, as the author laid out a three-step approach for his research findings and data collection. The steps include creating a plan for the process; identifying the relevant literature, as it is important to identify the need for such a review, as mentioned by Kitchenham et al. (2007); and finally identifying each piece of literature and studying its relevance to the desired goal.
The author clearly defined various keywords and acronyms in order to eliminate any ambiguity in the review. Using a keyword table in the appendix, each finding from theoretical and white papers can be retrieved electronically using several search engines. The sources of each piece of information in the review were within reach, as all of its findings were clearly referenced, as advised by Soomro, Shah, & Ahmed (2016): “In order to keep track of the searches performed and results, it is recommended to keep a list of the results”.
The author clearly stated that “When searching for literature, many results were returned by the databases, yet only a small subset was relevant to this review. Instead, a plethora of studies on information security from various other areas was found. Although interesting, they were not relevant to this thesis and were thus discarded” (Helms, J., 2019). The author therefore classified his findings into empirical and conceptual categories, respectively, these being the most recurring categories. Using the findings from the research, the aim and objective of the review were achieved to a reasonable extent.
Conclusion: This research revealed that the most vital component in information security management is, in fact, the management of various policies and tasks and not just implementing the policies in information system management.
- Kitchenham, B., Charters, S., Budgen, D., Brereton, P., Turner, M., Linkman, S., … Visaggio, G. (2007). Guidelines for performing Systematic Literature Reviews in Software Engineering. EBSE Technical Report.
- Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs a more holistic approach: A literature review. International Journal of Information Management, 36, 215–225. http://dx.doi.org/10.1016/j.ijinfomgt.2015.11.009
- Helms, J. (2019). Information Systems Security Policy Management: A Literature Review. Master’s Thesis, The University of Oulu.
- Whitman, M. E., & Mattord, H. J. (2011). Principles of Information Security (4th ed.). Cengage Learning.