The enterprise information security policy as a strategic business policy within the corporate strategic plan (extended abstract)

Information security has been recognized as a core requirement for corporate governance that is expected to facilitate not only the management of risks, but also as a corporate enabler that supports and contributes to the sustainability of organizational operations. In implementing information security, the enterprise information security policy is the set of principles and strategies that guide the course of action for the security activities and may be represented as a brief statement that defines program goals and sets information security and risk requirements. The enterprise information security policy (alternatively referred to as security policy in this paper) that represents the meta-policy of information security is an element of corporate ICT governance and is derived from the strategic requirements for risk management and corporate governance. Consistent alignment between the security policy and the other corporate business policies and strategies has to be maintained if information security is to be implemented according to evolving business objectives. This alignment may be facilitated by managing security policy alongside other corporate business policies within the strategic management cycle. There are however limitations in current approaches for developing and managing the security policy to facilitate consistent strategic alignment. This paper proposes a conceptual framework for security policy management by presenting propositions to positively affect security policy alignment with business policies and prescribing a security policy management approach that expounds on the propositions.

Small Business and entrepreneurship policy

There are two key approaches to entrepreneurship, each of which has different implications for small business policy (Danson 2002). The first conceives of entrepreneurship as an economic process and can be traced to the work of Joseph Schumpeter who developed the concept of creative destruction to describe the entrepreneurial process that led to the simultaneous elimination of old industries and activities and the creation of new activities through the commercial application of new ideas. While entrepreneurship as a process of creative destruction might include start up activity amongst small firms, it does not exclusively involve small firms as large firms may contribute to the entrepreneurial process through the generation of new knowledge and by assisting in financing the development of new ideas amongst small firms. Although innovation occurs in large as well as small firms, the literature on small enterprise innovation draws heavily on Schumpeter’s depiction of the central role of the entrepreneur in the process of creative destruction, whereby the economic system is transformed from within and new cycles in economic life emerge in which new industries and markets replace old industries and markets. Schumpeter argued that entrepreneurs drove the process of innovation and that innovation was a stimulus to economic development and involved the development of new products, processes, methods of production or new forms of commercial or financial organisation (Schumpeter 1911). At a time when technological development and structuraleconomic change are occurring at a rapid pace, small firm innovation is seen to be critically important because empirical evidence, although not undisputed, indicates that SMEs make an important contribution to radical innovations in new industries (Nooteboom 1994). The second view of entrepreneurship focuses on the individual entrepreneur more than the entrepreneurial process. The entrepreneur is depicted as an owner of small businesses, and is regarded as having particular personal characteristics such as self-reliance, individual initiative and self-motivation. Entrepreneurs are also considered to have a behavioural orientation towards the exploitation of new ideas and opportunities. They are the risk takers who are able to see an opportunity and pursue it commercially despite the uncertainty of rewards. The capacity to plan, manage and lead is also seen to be identifying characteristics of entrepreneurs. Different small business policy approaches arise from these different perspectives on entrepreneurship. Small business policy approaches that emphasise the process by which new ideas are generated and applied commercially arise from the first and broader view of entrepreneurship. Policies designed to generate a population of risk taking and self-motivated individuals with highly developed management and commercial skills are more in keeping with the second approach, which is focused on the individual entrepreneur rather than the entrepreneurial process.

Boards of directors' contribution to strategy : a literature review and research agenda

Research Question/Issue: Over the last four decades, research on the relationship between boards of directors and strategy has proliferated. Yet to date there is little theoretical and empirical agreement regarding the question of how boards of directors contribute to strategy. This review assesses the extant literature by highlighting emerging trends and identifying several avenues for future research. Research Findings/Results: Using a content-analysis of 150 articles published in 23 management journals up to 2007, we describe and analyze how research on boards of directors and strategy has evolved over time. We illustrate how topics, theories, settings, and sources of data interact and influence insights about board–strategy relationships during three specific periods. Theoretical Implications: Our study illustrates that research on boards of directors and strategy evolved from normative and structural approaches to behavioral and cognitive approaches. Our results encourage future studies to examine the impact of institutional and context-specific factors on the (expected) contribution of boards to strategy, and to apply alternative methods to fully capture the impact of board processes and dynamics on strategy making. Practical Implications: The increasing interest in boards of directors’ contribution to strategy echoes a movement towards more strategic involvement of boards of directors. However, best governance practices and the emphasis on board independence and control may hinder the board contribution to the strategic decision making. Our study invites investors and policy-makers to consider the requirements for an effective strategic task when they nominate board members and develop new regulations.

Internet and e-commerce law, business and policy

Over the last two decades, the internet and e-commerce have reshaped the way we communicate, interact and transact. In the converged environment enabled by high speed broadband, web 2.0, social media, virtual worlds, user-generated content, cloud computing, VoIP, open source software and open content have rapidly become established features of our online experience. Business and government alike are increasingly using the internet as the preferred platform for delivery of their goods and services and for effective engagement with their clients. New ways of doing things online and challenges to existing business, government and social activities have tested current laws and often demand new policies and laws, adapted to the new realities. The focus of this book is the regulation of social, cultural and commercial activity on the World Wide Web. It considers developments in the law that have been, and continue to be, brought about by the emergence of the internet and e-commerce. It analyses how the law is applied to define rights and obligations in relation to online infrastructure, content and practices.

BP-XACML: An authorisation policy language for business processes

XACML has become the defacto standard for enterprise- wide, policy-based access control. It is a structured, extensible language that can express and enforce complex access control policies. There have been several efforts to extend XACML to support specific authorisation models, such as the OASIS RBAC profile to support Role Based Access Control. A number of proposals for authorisation models that support business processes and workflow systems have also appeared in the literature. However, there is no published work describing an extension to allow XACML to be used as a policy language with these models. This paper analyses the specific requirements of a policy language to express and enforce business process authorisation policies. It then introduces BP-XACML, a new profile that extends the RBAC profile for XACML so it can support business process authorisation policies. In particular, BP-XACML supports the notion of tasks, and constraints at the level of a task instance, which are important requirements in enforcing business process authorisation policies.

Authorisation management in business process environments: An authorisation model and a policy model

This thesis provides two main contributions. The first one is BP-TRBAC, a unified authorisation model that can support legacy systems as well as business process systems. BP-TRBAC supports specific features that are required by business process environments. BP-TRBAC is designed to be used as an independent enterprise-wide authorisation model, rather than having it as part of the workflow system. It is designed to be the main authorisation model for an organisation. The second contribution is BP-XACML, an authorisation policy language that is designed to represent BPM authorisation policies for business processes. The contribution also includes a policy model for BP-XACML. Using BP-TRBAC as an authorisation model together with BP-XACML as an authorisation policy language will allow an organisation to manage and control authorisation requests from workflow systems and other legacy systems.

Work/Family Balance: HRM Policy and Practice in Australia

An employee's inability to balance work and family responsibilities has resulted in an increase in stress related illnesses. Historically, research into the nexus between work and family has primarily focused on the work/family conflict relationship, predominately investigating the impact of this conflict on parents, usually mothers. To date research has not sufficiently examined the human resource management practices that enable all parents to achieve a balance between their work and family lives. This paper explores the relationship between contemporary family friendly HRM policies and employed parents perceptions of work/family enhancement, work/family satisfaction, propensity to turnover, and work/family conflict. Self-report questionnaire data from 326 men and women is analysed and discussed to enable organisations to consider the use of family friendly policies and thus create a convergence between the well-being of employees and the effectiveness of the organisation.