The process of formulating an information security policy as perceived by managers: a study in hospital institutions
Date
2007-12-18
Advisor(s)
Albertin, Alberto Luiz
Abstract
The purpose of this paper was to understand the participation of managers in the process of formulating strategies for information security policy, identifying the leading elements to develop an analysis system in hospital organizations. The object of this study was formed by five hospital organizations selected according to typical characteristics, time of existence and market position, and data availability. This research was carried out in a multicase, longitudinal, contextual and procedural, exploratory and descriptive fashion. It intended to generate specific criteria to develop data-based theory. Interviews were conducted at two different moments, establishing two stages of data exploration. The data interpretation system was qualitative, as the research amassed information from individual and group interviews to understand the phenomena according to the perspective of the subjects — fourteen managers involved directly with IT and organizational and strategic plans. The Grounded Theory method was used to analyze subjective aspects such as the managers’ perceptions and opinions about the specific organizational context in hospital organizations. The study led to the development of an analysis framework named “Continuous monitoring cycle for the development of an Information Security Policy in Hospital Organizations”. With this structure, it has been possible to identify information security accountability at various organizational levels, outlining responsibilities in relation to implementation, compliance, audit and evaluation, establishing necessary guidelines for all protection measures still to be implemented.
As a result, it was found that the hospital organizations in this study, in their unique nature, displayed a lack of qualification to formulate a clear, formal information security policy due to the need for straightforward definitions in the role of the various organizational groups, and the leading elements to managers’ perception in decision making.
