You are on page 1of 29

Chapter 1: Introduction



Information security has always been a major challenge to most IT companies. To
ensure business continuity, the security of corporate information is extremely
important. The basic reason is information is an asset which, like other important
business assets, is of value to an organization and consequently needs to be suitably
protected. Information security protects information from a wide range of threats in
order to get strategic advantage to ensure business continuity, minimize business
losses and maximize return on investments and business opportunities.
Previous studies have shown that corporate information is vulnerable to security
attacks. This research study intends to investigate the implementation of information
security policies (ISP) by IT companies based on different domains, in order to
protect assets of the organization and to minimize business losses. The domains are
the areas of concentration where security needs to be focused and different
information security policies are developed for the domains.

Information is a processed data, which is converted to specific form that gives some
definite meaning. It is collection of facts organized in such a way that it has additional
value beyond the facts. Information can be properly stored in organized form, for set
of data which generates specific meaning. Information itself possesses many
characteristics such as accuracy, portability, comprehensiveness, pertinence, currency,
valuably, timely availability, meaningfulness and so on. The value of information
comes from the characteristics it possesses. When characteristic of information
changes, the value of that information either increases or more commonly decreases.
The value of information affects more to the users than the others do. Timeliness of
information is a critical factor because it loses its value after validity period is over or
A Study of Information Security Policies

Page 1

Chapter 1: Introduction
delivered late. Though information security professionals and end users share the
same understanding of characteristics of information, tensions can arise when the
need to secure integrity of information from threats conflict with the end-users need
for unhindered access to the information.
We live in an Information economy. Information itself has value and commerce often
involves the exchange of information rather than the tangible goods. Systems based
on computers are increasingly used to create, store and transfer information.
Information can be available in many different forms. It can be existed in printed or
written on paper format, stored electronically, transmitted by post or using electronic
means, shown on films, or spoken in conversation. Whatever forms the information
takes, whatever the means by which it is shared or stored, it should always be
appropriately protected. As Information can take many forms, hence methods of
securing information are various.


Information security means protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification or destruction.
Information security as defined by standards published by the committee on National
Security System is the protection of information and its critical elements, including
the systems and hardware that use, store and transmit that information.
Information security is achieved by implementing a suitable set of controls which
could be policies, practices, procedures, organizational structures and software
functions. These controls need to be established in order to ensure that the specific
security objectives of the organizations are met.

1.3.1 Control:
It is a system that prevents, detects or corrects unlawful events. System is a set of
interrelated components that functions together to achieve the objectives. An unlawful
event can arise if unauthorized, inaccurate, incomplete, redundant, ineffective or
inefficient input enters the system. For an organization Controls are broadly classified

A Study of Information Security Policies

Page 2

Chapter 1: Introduction
into three types such as Managerial control, operational control and technical
control. [1]

1.3.2 Managerial controls:

This controls cover security processes that are designed by strategic planner and
implemented by the security administration of organization. Management control
addresses the design and implementation of the security planning process and security
program management. Management controls also address risk management and
security control reviews and it further describe the necessity and scope of legal
compliances and maintenance of entire security life cycle.

1.3.3 Operational controls:

These controls are concerned with the operational functionality of security in the
organization. It includes lower level planning such as disaster recovery and incident
response planning. It also includes personal and physical security as well as protection
of production input and output. It provides guidance for development of education,
training and awareness programs for users, administrators and management. In
addition to this, it also addresses hardware and software system maintenance and
integrity of data.

1.3.4 Technical controls:

Technical control addresses the tactical and technical issues related to designing and
implementing security in the organization. They also handle the issues related to
examining and selecting the technologies appropriate to protecting information.
Technical controls addresses specific technology selection and acquisition of certain
technical components. Logical access controls such as identification, authorization,
authentication and accountability are part of these technical controls. Technical
controls also address the development and implementation of audit trails for
accountability. Cryptography for message encryption and decryption also deals with
technical controls. Rights assigned to the users based on his or her profile is also
included in technical controls. These three sets of controls cover entire spectrum of
safeguard for IT organizations.

