



Jagruti Patil

A project submitted to the Faculty in the Department of Mathematics and Computer Information Science in partial fulfillment of the requirements for the degree of Master of Science in Information Assurance and Security, Mercy College

Project Advisor: Narasimhaswamy Banavara, Ph.D., Department of Mathematics and Computer Information Science

Acknowledgements

Firstly, I would like to thank my mentor Dr. Banavara, who guided me throughout the semester to complete the project. He showed me different ways of approaching companies, which was an important factor in my project. He also helped and guided me in writing the report by taking time to read the report and correcting me wherever possible.

I would like to thank ABC Company and the employees who provided me all the information required for my project.

Also, I would like to thank all my professors, Dr. Chen, Prof. Nunez, Dr. Shreedhar and Prof. Ozdogan, who taught me subjects like IT Audit and Compliance, Information Security, Data Mining and E-commerce Security, which were value additions to my project.

And finally, I would like to thank the Mercy College library, which provided access to all the collections. Without this the project would be incomplete.


Abstract

Information is the most important element of an organization. In today’s world, organizations are focusing more on securing their information. In order to ensure information security, the organization must take appropriate security measures to make sure no information is leaked or passed to unauthorized users. Apart from technology, companies should also make sure that they have proper policies, procedures, and standards in place in the organization, in compliance with laws and regulations. For this purpose, organizations should have a comprehensive information security framework. After a study of different information security frameworks in the literature, one comprehensive information security framework has been chosen for this project. Then, the information security framework of a manufacturing organization has been studied and mapped to the information security framework chosen from the literature. After mapping, it is found that the organization’s information security framework is quite similar to the chosen information security framework. In spite of the similarities, there are a few flaws in the organization’s information security framework. It is found that the organization doesn’t provide any training to the employees regarding information security, which is a considerable factor in information security. Also, senior managers are more involved in coordination and compliance of policies than corporate executives.


Table of Contents

INTRODUCTION (p. 1)
SCOPE (p. 2)
LIMITATIONS OF THE PROJECT (p. 4)
INFORMATION SECURITY FRAMEWORK (p. 4)
    WHAT IS INFORMATION SECURITY MANAGEMENT? (p. 5)
    WHAT IS INFORMATION SECURITY FRAMEWORK? (p. 5)
SIGNIFICANCE OF INFORMATION SECURITY FRAMEWORK (p. 7)
REVIEW: THE FRAMEWORK (p. 9)
ABOUT THE COMPANY (p. 12)
DATA COLLECTION (p. 13)
ABC’S INFORMATION SECURITY FRAMEWORK (p. 14)
FINDINGS: THE MAPPING (p. 16)
RECOMMENDATIONS (p. 26)
CONCLUSION (p. 27)
REFERENCES (p. 28)
APPENDIX I (p. 31)
APPENDIX II (p. 34)

Introduction

Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected. This is especially important in the increasingly interconnected business environment. As a result of this increasing interconnectivity, information is now exposed to a growing number and a wider variety of threats and vulnerabilities (ISO/IEC 17799:2005). For this reason, many organizations nowadays implement various security policies in order to protect the organization. Also, to have a secure flow of information, organizations implement an information security framework, which helps the organization to identify the risks associated with the organization’s information and ways to mitigate those risks.

The aim of this project is to study the information security framework in a manufacturing organization and map the company’s framework with an information security framework chosen from the literature. This will help determine the status of the company’s current information security framework and help decide whether the current information security framework is complete or needs more components in order to be fool-proof.


Scope

As information security becomes increasingly important to the continued success of businesses, many are seeking an appropriate security framework (Yhan, 2005). Research on ISM generally addresses two areas, technical computer security and non-technical security management, while some researchers span both areas (Baskerville & Siponen, 2002). This project addresses the non-technical security aspect of the information security framework. The scope of the project focuses on four areas:

• IT Governance and Compliance
• Policies and Procedures
• Impact of Laws and Regulations on the Organization
• Risk Analysis and Assessment

The scope of the project is explained in detail below:

• IT Governance and Compliance

IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives (www.isaca.org). Compliance is the process that records and monitors the policies, procedures and controls needed to enable compliance with legislative or industry mandates as well as internal policies (Governance, Risk and Compliance, 2008). The corporate executives should ensure that all the policies are in compliance with standards such as SOX. Also, the corporate executives such as the CEO, CIO, and senior management should ensure the controls are in place for compliance, establishing security throughout the organization.

