CHAPTER 1
INTRODUCTION
1.1 INTRODUCTION:
Information security has always been a major challenge for most IT companies. To ensure business continuity, the security of corporate information is extremely important. The basic reason is that information is an asset which, like other important business assets, is of value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to gain strategic advantage, ensure business continuity, minimize business losses and maximize return on investments and business opportunities.
Previous studies have shown that corporate information is vulnerable to security attacks. This research study intends to investigate the implementation of information security policies (ISP) by IT companies across different domains, in order to protect the assets of the organization and to minimize business losses. The domains are the areas of concentration on which security needs to be focused, and different information security policies are developed for each domain.
1.2 INFORMATION:
Information is processed data that has been converted into a specific form which gives it some definite meaning. It is a collection of facts organized in such a way that it has additional value beyond the facts themselves. Information can be stored in an organized form, as a set of data that generates a specific meaning. Information possesses many characteristics such as accuracy, portability, comprehensiveness, pertinence, currency, value, timely availability, meaningfulness and so on. The value of information comes from the characteristics it possesses. When a characteristic of information changes, the value of that information either increases or, more commonly, decreases. The value of information matters more to some users than to others. Timeliness of information is a critical factor, because information loses its value after its validity period is over or
A Study of Information Security Policies
Page 1
Chapter 1: Introduction
it is delivered late. Though information security professionals and end users share the same understanding of the characteristics of information, tensions can arise when the need to secure the integrity of information from threats conflicts with the end users' need for unhindered access to the information.
We live in an information economy. Information itself has value, and commerce often involves the exchange of information rather than tangible goods. Computer-based systems are increasingly used to create, store and transfer information. Information can be available in many different forms. It can exist printed or written on paper, stored electronically, transmitted by post or by electronic means, shown on film, or spoken in conversation. Whatever form the information takes, and whatever the means by which it is shared or stored, it should always be appropriately protected. As information can take many forms, the methods of securing it are equally varied.
1.3.1 Control:
A control is a system that prevents, detects or corrects unlawful events. A system is a set of interrelated components that function together to achieve an objective. An unlawful event can arise if unauthorized, inaccurate, incomplete, redundant, ineffective or inefficient input enters the system. For an organization, controls are broadly classified into three types: managerial controls, operational controls and technical controls. [1]
Figure 1.1: Controls in IT Environment (diagram not reproduced; labelled elements: Management controls, Organizational controls, Operational controls, OS Security and Application Controls, Database, Legal and societal environment)
ten years and is now referred to as "the paper that started the study of computer security".
In mid-1969, after restructuring of the Multiplexed Information and Computing Service (MULTICS) project, MULTICS created and implemented security levels and passwords. Its primary purpose, text processing, did not require the same level of security as that of its predecessor. In fact, it was not until the early 1970s that even the simplest component of security, the password function, was implemented as a component of the operating system.
1.4.2: Information Security Era [1970-1980]:
In the late 1970s, the microprocessor brought in a new age of computing. The personal computer, built with this technology, became the workhorse of modern computing, thereby decentralizing what had been the exclusive domain of the data centre. With this decentralization of data, the need for resource sharing increased during the 1980s, driving owners of personal computers to interconnect their machines. This networking ability worked for both mainframes and microcomputers and opened the opportunity for the computing community to make all computing resources work together.
1.4.3: Information Security Era [1980-1990]:
This networking resource was made available to the general public in the 1990s, having previously been the domain of Government, academia and industry professionals. In the 1990s, networked computers became more common, which increased the need to connect these networks to each other. This gave rise to the Internet, the first global network, at the close of the twentieth century. After the Internet was commercialized, the technology became pervasive, reaching every corner of the globe with an expanding universe of uses.
