Essay Doctorate 954 words

Eighty Articles From Seven Top-Tier Is Journals

Last reviewed: June 9, 2012
Abstract

Information security has had limited and low-quality research, which makes it difficult to establish proven practice and guidelines. Standards ensure that security activities exist, but they do not ensure the content or quality of those activities in information systems. Federal and state legislatures are working on laws that will hold organizations more accountable for information protection.

… eighty articles from seven top-tier IS journals and found no comprehensive framework (Cannoy, 2006). The research that had been done was largely fragmented and focused on policy and infrastructure issues. There were few proposals of formal variables and/or hypotheses, and the ones that existed were ill-defined and either too narrow or too broad in scope. Most of the organizations approached were reluctant to participate in the studies.

It is surprising that so little research has been done on IT security issues when the media reports on them so often. Intentional attacks on IT systems are costing businesses an estimated $15 billion a year, and the figure is rising (Myler, 2006). New bills are pending in the legislature, including S.1408, the Identity Theft Protection Act, and H.R. 4127, the Data Accountability and Trust Act. There is a growing need to address IT security from legal, operational, and compliance perspectives. The federal government is working toward tighter IT controls and toward holding organizations accountable for protecting sensitive data.

ISO 17799 is a standard framework for IT security. It entails nine steps to build a framework: risk assessment, security policy, asset inventory, accountability, physical security, operating procedure documentation, access controls, coordination of business continuity, and compliance. It also has clauses, such as Clause 10.9, which establishes e-commerce countermeasures, and Clause 13.1, which provides a methodology for reporting incidents. Why, then, are organizations still failing? Is the standard not being enforced? Do companies believe their information warrants only weak protection, or do they not consider it important enough to protect with stronger measures? Whatever the reasons, stronger compliance measures need to be implemented so that organizations work harder to protect their information systems, and more research is needed into more effective measures.

Learning

Beyond system installation, information security covers a lot of ground: policies, training, enforcement, monitoring, and staying abreast of new attacks, whether internal or external. There is a greater need than ever before for senior management to take hold of monitoring and enforcing information security. Even though little research has been done to develop more effective frameworks and methods, information security systems need constant monitoring and evaluation for continual improvement and accountability. Implementing security policies and training employees alone is not enough. Organizations cannot rely strictly on policies, training, and software to secure an information system. There must be enforcement and continued monitoring, both to drive improvement and to spot incidents as they occur.

This course covered a lot of territory where the protection of information systems is concerned, but with little research being done, with organizations reluctant to participate in the studies that would produce it, and with the media filled with more and more information security issues, there is still much to learn about securing organizational networks. Organizations still need more guidance in improving their information systems on a case-by-case basis. Because every business is unique, its information systems need to be tailored to its own operations and needs.

The two most important lessons are that information security technology is only a small part of the system and that the larger part depends on humans. Employees can leak information through unprotected workstations, through word of mouth, and by ignoring issues they see that are vital to information protection, such as a co-worker's wrongdoing. Employees using the internet can cause security violations through viruses, malware, and hackers. Organizations need to implement and enforce strong policies with constant monitoring for both improvement and violations.

Gaps Between Research and Practice

"The existence of prescribed security processes in organizations does not mean the goals of the processes are achieved." (Siponen, 2006). The standards are limited to advising which security processes should exist in practice. They do not advise on how the desired results are to be achieved, and they say nothing about the quality of the process. Yet the content and the quality of the security processes are what matter most.

There has been a limited amount of research, and it has been fragmented, with unclear results. The research that has been done generally covers policy and infrastructure. This makes it hard to determine an appropriate framework by which organizations can meet all of their organizational goals and legal obligations. Organizations have to align standards with practice as best they can and make tough decisions about how strong their security needs to be. This makes it difficult to determine the quality of the system and how its goals are to be achieved.

PaperDue. (2012). Eighty Articles From Seven Top-Tier Is Journals. PaperDue. https://www.paperdue.com/essay/eighty-articles-from-seven-top-tier-is-journals-80569