by
Jagruti Patil
2008
Project Advisor
Narasimhaswamy Banavara, Ph.D.
Department of Mathematics and Computer Information Science
ACKNOWLEDGMENT
Firstly, I would like to thank my mentor Dr. Banavara, who guided me throughout the
which was an important factor in my project. He also helped and guided me in writing the report
I would like to thank ABC Company and the employees who provided me all the
Also, I would like to thank all my professors, Dr. Chen, Prof. Nunez, Dr. Shreedhar and
Prof. Ozdogan, who taught me subjects like IT Audit and Compliance, Information Security,
Data Mining and E-commerce security which were value additions to my project.
Finally, I would like to thank the Mercy College library, which provided access to all
organizations are focusing more on securing their information. In order to ensure information
security, the organization must take appropriate security measures to make sure no information is
leaked or passed to unauthorized users. Apart from technology, companies should also make sure
that they have proper policies, procedures, and standards in place in the organization in
compliance with laws and regulations. For this purpose, organizations should have a
frameworks in the literature, one comprehensive information security framework has been
chosen for this project. Then, the information security framework of a manufacturing
organization has been studied and mapped to the information security framework chosen from
the literature. After mapping, it is found that the organization’s information security framework
is quite similar to the chosen information security framework. In spite of the similarities, there are
a few flaws in the organization's information security framework. It is found that the organization
doesn't provide any training to the employees regarding information security, which is a
considerable factor in information security. Also, Senior Managers are more involved in
INTRODUCTION......................................................................................................................... 1
SCOPE ........................................................................................................................................... 2
RECOMMENDATIONS............................................................................................................ 26
CONCLUSION ........................................................................................................................... 27
REFERENCES ............................................................................................................................ 28
APPENDIX I ............................................................................................................................... 31
APPENDIX II .............................................................................................................................. 34
INTRODUCTION
variety of threats and vulnerabilities (ISO/IEC 17799:2005). For this reason, many
information security framework, which helps the organization to identify the risks associated
manufacturing organization and map the company’s framework with an information security
framework chosen from the literature. This will help determine the status of the company’s
current information security framework and help decide whether the current information
SCOPE
businesses, many are seeking an appropriate security framework (Yhan, 2005). Research on ISM
generally addresses two areas, technical computer security and non-technical security
management, while some researchers span both areas (Baskerville & Siponen, 2002). This
project addresses the non-technical security aspect of the information security framework. The scope
consists of the leadership, organizational structures and processes that ensure that the
(www.isaca.org). Compliance is the process that records and monitors the policies,
The corporate executives should ensure that all the policies are in compliance
with standards such as SOX. Also, the corporate executives such as the CEO, CIO, and
senior management should ensure the controls are in place for compliance for
measure to increase security in organizations (Hong, Chi, Chao & Tang, 2007). Policies
are high-level documents which help the organization to address security-related issues.
regulations. Many of them have important implications for information management and
internal control systems even though they may lack explicit references to information
modern organizations, and it is self-evident that awareness of applicable laws and
critical for compliance (Luthy & Forcht, 2006). While designing an information security
framework, the organization should consider different laws such as SOX, HIPAA etc., and
how they help to formulate security policy. Organizations should consider all these acts
Risk Analysis and Assessment helps in identifying the business assets an
organization wants to protect, and the potential threats to those assets. Organizations
wanting to conduct information security risk analysis may find selecting a methodology
problematic. Currently there are numerous risk analysis methodologies available, some of
which are qualitative while others are more quantitative in nature (Vorster &
Labuschagne, 2006). Organizations should have risk analysis methodologies which help
in identifying the potential risks and ways to mitigate those risks. The ISF should address
risk analysis methodologies, how well the risks are identified and who all are involved in
Each project has limitations or boundaries associated with it. Here are a few
For the sake of information security, much of the company’s information was kept
It was not possible to interview all the concerned people. For example, it was not possible
to arrange an interview with the Chief Executive Officer (CEO) and the Chief Information
Officer (CIO).
The challenges for management in providing information security are formidable. Even
for relatively small organizations, information system assets are substantial, including databases
and files related to personnel, company operation, financial matters, and so on (Stallings,
2007).
encompassing people, process and Information Technology (IT) systems that safeguards critical
systems and information protecting them from internal and external threats” (Barlas, Queen,
Randowiz, Shillam, & Williams, 2007). ISM is increasingly important within organizations,
becoming a strategic imperative as security threats continue to escalate (Okin, 2006). Security
and privacy are among the top ten management concerns, according to a 2005 survey of executive
regarded as the most serious problem with security in organizations today (Biegelman & Bartow,
2006).