1.4.4: Information Security Era [1990-2000]:
At the beginning, when the Internet started expanding, the interconnections of millions of networks were based on de facto standards, because industry standards for the interconnection of networks did not exist at that time. These de facto standards did not consider the security of information to be a critical factor, but as these precursor technologies were more widely adopted and became industry standards, some degree of security was introduced. However, early Internet deployment treated security as a low priority. This is the reason why we still face problems with Internet security today. For example, many of the problems that plague e-mail on the Internet today are the result of this early lack of security. Early computing approaches relied on security that was built on the physical environment of the data centre that housed the computers. As networked computers became the dominant style of computing, the ability to physically secure a networked computer was lost, and the stored information became more exposed to security threats.
1.4.5: Information Security Era [2000-Onwards]:
Today, the Internet has brought millions of unsecured computer networks into communication with each other. The security of each computer's stored information is now contingent on the level of security of every other computer to which it is connected.
1.5. EVOLUTION OF INFORMATION SECURITY:
Information security evolved from a concept developed by the computer security industry known as the C.I.A. Triangle. The C.I.A. Triangle has been the industry standard for computer security since the development of the mainframe.
[3]
someone is able to cast a very large number of votes in an online poll, and so on. In short, integrity deals with safeguarding the accuracy and completeness of information and the ways in which it is processed.
c) Availability: For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High-availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures and system upgrades. Ensuring availability also involves preventing denial-of-service attacks. Availability ensures that authorized users have access to information and associated assets whenever required.
1.6.2. The personal level deals with user authorization. It depends on the profile and rights assigned to the individual user in order to access confidential information.
1.6.3. The organizational level is focused on the guidelines and procedures needed for internal and external users of the organization to access specific information. These guidelines and related procedures are nothing but information security policies. The diagram given below depicts organizational, personal and physical level security to maintain the confidentiality, integrity and availability of information.
Information security involves multiple components such as hardware, software and communication, which together make up the information system within a firm. In this field, it is essential to integrate multiple initiatives within a corporate strategy so that each element provides an optimal level of protection. This is where information security management systems come into play: they ensure that all efforts are coordinated in order to achieve optimum security.
an organizational approach to information security. [5] It is a documented system certifying that:
Security policies, together with their ownership and guarantees, are in place,
methodological view of developing an ISMS necessitates covering the six steps given below:
a. Definition of Security Policy,
b. Definition of ISMS Scope,
c. Risk Assessment (as part of Risk Management),
d. Risk Management,
e. Selection of Appropriate Controls,
f. Statement of Applicability.
Although the ISMS is a recurring process as a whole, in most types of organizations steps 1 and 2 recur on a longer cycle than steps 3, 4, 5 and 6. This is mainly because the establishment of a security policy and the definition of the ISMS scope are more often management and strategic issues, while the Risk Management process is an everyday operational concern.
1.8: INFORMATION SECURITY POLICY:
An information security policy is a preventive mechanism for protecting important data and processes. It protects information resources such as data, skilled people, hardware and software, which are considered assets of the organization. It communicates coherent security standards to users, management and technical staff. It is a high-level, organization-wide plan for protecting information.
Information security is primarily a management problem, not a technical one, as policy obliges personnel to function in a manner that adds to the security of information assets rather than acting as a threat to those assets. A policy is a plan or course of action used by an organization to convey instructions from senior-most management to those who make decisions, take actions and perform other duties on behalf of the organization. Policies are organizational laws in that they dictate acceptable and unacceptable behavior within the context of the organization's culture.
[6]
policy sets the strategic direction of the enterprise for global behavior and assigns resources for its implementation. This includes topics such as information management, conflict of interest, employee standards of conduct and general security measures. A topic-specific policy addresses specific issues of concern to the organization. This includes e-mail policy, Internet usage policy, physical access policy, system and application development and maintenance policy, and network security policy. System/application-specific policies focus on decisions taken by management to protect a particular application or system. A system/application-specific policy might include controls established for specific systems such as the financial management system, accounting system, employee appraisal system and order inventory system.