• Policies and Procedures

A formal written Information Security Policy (ISP) should be formulated by addressing concerns at each of the levels in the information security framework. Developing or adopting a comprehensive ISP which focuses on procedures and implementation considerations has empirically been found to be an effective managerial measure to increase security in organizations (Hong, Chi, Chao & Tang, 2007). Policies are high-level documents which help the organization to address security-related issues.

• Impact of Laws and Regulations on the Organization

Organizations worldwide are impacted by an increasing number of laws and regulations. Many of them have important implications for information management and internal control systems even though they may lack explicit references to information management. This is because information technology (IT) has become pervasive in modern organizations, and it is self-evident that awareness of applicable laws and regulations, along with their potential impacts on information management systems, is critical for compliance (Luthy & Forcht, 2006). While designing the information security framework, the organization should consider different laws such as SOX, HIPAA etc., and how they help to formulate the security policy. Organizations should consider all these acts while designing the information security framework.

• Risk Analysis and Assessment

Risk Analysis and Assessment helps in identifying the business assets an organization wants to protect, and the potential threats to those assets. Organizations wanting to conduct information security risk analysis may find selecting a methodology problematic. Currently there are numerous risk analysis methodologies available, some of which are qualitative while others are more quantitative in nature (Vorster & Labuschagne, 2006). Organizations should have risk analysis methodologies which help in identifying the potential risks and ways to mitigate those risks. The ISF should address risk analysis methodologies, how well the risks are identified and who is involved in assessing the risk.


Limitations of the Project

Each project has limitations or boundaries associated with it. Here are a few limitations of this project:

• For the sake of information security, much of the company’s information was kept confidential; hence data collection is limited.
• It was not possible to interview all the concerned people. For example, it was not possible to arrange an interview with the Chief Executive Officer (CEO) and Chief Information Officer (CIO).


Information Security Framework

The challenges for management in providing information security are formidable. Even for relatively small organizations, information system assets are substantial, including databases and files related to personnel, company operation, financial matters, and so on (Stallings, ...).

What is information security management?

Information security management (ISM) is defined as “a systematic approach to encompassing people, process and Information Technology (IT) systems that safeguards critical systems and information protecting them from internal and external threats” (Barlas, Queen, Randowiz, Shillam, & Williams, 2007). ISM is increasingly important within organizations, becoming a strategic imperative as security threats continue to escalate (Okin, 2006). Security and privacy are among the top ten management concerns, according to a 2005 survey of executive IT managers (SIM, 2006). The absence of a well-defined information policy is currently regarded as the most serious problem with security in organizations today (Biegelman & Bartow, ...).

Navigating the multitude of existing security standards, including dedicated standards for information security and frameworks for controlling the implementation of IT, presents a challenge to organizations. The framework is intended to promote a cohesive approach which considers a process view of information within the context of the organizational operational environment (Sipior & Ward, 2008).

What is information security framework?

An information security framework is a comprehensive security framework model that ensures the overall security of information, thereby eliminating business risks. Information security does not focus only on technological issues, but also points out other important elements of an organization such as people, process, business strategies etc., which also mandate the need for information security.

A comprehensive information security framework should incorporate the following key elements:

• Recommended sound security governance practices (e.g., organization, policies, etc.)
• Recommended sound security controls practices (e.g., people, process, technology)
• A guide to help reconcile the framework to common and different aspects of generally adopted standards (e.g., COBIT, HIPAA, etc.)
• An analysis of risk or implications for each component of the framework
• A guide of acceptable options or alternatives and criteria, to aid in tailoring to an organization’s operating environment
• A guide for implementation and monitoring
• A toolset for organizations to test compliance against the framework (HITRUST)

A comprehensive security framework boils down to three familiar basic components: people, technology, and process. When correctly assembled, the people, technology, and process elements of your information security program work together to secure the environment and remain consistent with your firm's business objectives (Kark, Stamp, Penn, Koetzle & Mulligan, 2007). Diagram 1 shows the concept of people, process and technology.