Navigating the multitude of existing security standards, including dedicated standards for
information security and frameworks for controlling the implementation on IT, presents a
considers a process view of information within the context of the organizational operational
the overall security of information, thereby eliminating business risks. Information security does
not focus only on technological issues, but also points out other important elements of an
organization such as people, process, business strategies etc., which also mandate the need for
information security.
The comprehensive information security framework should incorporate the following key
elements:
A guide to help reconcile the framework to common and different aspects of generally
A comprehensive security framework boils down to three familiar basic components: people,
technology, and process. When correctly assembled, the people, technology, and process
elements of your information security program work together to secure the environment and
remain consistent with your firm's business objectives (Kark, Stamp, Penn, Koetzle & Mulligan,
Diagram 1: People, Process and Technology
Diagram 2 shows the problem organizations face today. The company has all the
components like software development, policies and procedures, incident management, business
continuity management, regulations & audit etc. These components are called islands of security
which cannot talk to each other and do not work together.
Diagram 2: Problem Space
work together, instead of having stand-alone components and systems. The connected information
security framework delivers practical guidance for everyday IT practices and activities, helping
users establish and implement reliable, cost-effective IT services. Diagram 3 shows how the
information security framework helps different components to interact with one another.
Diagram 3: Information Security Framework
The information security framework for an organization establishes policies and best
practices. The framework used for assessing the organization’s current information security
framework provides a roadmap for the evaluation and improvement of information security
policies and practices. Different information security frameworks were studied and one was chosen
for this study. The chosen information security framework is a representative of most
Actors/Actions: Corporate Executives | Business Unit Head | Senior Manager | CIO/CISO
Governance/Business: What am I required to do? What am I afraid not to do?
The framework poses three sets of questions, with regard to information security:
1. What am I (Corporate Executives/ Business Unit Head/ Senior Manager/ CIO) required to do?
In order to ensure that these policies are more effectively implemented, we have
developed a preliminary information security governance framework for action that outlines
specific roles for business unit heads, senior managers, CIOs, and the CEOs themselves.
The information security framework defines roles and responsibilities for CEO, business unit
heads, and senior managers. Apart from roles and responsibilities, the information security
framework also has metrics which are used to evaluate the security performance.
PRELIMINARY INFORMATION SECURITY GOVERNANCE FRAMEWORK
ABOUT THE COMPANY
ABC Company is a leading manufacturing company in the Midwestern United States, which
manufactures pumps, valves, mixers, fittings and many more process components, with around
2,500 employees in North America and 17,000 employees worldwide. The company
serves a wide range of industries such as food, pharmaceutical, oil, gas, biotechnology and many
more.
Finance
Accounting
Marketing
Information Technology
Production
Purchase
Customer service
The Information Technology (IT) Department of ABC Company has more than 30
employees serving around 100 users. Apart from employees, there are 50 consultants working on
SAP implementation.
The company has successfully implemented SAP in 2008 for all major business functions
and is currently using it as their ERP system. The company's data center is located in the Northeast
of the United States.
All traveling consultants are given laptop machines while the employees are using
desktop systems.
Operating Systems used: Microsoft Windows Server 2003 for SAP R/3,
IBM iSeries for PRMS, Lotus Notes and a few more applications
Software Application used: ERP (Enterprise resource planning) Solution SAP R/3
DATA COLLECTION
Data Collection is an important aspect of any type of research study. Inaccurate data
collection can impact the results of a study and ultimately lead to invalid results. Data-collection
techniques allow us to systematically collect information about our objects of study. For the
security of information and to maintain the confidentiality of the sensitive data, much of the
information was not disclosed by the ABC Company. Data was collected on-site in person.
Interviews
Interviews were one of the data collection techniques used in order to collect the data from
ABC Company. Two in-person interviews were conducted with the IT Director
Questionnaires
included in APPENDIX I.
E-mail Correspondence
Apart from interviews and questionnaires, there was e-mail correspondence with the IT
Roles and Responsibilities (one entry per column of the table):
Corporate Executives: enforcing compliance with corporate policies; compliance policy; compliance assurance; oversight of Business Unit with regulations.
Business Unit Head: responsible for coordination of policy; enforces security policies; works on recommendations provided by auditors; ensures software maintenance, project management, system administration.
Senior Manager: ensures information systems are in compliance with security policies; uses COBIT framework for implementing controls; implements procedures; ensures training is provided to the employees.
CIO: implements control throughout the enterprise; assists in classifying information.
FINDINGS: THE MAPPING
“Information security is often treated solely as a technology issue, when it should also be
Information security is not simply a technological issue. Different technologies can be used
to address security problems, but apart from technology, there should be proper policies and
procedures in place which handle information security issues more appropriately.