Basic requirements of the policies are as follows:
1. Policies must:
Be implementable and enforceable.
Be concise and easy to understand.
Balance protection with productivity.
Be updated regularly to reflect the evolution of the organization.
2. Policies should:
Have a rationale (the reasons why the policy is formulated).
Describe what is covered by the policies: whom, what, and where.
Discuss how violations will be handled.
a. Secure: This is a statement of policy that defines a security feature or security measure for a specific domain. The policy statement expresses management intention, supporting the goals and principles of information security.
b. Monitor: This phase relates to supervision over the implementation of the policy. All processes related to a policy are observed and watched carefully.
c. Test: After implementation of a policy, it is checked rigorously at various levels, which can involve procedures for communications, technical tools, audits and review processes.
d. Improve: This is the last phase of the security cycle, where feedback is taken from all concerned people to find out loopholes and discrepancies in the policy. With this, the policy is further updated with some modification to the existing policy. The improvement made in this last phase is taken up by the first phase, where the policy statement is modified.
1.8.3 Types of Security Policies:
Security policies are classified into two broad categories:
1. Administrative Policies
2. Technical Policies
1.8.3.1 Administrative Policies: These policies are related to the people who actually implement the systems. All concerned people who are involved in design, development, implementation and support functions play a major role in handling administrative policies.
These policies are developed for all respective domains of the organization, which together form the organization's system.
Now the question arises: who should be concerned about administrative policies? Following is a description of the users who are concerned about administrative policies.
a. Users - policies will affect them the most.
b. System personnel - they will be required to implement and support the policies.
c. Managers - they are concerned about the protection of data and the associated cost of the policy.
d. Lawyers and auditors - they are concerned about company reputation and responsibility to clients/customers.
1.8.3.2 Technical Policies: These policies are concerned with all technical aspects such as hardware, software and operating-system-level functioning of the company. For example, they involve system fault tolerance (RAID levels), backup media devices, server up and down time, mean time between failures, transaction tracking systems and many more. People who are part of the security organization structure play a major role in implementing these policies.
The researcher's emphasis is more on administrative policies than technical ones, as administrative policies deal with the employees of the organization. Furthermore, for the study of information security policies, technical aspects are most of the time not shared with outside people as part of the security measures.
1.8.3.2 A Structure/Framework of a Comprehensive Security Policy:
Without security policies, an organization has no general security framework. A comprehensive security policy consists of the following structure:
Policy Statements,
authorized access, modification, disclosure or destruction whether accidental
or intentional.
Responsibilities:
Senior management and the officers of the company are required to employ
internal controls designed to safeguard company assets, including business
information. It is a management obligation to ensure that all employees
understand and comply with the Company Security policies and standards as
well as all applicable laws and regulations.
Employee responsibilities for protecting the company information are detailed
in the information classification policy.
Compliance:
5. E-Mail Policy.
6. Digital Signature Policy.
7. Outsourcing Policy.
8. Software Development and acquisition Policy.
9. Hardware acquisition Policy.
10. Network and Telecommunication Security Policy.
11. Business Continuity Planning and Disaster Recovery Planning (BCP and DRP)
12. Policy for Security Organization Structure.
Policies under this domain include the purpose and objective of the security policy document. It specifies the policy implementation method and the overall structure of the security policies. The common objectives for all the domains concern the change in the IT plan brought about by the policy, the associated risk, and the policy-based training imparted to users of the respective domains.
Policies are living documents that must be managed and nurtured as they constantly change and grow. It is expected of IT companies that these policy documents be properly distributed, read, understood, agreed to and managed.
(Figure not reproduced; labelled policy domains: Internet Access Policy, Personnel Policy, Data Access Policy, E-Mail Policy, Security Organization Structure, Physical Security Policy, Software Development & Maintenance, Outsourcing Policy, BCP/DRP, Hardware Acquisition, Network & Telecom, Digital Signatures & Encryption)
outsourcing of information processing subsystems. It also includes non-disclosure agreements with the outsourcing parties and formalities for signing contracts with outsourcing people. Training within the company for a specific technology could again be part of the outsourcing policy.
to represent the degree of security from the top to the bottom level of the organization. It also involves the responsibility of the security team in terms of IS audit, with emphasis on internal and external audit.
