Developing an information security management framework: case studies on registration office and computer center of a state university

Abstract

Information Technology (IT) provides a wide range of benefits for the companies as well as organizations and institutions. Obtaining fast, efficient and effective operations are among the main benefits. On the other hand, the workflow of business in companies, organizations and institutions are mainly handled via computers; the data are recorded, processed by state-of-art systems and distributed to individuals via fully integrated networks. However, since all data is electronically stored and transferred, maintaining the security of data has become a primary subject for the owners and users of the data. Security breaches, resulting in huge amounts of financial losses and eventually in enforcement of several regulations force information owners to build sound information security systems as well as IT infrastructures. Concurrently, the managerial aspects of these systems have also become one of the main topics for the top management. The aim of this study is to constitute a basic information security management framework based on the standards BS 7799/ ISO 17799 and to apply it via case studies. For the application of the framework, two case study subjects are selected; one registration office and one computer center of a state university. Based on the framework proposed, the information security practices of these two entities are evaluated.