Table 2 shows a horizontal axis which consists of the various executives and a vertical axis which shows
Following are the responsibilities that the various executives from ABC Company have to perform
Corporate Executives
policies. Executives are involved to ensure compliance with different policies. For
example, an executive ensures the policies are in compliance with SOX (Sarbanes-Oxley
Act). The company also ensures the user roles created are in compliance with SOX.
Apart from corporate executives, Business Unit Heads are also involved in the
coordination of policies. The Business Unit Head, executives and senior managers examine
The Business Unit Head is also involved in project management, software
implementation, and system administration. Business Unit Heads are allowed to take
Senior Manager
According to the policy of ABC Company, managers must adopt COBIT control
COBIT (Control Objectives for Information and related Technology) provides a set
of best practices and procedures which help the organization to meet business
challenges. A senior manager also ensures that training is provided to the
employees.
Also, the CIO is involved in implementing controls throughout the enterprise. Regarding
information classification, the ABC Company has an internal team which works
along with internal auditors for classifying information. Access to the information is
Apart from the roles and responsibilities of the executives, there are a few metrics/audits which
Corporate Executives:
For the corporate executives, financial reporting is the metric which helps them
The Business Unit Head makes sure that there is no misuse of assets or violations
of policy. The ABC Company has a violations policy in place. It makes sure that there is no
misuse of assets. In ABC Company, if a manager finds any misuse of assets or any
employee who has violated the policy, then the manager is responsible for contacting Unit
HR (Human Resources). The Unit HR in turn will contact Corporate HR. Corporate HR
will then designate a person. The designated person will take charge and
carry out the necessary investigation. After the investigation, the report will be submitted and
In ABC Company, the Business Unit Head also works on the recommendations
Senior Manager:
Senior Managers along with other executives perform risk assessment. Risk
assessment is done at each level. For example, ABC Company performs risk assessment
before providing access to the third party. Risk assessment is performed to identify
CIO
The CIO helps the organization to improve security awareness among the employees. A
new employee is given a handbook consisting of all the policies and standards the
company follows. Also, the employees have to take an online tutorial. The handbook and
online tutorial are the two ways through which the company spreads awareness among
the employees.
Inventory Management
Passwords
The company has a password policy which states that the password will
expire after 90 days, which makes sure that the user will change the
password. Also, the user has to sign a document which states that the
operating system.
Application Access Controls and Segregation of Duties
Applications will control user access rights (read, write, delete and
execute).
Sensitive Systems Access Controls make sure that the sensitive data is
network links.
will be used.
assessment documents.
Operational Systems
Only authorized users can modify the operational systems and have to
Audit logs are maintained for a minimum of 30 days so as to identify
intrusion or misuse.
Enterprise information services are centrally managed and for the
Production data can be used for testing but the customer’s personal
Remote access
Perimeter Controls
Workstation Controls
Security Considerations
anomalies.
The company has a Governance and Compliance policy which consists of the following:
Compliance Policy
Controls Governance
Corporate Information
Assurances
IT Physical Security Policy
Cable Plant
Site
Account Creation
Archiving
Delegated Access
The company has an information classification policy which classifies information as
Also, the company has a policy for the storage, disclosure, and destruction of information.
Third Party Access to Information Assets Policy
Risk assessment is done prior to providing access to a third party.
For the network and device connections, the employee has to follow the
policy.
Modems
The IT department will have to maintain the list of modems used by the
company.
Network Segmentation
New Hires
Background Checks
Current Employee
Current employees will be provided training
Exiting Employee
Contractors
Cryptographic Controls
Digital Signatures
the message.
Key Management
replacement.
RECOMMENDATIONS
After mapping the information security frameworks, it is found that the chosen
framework maps well onto the Company's information security framework. The only difference
found between the two frameworks is that the roles and responsibilities of the drivers differ.
Although the company has a proper information security framework in place, there are a few
recommendations which
Training:
To create a pervasive security culture, the value of information security to the corporation
security practices (Janice C. S & Burke T. W, 2008). Also, consultants should be made
Password Policy:
The ABC Company has a password policy in place but has not implemented the
Confidentiality agreement:
In many cases, there is no confidentiality agreement with the third party contractors. For
example in many companies when a consultant from other company joins the client
Physical security:
There is no physical security for computer systems. The company should have some lock
systems which can prevent someone from stealing a PC or its hardware.