1.11 NEED OF THE STUDY:
Information Technology (IT) is being managed today in leading-edge enterprises, corporate and Government sectors to improve organizational performance. Information itself has value, and commerce often involves the exchange of information rather than tangible goods. Computer-based systems are increasingly used to create, store and transfer information. Computers and information systems are constantly changing the way organizations conduct business.
In this era of IT, most business organizations perform online transactions and deliver value to their customers. Any business or government agency that functions within the modern context of connected and responsive services relies on information systems to support these transactions. Even if a transaction is not online, information systems and the data they process enable the creation and movement of goods and services. Therefore, protecting data both in transit and stored at one location are critical aspects of information security. The value of data motivates attackers to steal, sabotage or corrupt it. An effective security management program is essential for the protection of the integrity and value of organizational information.
Organizations spend hundreds of thousands of dollars and expend thousands of man-hours to maintain their information systems. Unlike any other aspect of information technology, information security's primary mission is to ensure that systems and their contents remain the same. Attacks on information systems are occurring daily, and the need for information security increases as the sophistication of such attacks increases.
The Confederation of Indian Industry (CII) took up this critical issue and organized the IT Security Conference 2005 at Mumbai, where it released a report on the Information Security Program based on research conducted across 70 sectors of Indian industry. According to the report, financial data is accorded top priority by 62 percent of the respondents when it comes to IT security. On the recent IT security breaches at BPOs in Pune, Dr. Natarajan said, "Though information security measures employed by Indian companies are at par with the best in the world, incidents such as these can occur anywhere." He also insisted that the existence of a continuous security program is a necessity today. Statistics from the study highlight that 38 percent of companies lack an information security policy, 71 percent have no security process certification, and 30 to 35 percent have no business continuity or disaster recovery plan in place.
1.11.1. Industry-wise Degree of Risk to Information Systems:
Risk is any event that could impact a business and prevent it from reaching its corporate goals. Risk is often described by a mathematical formula [8]:
A threat is the likelihood that the corporation will be exposed to an incident that has an impact on the business. A vulnerability is the point of weakness that a threat can exploit, and an asset is the component that will be affected by a risk. The following figure shows the analysis of the degree of exposure to risk according to industry sector, specifically for information systems.
An organization purchases the IP (Intellectual Property) of other organizations and abides by the licensing agreement for its fair and responsible use. The most common IP breach is the unlawful use or duplication of software-based intellectual property, which is known as software piracy. Software is licensed to a single designated user of the organization. A software license is based on per-user access, and if the licensed copy is copied for multiple users, this results in a violation of the copyright. Software publishers use several control mechanisms to prevent copyright infringement. Still, a BSA survey in July 2004 revealed that as much as a third of all software in use globally is pirated.
Forces of nature have a very high impact on IT companies, which relates to business continuity planning (BCP) and disaster recovery planning (DRP). These are the most dangerous threats, as they usually occur without prior warning. These threats include events such as fire, flood, earthquake, lightning, volcanic eruption and insect infestation, which can disrupt not only the lives of individuals but also the storage, transmission and use of information.
1.11.2: Threats to Information Security:
In the context of information security, a threat is an object, person or other entity that represents a constant danger to an asset of the organization. These threats can be classified as internal and external threats. Internal threats are usually associated with employees of the organization who are involved in the business processes, while external threats arise from the external environment, such as competitors in the market. Acts of human error or failure, compromises to intellectual property [9], acts of information extortion and use of pirated software fall in the category of internal threats, while deliberate acts of espionage or trespass, viruses or denial-of-service attacks, forces of nature, hacking, cyber frauds and e-mail spoofing correspond to external threats. The following figure shows a clear classification between internal and external threats.