A Study of Information Security Policies

Page 3

Chapter 1: Introduction
OS Security and
Application Controls


Legal and

Controls in IT Environment
Figure 1.1: Controls in IT Environment


The history of information security begins with the history of computer security. The
need for security is to secure physical locations, hardware and software from outside
threats. This began in the World War II when the first mainframes developed to aid
computations for code breaking. History of information security is discussed below as
per Information Security Era. [2]
1.4.1: Information Security Era [1960-1970]:
In 1967, Department of Defense, United States, brought to the attention of researchers
about the security related to sharing of resources within the department. At that time,
systems were being acquired at a rapid rate and the problem of securing them was a
pressing concern for both the military and defense contractors.
The movement towards security that went beyond protecting physical locations began
with a single paper sponsored by the Department of Defense, the Rand Report R-609,
which attempted to define the multiple controls and mechanism necessary for the
protection of a multilevel computer system. The document was classified for almost

A Study of Information Security Policies

Page 4

Chapter 1: Introduction
ten years and is now referred to as ``the paper that started the study of computer
In mid of 1969, after restructuring of Multiplexed Information and Computing Service
(MULTICS) projects, MULTICS created and implemented security levels and
passwords. Its primary purpose, text processing did not require the same level of
security as that of its predecessor. In fact, it was not until the early 1970s that even the
simplest component of security, the password function, was implemented as a
component of operating system.
1.4.2: Information Security Era [1970-1980]:
In the late 1970s, the microprocessors brought in a new age of computing. The
personal computer, built with this computer technology became the workhorse of
modern computing, thereby decentralizing the exclusive domain of data centre. With
this decentralization of data, the need for resource-sharing increased during 1980s,
driving owners of personal computers to interconnect their machines. This networking
ability worked for both mainframe and microcomputers and open the opportunity for
computing community to make all computing resources work together.
1.4.3: Information Security Era [1980-1990]:
This networking resource was made available to the general public in the 1990s,
having previously been the domain of Government, academia and Industry
professionals. In 1990s, network computers became more common as it increased the
need to connect these networks to each other. This gave rise to the Internet, the first
Global network at the close of twentieth century. After the Internet was
commercialized, the technology became pervasive, reaching every corner of globe
with expanding universe of uses.
1.4.4: Information Security Era [1990-2000]:
At the beginning when Internet started expanding, the interconnections of millions of
networks were based on de facto standards, because industry standards for
interconnection of networks did not exist at that time. These de facto standards did not
consider the security of information to be a critical factor, but as these precursor
technologies were more widely adopted and became industry standards, some degree
A Study of Information Security Policies

Page 5

Chapter 1: Introduction
of security was introduced. However early Internet deployment treated security as a
low priority. This is the reason why today also we are facing the problems with
Internet security. For example, many of the problems that plague e-mail on the
Internet today are the result of this early lack of security. Early computing approaches
relied on security that was built on the physical environment of the data centre that
housed the computers. As network computers became the dominant style of
computing, the ability to physically secure a networked computer was lost and the
stored information became more exposed to security threats.
1.4.5: Information Security Era [2000-Onwards]:
Today, the Internet has brought millions of unsecured computer networks into
communication with each other. The security of each computer`s stored information is
now contingent on the level of security of every other computer to which it is
Information security evolved from a concept developed by computer security industry
known as C.I.A. Triangle. The C.I.A. Triangle has been the industry standard for
computer security since the development of mainframe.


This C.I.A. Triangle is

shown below. Information security comprises of following three basic characteristics

which are discussed below:
a) Confidentiality: Confidentiality means keeping information safe from being seen
(privacy). It refers to how data is being collected, used and maintained within an
organization. It includes the protection of data from passive attacks and requires that
the information is accessible to authorized users only. It ensures that information can
only be accessed by those with the proper authorization.
b) Integrity: In information security, integrity means keeping information from being
changed in an unauthorized way. It ensures that data is a proper representation of
information, accurate, and in an unimpaired condition. Integrity is violated when an
employee accidentally or with malicious intent deletes important data files, when
a computer virus infects a computer, when an employee is able to modify his own
salary in a payroll database, when an unauthorized user vandalizes a web site, when
A Study of Information Security Policies

Page 6

Chapter 1: Introduction
someone is able to cast a very large number of votes in an online poll, and so on. In
short, integrity deals with safeguarding the accuracy and completeness of information
and the ways in which it is processed.

c) Availability: For any information system to serve its purpose, the information must
be available when it is needed. This means that the computing systems used to store
and process the information, the security controls used to protect it, and the
communication channels used to access it must be functioning correctly. High
availability systems aim to remain available at all times, preventing service
disruptions due to power outages, hardware failures, and system upgrades. Ensuring
availability also involves preventing denial-of-service attacks. Availability ensures
that authorized users have access to information and associated assets whenever

Figure 1.2 CIA Triangle

Source: ISO 17799


Information is a process through a specific type of Information system. These
Information Systems are decomposed in three main portions such as hardware,
software and communications with the purpose to identify and apply information
security industry standards, as mechanisms of protection and prevention, at three
levels or layers: Physical, Personal and Organizational. [4]
1.6.1 Physical level is concerned with Physical access to system, servers, PCs, data
centers, etc, holding sensitive information is restricted to business need-to-know.