CONCLUSION
To the organization, information is the most vital asset. In order to protect information,
the organization should have a proper information security framework in place. The organization
should also note that the information security framework is an ongoing process.
reviews, are important to ensure the adequate protection of information resources (Ezingeard &
Bowen-Schrire, 2007). To assess the adequacy of current practices, measuring and reporting of
In this era of increased cyber attacks and information security breaches, it is essential that
all organizations give information security the focus it requires. To ensure information security,
the organization should understand that information security is not solely a technological issue.
The organization should also consider the non-technical aspect of information security while
REFERENCES
http://www.iso.org/iso/support/faqs/faqs_widely_used_standards/widely_used_standards_other/information_security.htm
Yhan, G., (2005). ISO 17799: Scope and implementation – Part 1 Security Policy.
http://www.infosecwriters.com/texts.php?op=display&id=335
Baskerville, R., & Siponen, M. (2002). An information security meta-policy for emergent
COBIT 4.1 Executive Summary and Framework. (2008). Retrieved Nov 20, 2008, from
http://www.isaca.org/AMTemplate.cfm?Section=Downloads&Template=/ContentManagement/ContentDisplay.cfm&ContentID=34172
http://en.wikipedia.org/wiki/Governance,_Risk_Management,_and_Compliance
Hong, K. –S., Chi, Y. –P., Chao, L. R., & Tang, J. –H. (2007). An empirical study of information
Luthy, D., & Forcht, K. (2006). Laws and regulations affecting information management and
14(2)
Vorster, A., & Labuschagne, L. (2005). A framework for comparing different information
Stallings, W. (December 2007). Standards for Information Security Management. The Internet
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_10-4/104_standards.html
Barlas, S., Queen, R., Radowitz, R., Shillam, P., & Williams, K. (2007). Top 10 technology
Okin, S. (2006, January/February). Information security and the board: Keeping risk out and
letting business in. SIM News. 1-3. Retrieved November 28, 2008 from
http://www.simnet.org/Content/NavigationMenu/Resources/SIM_News__January_February_2006/Features5/Features.htm
top concern for SIM members. SIM News. Retrieved November 28, 2008 from
http://www.simnet.org/Content/NavigationMenu/Resources/SIM_News__January_February_2006/Features5/Features.htm
Janice C. S & Burke T. W (2008). A Framework for Information Security Management based on
Kark, K., Stamp, P., Penn, J., Koetzle, L., & Mulligan, J. A. (2007). Defining A High-Level
10, 2008.
http://www.hitrustalliance.org/HITRUST%20Common%20Security%20Framework%20Overview.pdf
from the Burton Group from http://securitybuddha.com/2008/06/10/grc-why-its-of-limited-interest-to-me/
Conner, B., Noonan, T., & Holleyman, R. (2003). Information Security Governance: Toward a
http://www.bsa.org/country/Research%20and%20Statistics/Whitepapers.acompany
http://people.uwec.edu/piercech/ResearchMethods/Data%20collection%20methods/DATA%20COLLECTION%20METHODS.htm
APPENDIX I
QUESTIONS
2. What are the major applications the company uses? (List a few of them.)
i. B. technician
ii. C. people
7. How does the company identify the risks? What are the ways in which you calculate the
risk?
8. Does the company have any framework for risk analysis and assessment?
10. When you encounter information theft or any other disaster, what procedure do you
12. How do the corporate executives / managers make sure of coordination of policies? What
13. Does the company provide training to the business unit head/ CIO/ manager? How long?
14. If company provides training, what is the policy for training and how often do they
provide training?
15. How does the CIO / security manager conduct security awareness? Training / memos /
17. Does the company have any reporting policy? Reporting to whom? How often? What kind of
reporting?
18. What different types of policy does the company have that ensure security?
19. Does a manager perform any periodic assessment of assets and risks associated with
20. Does the company have an information use and categorization plan? How does it work?
21. What actions does the company take after auditing is done and how does the company
22. Does the company have a policy for violations, misuse of assets and internal control assets?
23. How does the company determine what level of security is appropriate?
25. How does the company spread security awareness among the employees?
26. Does the company conduct any kind of surveys to check security awareness among the
employees?
27. Approximately how many users does the company have in your organization?
29. How are the branch offices / field offices connected to the main data center?
32. How does the company perform risk assessment and analysis?
33. What are the metrics with which you evaluate the impact of the risks?
35. How does the current information security framework help your organization?
40. What are the ways in which you achieve confidentiality, availability and integrity of
data?
41. How does the company implement / enforce policies and procedures?
42. What are the policies and procedures that the organization follows in order to secure
information?
44. What are the laws and regulations that affect the current information security framework?
45. Does the company follow any standard acts such as SOX, HIPAA or a framework such as
COBIT etc.?
APPENDIX II
GLOSSARY