Merging Information Security Policies - Requirements and Best Practices

  • Paul Werner Lackner

Student thesis: Master's Thesis

Abstract

Merging information policies in an organisation may be a difficult project. Merging
policies may have various motivations, e.g. to create a more efficient organisation or
to merge multiple subsidiaries, which creates a need for a consolidated policy.
To successfully complete a merger of policies, a strategy needs to be developed that
considers these questions: What are the business goals, what are the requirements for
the policies and the policy system, what is the goal that needs to be reached through
the policies, and who are the stakeholders of the policies? A critical part of the merger
is the communication of the policy change. This thesis describes the very basics of risk
management and IT operations to establish a unified understanding of the topic. It further
creates a hypothesis and theory on how to do a successful merger and therefore on
how to communicate a change of an information security policy effectively to the relevant
stakeholders. The various preconditions of this merger (why it is done) are not evaluated
or described; the focus is rather on how it is carried out and on its results. Later on, an
experiment is described and analysed, which also serves as a basis for a conclusion and
is used to evaluate the hypothesis. The thesis concludes that a change of a policy needs to be
announced to relevant people via personal message in their own language via a suitable
messenger.
Date of Award: 2024
Original language: English (American)
Supervisor: Harald Lampesberger (Supervisor)
