ADOPTION OF INFORMATION SECURITY MEASURES IN PUBLIC RESEARCH INSTITUTES

Albuquerque Junior, Antonio Eduardo de; Santos, Ernani Marques dos

doi:10.4301/S1807-17752015000200006

Acessibilidade / Reportar erro

Brasil

JISTEM - Journal of Information Systems and Technology Management

Español English

Brasil

Español English

sumário « anterior atual seguinte »

Sumário

Original Article • JISTEM J. Inf. Syst. Technol. Manag. 12 (2) • May-Aug 2015 • https://doi.org/10.4301/S1807-17752015000200006 copy

ADOPTION OF INFORMATION SECURITY MEASURES IN PUBLIC RESEARCH INSTITUTES

ADOÇÃO DE MEDIDAS DE SEGURANÇA DA INFORMAÇÃO EM INSTITUTOS DE PESQUISA PÚBLICOS

Authorship SCIMAGO INSTITUTIONS RANKINGS

ABSTRACT

There are several Information Security measures recommended by international standards and literature, but the adoption by the organizations should be designated by specific needs identified by Information Security Governance structure of each organization, although it may be influenced by forces of the institutional environment in which organizations are inserted. In public research institutes, measures may be adopted as a result of pressure from Government and other agencies that regulate their activities, or by the influence of Information Security professionals, or simply adopting the same measures of leading organizations in the organizational field. This study aimed to investigate whether in public research institutes the adoption of Information Security measures is influenced by organizational factors relating to Information Security Governance, and by external factors relating to its institutional environment. The results show that these organizations are subject to institutional influences more than organizational influences.

Keywords
information security; governance; adoption; measures; research institutes

Organizational Dimension
Component	Indicators
Information Security Governance	IG01 - Formal definition of rules and responsibilities on Information Security for managers and other members of the organization
	IG02 - Strategies and objectives of Information Security defined and documented
	IG03 - Risk evaluation and management processes
	IG04 - Processes of analysis of resources management to Information Security
	IG05 - Control mechanisms for Information Security compliance with laws and agreements
	IG06 - Communication processes on Information Security with funding organizations and partners
	IG07 - Directives, actions and formal declaration of commitment by leaders and managers to Information Security
	IG08 - Information Security organizational structures
	IG09 - Information Security awareness processes
	IG10 - Formal and published Information Security Policy
	IG11 - Documented Information Security organizational procedures
	IG12 - Documented Information Security internal regulations and standards
	IG13 - Control mechanisms for organizational actions compliance with Information Security
Institutional Dimension
Components	Indicators
Government, Regulatory Organizations, and Funding Organizations for Research	IC01 - Laws, decrees, norms, resolutions and other regulations published by the Government
	IC02 - Existence of agreements signed with other organizations that develop or fund research requiring the adoption of Information Security measures
Professionalization of IT and Information Security	IN01 - Use of international norms and standards as Information Security models
	IN02 - Use of criteria that require training or specific knowledge on Information Security for hiring professionals
	IN03 - Participation of IT and Information Security professionals in information and knowledge sharing networks for Information Security
Other Organizations of the Organizational Field	IM01 - Use of experiences of successful public organizations in the organizational field as models
Other Organizations of the Organizational Field	IM02 - Use of experiences of successful research organizations in the organizational field as models

Indicators	Technical Procedures	Methods Used for Data Collection
IG01	Document analysis	Consultation in Information Security Policies and Information Security Management Systems
IG02	Document analysis	Consultation in Information Security Policies, Information Security Plans, and IT Master Plans
IG03	Survey	Question in electronic form
IG04	Document analysis	Consultation in Information Security Plans or IT Master Plans
IG05	Survey	Question in electronic form
IG06	Document analysis	Consultation in agreements and cooperation documents
IG07	Document analysis	Consultation in Information Security Policies, Information Security Plans, and IT Master Plans
IG08	Survey	Question in electronic form
IG09	Survey	Question in electronic form
IG10	Survey	Question in electronic form
IG11	Survey	Question in electronic form
IG12	Survey	Question in electronic form
IG13	Survey	Question in electronic form
IC01	Survey	Question in electronic form
IC02	Document analysis	Consultation in agreements and cooperation documents
IN01	Survey	Question in electronic form
IN02	Survey	Question in electronic form
IN03	Survey	Question in electronic form
IM01	Survey	Question in electronic form
IM02	Survey	Question in electronic form

#	Questions
1	The institute is an autarchy, public foundation, mixed-capital company or public company?
2	Is the research institute subordinate to which level of government?
3	What is your position in the research institute?
4	What is the role you play in the research institute?
5	What is the area of expertise of the research institute?
6	What are the organizations that regulate the activities developed by the research institute?
7	What are the Information Security measures adopted by the research institute?
8	consider risk assessment and management processes?
9	IG05 – When adopting Information Security measures, are internal mechanisms of control of compliance with the laws considered?
10	IG08 – Do the Information Security Committee, Office or Manager of the research institute participate in decisions on the adoption of Information Security measures?
11	IG09 – Is the adoption of Information Security measures in the research institute preceded by awareness processes for users?
12	IG10 – Do decisions on the adoption of Information Security measures consider the Information Security Policy of the research institute?
13	IG11 – Does the adoption of Information Security measures by the research institute consider existing Information Security procedures?
14	IG12 – Does the adoption of Information Security measures consider internal Information Security regulations and standards adopted by the research institute?
15	IG13 – Have decisions on the adoption of Information Security measures been considering control mechanisms of compliance in with the Information Security Policy?
16	IC01 – Were Information Security measures of the research institute adopted based on laws, decrees or other resolutions published by the Government or other organizations that control its activities?
17	IN01 – Does the research institute adopt Information Security measures based on models of guidelines, international norms and standards widely accepted?
18	IN02 – Does the organization select professionals to participate in decisions concerning the adoption of measures requiring specific knowledge or training about Information Security?
19	IN03 – Do professionals working with Information Security at the research institute exchange information and experiences about the adoption of Information Security measures with professionals from other organizations?
20	IM01 – When making decisions on the adoption of Information Security measures in the research institute, are the experiences of successful public organizations used as a model?
21	IM02 – When making decisions on the adoption of Information Security measures in the research institute, are the experiences of successful research organizations used as a model?

TECSI Laboratório de Tecnologia e Sistemas de Informação - FEA/USP Av. Prof. Luciano Gualberto, 908 FEA 3, 05508-900 - São Paulo/SP Brasil, Tel.: +55 11 2648 6389, +55 11 2648 6364 - São Paulo - SP - Brazil
E-mail: jistemusp@gmail.com

Acompanhe os números deste periódico no seu leitor de RSS

[1] Address for correspondence / Endereço para correspondência Antonio Eduardo de Albuquerque Junior, Mestre em Administração, estudante de Doutorado da Escola de Administração, Universidade Federal da Bahia, Av. Reitor Miguel Calmon, Salvador, Bahia, Brasil E-mail: eduardo.albuquerque@bahia.fiocruz.br