A Study of Information Security Policies

Page 7

Chapter 1: Introduction
1.6.2. Personal level deals with user authorization. It depends on profile and rights
assign to the individual user in order to access confidential information.
1.6.3. Organizational level is focused on guidelines and procedures needed to access
specific information by the internal and external users of organization. These
guidelines and related procedures are nothing but information security policies. The
diagram given below depicts Organizational, Personal and Physical level security to
maintain confidentiality, Integrity and availability of Information.
Information security involves multiple portions such as hardware, software and
communication as a components information system within a security firm. In this
field, it is essential to integrate multiple initiatives within a corporate strategy so that
each element provides an optimal level of protection. This is where information
security management systems come into play they ensure that all efforts are
coordinated in order to achieve optimum security.

Figure1. 3: Components of Information Security Source: WIKIPEDIA


An Information Security Management System (ISMS) provides a systematic approach
to managing sensitive information in order to protect it. It encompasses employees,
processes and information systems.
An Information Security Management System (ISMS) is a management system
based on a systematic business risk approach. It is a system designed to establish,
implement, operate, monitor, review, maintain, and improve information security. It is
A Study of Information Security Policies

Page 8

Chapter 1: Introduction
an organizational approach to information security.[5] It is a documented system
certifying that:

Information assets in an organization are described and secured,

Information security risks are managed and mitigated,

Security policies together with their ownerships and guarantees are in place,

Adherence to security measures is inspected periodically.

ISMS can be implemented as a specific information system that deals with a
particular business area, or it can be implemented as an all-encompassing system
involving the whole organization. In any case, ISMS usually involves resources
spanning from the management to the regular employees.

Figure 1.4: Components of ISMS

The establishment of an Information security policy and the definition of the ISMS
scope are more often management and strategic issues while the Risk Management
process is an everyday operational concern.
1.7.1 The conceptual framework of ISMS:
The Information Security Management System (ISO 27001: 2005) is defined as that
part of a global management system, based on a certain approach of the business risk,
through which it is establishing, implementing, analyzing, monitoring and improving
the security of the information. This system includes organizational structures,
policies, planning activities, practices, processes and resources. Information security
should be an integral part of the organizations operating and business culture. The

A Study of Information Security Policies

Page 9

Chapter 1: Introduction
methodological view of developing ISMS necessitates the covering of 6 steps is given
a. Definition of Security Policy,
b. Definition of ISMS Scope,
c. Risk Assessment (as part of Risk Management),
d. Risk Management,
e. Selection of Appropriate Controls
f. Statement of Applicability
Although the ISMS is a recurring process as a whole, in most of the types of
organizations, steps 1 and 2 recur on a longer cycle than steps 3, 4, 5 and 6. This is
mainly because the establishment of a security policy and the definition of the ISMS
scope are more often management and strategic issues while the Risk Management
process is an everyday operational concern.

Figure 1.5: The steps of the process of developing the ISMS

Source: (Source:

A Study of Information Security Policies

Page 10

Chapter 1: Introduction
Information security policy is a preventative mechanism for protecting important data
and processes. It is a preventive mechanism that protects information resources such
as data, skilled people, hardware and software, which is considered to be the asset for
the organization. It communicates coherent security standards to users, management
and technical staff. It is a high-level, organization-wide plan for protecting
Information security is primarily a management problem, not a technical one, as
policy obliges personnel to function in a manner that adds to the security of
information assets, rather than as a threat to those assets. A policy is a plan or course
of action used by an organization to convey instructions from senior-most
management to those who make decisions, take actions and perform other duties on
behalf of the organization. Policies are organizational laws in that it dictate acceptable
and unacceptable behavior within context of organization`s culture.

1.8.1 Policy definitions:

A policy is a high-level statement of enterprise beliefs, goals and objectives and the
general means for their attainment for a specified subject area. There are three
different forms of policy statements. Those are: General Program Policy, Topic
specific policy and System/Application-Specific policy.