Diagram 1: People, Process and Technology

Diagram 2 shows the problem organizations face today. The company has all the components like software development, policies and procedures, incident management, business continuity management, regulations & audit etc. These components are called islands of security, which can’t talk to each other and don’t work together.

Diagram 2: Problem Space. Adapted from (Curphey, 2008)

A comprehensive information security framework is the answer for the components to work together, instead of having stand-alone components and systems. The connected information security framework delivers practical guidance for everyday IT practices and activities, helping users establish and implement reliable, cost-effective IT services. Diagram 3 shows how the information security framework helps different components to interact with one another.

Diagram 3: Information Security Framework. Adapted from (Curphey, 2008)


Review: The Framework

The information security framework for an organization establishes policies and best practices. The framework used for assessing the organization’s current information security framework provides a roadmap for the evaluation and improvement of information security policies and practices. Different information security frameworks were studied and one was chosen for this study. The chosen information security framework is representative of most information security frameworks in the literature.

Table 1 shows the preliminary governance framework, which serves as an input to the main framework shown in Table 2.

Table 1: Preliminary Governance Framework (adapted from Corner, Noonam & Holleyman, 2003). The columns are the actors (Corporate Executives, Business Unit Head, Senior Manager, CIO/CISO); the question in each row applies to every actor.

Governance/Business: What am I required to do? What am I afraid not to do?
Roles and Responsibilities: How do I accomplish my objectives?
Metrics/Audit: How effectively do I achieve my objectives? What adjustments do I need to make?

The framework poses three sets of questions with regard to information security:

1. What am I (Corporate Executives / Business Unit Head / Senior Manager / CIO) required to do? What am I afraid not to do?
2. How do I accomplish my objectives?
3. How effectively do I achieve my objectives? What adjustments do I need to make? (Corner, Noonam & Holleyman, 2003)

In order to ensure that these policies are more effectively implemented, we have developed a preliminary information security governance framework for action that outlines specific roles for business unit heads, senior managers, CIOs, and the CEOs themselves. The information security framework defines roles and responsibilities for the CEO, business unit heads, and senior managers. Apart from roles and responsibilities, the information security framework also has metrics which are used to evaluate the security performance.

The framework which is studied is presented in a comprehensive chart given in Table 2.


Table 2. Preliminary Information Security Governance Framework (adapted from Corner, Noonam & Holleyman, 2003). Columns: Corporate Executives, Business Unit Head, Senior Manager, CIO/CISO.

Governance / Business (What am I required to do? / What am I afraid not to do?)
  Corporate Executives: Legislation / ROI
  Business Unit Head: Standards, policies and budgets
  Senior Manager: Standards, audit results
  CIO/CISO: Security policies, security operations, and resources

Roles and Responsibilities (How do I accomplish my objectives?)
  Corporate Executives:
    • Oversight and coordination of policies
    • Oversight of business unit compliance
    • Compliance reporting
    • Actions to enforce accountability
  Business Unit Head:
    • Provide information security protection commensurate with the risk and business impact
    • Provide security training
    • Develop the controls environment and activities
    • Report on effectiveness of policies and procedures
  Senior Manager:
    • Provide security for information and systems
    • Periodic assessments of assets and their associated risks
    • Determine level of security appropriate
    • Implement policies and procedures to cost-effectively reduce risk to acceptable levels
    • Periodic test of security and controls
  CIO/CISO:
    • Develop, maintain, and ensure compliance to program
    • Designate security officer with primary duties and training
    • Develop required policies to support security program and business unit specific needs
    • Develop information use and categorization plan
    • Assist senior managers with their security responsibilities
    • Conduct security awareness

