Information security landscape and maturity level: Case study of Malaysian Public Service (MPS) organizations

Government Information Quarterly

Volumn 26, Issue 4, 2009, Pages 584-593

  Dzazali, Suhazimah ^a   Sulaiman, Ainin ^a   Zolait, Ali Hussein ^a  

^a UNIVERSITY OF MALAYA   (Malaysia)

Author keywords

Information security; Public Service organizations; Security management

Indexed keywords

EID: 69049098736     PISSN: 0740624X     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.giq.2009.04.004     Document Type: Article

References (54)

1. Aceituno, V. C. (2004). ISM31.0. - Information security management maturity model, Institute for Security and Open Methodology. Retrieved January 10, 2005, from http://isecom.securenetltd.com/Security_Maturity_Model_v3.0.pdf
2. Andersen W.P. Information security governance. Information Security Technical Report 6 3 (2001) 60-70
3. Backhouse J., and Dhillon G. Information security management in the new millennium. Communications of the ACM 43 (2000) 125-128
4. Baskerville R. Designing information system security (1998), John Wiley & Sons, UK
5. Berinato, S. (2003). After the storm, reform. CIO Magazine. Retrieved October 19, 2004, from http://www.cio.com/archive/121503/securityfuture.html
6. Bhaskar K.N. Computer security: Threat and countermeasures (1993), NCC-Blackwell, Oxford, UK
7. Brynes, C. (2005). The Gartner Group: Information Security Trends 2005-2007. Retrieved July 20, 2006, from http://www.gartner.com
8. BS7799 (British Standard on Information Security System Management) (2000). Retrieved August 10, 2003, from http://www.bsi-global.com/Corporate/17799.xalter
9. Caralli, R. A. & Wilson, W.R. (2003). The challenges of security management. Carnegie-Mellon University. Software Engineering Institute. Retrieved October 19, 2004, from http://www.cert.org/archive/pdf/Esmchallenges.pdf
10. COBIT (2000). Control objectives for information and related technology: Management guidelines. Information Systems, Audit, and Control Foundation. Illinois: ISACA, 1997. Retrieved April 20, 2004, from http://www.isaca.org/cobit.htm
11. COBIT (2002). Control objectives for information and related technology, by the Information Systems, Audit, and Control Foundation. Illinois: ISACA, 1997. Retrieved April 20, 2004, from http://www.isaca.org/cobit.htm
12. Eloff J.H.P. (2002). What do international standards say on information security policies? Retrieved April 20, 2003, from http://www.cio.org
13. Eloff M.M., and Solms S.H. Information security management: A hierarchical framework for various approaches. Computers and Security 19 3 (2000) 243-256
14. Ernst and Young (2004). Ernst and Young Global Information Security Survey 2004. Retrieved March 15, 2005, from http://www.ey.com
15. Ezingeard, J. N. & Bowen-Schrire, M. (2003). Information security: A strategic issue. A conjoint report study, Hanley Management College, UK and Dataföreningen, Sweden. Retrieved November 20, 2004, from http://www.henley.se
16. Fulford H., and Doherty N.F. The application of information security policies in large UK-based organizations: An exploratory investigation. Information Management & Computer Security 11 3 (2003) 106-114
17. Gordon, L. A., Loeb, G. M., Lucyshyn, W. & Richardson, R. (2004). 9th Annual FBI/CSI Computer Crime and Security Survey 2004. Retrieved June 24, 2004, from http://GoCSI.com
18. Hare C. Policy development. In: Tipton H.F., and Kraus M. (Eds). Information security management handbook. 4th ed. Vol. 3 (2002), Auerbach Publications, New York
19. Hong K.S., Chi Y.P., Chao L.R., and Tang J.H. An integrated system theory of information security management. Information Management & Computer Security 11 5 (2003) 243-448
20. ISO/IEC 17799 (2005). Information technology - Code of practice for information security management. Geneva: International Organization for Standardization. Retrieved June 24, 2004, from http://www.iso.org
21. IT Governance Institute (2005). Board briefing on IT governance. Retrieved August 11, 2004, from http://www.itgi.org
22. JPA (2005). Malaysian Public Service Department (Jabatan Perkhidmatan Awam Malaysia). Proceedings of Public Service Conference 2005.
23. Jenkins, J. (2003). Organizational IT security theory and practices: And never the twain shall meet? Retrieved February 27, 2004, from http://www.sans.org/rr/securitybasics/IT_sec2.php
24. Kloman, F. (1998). Integrated risk assessment: Current views of risk management. Risk Management Report, December. Retrieved March 27, 2003 from http://www.riskreports.com/htdocs/riskassessment.html
25. Knapp, K., Marshall, T., Rainer, R. K. & Morrow, D. (2004). Top ranked information security issues: The 2004 International Information System Security Certification Consortium (ISC) 2 Survey Results. Retrieved March 20, 2005, from www.isc2.org