The general program

policy sets strategic directions of the enterprise for global behavior and assigns
resources for its implementation. This includes the topics such as information
management, conflict of interest, employee standards of conduct and general security
measures. Topic specific policy addresses specific issues of concern to the
organization. This includes e-mail policy, Internet usage policy, physical access
policy, system application development and maintenance and network security policy.
System/ Application specific policies focus on decisions taken by management to
protect a particular application or system. System /Application specific policy might
include controls established for specific systems such as financial management
system, accounting system, employee appraisal and order inventory.
Basic requirements of the policies are as follows:
1. Policies must:
Be implementable and enforceable.
A Study of Information Security Policies

Page 11

Chapter 1: Introduction
Be concise and easy to understand.
Balance protection with productivity.
Be updated regularly to reflect the evolution of the organization.
2. Policies should:
Have rationale (reasons why policy is formulated).
Describe what is covered by the policies - whom, what, and where
Discuss how violations will be handled.

1.8.2. Security policy:

Security policy is defined as a high level statement of organizational beliefs, goals and
objectives and the general means for their attainment as related to the protection of
organizational assets. A security policy is set at high level and never states `how` to
accomplish the objectives. As security policy is written at high level, organizations
must develop standards, guidelines and procedures that offer those affected by the
policy and meeting the business objectives or missions of the organization. Security
policy life cycle consists of four phases such as:
a. Secure b. Monitor c. Test d. Improve. This security life cycle is shown below:

Figure 1.6: Security Cycle Source: CSI Bangalore

A Study of Information Security Policies

Page 12

Chapter 1: Introduction
a. Secure: This is a statement of policy that defines security feature or security measure
for a specific domain. Policy statement is of management intention, supporting the
goals and principles of information security.
b. Monitor: This phase relates with supervision over implementation of policy. All
related processes of a policy are observed and watched carefully.
c. Test: After implementation of a policy, it is checked at various levels rigorously
which can involve procedures for communications, technical tools, audits and review
d. Improve: This is the last phase of security cycle where feedback is taken from all
concern people to find out loop-holes and discrepancies in the policy. With this policy
is further updated with some modification in existing policy. This improvement in the
last phase is taken care by the first phase where policy statement is modified.
1.8.3 Types of Security Policies:
Security policies are classified into two broad categories:
1. Administrative Policies
2. Technical Policies Administrative Policies: These policies are related to the people who actually
implement the systems. All concerned people who are involved in design,
development, implementation and support function play major role in handling
administrative policies.
These policies are developed for all respected domains of the organization which
forms organization system.
Now the question comes who should be concerned about administrative policies?
Following is detailed description of users who are concern about administrative
a. Users - policies will affect them the most.
b. System personnel - they will be required to implement and support the policies.
c. Managers are concerned about protection of data and the associated cost of the

A Study of Information Security Policies

Page 13

Chapter 1: Introduction
d. Lawyers and auditors - are concerned about company reputation, responsibility to
clients/customers. Technical Policies: These policies are concerned with all technical aspects
such as hardware, software and operating system level functioning of the company.
For example, it involves system fault tolerance RAID Levels, Backup media devices,
up and down time for server, mean time between failures, transaction tracking
systems and many more. People who are part of security-organization-structure plays
major role in implementing these policies.
Researcher`s emphasis is more on administrative policies than technical one, as
administrative policies deals with the employees of the origination. Furthermore for
the study of Information security policies, most of the times, technical aspects are not
shared with outside people as a part of security measure. A Structure/ framework of Comprehensive security policy:
Without security policies, organization has no general security framework. A
Comprehensive security policy consists of following structure:

Policy Statements,

Procedures to implement policy,

Procedures to ensure compliance,

Mechanism for review (audit) and updating of Policy.

1.8.4 Information Security Policy Structure: [7]

Objective: Company management must establish a clear direction and support
for an enterprise wide information security program.

Policy Statement: Information is a company asset and is the property of the

company. The company information includes information that is electronically
generated, typed, stored or communicated. Information must be protected
according to its sensitivity, criticality and value regardless of media on which
it is stored, the manual or automated systems that process it or the method by
which it is distributed.

