Integrated Information Security Policy Model for Saudi Arabia Organizations

Abstract

Information Security Policy (ISP) is an important domain used to preserve the confidentiality, integrity, and availability of sensitive data. However, it is an ambiguous and diverse domain due to the diversity of security policies and the multiplicity nature of organization systems. Numerous specific and generic ISP models have been offered for several purposes. The offered models have numerous redundant procedures, concepts, activities, processes, and tasks that make the ASP domain unorganized, unstructured, and ambiguous among domain experts and users. Thus, the structured and integrated model to simplify sharing, managing, and reusing ISP activities and tasks is still missing. This study applied the design science method to develop a unified model for the ISP domain called the Integrated Information Security Policy Model (IISPM). This aims to identify, recognize, extract, and match different ISP processes, concepts, activities, and tasks from different ISP models in a developed IISPM, thus, allowing domain experts and users to derive/instantiate solution models easily. The developed IISPM consists of six main abstract processes: Information security policy process, information security awareness process, access control process, observing the process, agreement process, and plan process. Each introduced process has specific security practices. The output showed that IISPM assists domain experts and users to create their solution models based on their requirements.