Metrics / Audit (How effectively do I achieve my objectives? What adjustments do I need to make?)
  Corporate Executives: Financial reporting, monetizing losses, conforming to policies
  Business Unit Head: Policy violations, misuse of assets, internal control violations
  Senior Manager: Risk assessment and impact analysis, control environment activities, remedial actions, policy and procedure compliance, security and control test results
  CIO/CISO: Security awareness effectiveness, incident response and impact analysis, security program effectiveness, information integrity, effects on information processing


About the Company

XYZ Corporation (name changed to ensure privacy) is a leading manufacturing company with around 2,500 employees in North America and 17,000 employees worldwide. The company has more than 35 locations around the world.

This study focuses on one division of XYZ Corporation, namely ABC. ABC Company is a leading manufacturing company in the Midwestern United States, which manufactures pumps, valves, mixers, fittings and many more process components. The company serves a wide range of industries such as food, pharmaceutical, oil, gas, biotechnology and many ...

The company has the following departments:

• Finance
• Accounting
• Marketing
• Information Technology
• Production
• Purchase
• Customer service

The Information Technology (IT) Department of ABC Company has more than 30 employees serving around 100 users. Apart from employees, there are 50 consultants working on the SAP implementation.

The company successfully implemented SAP in 2008 for all major business functions and is currently using it as their ERP system. The company’s data center is located in the North East of the United States.

• All traveling consultants are given laptop machines while the employees are using desktop systems.
• E-mail server used: Lotus Notes
• Operating systems used: Microsoft Windows Server 2003 for SAP R/3; IBM iSeries for PRMS, Lotus Notes and a few more applications
• Database used: Microsoft SQL Server for SAP R/3
• Software application used: ERP (Enterprise Resource Planning) solution SAP R/3 (Version ECC 6.0)

Modules implemented in SAP (System Analysis and Program Development):

• Material Management (MM)
• Sales and Distribution (SD)
• Financial Accounting and Controlling (FICO)
• Production Planning (PP)
• Quality Management (QM)

Data Collection

Data collection is an important aspect of any type of research study. Inaccurate data collection can impact the results of a study and ultimately lead to invalid results. Data-collection techniques allow us to systematically collect information about our objects of study. For the security of information and to maintain the confidentiality of sensitive data, much of the information was not disclosed by ABC Company. Data was collected on-site in person. The following data collection techniques were used:

• Interviews

Interviews were one of the data collection techniques used to collect data from ABC Company. Two in-person interviews were conducted, with the IT Director and the IT Infrastructure Manager, so as to collect information about ABC Company’s information security framework.

• Questionnaires

Questionnaires were prepared and given to the IT Infrastructure Manager and the network administrator. The questions sent to the IT Infrastructure Manager and network administrator are included in Appendix I.

• E-mail Correspondence

Apart from interviews and questionnaires, there was e-mail correspondence with the IT Infrastructure Manager and the network administrator.


ABC’s Information Security Framework

Table 2. Information Security Framework of ABC Company. Columns: Corporate Executives (CEO, Global ...), Business Unit Head (IT Director), Senior Manager (IT Infrastructure Manager), CIO/CISO (CIO).

Governance / Business Drivers (What am I required to do? / What am I afraid not to do?)
  Corporate Executives: Legislation / ROI
  Business Unit Head: Standards, policies and budgets
  Senior Manager: Standards, audit results
  CIO: Security policies, security operations, and resources

Roles and Responsibilities (How do I accomplish my objectives?)
  Corporate Executives:
    • Enforcing compliance with corporate policies
    • Compliance policy
    • Compliance assurance
    • Oversight of business unit with regulations
  Business Unit Head:
    • Responsible for coordination of policy
    • Enforce security policies
    • Works on recommendations provided by auditors
    • Ensures software maintenance, project management, system administration
  Senior Manager:
    • Ensure information systems are in compliance with security policies
    • Uses the COBIT framework for implementing controls
    • Implement procedures
    • Ensures training is provided to the employees
  CIO:
    • CIO implements control throughout the enterprise
    • Assists in classifying information

