INFORMATION SYSTEM MANAGEMENT



NOTES ON INFORMATION SYSTEM MANAGEMENT HELPFUL TO MCA STUDENTS


  • Chapter 1: Introduction

    A Study of Information Security Policies Page 1

    CHAPTER 1

    INTRODUCTION

    1.1 INTRODUCTION:

    Information security has always been a major challenge to most IT companies. To ensure business continuity, the security of corporate information is extremely important. The basic reason is that information is an asset which, like other important business assets, is of value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to gain strategic advantage, ensure business continuity, minimize business losses and maximize return on investments and business opportunities.

    Previous studies have shown that corporate information is vulnerable to security attacks. This research study intends to investigate the implementation of information security policies (ISP) by IT companies based on different domains, in order to protect the assets of the organization and to minimize business losses. The domains are the areas of concentration where security needs to be focused, and different information security policies are developed for each domain.

    1.2 INFORMATION:

    Information is processed data, converted to a specific form that gives some definite meaning. It is a collection of facts organized in such a way that it has additional value beyond the facts themselves. Information can be stored in an organized form, as a set of data which generates a specific meaning. Information possesses many characteristics, such as accuracy, portability, comprehensiveness, pertinence, currency, value, timely availability, meaningfulness and so on. The value of information comes from the characteristics it possesses. When a characteristic of information changes, the value of that information either increases or, more commonly, decreases. Some characteristics affect the value of information to users more than others do. Timeliness of information is a critical factor, because information loses its value after its validity period is over or when it is delivered late. Though information security professionals and end users share the same understanding of the characteristics of information, tensions can arise when the need to secure the integrity of information from threats conflicts with the end users' need for unhindered access to the information.

    We live in an information economy. Information itself has value, and commerce often involves the exchange of information rather than tangible goods. Systems based on computers are increasingly used to create, store and transfer information. Information can be available in many different forms. It can exist printed or written on paper, stored electronically, transmitted by post or by electronic means, shown on film, or spoken in conversation. Whatever form the information takes, and whatever the means by which it is shared or stored, it should always be appropriately protected. As information can take many forms, the methods of securing it are equally varied.

    1.3 INFORMATION SECURITY:

    Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. Information security, as defined by standards published by the Committee on National Security Systems, is the protection of information and its critical elements, including the systems and hardware that use, store and transmit that information.

    Information security is achieved by implementing a suitable set of controls, which could be policies, practices, procedures, organizational structures and software functions. These controls need to be established in order to ensure that the specific security objectives of the organization are met.

    1.3.1 Control:

    A control is a system that prevents, detects or corrects unlawful events. A system is a set of interrelated components that function together to achieve an objective. An unlawful event can arise if unauthorized, inaccurate, incomplete, redundant, ineffective or inefficient input enters the system. For an organization, controls are broadly classified into three types: managerial controls, operational controls and technical controls. [1]

    1.3.2 Managerial controls:

    These controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization. Management controls address the design and implementation of the security planning process and security program management. They also address risk management and security control reviews, and further describe the necessity and scope of legal compliance and the maintenance of the entire security life cycle.

    1.3.3 Operational controls:

    These controls are concerned with the operational functionality of security in the organization. They include lower-level planning such as disaster recovery and incident response planning. They also include personnel and physical security as well as the protection of production input and output. They provide guidance for the development of education, training and awareness programs for users, administrators and management. In addition, they address hardware and software system maintenance and the integrity of data.

    1.3.4 Technical controls:

    Technical controls address the tactical and technical issues related to designing and implementing security in the organization. They also handle the issues related to examining and selecting the technologies appropriate to protecting information. Technical controls address specific technology selection and the acquisition of certain technical components. Logical access controls such as identification, authorization, authentication and accountability are part of these technical controls. Technical controls also address the development and implementation of audit trails for accountability. Cryptography for message encryption and decryption also falls under technical controls. Rights assigned to users based on their profiles are also included in technical controls. These three sets of controls cover the entire spectrum of safeguards for IT organizations.

    Figure 1.1: Controls in IT Environment (layers shown in the figure: legal and societal environment; organizational controls; management controls; operational controls; OS security and application controls; database)

    1.4: HISTORY OF INFORMATION SECURITY:

    The history of information security begins with the history of computer security. The need for security was to secure physical locations, hardware and software from outside threats. This began in World War II, when the first mainframes were developed to aid computations for code breaking. The history of information security is discussed below by information security era. [2]

    1.4.1: Information Security Era [1960-1970]:

    In 1967, the United States Department of Defense brought to the attention of researchers the security problems related to the sharing of resources within the department. At that time, systems were being acquired at a rapid rate and the problem of securing them was a pressing concern for both the military and defense contractors.

    The movement towards security that went beyond protecting physical locations began with a single paper sponsored by the Department of Defense, the Rand Report R-609, which attempted to define the multiple controls and mechanisms necessary for the protection of a multilevel computer system. The document was classified for almost ten years and is now referred to as "the paper that started the study of computer security".

    In mid-1969, after the restructuring of the Multiplexed Information and Computing Service (MULTICS) project, MULTICS created and implemented security levels and passwords. Its primary purpose, text processing, did not require the same level of security as that of its predecessor. In fact, it was not until the early 1970s that even the simplest component of security, the password function, was implemented as a component of an operating system.

    1.4.2: Information Security Era [1970-1980]:

    In the late 1970s, the microprocessor brought in a new age of computing. The personal computer, built with this technology, became the workhorse of modern computing, thereby decentralizing the exclusive domain of the data centre. With this decentralization of data, the need for resource sharing increased during the 1980s, driving owners of personal computers to interconnect their machines. This networking ability worked for both mainframes and microcomputers and opened the opportunity for the computing community to make all computing resources work together.

    1.4.3: Information Security Era [1980-1990]:

    This networking resource was made available to the general public in the 1990s, having previously been the domain of government, academia and industry professionals. In the 1990s, networked computers became more common, which increased the need to connect these networks to each other. This gave rise to the Internet, the first global network, at the close of the twentieth century. After the Internet was commercialized, the technology became pervasive, reaching every corner of the globe with an expanding universe of uses.

    1.4.4: Information Security Era [1990-2000]:

    When the Internet first started expanding, the interconnections of millions of networks were based on de facto standards, because industry standards for the interconnection of networks did not exist at that time. These de facto standards did not consider the security of information to be a critical factor, but as these precursor technologies were more widely adopted and became industry standards, some degree of security was introduced. However, early Internet deployment treated security as a low priority. This is why we still face problems with Internet security today. For example, many of the problems that plague e-mail on the Internet today are the result of this early lack of security. Early computing approaches relied on security that was built on the physical environment of the data centre that housed the computers. As networked computers became the dominant style of computing, the ability to physically secure a networked computer was lost and the stored information became more exposed to security threats.

    1.4.5: Information Security Era [2000-Onwards]:

    Today, the Internet has brought millions of unsecured computer networks into communication with each other. The security of each computer's stored information is now contingent on the level of security of every other computer to which it is connected.

    1.5. EVOLUTION OF INFORMATION SECURITY:

    Information security evolved from a concept developed by the computer security industry known as the C.I.A. Triangle. The C.I.A. Triangle has been the industry standard for computer security since the development of the mainframe. [3] This C.I.A. Triangle is shown below. Information security comprises the following three basic characteristics:

    a) Confidentiality: Confidentiality means keeping information safe from being seen (privacy). It refers to how data is collected, used and maintained within an organization. It includes the protection of data from passive attacks and requires that the information is accessible to authorized users only. It ensures that information can only be accessed by those with the proper authorization.

    b) Integrity: In information security, integrity means keeping information from being changed in an unauthorized way. It ensures that data is a proper representation of information, accurate, and in an unimpaired condition. Integrity is violated when an employee accidentally or with malicious intent deletes important data files, when a computer virus infects a computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a web site, when someone is able to cast a very large number of votes in an online poll, and so on. In short, integrity deals with safeguarding the accuracy and completeness of information and the ways in which it is processed.

    c) Availability: For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks. Availability ensures that authorized users have access to information and associated assets whenever required.

    Figure 1.2: CIA Triangle (Source: ISO 17799)

    1.6 COMPONENTS OF INFORMATION SECURITY:

    Information is processed through a specific type of information system. These information systems are decomposed into three main portions, hardware, software and communications, with the purpose of identifying and applying information security industry standards, as mechanisms of protection and prevention, at three levels or layers: physical, personal and organizational. [4]

    1.6.1 The physical level is concerned with physical access to systems, servers, PCs, data centers, etc. holding sensitive information, which is restricted on a business need-to-know basis.

    1.6.2. The personal level deals with user authorization. It depends on the profile and rights assigned to the individual user in order to access confidential information.

    1.6.3. The organizational level is focused on the guidelines and procedures needed to access specific information by the internal and external users of the organization. These guidelines and related procedures are nothing but information security policies. The diagram given below depicts organizational, personal and physical level security to maintain confidentiality, integrity and availability of information.

    Information security involves multiple portions, such as hardware, software and communication, as components of an information system within a security firm. In this field, it is essential to integrate multiple initiatives within a corporate strategy so that each element provides an optimal level of protection. This is where information security management systems come into play: they ensure that all efforts are coordinated in order to achieve optimum security.

    Figure 1.3: Components of Information Security (Source: Wikipedia)

    1.7. INFORMATION SECURITY MANAGEMENT SYSTEM:

    An Information Security Management System (ISMS) provides a systematic approach to managing sensitive information in order to protect it. It encompasses employees, processes and information systems.

    An ISMS is a management system based on a systematic business risk approach. It is a system designed to establish, implement, operate, monitor, review, maintain, and improve information security. It is an organizational approach to information security. [5] It is a documented system certifying that:

    Information assets in an organization are described and secured,

    Information security risks are managed and mitigated,

    Security policies together with their ownerships and guarantees are in place,

    Adherence to security measures is inspected periodically.

    An ISMS can be implemented as a specific information system that deals with a particular business area, or it can be implemented as an all-encompassing system involving the whole organization. In any case, an ISMS usually involves resources spanning from management to the regular employees.

    Figure 1.4: Components of ISMS

    The establishment of an information security policy and the definition of the ISMS scope are more often management and strategic issues, while the risk management process is an everyday operational concern.

    1.7.1 The conceptual framework of ISMS:

    The Information Security Management System (ISO 27001:2005) is defined as that part of the global management system, based on a business risk approach, through which the security of information is established, implemented, analyzed, monitored and improved. This system includes organizational structures, policies, planning activities, practices, processes and resources. Information security should be an integral part of the organization's operating and business culture. The methodological view of developing an ISMS requires covering the 6 steps given below:

    a. Definition of Security Policy,

    b. Definition of ISMS Scope,

    c. Risk Assessment (as part of Risk Management),

    d. Risk Management,

    e. Selection of Appropriate Controls,

    f. Statement of Applicability.

    Although the ISMS is a recurring process as a whole, in most types of organizations steps 1 and 2 recur on a longer cycle than steps 3, 4, 5 and 6. This is mainly because the establishment of a security policy and the definition of the ISMS scope are more often management and strategic issues, while the risk management process is an everyday operational concern.

    Figure 1.5: The steps of the process of developing the ISMS (Source: http://www.enisa.europa.eu)

    1.8: INFORMATION SECURITY POLICY:

    An information security policy is a preventive mechanism for protecting important data and processes. It protects information resources such as data, skilled people, hardware and software, which are considered assets of the organization. It communicates coherent security standards to users, management and technical staff. It is a high-level, organization-wide plan for protecting information.

    Information security is primarily a management problem, not a technical one, as policy obliges personnel to function in a manner that adds to the security of information assets, rather than as a threat to those assets. A policy is a plan or course of action used by an organization to convey instructions from senior-most management to those who make decisions, take actions and perform other duties on behalf of the organization. Policies are organizational laws in that they dictate acceptable and unacceptable behavior within the context of the organization's culture.

    1.8.1 Policy definitions:

    A policy is a high-level statement of enterprise beliefs, goals and objectives and the general means for their attainment for a specified subject area. There are three different forms of policy statements: general program policy, topic-specific policy and system/application-specific policy. [6] The general program policy sets the strategic direction of the enterprise for global behavior and assigns resources for its implementation. This includes topics such as information management, conflict of interest, employee standards of conduct and general security measures. Topic-specific policy addresses specific issues of concern to the organization. This includes e-mail policy, Internet usage policy, physical access policy, system application development and maintenance, and network security policy. System/application-specific policies focus on decisions taken by management to protect a particular application or system. A system/application-specific policy might include controls established for specific systems such as a financial management system, an accounting system, employee appraisal and order inventory.

    Basic requirements of the policies are as follows:

    1. Policies must:

    Be implementable and enforceable.

    Be concise and easy to understand.

    Balance protection with productivity.

    Be updated regularly to reflect the evolution of the organization.

    2. Policies should:

    Have a rationale (reasons why the policy is formulated).

    Describe what is covered by the policies: whom, what, and where.

    Discuss how violations will be handled.

    1.8.2. Security policy:

    A security policy is defined as a high-level statement of organizational beliefs, goals and objectives and the general means for their attainment as related to the protection of organizational assets. A security policy is set at a high level and never states "how" to accomplish the objectives. As the security policy is written at a high level, organizations must develop standards, guidelines and procedures that offer those affected by the policy a means of meeting the business objectives or missions of the organization. The security policy life cycle consists of four phases: a. Secure, b. Monitor, c. Test, d. Improve. This security life cycle is shown below:

    Figure 1.6: Security Cycle (Source: CSI Bangalore)

    a. Secure: This is a statement of policy that defines a security feature or security measure for a specific domain. The policy statement is a statement of management intention, supporting the goals and principles of information security.

    b. Monitor: This phase relates to supervision over the implementation of the policy. All related processes of a policy are observed and watched carefully.

    c. Test: After implementation of a policy, it is checked rigorously at various levels, which can involve procedures for communications, technical tools, audits and review processes.

    d. Improve: This is the last phase of the security cycle, where feedback is taken from all concerned people to find out loopholes and discrepancies in the policy. With this, the policy is further updated with modifications to the existing policy. The improvement made in the last phase is taken up by the first phase, where the policy statement is modified.

    1.8.3 Types of Security Policies:

    Security policies are classified into two broad categories:

    1. Administrative Policies

    2. Technical Policies

    1.8.3.1 Administrative Policies: These policies are related to the people who actually implement the systems. All concerned people who are involved in the design, development, implementation and support functions play a major role in handling administrative policies. These policies are developed for all respective domains of the organization, which together form the organization's system.

    Now the question arises: who should be concerned about administrative policies? Following is a description of the users who are concerned about administrative policies:

    a. Users - the policies will affect them the most.

    b. System personnel - they will be required to implement and support the policies.

    c. Managers - they are concerned about the protection of data and the associated cost of the policy.

    d. Lawyers and auditors - they are concerned about the company's reputation and its responsibility to clients/customers.

    1.8.3.2 Technical Policies: These policies are concerned with all technical aspects such as hardware, software and operating-system-level functioning of the company. For example, they involve system fault tolerance (RAID levels), backup media devices, up and down time for servers, mean time between failures, transaction tracking systems and many more. People who are part of the security organization structure play a major role in implementing these policies.

    The researcher's emphasis is more on administrative policies than technical ones, as administrative policies deal with the employees of the organization. Furthermore, for the study of information security policies, most of the time the technical aspects are not shared with outside people, as a security measure.

    1.8.3.2 A Structure/ framework of Comprehensive security policy:

    Without security policies, an organization has no general security framework. A comprehensive security policy consists of the following structure:

    Policy Statements,

    Procedures to implement policy,

    Procedures to ensure compliance,

    Mechanism for review (audit) and updating of Policy.

    1.8.4 Information Security Policy Structure: [7]

    Objective: Company management must establish a clear direction and support for an enterprise-wide information security program.

    Policy Statement: Information is a company asset and is the property of the company. Company information includes information that is electronically generated, typed, stored or communicated. Information must be protected according to its sensitivity, criticality and value, regardless of the media on which it is stored, the manual or automated systems that process it, or the method by which it is distributed.

    Provision: To ensure that business objectives and customer confidence are maintained, all employees have a responsibility to protect information from unauthorized access, modification, disclosure or destruction, whether accidental or intentional.

    Responsibilities: Senior management and the officers of the company are required to employ internal controls designed to safeguard company assets, including business information. It is a management obligation to ensure that all employees understand and comply with the company security policies and standards as well as all applicable laws and regulations. Employee responsibilities for protecting company information are detailed in the information classification policy.

    Compliance: Company management has the responsibility to manage corporate information, personnel and physical property relevant to business operations, as well as the right to monitor the actual utilization of all corporate assets. Employees who fail to comply with the policies will be considered to be in violation of the company employee standards of conduct and will be subject to appropriate corrective action.

    1.9 INFORMATION SECURITY POLICY STANDARDS:

    1.9.1. Standards:

    These are mandatory activities, actions, rules or regulations designed to provide policies with the support structure and specific direction they require to be meaningful and effective. They are often expensive to administer and therefore should be used judiciously.

    When it comes to implementing codes of practice for information security management, the best point of reference is BS 7799 / ISO 17799, an internationally recognized standard in this field that is widely used for drafting security policies.

    1.9.2 BS 7799/ ISO 17799:

    The goal of BS 7799 / ISO 17799 is to provide a common base for developing organizational security standards and effective security management practice, and to provide confidence in inter-organizational dealings.

  • Chapter 1: Introduction

    A Study of Information Security Policies Page 16

    1.10 DOMAINS OF INFORMATION SECURITY POLICY:

    Information security policies are classified and developed for following different

    domains as per BS7799/ ISO 17799 standards. A Security policy needs to be based on

    the current organization structure and use of technology Current and Future.

    Accordingly the policy can be divided into different sections. A suggested list of

    domains is as follows:

    1. User (Personal) Policy/ Accepted Usage policy.

    2. Data access Policy.

    3. Physical Access Policy.

    4. Internet Access Policy.

    5. E-Mail Policy.

    6. Digital Signature Policy.

    7. Outsourcing Policy.

    8. Software Development and acquisition Policy.

    9. Hardware acquisition Policy.

    10. Network and Telecommunication Security Policy.

    11. Business Continuity Planning and Disaster Recovery Planning (BCP and DRP)

    12. Policy for Security Organization Structure.

The policies under the last of these domains, the security organization structure, set out the purpose and objective of the security policy document. They specify the policy implementation method and the overall structure of the security policies. The objectives common to all domains concern the change in the IT plan brought about by the policy, the risk associated with it, and the policy-based training imparted to the users of the respective domains.

Policies are living documents that must be managed and nurtured, since they constantly change and grow. IT companies are expected to ensure that these policy documents are properly distributed, read, understood, agreed to and managed.

A sample representation of the domains of a security policy is shown in Figure 1.7.


Figure 1.7: A Sample Representation of Domains of Security Policy (Source: CSI Bangalore). The figure shows the policy domains arranged around the Security Organization Structure: Personnel Policy, Physical Security Policy, Hardware Acquisition, Network & Telecom, Software Development & Maintenance, Data Access Policy, Internet Access Policy, E-Mail Policy, Digital Signatures & Encryption, BCP/DRP and Outsourcing Policy.

1.10.1 User Policy (Personnel Policy) / Acceptable Usage Policy:

The policy designed for the user domain governs every individual user's access to the system. This section contains the policy on defining and implementing logical access controls, password selection and maintenance, and the classification of users into user profiles and user groups.

1.10.2 Data Access Policy:

Data access policy is one of the most important domains: it is here that the rights and permissions for accessing information are set on the basis of the user profile. Sharing of resources, virus protection software, mandatory use of licensed software and password protection are the issues associated with this policy.

1.10.3 Physical Access Policy:

Implementing physical access security requires sound organizational policy. The physical access policy directs the users of information assets in the appropriate use of computing resources and information assets, as well as in the protection of their own personal safety in day-to-day operations.


1.10.4 Internet Access Policy:

The Internet is one of the biggest aspects of security, since access to organizational resources is opened up through the Internet and is therefore exposed to attack. This section covers the policies on Internet use and web site controls, restrictions on Internet use, and the availability of a firewall on the organizational network. It also covers security measures such as access to specific sites and the installation of a proxy server and a VPN for private and confidential access.

1.10.5 E-mail Access Policy:

Modern technology is inherently risky, but it is also very productive and efficient; with e-mail, for instance, the value increases with the number of regular users. The e-mail policy addresses the issues related to organizational e-mail accounts, restricted disk usage quotas, access only to the organizational e-mail server, and the auditing of e-mail use.

1.10.6 Software Development and Acquisition Policy:

All policies required for the in-house development of application software and for the purchase of new software are included in this section. It should in particular specify the development methodology, the standards adopted by the organization and the project management methods. The policy sets parameters such as the time frame, performance ratings, the steering committee and the comparative analysis of vendors.

1.10.7 Hardware Acquisition Policy:

This covers the method and process for acquiring hardware and the software required for its installation, excluding application software and system software such as the operating system and utilities. The policy covers performance analysis of vendors, comparative analysis and rating, and the time frame for installation of hardware devices.

1.10.8 Outsourcing Policy:

This indicates the methods by which the organization outsources its information requirements. It also covers the processes for purchasing customized software and for outsourcing information processing subsystems, including non-disclosure agreements with the outsourcing parties and the formalities for signing contracts with them. Training within the company on a specific technology may also form part of the outsourcing policy.

1.10.9 Digital Signature Policy:

Encryption of data is a commonplace method, and various encryption methods and software products are available in the market, so it is necessary to adopt a common policy for encryption and digital signatures. This policy mainly addresses the assignment of keys to different electronic documents together with the respective key algorithms, highly controlled online databases, and end-to-end encryption methods.

1.10.10 Network and Telecommunication Security Policy:

Policies on the use of the network; the type and configuration of the network, intranet and extranet; transmission speed; the firewall; and the types of telecommunication used within the organization are covered in this section. The use of security devices such as a firewall and proxy server, as well as a backup domain controller, is considered for company information security. The application of different RAID levels is also identified.

1.10.11 BCP and DRP:

A detailed business continuity plan and disaster recovery plan is necessary for every unit of the organization. This section covers the primary policy for the development of BCP and DRP. It includes the backup process, the storage media used for backups, the frequency of backups and the related training for DRP.

1.10.12 Policy for Security Organization Structure:

This policy covers the security team and the organization structure, showing the degree of security responsibility from the top to the bottom level of the organization. It also sets out the responsibility of the security team for IS audit, with emphasis on internal and external audit.


1.11 NEED OF THE STUDY:

Information technology (IT) is managed today in leading-edge enterprises, corporations and government sectors to improve organizational performance. Information itself has value, and commerce often involves the exchange of information rather than of tangible goods. Computer-based systems are increasingly used to create, store and transfer information, and computers and information systems change constantly, as does the way organizations conduct business.

In this era of IT most business organizations perform online transactions and deliver value to their customers through them. Any business or government agency that functions within the modern context of connected and responsive services relies on information systems to support these transactions. Even when a transaction is not online, information systems and the data they process enable the creation and movement of goods and services. Protecting data both in transit and at rest is therefore a critical aspect of information security. The value of data motivates attackers to steal, sabotage or corrupt it, and an effective security management program is essential for protecting the integrity and value of organizational information.

Organizations spend hundreds of thousands of dollars and thousands of man-hours to maintain their information systems. Unlike any other aspect of information technology, information security's primary mission is to ensure that systems and their contents remain as intended. Attacks on information systems occur daily, and the need for information security increases as the sophistication of such attacks increases.

The Confederation of Indian Industry (CII) took up this critical issue and organized the IT Security Conference 2005 in Mumbai, at which it released a report on its Information Security Program, based on research conducted across 70 sectors of Indian industry. According to the report, financial data is accorded top priority by 62 percent of respondents when it comes to IT security. On the recent IT security breaches at BPOs in Pune, Dr. Natarajan said, "Though information security measures employed by Indian companies are at par with the best in the world, incidents such as these can occur anywhere." He also insisted that the existence of a continuous security program is a necessity today. Statistics from the study highlight that 38 percent of companies lack an information security policy, 71 percent have no security process certification, and 30 to 35 percent have no business continuity or disaster recovery plan in place.

1.11.1 Industry-wise Degree of Risk to Information Systems:

Risk is any event that could impact a business and prevent it from reaching its corporate goals. Risk is often described by the mathematical formula [8]:

Risk = Threat × Vulnerability × Asset value

Threat is the likelihood that the organization will be exposed to an incident that has an impact on the business. Vulnerability is the point of weakness that a threat can exploit, and the asset is the component that will be affected by a risk. Because the three factors are multiplied, a weakness in an asset that no threat is likely to reach, or a likely threat against an asset of negligible value, contributes little to the overall risk; all three must be present for the risk to be material. The following figure shows the analysis of the degree of exposure to risk by industry sector, specifically for information systems.

Figure 1.8: Degree of Risk to Information Systems (Source: www.callio.com)

The greater the risk to an organization, the more likely the organization is to pay greater attention to the security of its data. Such is the case in the governmental, financial and health-related fields, as shown in the figure above.
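As an added worked example (not code from the thesis or from the cited handbook), the following Python carries the formula through over a small constructed risk register. The factor scales (threat and vulnerability as likelihoods between 0 and 1, asset value on a 1 to 10 scale), the asset names and the figures are assumptions made for illustration only. The example shows why the multiplicative form matters in practice: an exposed, low-value web site outranks a valuable but isolated archive, and a factor of zero removes an item from the ranking entirely, so a mistyped factor is rejected before it can hide or inflate a risk.

```python
from dataclasses import dataclass

# Added example, not code from the thesis. Scales are assumptions:
# threat and vulnerability are likelihoods in [0, 1]; asset value is 1..10.


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: float          # likelihood that the threat materialises, 0.0-1.0
    vulnerability: float   # likelihood that the weakness can be exploited, 0.0-1.0
    asset_value: float     # relative business value, 1-10


def validate(item: RiskItem) -> None:
    """Reject factors outside the assumed scales so a typo cannot mask or inflate risk."""
    if not 0.0 <= item.threat <= 1.0:
        raise ValueError(f"{item.asset}: threat {item.threat} outside [0, 1]")
    if not 0.0 <= item.vulnerability <= 1.0:
        raise ValueError(f"{item.asset}: vulnerability {item.vulnerability} outside [0, 1]")
    if not 1.0 <= item.asset_value <= 10.0:
        raise ValueError(f"{item.asset}: asset value {item.asset_value} outside [1, 10]")


def risk_score(item: RiskItem) -> float:
    """Risk = Threat x Vulnerability x Asset value, rounded to hide float noise."""
    validate(item)
    return round(item.threat * item.vulnerability * item.asset_value, 4)


def rank_risks(register):
    """Return (asset, score) pairs, highest risk first."""
    scored = [(item.asset, risk_score(item)) for item in register]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def risks_above(register, threshold):
    """Assets whose score reaches the threshold: the ones that justify spending on controls first."""
    return [asset for asset, score in rank_risks(register) if score >= threshold]


# Constructed register for illustration; none of these are real systems.
REGISTER = [
    RiskItem("customer financial database", threat=0.6, vulnerability=0.5, asset_value=10),
    RiskItem("public marketing web site", threat=0.9, vulnerability=0.8, asset_value=2),
    RiskItem("air-gapped backup archive", threat=0.05, vulnerability=0.9, asset_value=9),
    RiskItem("fully patched legacy HR app", threat=0.4, vulnerability=0.0, asset_value=7),
]

if __name__ == "__main__":
    for asset, score in rank_risks(REGISTER):
        print(f"{score:6.3f}  {asset}")
```

The ranking places the financial database first (3.0) and the marketing site second (1.44) even though the archive holds far more valuable data (0.405), because the archive's threat likelihood is low; the patched HR application scores 0 because its vulnerability factor is 0. Ordinal scales (e.g. 1 to 5) can be substituted for the likelihoods, but the ranking only stays meaningful if every item in the register uses the same scales, which is what the validation enforces.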


An organization purchases the intellectual property (IP) of other organizations and abides by the licensing agreement for its fair and responsible use. The most common IP breach is the unlawful use or duplication of software-based intellectual property, known as software piracy. Software is typically licensed to a single designated user in the organization; when a licence is granted per user and the licensed copy is duplicated for multiple users, the copyright is violated. Software publishers use several control mechanisms to prevent copyright infringement; still, a BSA survey in July 2004 revealed that as much as a third of all software in use globally is pirated.

Forces of nature have a very high impact on IT companies and are addressed through business continuity planning (BCP) and disaster recovery planning (DRP). They are among the most dangerous threats because they usually occur without warning. These threats include events such as fire, flood, earthquake, lightning, volcanic eruption and insect infestation, which can disrupt not only the lives of individuals but also the storage, transmission and use of information.

1.11.2 Threats to Information Security:

In the context of information security, a threat is an object, person or other entity that represents a constant danger to an asset of the organization. Threats can be classified as internal and external. Internal threats are usually associated with employees of the organization who are involved in its business processes, while external threats arise from the external environment, such as competitors in the market. Acts of human error or failure, compromises to intellectual property [9], acts of information extortion and the use of pirated software fall in the category of internal threats, while deliberate acts of espionage or trespass, viruses, denial-of-service attacks, forces of nature, hacking, cyber fraud and e-mail spoofing correspond to external threats. The following figure shows the classification of internal and external threats.

To make sound decisions about information security, management must be informed about the various threats facing the organization, its people, applications, data and information systems.


    Figure 1.9: Information Security in an Organization

One of the greatest threats to an organization's information security is the organization's own employees. Employees are the threat agents closest to the organizational data. Because employees use data in their everyday activities to conduct the organization's business, their mistakes represent a serious threat to the confidentiality, integrity and availability of data. Such mistakes can lead to the entry of erroneous data, the accidental deletion or modification of data, and the storage of data in unprotected areas such as desktops and web sites. One person's carelessness can create a vulnerability through which the organization may suffer a major business loss. Much human error or failure can be prevented with training and ongoing awareness activities, and also with controls ranging from simple to complex procedures.

Nowadays viruses are the most common threat to information systems. A computer virus consists of segments of code that perform malicious actions. This code attaches itself to an existing program and takes over that program's access to the targeted computer. At the opening of the twenty-first century the most common method of virus transmission is via e-mail attachments, and e-mail programs prove to be fertile ground for computer viruses unless they are suitably controlled.

In general, as the organizational network grows to accommodate changing needs, more robust technology solutions may be needed to replace security programs the organization has outgrown.


Today's organizations are under immense pressure to acquire and operate integrated, efficient and capable applications. The modern organization needs to create an environment that safeguards the applications using the organization's IT systems, particularly those applications that serve as important elements of the organization's infrastructure.

To address information security needs, each of the organization's communities of interest must address information security in terms of business impact and the cost of business interruption, rather than treating security as a purely technical problem. Managing information security has more to do with policy and its enforcement than with the technology of its implementation. [10]

The researcher therefore identifies the domains of information security policy and studies their implementation by IT companies in order to find out whether the risk from threats is reduced.


1.12 ABSTRACT OF THESIS AND CHAPTERISATION:

1.12.1 ABSTRACT OF THESIS (Scope of Research):

The scope of the research is restricted to Pune city and its zone. The research was carried out to study the status of information security policies in selected IT companies in Pune city. The 45 IT companies include software, BPO and hardware companies. The major parameters studied are training, implementation, best practices, IT plan and risk management.

1.12.2 CHAPTERISATION:

The study is organized into the following five chapters, excluding the Appendix.

1.12.2.1 INTRODUCTION:

This chapter gives a brief introduction to information security policies: their definition, need, objectives and scope. It highlights major IT security breaches that have happened recently, and describes the different types of controls necessary to address such breaches as applicable to the organization. The chapter gives broad coverage to basic concepts such as the history, evolution and components of information security; information security policy and the policy development life cycle; risks and threats to information systems security; information security management systems; documentation and framework of the policy; classification of security policies; domains of security policies; and information security policy standards such as ISO 17799 and BS 7799.

1.12.2.2 LITERATURE SURVEY:

This chapter summarizes the information collected from various sources in the form of secondary data. The information was gathered from reference books, periodicals and journals, and many web sites. It includes guidelines for effective information security management, an overview of the security principles underlying laws and policies, and the relation between policies, standards and practices. Security policy infrastructure, the policy design life cycle and the policy design process are discussed in detail from the point of view of formulating a questionnaire. A sample structure of a policy, and the policy representation for three domains, are also given in this chapter. In some cases the researcher also collected information by attending workshops and seminars organized by the Computer Society of India (CSI) and ISACA, Pune Chapter.

1.12.2.3 RESEARCH METHODOLOGY:

This chapter describes the sampling unit, the sampling plan and the sample size, and briefly explains why and how the sample size was selected. The sampling procedure, which is mainly based on random sampling, is also described. The chapter covers the sources of primary and secondary data and discusses the objectives and hypotheses of the research. All phases of the research design, namely the sampling design, observational design, statistical design and operational design, are described. The collection of data through the questionnaire is elaborated in detail as it was conducted by the researcher, and the characteristics of the collected data are described. The statistical tools and techniques needed for hypothesis testing are explained under the operational design.

1.12.2.4 DATA ANALYSIS:

This is the most important chapter of the research. It describes the steps involved in data analysis, beginning with data processing, which requires editing, coding and classification of the collected data. The analysis of all domain-related questions is made first. The emphasis of the chapter is on hypothesis testing using the chi-square test, with simple Excel analysis where comparison is not required. SPSS 11.0 is used to analyse the data and to present cross-tabulations for hypothesis testing. Hypotheses are tested for the group of all IT companies together, and segment-wise testing is also performed to compare the status of software, BPO and hardware companies. Tables, graphs and charts are also shown in this chapter for the interpretation of data and hypothesis testing.


1.12.2.5 CONCLUSION AND FINDINGS:

This chapter summarizes the entire thesis. It presents the conclusions derived from the data analysis used to test the hypotheses, together with the expected outcomes and findings, conclusions and suggestions. It also gives a brief account of the limitations faced by the researcher while conducting the study and offers insight for further research work.


1.13 REFERENCES:

1. Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, Second Edition, 2007, Thomson Course Technology, India Edition, pp. 198-199.

2. Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, Second Edition, 2007, Thomson Course Technology, India Edition, pp. 5-7.

3. Jacquelin Bisson and René Saint-Germain, "The BS 7799/ISO 17799 Standard for a better approach to Information Security", posted 15 June 2004 on www.callio.com, retrieved 18 December 2006.

4. http://en.wikipedia.org/wiki/File:CIAJMK1209.png, retrieved 30 May 2009.

5. Harold F. Tipton and Micki Krause, Information Security Management Handbook, 6th Edition, Volume 2, 2008, Auerbach Publications, Taylor & Francis Group, Boca Raton, New York, pp. 15-16.

6. Thomas R. Peltier, Information Security Policies, Procedures and Standards: Guidelines for Effective Information Security Management, Auerbach Publications, 2002, p. 29.

7. Thomas R. Peltier, Information Security Policies, Procedures and Standards: Guidelines for Effective Information Security Management, Auerbach Publications, 2002, Exhibit 2, pp. 177-178.

8. Harold F. Tipton and Micki Krause, Information Security Management Handbook, 5th Edition, 2004, Auerbach Publications, Taylor & Francis Group, Boca Raton, New York, p. 751.

9. Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, Second Edition, 2007, Thomson Course Technology, India Edition, p. 39.

10. Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, Second Edition, 2007, Thomson Course Technology, India Edition, p. 37.