Provision: To ensure that business objectives and customer confidence are

maintained, all employees have responsibility to protect information from

A Study of Information Security Policies

Page 14

Chapter 1: Introduction
authorized access, modification, disclosure or destruction whether accidental
or intentional.
Senior management and the officers of the company are required to employ
internal controls designed to safeguard company assets, including business
information. It is a management obligation to ensure that all employees
understand and comply with the Company Security policies and standards as
well as all applicable laws and regulations.
Employee responsibilities for protecting the company information are detailed
in the information classification policy.

Company management has the responsibility to manage corporate

information, personnel and physical property relevant to business operations
as well as the right to monitor the actual utilization of all corporate assets.
Employees who fail to comply with the policies will be considered to be in
violation of the company employee standards of conduct and will be subject to
appropriate corrective action.


1.9.1. Standards:
These are mandatory activities, actions, rules or regulations designed to provide
policies with support structure and specific direction they required to be meaningful
and effective. They are often expensive to administer and therefore should be used
When it comes to implementing codes of practice for information security
management, the best point of reference is BS 7799 / ISO 17799, an internationally
recognized standard in this field that is widely used for drafting security policies.
1.9.2 BS 7799/ ISO 17799:
The goal of BS 7799 / ISO 17799 is to provide a common base for developing
organizational security standards and effective security management practice and to
provide confidence in inter-organizational dealings.
A Study of Information Security Policies

Page 15

Chapter 1: Introduction


Information security policies are classified and developed for following different
domains as per BS7799/ ISO 17799 standards. A Security policy needs to be based on
the current organization structure and use of technology Current and Future.
Accordingly the policy can be divided into different sections. A suggested list of
domains is as follows:
1. User (Personal) Policy/ Accepted Usage policy.
2. Data access Policy.
3. Physical Access Policy.

Internet Access Policy.

5. E-Mail Policy.
6. Digital Signature Policy.
7. Outsourcing Policy.
8. Software Development and acquisition Policy.
9. Hardware acquisition Policy.
10. Network and Telecommunication Security Policy.
11. Business Continuity Planning and Disaster Recovery Planning (BCP and DRP)
12. Policy for Security Organization Structure.

Polices under this domain include the purpose and objective of the Security policy
document. It specifies the policy implementation method and overall structure of
Security policies. The common objectives for all the domains is about the change in
IT plan with the policy, risk associated and policy based training imparted to users
related to respective domains.
Policies are living documents that must be managed and nurtured as they constantly
change and grow. It is expected from the IT companies that these policy documents
must be properly distributed, read, understood, agreed and managed.

A sample representation of domains of security policy is shown on the next page.

A Study of Information Security Policies

Page 16

Chapter 1: Introduction







Development &



& Encryption

Figure 1.7: A Sample Representation of Domains of Security policy Source: CSI


1.10.1: User policy (Personal Policy)/ Acceptable Usage Policy:

Policy design for USER DOMAIN takes care about every individual user access to
the system. This section contains the policy regarding defining and implementing
logical access controls, password selection and maintenance, Classification of users
based on user profiles and user groups etc.

1.10.2: Data access Policy:

Data access policy is one of the most important domains where rights and
permissions are set for accessing the information based on user profile. Sharing of
resources, virus protection software, mandatory use of license software, password
protection are the issues associated with this policy.

1.10.3: Physical access Policy:

The implementation of physical access security requires sound organizational policy.
Physical access policy direct the users of information assets in the appropriate use of
computing resources and information assets, as well as the protection of their own
personal safety in day-to-day operations.
A Study of Information Security Policies

Page 17

Chapter 1: Introduction

1.10.4: Internet access policy:

Internet is one of the biggest aspects of the security as all the access to organizational
resources is open with the support of Internet and prone to vulnerable attacks. This
section covers the policies regarding Internet use and web site controls, as well as
restricted use of Internet, and availability of firewall on the organizational network.
This also takes care of security measures like access to specific sites and installation
of proxy server and VPN for private and confidential access.

1.10.5: E-mail Access policy:

Though the modern technology is an inherently risky technology but on the other
hand it is also a very productive and efficient technology. Like with e-mail its value
increases with the number of regular users. E-mail policy addresses the issues related
to organizational e-mail accounts, restricted disk usage quota, access only to
organizational e-mail server and conducting audit of e-mail utility.

