
Information Security Policy and Governance

Table of Contents

Main body
  The need for sound information security management in SMEs
  Statistics of cybersecurity threats targeting the large organization
  Statistics of cybersecurity threats targeting SME organizations
  Implementation of information security frameworks in management of information security
  Data privacy issues in information security management
  Smartphone security management
  Implementation of business continuity in the current COVID-19 crisis

Introduction to Organizational Information Security Policies

Information security management (ISM) describes the controls that a business enterprise must implement to ensure it is sensibly protecting the availability, integrity and confidentiality of its assets from threats and vulnerabilities. An information security management system (ISMS) is the set of policies and procedures for systematically managing a company's sensitive data (Karlsson, Hedström, & Goldkuhl, 2017). It is a vital factor for all companies in the current climate of business globalization. The Internet has grown rapidly over the past few decades, and both small-to-medium sized and large businesses have invested substantial resources in establishing their presence on the global network. Crucial factors of any information security system are the costs linked with its design, development, implementation and decommissioning. An ISMS includes effective risk management and mitigation strategies. Its purpose is to reduce risk and ensure business continuity by proactively limiting the impact of a security breach.

This essay examines the need for information security management in small to medium-sized enterprises (SMEs). It further reflects on the implementation of information security frameworks in an ISMS, data privacy problems in ISMS, smartphone security management and the implementation of business continuity in the COVID-19 crisis.

Main Body of Organizational Information Security Policies

The Need for Sound Information Security Management in SMEs

Information technology (IT) infrastructure has brought enormous opportunities for SMEs to improve productivity and compete against large business rivals. SMEs generally invest fewer resources and possess less expertise in establishing and maintaining IT security strategies and policies. This lack of awareness of information policies, and the absence of accurate information security policies, make SMEs easy prey for cyber-terrorists. Despite the threats and challenges SMEs face, their reliance on and use of information technology are increasing rapidly, and business goals are being linked directly with IT utilization (Ávila, Chinchilla, & Pérez, 2019). Information security in SMEs incorporates four elements: the organizational level, which involves the decision-making process; the definition of security strategies; risk management; and corporate security culture.

Statistics of Cybersecurity Threats Targeting the Large Organization

Fifty-six per cent of IT decision-makers state that targeted phishing attacks are the top security threat. Fifty per cent of phishing sites now use HTTPS. Social engineering attempts increased by more than 500 per cent from the first to the second quarter of 2018. New workers are the most susceptible to social engineering attacks, with 60% of IT professionals citing recent hires as being at higher risk. It is reported that 98 per cent of cyber attacks rely on social engineering. Nearly 31% of companies have experienced attacks on operational technology infrastructure. From 1 January 2015 to 18 April 2018 there were 8,854 recorded breaches. Approximately 24,000 malicious mobile applications are blocked each day. Coin mining was the most significant area of growth in cybercrime in 2017, with antivirus detections up 8,500% (Purplesec, 2020).

Statistics of Cybersecurity Threats Targeting SME Organizations

Cyberattacks target 43 per cent of small businesses, and 70 per cent of SMEs are unprepared to deal with an attack. Forty-seven per cent of small businesses experienced at least one attack in the past year, and 44 per cent of those had 2-4 attacks. Only 14 per cent of SMEs rate their ability to mitigate vulnerabilities, attacks and cyber risks as effective. Malicious acts account for forty-eight per cent of data breaches; human error and system failure account for the remainder. In 2018, cyberattacks cost SMEs an average of $34,604. Furthermore, 85 per cent of SMEs plan to increase their spending on managed security services (Purplesec, 2020).

Implementation of Information Security Frameworks in Management of Information Security

An information security framework, when adequately implemented, allows security leaders to manage their company's cyber risk more intelligently. The framework consists of numerous documents that clearly define the policies, procedures and processes by which the entity abides. Traditionally, organizations adopted a bottom-up approach, in which operational workers initiate the method and their outcomes are subsequently propagated to upper management according to the proposed policies. The core purpose of having an information security framework in place is to minimize the level of risk and the company's exposure to vulnerabilities. It explains effectively to all parties how services, systems and information are handled in the company (Moghadam & Colomo-Palacios, 2018).

Implementing a robust information security framework offers many advantages when management or team members are trying to instil confidence in the organization or establish a strong image with potential customers and business partners. The framework also lets stakeholders know that management can protect services and data from harm. For instance, Control Objectives for Information and Related Technologies (COBIT) is an organizational security and integrity framework that uses processes, management guidelines, maturity modelling and control objectives to ensure IT alignment with the business. It maps directly to the standards needed for regulatory compliance. Understanding the IT security framework landscape can help a managed services provider (MSP) perform its job with confidence, establish good relationships with customers and even attract new customers (Alshare, Lane, & Lane, 2018).

Implementing an information security framework is essential to minimizing risk because it provides emergency methods for ensuring security. Such a framework provides a 'what-if' blueprint for disaster response and for common security concerns. As an MSP, it is important to be familiar with information security frameworks because these guides instil confidence and enhance the organization's image with customers. Implementing an information security framework in information security management helps to protect all forms of information, including paper-based and digital records, organizational secrets, intellectual property, personal information, hard copies, and data in the cloud and on devices. It also provides a structure for keeping company details safe and handling them all in one place. Moreover, it protects the entire enterprise from technology-based risk and from more common threats such as ineffective methods or poorly informed staff.

By constantly adapting to changes both inside the company and in its environment, an ISMS reduces the continually evolving threat of risk. Through the risk assessment and analysis approach of an ISMS, companies can minimize the cost spent on indiscriminately adding layers of defensive technology that may not work. It follows that implementing and maintaining an ISMS will vitally enhance the business enterprise's resilience to cyber attacks. In addition, it provides a set of policies, procedures, and physical and technical controls to protect the confidentiality, integrity and availability of information. Security frameworks are core to future success, and the decision regarding which to implement must not be left to the IT team alone; senior management and boards must be fully involved and responsible (Choi, Martins, & Bernik, 2018). This is because information security is a business risk issue, not an IT problem, and must be addressed at the executive level of the organization. Keeping malicious actors, cybercriminals and hackers out of crucial systems is a constant battle.

Data Privacy Issues in Information Security Management

Data privacy is a branch of data security concerned with the effective handling of data: notice, consent and regulatory obligations. More specifically, practical data privacy concerns often revolve around whether or how data is shared with third parties, how data is legally collected or stored, and regulatory restrictions such as CCPA, HIPAA, GLBA or GDPR. Data privacy is an increasingly hot topic as cyber-attacks grow in cost, sophistication and size. According to the report, the average cost of cybercrime has increased by 72 per cent in the last five years, reaching US$13.0 million in 2018 (Brooks, 2020). Everyday human error can critically affect data protection and privacy. Most security analysts state that human error is the greatest challenge in security and data privacy.

Unaware workers may use weak passwords, delete data by mistake, fall for phishing claims, browse websites without proper consideration and hold privileged account access. Across the complete information security lifecycle, management and people can encounter hurdles and pitfalls. Privacy and security form distinct and complementary domains of tactics, each requiring a specific level of specialty to create a set of practices that conceptualize and materialize the exercise of access and control. Information privacy and security pose a challenge for corporate practice and engineering that must attend to the company's corporate governance statement, where data is defined as a valuable resource and strategic asset to capitalize on new and renewed business strategies (Cram, Proudfoot, & D'arcy, 2017).

Recently, data privacy has been addressed as a legal issue that has not been adequately handled by information security standards. While the confidentiality principle seeks to protect sensitive data from disclosure to unauthorized parties, it does not concentrate on hiding the identity of the data's owner or making it impossible to link the data to its owner. So the information security properties of confidentiality, integrity and availability are not equivalent to the properties that must be secured in data privacy: unlinkability, indistinguishability, pseudonymity, untraceability and anonymity. Thus, while information protection strategies ensure proper access, privacy protection demands blurring the data to prevent its discovery, dismantling all types of links between the data and its owner, allowing anonymous access, using alternate names and facilitating the use of pseudonyms (Vinnakota & Mandaleeka, 2017).
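The distinction drawn above, between keeping data confidential and breaking the link between data and its owner, is easiest to see in code. The following Python script is an added example written for this page, not code from the essay or from any cited source; the customer records are constructed, and the use of HMAC-SHA256 as the pseudonym function is this example's own choice. It shows that a keyed pseudonym keeps records consistent for analysis (the same person always gets the same pseudonym under one key), that an unkeyed hash does not provide pseudonymity because anyone who knows or guesses an identifier can recompute it and confirm membership, and that using a separate key per dataset makes the two datasets unlinkable.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for this example (not real people).
RECORDS = [
    {"email": "alice@example.com", "purchases": 3},
    {"email": "bob@example.com", "purchases": 1},
    {"email": "alice@example.com", "purchases": 2},
]


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256: the same for everyone, so anyone who can guess the
    input can recompute it and confirm the record is present."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256): consistent within one key, and not
    reproducible by anyone who does not hold that key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Replace the direct identifier with a pseudonym; the payload stays
    usable for analysis."""
    return [{"pid": pseudonym(r["email"], key), "purchases": r["purchases"]}
            for r in records]


def purchases_per_person(pseudonymised):
    """Aggregation still works because one person maps to one pseudonym."""
    totals = {}
    for r in pseudonymised:
        totals[r["pid"]] = totals.get(r["pid"], 0) + r["purchases"]
    return totals


def can_confirm_membership(pids, candidate_email: str, probe_key=None) -> bool:
    """Can someone holding a candidate identifier tell whether it is in the
    dataset?  probe_key=None models a plain-hash probe; otherwise the probe
    is an HMAC under whatever key the prober has."""
    probe = plain_hash(candidate_email) if probe_key is None \
        else pseudonym(candidate_email, probe_key)
    return probe in pids


def linkable_across_datasets(ds_a, ds_b) -> bool:
    """Unlinkability check: do any pseudonyms appear in both datasets?"""
    return bool({r["pid"] for r in ds_a} & {r["pid"] for r in ds_b})


def demo():
    key_a = secrets.token_bytes(32)   # key for dataset A
    key_b = secrets.token_bytes(32)   # separate key for dataset B
    ds_a = pseudonymise(RECORDS, key_a)
    ds_b = pseudonymise(RECORDS, key_b)
    pids_a = {r["pid"] for r in ds_a}
    plain_pids = {plain_hash(r["email"]) for r in RECORDS}
    alice_pid = pseudonym("alice@example.com", key_a)
    return {
        # same person, same pseudonym: totals still add up (3 + 2)
        "alice_total": purchases_per_person(ds_a)[alice_pid],
        # unkeyed hash: a guessed e-mail confirms membership
        "plain_hash_confirms": can_confirm_membership(plain_pids, "alice@example.com"),
        # keyed pseudonym: without the key the probe never matches
        "wrong_key_confirms": can_confirm_membership(pids_a, "alice@example.com",
                                                    secrets.token_bytes(32)),
        # the data controller, holding the key, can still resolve it
        "right_key_confirms": can_confirm_membership(pids_a, "alice@example.com", key_a),
        # same key reused across datasets: records can be joined
        "same_key_linkable": linkable_across_datasets(ds_a, pseudonymise(RECORDS, key_a)),
        # one key per dataset: no pseudonym is shared, so no join is possible
        "separate_keys_linkable": linkable_across_datasets(ds_a, ds_b),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The key, not the hash function, is what carries the privacy property here: whoever holds it can re-identify, so it must be stored and access-controlled like any other secret, and rotating it per purpose is what delivers the unlinkability the paragraph describes.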

In today's era, ignoring data privacy issues is like a sailor turning a blind eye to rising seas and a falling barometer. Breaches of GDPR and other regulations such as HIPAA and CCPA come with hefty fines. Data privacy becomes harder to manage when management factors in things such as the Internet of Things (IoT), bring-your-own-device policies and the proliferation of internet-connected watches, phones and tablets. When a person brings more devices into the workplace, the organization ends up with more data to handle; this is the proliferating-devices issue.

In addition, the entity must be able to handle data privacy and compliance across any source, multiple apps and operating systems. To overcome this, management must ensure that proper data governance procedures are in place. Another issue is the ever-increasing scale of data (von Solms & von Solms, 2018). As cloud storage and computing costs come down, businesses are now swimming in data. Indeed, as the global volume of data grows, the challenge of managing this ocean of data is enormous. With millions of data records and hundreds of systems, management needs a solution that can handle the scale.

Smartphone Security Management

Mobile security management plays a vital role in the current scenario in protecting an individual's user data and information. Smartphone security is divided into three layers: data protection, device protection and app management security. Smartphone security depends not only on the phone itself but also on mobile device management (MDM) technology installed on the company's servers, through which security can be managed on the device. For adequate security, the mobile device and the management technology have to work together.
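To make the three layers and the role of the server-side MDM concrete, the following Python script is an added example written for this page, not code from the essay, from Kaspersky or from any MDM product. It assumes a hypothetical device-posture report containing the attributes an MDM agent commonly collects (OS version, storage encryption, screen lock, root/jailbreak status, installed apps, enrolment) and a hypothetical company policy; the field names and the three sample devices are constructed. The policy is evaluated layer by layer and the findings drive a conditional-access decision, which is how the server side and the device cooperate in practice.

```python
from dataclasses import dataclass, field


@dataclass
class DevicePosture:
    """Attributes a hypothetical MDM agent reports (constructed for this example)."""
    name: str
    os_version: tuple          # e.g. (14, 2) for 14.2
    disk_encrypted: bool
    screen_lock: bool
    rooted_or_jailbroken: bool
    mdm_enrolled: bool
    installed_apps: set = field(default_factory=set)


@dataclass
class Policy:
    """A hypothetical company policy covering the three layers."""
    min_os_version: tuple
    require_encryption: bool = True
    require_screen_lock: bool = True
    block_rooted: bool = True
    blocked_apps: set = field(default_factory=set)


def fmt(version: tuple) -> str:
    return ".".join(str(part) for part in version)


def evaluate(posture: DevicePosture, policy: Policy):
    """Return a list of (layer, finding) tuples; an empty list means compliant."""
    findings = []

    # Device protection layer: is the platform itself trustworthy and managed?
    if not posture.mdm_enrolled:
        findings.append(("device", "not enrolled in MDM"))
    if posture.os_version < policy.min_os_version:
        findings.append(("device", f"OS {fmt(posture.os_version)} below minimum "
                                   f"{fmt(policy.min_os_version)}"))
    if policy.block_rooted and posture.rooted_or_jailbroken:
        findings.append(("device", "rooted or jailbroken"))

    # Data protection layer: is data at rest protected if the phone is lost?
    if policy.require_encryption and not posture.disk_encrypted:
        findings.append(("data", "storage not encrypted"))
    if policy.require_screen_lock and not posture.screen_lock:
        findings.append(("data", "no screen lock configured"))

    # App management layer: are disallowed apps present?
    for app in sorted(posture.installed_apps & policy.blocked_apps):
        findings.append(("app", f"blocked app installed: {app}"))

    return findings


def access_decision(findings) -> str:
    """Device-layer failures deny corporate access outright; data- or app-layer
    failures quarantine the device until the user remediates them."""
    if any(layer == "device" for layer, _ in findings):
        return "deny"
    if findings:
        return "quarantine"
    return "allow"


# Constructed sample policy and devices for this example.
COMPANY_POLICY = Policy(min_os_version=(14, 0), blocked_apps={"unapproved-filesync"})

SAMPLE_DEVICES = [
    DevicePosture("compliant", (14, 2), True, True, False, True, {"mail"}),
    DevicePosture("no-lock", (14, 1), True, False, False, True, {"mail", "unapproved-filesync"}),
    DevicePosture("jailbroken", (13, 7), True, True, True, True, set()),
]


def decisions(devices=SAMPLE_DEVICES, policy=COMPANY_POLICY):
    """Map each device name to its access decision."""
    return {d.name: access_decision(evaluate(d, policy)) for d in devices}


if __name__ == "__main__":
    for device in SAMPLE_DEVICES:
        print(device.name, access_decision(evaluate(device, COMPANY_POLICY)),
              evaluate(device, COMPANY_POLICY))
```

The ordering of the decision matters: a rooted or outdated device cannot be trusted to report its own data-layer state honestly, which is why device-layer findings are treated as disqualifying rather than as something the user can fix in place.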

This can be illustrated by the example of Blackberry phones, which are designed for business use because they have an excellent security system through which a company can straightforwardly protect its data (Kaspersky, 2020). On the other hand, regular smartphones are used for personal purposes such as shopping and banking transactions, and security is needed there as well. More devices are being used and linked with each other through cloud technology, so more attention is needed to the overall security of mobile networks. In addition, as more and more applications come onto the market, more and more security is required to protect user information and data.

Security concerns around the popular iOS and Android phones are growing day by day as technology advances. Smartphones are at greater risk in some locations, such as hotels, airports and coffee shops. Wi-Fi connections are also a risk area if users do not apply proper security to them. An attacker can easily steal confidential information and data such as mobile application passwords and professional data. To protect data, users can adopt security applications such as McAfee Total Protection and Avast Mobile Security, through which user data and information can be protected.

Threats to mobile device security are increasing day by day as advanced technology is adopted, through which data can be leaked effortlessly. The top mobile security threats identified in 2020 are data leakage, unsecured Wi-Fi, network spoofing, phishing attacks and spyware. All of these are considered major threats to mobile devices, leading to stolen private data and information. In addition, using a mobile phone in the workplace can give rise to risks such as malicious code, physical access, device attacks, insider threats and communication interception (O'Leary et al., 2017). For protection from all these risks, security management is implemented within the organization to mitigate them for the future.

Furthermore, some smartphone features, such as Siri on the iPhone, give users control that helps protect their data and information. To protect smartphones from threats, different applications can be installed to monitor malicious activity on the phone. Smartphones also have to be updated frequently to protect data from outside threats and attacks. Thus, a smartphone user needs to apply proper security to protect their data and information.

Implementation of Business Continuity in The Current COVID-19 Crisis

The COVID-19 crisis presents a serious threat to businesses, economies and people across the globe. It is identified that 12% of companies are highly prepared for the impact of the coronavirus. Smart leaders must concentrate on how they can best protect their people, serve their customers and stabilize business continuity. To support organizations in providing a safe working environment, some municipal governments are working with big data amassed by technology companies and mobile operators to create a health QR code system that helps people track their movements over the previous 14 days to prove that they have not visited any high-risk areas (Accenture, 2020).

Cybersecurity technology and service providers are shifting priorities to support existing needs, work remotely, and plan the transition and business continuity to the next normal. Few corporate functions shifted their priorities when the COVID-19 crisis struck as much as cybersecurity business operations and the technology providers that help them perform.

CISOs have also taken action to protect against new network threats that target remote employees and to bolster organizations' customer-facing operations and e-commerce after the rush of online shopping during the pandemic lockdowns. The crisis is putting pressure on some units' budgets and limiting resources for others.

In addition, the challenges that cybersecurity organizations face carry over to technology providers. Organizations have completed pivots to keep up with the shifting needs of customers and to institute new ways of operating. To succeed in the post-COVID-19 era, technology providers should rethink their strategies and offerings to serve a new security landscape, and must regularly monitor customers' needs and adjust services, training and sales as required.

More than 70% of CISOs and security buyers believe that budgets will shrink by the end of 2020, but plan to ask for significant increases in 2021 (Anant, Caso & Schwarz, 2020). As a result, funding new actions to safeguard companies is expected to limit outlays for such things as governance, risk and compliance tools. Financial services organizations postponed 'red team' exercises in the rollout of remote work in order to close vulnerabilities. The crisis has offered organizations an opportunity to drive home the significance of cybersecurity to workers, especially frontline workers.

Programs for permanent remote working, phased reopening and limited interaction with non-essential visitors will increase interest in some cybersecurity goods and services but curb it for others. This will shape how providers need to interact with prospects and customers. CISOs facing budget pressure may need to revisit cybersecurity service contracts to cut costs and boost value (Smallwood, 2019).

Conclusion on Organizational Information Security Policies

From the report, it can be inferred that managing information security essentially means handling and mitigating the different threats and vulnerabilities to assets, while balancing the management effort expended on potential threats and vulnerabilities by gauging their probability of actually occurring. Information security strategy and training must be integrated with the company plan, and information security favourably impacts communication through departmental strategies to reassure all personnel. In most situations, cybersecurity spending at large companies is expected to bounce back more rapidly than at SMEs.

References for Organizational Information Security Policies

Accenture. (2020). Continuity in crisis: how to run effective business services during COVID-19. [Online]. [Accessed 23 September 2020].

Alshare, K. A., Lane, P. L., & Lane, M. R. (2018). Information security policy compliance: a higher education case study. Information & Computer Security.

Anant, V., Caso, J., & Schwarz, A. (2020). COVID-19 crisis shifts cybersecurity priorities and budgets. [Online]. [Accessed 23 September 2020].

Ávila, C., Chinchilla, E. J., & Pérez, T. V. (2019, November). IT governance model for state entities, as support for compliance with the information security and privacy component in the framework of the digital government policy. In Journal of Physics: Conference Series (Vol. 1409, No. 1, p. 012005). IOP Publishing.

Brooks, R. (2020). Data privacy trends, issues and concerns. [Online]. [Accessed 23 September 2020].

Choi, S., Martins, J. T., & Bernik, I. (2018). Information security: Listening to the perspective of organizational insiders. Journal of Information Science, 44(6), 752-767.

Cram, W. A., Proudfoot, J. G., & D’arcy, J. (2017). Organizational information security policies: a review and research framework. European Journal of Information Systems, 26(6), 605-641.

Karlsson, F., Hedström, K., & Goldkuhl, G. (2017). Practice-based discourse analysis of information security policies. Computers & Security, 67, 267-279.

Kaspersky. (2020). Smartphone security. [Online]. [Accessed 23 September 2020].

Moghadam, R. S., & Colomo-Palacios, R. (2018). Information security governance in big data environments: A systematic mapping. Procedia Computer Science, 138, 401-408.

O'Leary, D., Zimmermann, R., Grahn, A., Poarch, D., Cook, M., & Pirc, J. (2017). Mobile Device Security in the Workplace: 5 Key Risks and a Surprising Challenge. [Online]. [Accessed 23 September 2020].

Purplesec. (2020). 2020 cyber security statistics, the ultimate list of stats, data & trends. [Online]. [Accessed 23 September 2020].

Smallwood, R. F. (2019). Information governance: Concepts, strategies and best practices. John Wiley & Sons.

Vinnakota, T. R., & Mandaleeka, N. G. P. L. (2017). U.S. Patent No. 9,760,849. Washington, DC: U.S. Patent and Trademark Office.

von Solms, B., & von Solms, R. (2018). Cybersecurity and information security: what goes where? Information & Computer Security.