26. Malhotra N.K. Marketing research: An applied orientation. 4th ed. (2004), Pearson-Prentice Hall, New York
27. MAMPU, (2001). Malaysian Administrative Modernization and Management Planning Unit, Mekanisme Pelaporan Insiden Keselamatan Teknologi Maklumat dan Komunikasi (Information and Communications Technology Security Incident Reporting Mechanism), Malaysia Government General Circular No. 1 of 2001. http://www.mampu.gov.my/mampu/bm/program/Circulars/Security/SPAm012001.html
28. MAMPU, (2002). Malaysian Administrative Modernization and Management Planning Unit, Malaysian Public Service Management of ICT Security Handbook (MyMIS), Prime Minister's Department, Government of Malaysia, Percetakan Nasional Malaysia.
29. MAMPU, (2003). Malaysian Administrative Modernization and Management Planning Unit, Malaysia, Public Service ICT Strategic Plan Executive Summary. Retrieved August 23, 2005, from www.mampu.gov.my/mampu/bi/program/ict/ISPlan/ISPlan.htm
30. MAMPU, (2005). Malaysian Administrative Modernization and Management Planning Unit, Director General Briefing on Organization Structure, INTAN. Retrieved September 9, 2005, from http://www.intanbk.gov.my
31. Marsh, J. (2003). Myths managers believe about security. Retrieved February 27, 2003, from http://www.sans.org/rr/start/myths.php and http://www.giac.org/practical/gsec/Jerry_Marsh_GSEC.pdf
32. McAdams A.C. Security and risk management: A fundamental business issue. Information Management Journal (2004) 36-44 July/Aug
33. Menkus B. Control is fundamental to successful information security. Computers & Security 10 1 (1991) 293-297
34. Murine G.E., and Carpenter C.L. Measuring computer system security using software security metrics. Proceedings of the 2nd IFIP international conference on computer security (IFIP/Sec"84), Toronto, Ontario, Canada (1984)
35. Musekura, J.B. & Ekh, R. (2003) Information security issues - Difference between perception and practice in organizations, Orebro University, Sweden. Retrieved November 20, 2005, from http://www.oru.se/oru-upload/
36. Nakra P. Info-terrorism in the age of the internet: Challenges and initiatives. Journal of Competitive Intelligence and Management 1 2 (2003) 1-10 Summer 2003
37. NISER (2004). NISER ICT Security Survey for Malaysia 2004. Retrieved May 10, 2005, from http://www.niser.org
38. Parker. Fighting cyber crime: A new framework for protecting information (1998), John Wiley & Sons, New York
39. Peltier T.R. Information security risk analysis (2001), Auerbach Publications, New York
40. PWC (2004). Price Waterhouse Coopers - 2004 ISC2 top issues report. Retrieved March 15, 2005, from http://www.pwc.com
41. Richardson, R. (2003). 8th Annual CSI/FBI Computer Crime and Security Survey 2003. Retrieved February 5, 2004, from http://GoCSI.com
42. Schneier B. Secrets and lies - Digital security in a networked world (2000), Wiley Computer Publishing, New York
43. Siponen M. Towards maturity of information security maturity criteria: Six lessons learned from software maturity criteria. Information Management and Computer Security 10 5 (2002) 210-224
44. Solms S.H. Corporate governance and information security. Computers and Security 20 3 (2001) 215-218
45. Solms B., and Solms R. The 10 deadly sins of information security. Computers and Security 23 5 (2004) 371-376
46. Sommer, R. (2003). How to buy information security. Retrieved July 24, 2004, from http://www.virtualcity.co.uk.hottobuy.htm
47. SSE-CMM (1998). System Security Engineering Capability Maturity Model V.3.0. Carnegie Mellon University. Retrieved January 20, 2005, from http://www.sse-ccm.org/model/model.asp
48. Stacey T.R. Information security program maturity grid. Information System Security 5 (1996) 22-33
49. Starr, R., Newfrock, J. & Delurey, M. (2003). Enterprise resilience: Managing risk in the networked economy. Strategy & Business, Spring 2003. Retrieved May 20, 2005, from http://www.strategy-business.com
50. Tudor J.K. Information security architecture: An integrated approach to security in the organization (2001), CRC Press, LLC
51. Turban E., King D., Lee J., and Viehland D. Electronic commerce 2004 - Managerial perspective. International Edition (2004), Pearson Education, Inc, New York 1-34
52. Vaughn E.J. Risk management (1997), John Wiley and Sons, Inc, New York
53. Wallace L., Keil M., and Rai A. How software project risk affects project performance: An investigation of the dimensions of risk and an exploratory model. Decision Sciences 35 2 (2004) 289-320 Spring 2004
54. Waring, A. & Glendon, A. I. (1998). Managing risk - Critical issues for survival and success into the 21st century. UK: Thompson Learning.