1.10.6: Software Development and Acquisition policy:

All policies required for development of application software in-house and purchase
of new software are included in this section. It should particularly specify the
development methodology, standards adopted by the organization and Project
management methods. This policy ensures about the parameters such as time frame,
performance ratings, steering committee and comparative analysis of vendors.
1.10.7: Hardware Acquisition policy:
Policies regarding method and process to acquire the hardware and required
installation software, except application software and system software like Operating
system and utilities. This policy covers performance analysis of vendors, comparative
analysis and rating and also time frame for installation of hardware devices.

1.10.8: Outsourcing Policy:

This indicates the methods to outsource the organizations information requirements.
It also covers the processes regarding purchase of customized software and
A Study of Information Security Policies

Page 18

Chapter 1: Introduction
outsourcing of information processing subsystems. It also includes non discloser
agreement with the outsourcing parties and formalities for signing contract with
outsourcing people. Training within the company for specific technology could be
again part of outsourcing policy.

1.10.9: Digital signature Policy:

Encryption of data is commonplace method. There are various encryption methods
and software available in market. Therefore it is necessary to adopt a common policy
for encryption. This policy mainly addresses the issues regarding assigning keys to
different electronic documents with respective key algorithms, highly controlled
online databases and end to end encryption methods.
1.10.10: Network and Telecommunication Security Policy:
Policies in respect of Use of Network, type and configuration of network Intranet,
Extranet, and transmission speed, firewall; types of telecommunication used within
the organization are covered in this section. Use of security devices like firewall and
proxy server as well as backup domain controller have been considered for company
information security. Applications of different RAID levels are also identified.
1.10.11: BCP and DRP:
The detailed Business continuity and Disaster recovery plan for every unit of
organization is necessary. This section covers the primary policy for development of
BCP and DRP. It includes backup process, media storage for backup and frequency of
backup and related training for DRP..
1.10.12: Policy for Security Organization Structure:
This policy takes care of information

about security team and organization structure

to represent degree of security from top to bottom level of the organization. It also
involves the responsibility of security team in terms of IS audit with emphasis on
internal and external audit.

A Study of Information Security Policies

Page 19

Chapter 1: Introduction
Information Technology (IT) is being managed today in leading edge enterprises,
corporate, and Government sectors to improve organizations performance.
Information itself has value and commerce often involves the exchange of
information rather than the tangible goods. Systems based on computers are
increasingly used to create, store and transfer information. Computers and information
systems are constantly changing as the way organization conducts business.
In this era of IT most of business organization performs online transactions and
deliver value to its customers. Any business or government agency that functions
within the modern context of connected and responsive services relies on information
systems to support these transactions. Even if the transaction is not online information
system and the data they process enable the creation and movement of goods and
services. Therefore protecting data during transition and stored at one location are
both critical aspects of information security. The value of data motivates attackers to
steal, sabotage or corrupt it. An effective security management program is essential
for protection of integrity and value of organizational information.
Organizations spend hundreds of thousands of dollars and expend thousands of manhours to maintain their information systems. Unlike any other aspect of information
technology, information security`s primary mission is to ensure that systems and their
contents remains same. Attacks on information systems are occurring daily and the
need for information security increases as the sophistication of such attacks increase.
The Confederation of Indian Industry (CII) took up this critical issue and organized
the IT Security Conference 2005 at Mumbai when it released a report on the
Information Security Program based on research conducted across 70 sectors of
Indian industry. According to the report, financial data is accorded top priority by 62
percent of the respondents when it comes to IT security. On the recent IT security
breaches at BPOs in Pune, Dr.Natarajan said, Though information security measures
employed by Indian companies are at par with the best in the world, incidents such as
these can occur anywhere. He also insisted that the existence of a continuous security
program is a necessity today. Statistics from the study highlight that 38 percent of

A Study of Information Security Policies

Page 20

Chapter 1: Introduction
companies lack an information security policy, 71 percent have no security process
certification, and 30 to 35 percent have no business continuity or disaster recovery
plan in place.
1.11.1. Industry wise Degree of Risk to Information systems:
Risk is any event that could impact a business and prevent it from reaching its
corporate goals. Risk is often described by Mathematical formula [8]:

Risk = Threat X Vulnerability X Asset value

Threat is likelihood that the corporate will exposed to an incident that has impact on
the business. Vulnerability is the point of weakness that a threat can exploit and an
asset is the component that will be affected by a risk. Following figure shows the
analysis for degree of exposure to risk according to industry sector specifically for
information systems.

Figure 1.8: Degree of Risk to Information systems Source:

The greater the risk to an organization, the more likely the organization is to pay
greater attention to the security of its data. Such is the case in governmental, financial
and health-related fields, as shown in above figure.