To make sound decisions about information security, management must be informed about the various threats facing the organization, its people, applications, data and information systems.
Figure 1.9:
Today's organizations are under immense pressure to acquire and operate integrated, efficient and capable applications. The modern organization needs to create an environment that safeguards applications using the organization's IT systems, particularly those applications that serve as important elements of the infrastructure of the organization.
To address information security needs, each of the organization's communities of interest must address information security in terms of business impact and the cost of business interruption, rather than focusing on security as a technical problem. Managing information security has more to do with policy and its enforcement than with the technology of its implementation. [10]
Therefore, the researcher is identifying the domains of information security policy and their implementation by IT companies in order to find out the reduction in the risk of threats.
1.12 ABSTRACT OF THESIS AND CHAPTERISATION:
1.12.1 ABSTRACT OF THESIS (Scope of research)
The scope of the research is restricted to Pune city or zone. The research is carried out to study the status of information security policies in selected IT companies in Pune city. The 45 IT companies include software, BPO and hardware companies. The major parameters studied are training, implementation, best practices, IT plan and risk management.
1.12.2. CHAPTERISATION:
The study is classified into the following five chapters, excluding the Appendix.
1.12.2.1. INTRODUCTION:
This chapter gives a brief introduction to information security policies: their definition, need, objective and scope. It highlights major issues related to IT security breaches which have recently happened. Different types of controls necessary to address these IT security breaches are also described as applicable to the organization. This chapter gives broad coverage to basic concepts such as the history and evolution and the components of information security, information security policy, the policy development life cycle, risk and threats to information systems security, information security management systems,
of formulating a questionnaire. The sample structure of a policy and the policy representation for three domains are also given in this chapter. In some cases the researcher has also collected information by attending workshops and seminars organized by the Computer Society of India (CSI) and ISACA, Pune Chapter.
1.12.2.3. RESEARCH METHODOLOGY:
This chapter includes information about the sampling unit, sampling plan and sample size. It further covers brief information about why and how the sample size was selected. The sampling procedure is also described, which is mainly based on the random sampling method. This chapter also covers the sources of primary and secondary data. The objectives and hypotheses of the research are discussed in this chapter. The entire set of research design phases, such as sampling design, observational design, statistical design and operational design, is described in this chapter. Collection of data through the questionnaire is elaborated in detail as it was conducted by the researcher. Various characteristics of the collected data are also elaborated. The statistical tools and techniques needed for hypothesis testing are explained under operational design.
1.12.2.4. DATA ANALYSIS:
This is the most important chapter of the research. It provides information about the steps involved in data analysis, which begins with data processing. Data processing requires editing, coding and classification of the collected data. Analysis of all domain-related questions is made first. The emphasis of the chapter is on hypothesis testing using the chi-square test, and on simple Excel analysis where comparison is not required. SPSS software 11.0 is used for analyzing the data and representing it as cross-tabulations in the case of hypothesis testing. Hypotheses are tested for the group of all IT companies together, and segment-wise testing is also performed to know the status among software, BPO and hardware companies. Tables, graphs and charts are also shown in this chapter for the interpretation of data and hypothesis testing.
1.13 REFERENCES:
1. Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, Second Edition, 2007, Thomson Technology, India Edition, pp. 198-199.
6. Thomas R. Peltier, Information Security Policies, Procedures and Standards: Guidelines for Effective Information Security Management, Auerbach Publications, 2002, p. 29.
7. Thomas R. Peltier, Information Security Policies, Procedures and Standards: Guidelines for Effective Information Security Management, Auerbach Publications, 2002, Exhibit 2, pp. 177-178.
8. Harold F. Tipton and Micki Krause, Information Security Management Handbook, 5th Edition, 2004, Auerbach Publications, Taylor & Francis Group, Boca Raton, New York, p. 751.