ISACA Journal Author Blog


Building a Holistic IT Security Policy

Mauricio Rocha Lyra, Ph.D., COBIT Foundation, CTFL, ISO 20000, ITIL, MCSO, OCUP, PMP, RUP and Jose Carlos Ferrer Simoes
Published: 4/27/2015 9:40 AM | Comments (4)

Information technology systems require a security policy that includes both information and communication in a balanced way. This policy should take technical, human and behavioral aspects into account in order to mitigate potential threats and vulnerabilities.

Our recent Journal article presents best practices for building a security policy for information and communication (SPIC) within the federal public administration organizations of Brazil. It checks how far these organizations comply with best practices when developing their SPICs, and it provides a comparative study to evaluate the maturity of these essential security policies. The study draws on a collection of articles and papers on information security policies and communication security policies from federal administration organizations.

The analysis used a sample of only 10 organizations, chosen from different areas (strategic, essential and special), to conduct a comparative analysis of best practices among the 40 organizations existing in the federal government (the presidency of the republic and 39 ministries). To better understand whether SPIC aspects were addressed, we classified the 12 essential requirements into 3 major groups based on their similar attributes: regulation; prevention and/or controls; and responsibilities and/or penalties. The results of the analysis suggest a general heterogeneity in SPIC maturity level. While this study looked specifically at the Brazilian government, its approach can be applied to any facet of the corporate sector.

Read Mauricio Rocha Lyra and Jose Carlos Ferrer Simoes’ recent Journal article:
“Checking the Maturity of Security Policies for Information and Communication,” ISACA Journal, volume 2, 2015.

Comments

Congratulations

Congratulations, Jose Carlos, on the work carried out at ISG-Brasilia.

Mauricio Lyra at 4/29/2015 6:25 PM

ISG - Brasilia - Brazil

ISG Brasilia develops work in several lines of research.
Visit our site at www.isg.uniceub.br
Mauricio Lyra at 4/29/2015 6:26 PM

Excellent article

Dear Authors,

First of all, congratulations on the publication. It is very enlightening and useful for understanding the maturity level of our APF organizations in Brazil.

Do you plan to extend this work to the level of the APF's public companies? In total, more than companies are linked under the management of DEST (http://www.planejamento.gov.br/ministerio.asp?index=4&ler=t353), and I believe many of them must share this concern, since confidential data is maintained in their operations.

Fabiano Mariath
fabiano.mariath at 5/5/2015 4:11 PM

Good Job

For me the key question is always the same at all sites in the world:

Requirement 10. ..... Are they communicated to employees so that they are understood..?
Another question.
What does "well communicated" mean for them?
I believe that however good best practices are, if you do not communicate them well they are of little use.
Xavier750 at 5/10/2015 5:00 AM