A Study of Information Security Policies

Page 21

Chapter 1: Introduction
An organization purchases the IP (Intellectual Property) of other organizations and
abides by the licensing agreement for its fair and responsible use. The most common
IP breach is the unlawful use or duplication of software-based intellectual property
which is known as software piracy. Software is licensed to a single designated user of
organization. Software License is based on per user access and if this license copy is
copied for multiple users then this results in violation of the copyright. Software
publishers use several control mechanisms to prevent copyright infringement. Still
BSA survey in July 2004 revealed that as much as a third of all software in use
globally is pirated.
Forces of nature makes very high impact on IT companies which relates with
Business continuity planning (BCP) and disaster recovery planning (DRP). These are
the most dangerous threats as it usually occurs without prior intimation. These threats
include events such as fire, flood, earthquake, lightning, volcanic eruption and insect
infestation which can disrupt not only lives of individuals but storage, transmission
and use of information.
1.11.2: Threats to Information Security:
In context of information security, a threat is an object, person or other entity that
represents a constant danger to an asset of organization. These threats can be
classified as Internal and External threats. Internal threats are usually associated with
employees of organization who are involved in the business processes and external
threats occur due to external environment such as competitors in the market. Act of
human error or failure, compromises to intellectual property[9], act of information
extortion and use of pirated software fall in the category of Internal threats while
deliberate act of espionage or trespass, viruses or denial-of-service attacks, forces of
nature, hacking, cyber frauds, email spoofing corresponds to External threats.
Following figure shows clear classification between Internal and External threats.
To make sound decision about information security, management must be informed
about the various threats facing the organization, its people, applications, data and
information systems.

A Study of Information Security Policies

Page 22

Chapter 1: Introduction

Figure 1.9:

Information Security in an Organization

One of the greatest threat to an organizations information security is the

organization`s own employees. Employees are the threat-agents closest to the
organizational data. As employees use data in everyday activities to conduct the
organization`s business their mistakes represent a serious threat to the confidentiality,
Integrity and availability of data. This employee mistake can lead to entry of
erroneous data, accidental deletion or modification of data, storage of data in
unprotected areas such as desktops and website. One person`s carelessness can create
a vulnerability with which organization may face major loss in the business. Much
human error or failure can be prevented with training and ongoing awareness
activities but also with the controls ranging from simplex to complex procedures.
Now a days viruses are most common threats to information systems. A computer
virus consists of segments of code that perform malicious actions. This code attaches
itself to the existing program and takes control of that program access to targeted
computer. This is the most common method of virus transmission at the opening of
twenty first century is via e-mail attachment files. E-mail programs prove to be a
fertile ground for computer viruses unless they are suitably controlled.
In general, as the organizational network grows to accommodate changing needs more
robust technology solutions may be needed to replace security programs the
organization has outgrown.

A Study of Information Security Policies

Page 23

Chapter 1: Introduction
Today`s organizations are under immense pressure to acquire and operate integrated,
efficient and capable applications. The modern organization needs to create an
environment that safeguards applications using the organization`s IT systems,
particularly those applications that serve as important elements of infrastructure of the
To address information security needs, each of the organization`s communities of
interest must address information security in terms of business impact and the cost of
business interruption, rather than focusing on security as a technical problem.
Managing information security has more to do with policy and its enforcement than
with the technology of its implementation. [10]
Therefore researcher is identifying the domains of information security policy and
their implementation by the IT companies in order to find out reduction in the risk of

A Study of Information Security Policies

Page 24

Chapter 1: Introduction
1.12.1 ABSTRACT OF THESIS (Scope of research)
The scope of the research is restricted to Pune City or zone. The research is carried
out to study status of information security policies in selected IT companies in Pune
city. The 45 IT companies includes software, BPO and Hardware companies. The
major parameters studied are training, implementation, best practices, IT plan and
Risk Management.
The study is classified into following five chapters excluding Appendix. INTRODUCTION:
This chapter elaborates brief introduction about information security policies,
definition, need, objective and scope of information security policies. It has
highlighted on major issues related to IT Security breaches which have been recently
happed. Different types of controls necessary to address these IT security breaches are
also described as applicable to the organization. This chapter gives broad coverage to
basic concepts such as History-Evolution and components of Information security,
Information security policy, policy development life cycle, Risk and threats to







documentation and framework of the policy, classification of security policies,

domains of security policies and Information security policy standards such as ISO
17799 and BS7799. LITERATURE SURVEY:
In this chapter summery of the information collected from various sources in the form
of secondary data is available. The information is gathered from reference books,
periodical and journals and many of the web sites. This information includes
guidelines for effective information security management, overview of security
principles intended for laws and policies as well as relation between policies,
standards and practices. The Information of security policy infrastructure, policy
design life cycle and policy design process are discussed in details from point of view
A Study of Information Security Policies

Page 25

Chapter 1: Introduction
of formulating a questionnaire. The sample structure of policy and policy
representation for three domains is also mentioned in this chapter. In some cases
researcher has also collected information by attending workshops and seminars
organized by Computer Society of India (CSI) and ISACA, Pune Chapter. RESEARCH METHODOLOGY:
This chapter includes information about sampling unit, sampling plan as well as
sample size. It also further covers brief information about why and how the sample
size is selected. Sampling procedure is also described which is mainly focused on
random sampling method. This chapter also covers sources of collection of primary
and secondary data. Objectives and hypothesis for the research is discussed in this
chapter. Entire Research design phases such as sampling design, observational design,
statistical design and operational design are described in this chapter. Collection of
data through questionnaire is elaborated in details as the way it was conducted by the
researcher. Various characteristics of collected data are also elaborated. The statistical
tools and techniques which are needed for hypothesis testing are explained in
operational design. DATA ANALYSIS:
This is the most important chapter of the research which provides information about
steps involved in data analysis which begins with data processing. Data processing
requires editing; coding, classification of collected data. Analysis of all domain
related questions is made first. Emphasis of the chapter is more on hypothesis testing
by using chi square test and simple Excel analysis where comparison is not required.
SPSS SOFTWARE 11.0 is used for analyzing the data and representation in terms of
cross tabulation in case of hypothesis testing. Hypothesis is tested for group of all IT
companies together, as well as segment wise testing is also performed to know about
the status between Software, BPO and Hardware companies. Tables, Graphs and
charts are also shown in this chapter for the interpretation of data and hypothesis

A Study of Information Security Policies

Page 26

Chapter 1: Introduction CONCLUSION AND FINDINGS:

Summary of entire thesis is available is this chapter. This chapter provides conclusion
derived from data analysis for proving the hypothesis. It also gives coverage to
expected outcome derived from data analysis. This chapter is also focused on
expected findings along with conclusions and suggestions. It gives brief idea about
the limitations for the researcher while conducting the studies and insight for further
research work.

A Study of Information Security Policies

Page 27

Chapter 1: Introduction

1. Michaneal E.Whiteman and Herbert J. Maltord, Principles of Information
Security, Second edition 2007, Thomson Technology, India Edition,
Pg. [198-199]

2. Michaneal E.Whiteman and Herbert J. Maltord, Principles of Information

Security, Second edition 2007, Thomson Technology, India Edition, Pg. [5-7]

3. The BS 7799/ISO 17799 Standard for better approach to Information Security

by Jacquelin Bisson and Rene Saint German, posted on 15th June 2004 by and retrived on 18th December 2006.

4., retrieved on 30th May


5. Tipton, Harold F. & Krause, Micki: Information Security Management

Handbook, 6th Edition, 2008, Volume 2, Auerbach Publications, Taylor &
Francis Group, Boca Raton, New York, Pg. [15-16].

6. Thomas R. Peltier, Information Security Policies, Procedures and StandardsGuidelines for effective information security management, Auerbach
Publications, 2002, Pg. 29.

7. Thomas R. Peltier, Information Security Policies, Procedures and StandardsGuidelines for effective information security management, Auerbach
Publications, 2002, Exhibit 2, Pg. [177-178].

A Study of Information Security Policies

Page 28

Chapter 1: Introduction
8. Tipton, Harold F. & Krause, Micki: Information Security Management
Handbook, 5th Edition, 2004, Auerbach Publications, Taylor & Francis
Group, Boca Raton, New York, Pg.751.

9. Michaneal E.Whiteman and Herbert J. Maltord, Principles of Information

Security, Second edition 2007, Thomson Technology, India Edition, Pg. 39.

10. Michaneal E.Whiteman and Herbert J. Maltord, Principles of Information

Security, Second edition 2007, Thomson Technology, India Edition, Pg. 37.

A Study of Information Security Policies

Page 29