Metrics / Audit (How effectively do I achieve my objectives? What adjustments do I need to make?)
  Corporate Executives:
    • Financial reporting is confidential
  Business Unit Head:
    • Audits
    • Conforming to policies is done
    • Enforces violation policy
    • Monitors misuse of assets
    • Internal auditing
    • External auditing
    • Audit results are stored in a ...
  Senior Manager:
    • Risk assessment is done at each level
  CIO:
    • Security awareness effectiveness
    • Impact analysis


Findings: The Mapping

“Information security is often treated solely as a technology issue, when it should also be treated as a governance issue.” (Corner, Noonam & Holleyman, 2003)

Information security is not simply a technological issue. Different technologies can be used to address the security problem, but apart from technology, there should be proper policies and procedures in place which will handle information security issues more appropriately.

The information security framework chosen from the literature is mapped to the information security framework of ABC Company. The mapping is shown in Table 2. The horizontal axis of Table 2 consists of the various executives and the vertical axis shows the responsibilities that the different executives perform so as to ensure information security. Following are the responsibilities that the various executives of ABC Company have to perform so as to achieve information security.

• Corporate Executives

The corporate executives are involved in ensuring coordination and compliance of policies. Executives are involved to ensure compliance with different policies. For example, an executive ensures the policies are in compliance with SOX (Sarbanes-Oxley Act). The company also ensures that the user roles created are in compliance with SOX.

• Business Unit Head

Apart from corporate executives, Business Unit Heads are also involved in coordination of policies. The Business Unit Head, executives and senior managers examine the policy to ensure coordination of policies before implementing it. The Business Unit Head is also involved in project management, software implementation, and system administration. Business Unit Heads are allowed to take decisions regarding project management.

• Senior Manager

Senior managers also play an important role in ensuring information security. According to the policy of ABC Company, managers must adopt the COBIT control framework for implementing various controls. COBIT (Control Objectives for Information and related Technology) provides a set of best practices, procedures and practices which help the organization to meet business challenges. Also, a senior manager ensures that the training is provided to the ...

• Chief Information Officer (CIO)

The Chief Information Officer is involved in classifying information. Also, the CIO is involved in implementing controls throughout the enterprise. Regarding information classification, ABC Company has an internal team which works along with internal auditors for classifying information. Access to the information is provided based on user roles.

Apart from the roles and responsibilities of the executives, there are a few metrics/audits which help organizations to evaluate their results.

• Corporate Executives:

For the corporate executives, financial reporting is the metric which helps them to manage the organization. In the case of ABC Company, information regarding financial reporting is kept confidential due to security reasons.

• Business Unit Head:

The Business Unit Head makes sure there is no misuse of assets or violation of policy. ABC Company has a violations policy in place, which makes sure that there is no misuse of assets. In ABC Company, if a manager finds any misuse of assets or any employee who has violated the policy, then the manager is responsible for contacting Unit HR (Human Resources). Unit HR in turn will contact Corporate HR. Corporate HR will then designate a person. The designated person will take charge and carry out the necessary investigation. After the investigation, the report will be submitted and accordingly action will be taken against the employee.

In ABC Company, the Business Unit Head also works on the recommendations provided by external auditors. The audit results are stored in the ...

• Senior Manager:

Senior managers along with other executives perform risk assessment. Risk assessment is done at each level. For example, ABC Company performs risk assessment before providing access to a third party. Risk assessment is performed to identify potential risks, and necessary steps are taken.

• Chief Information Officer (CIO):

The CIO helps the organization to improve security awareness among the employees. A new employee will be given a handbook consisting of all the policies and standards the company follows. Also, the employees will have to take an online tutorial. The handbook and the online tutorial are the two ways through which the company spreads awareness among the employees.

The ABC Company has following policies and procedures:

Information Systems Access Controls Policy

 User Access Management (Sarbanes Oxley Standard Control)

They have defined access control management approach which consists of

a. Different types of access is provided (DBA, end user etc.)

b. Different types of network access is provided (Internal or remote)

c. Formal registration and deregistration process is followed.

 Inventory Management

For access to inventory management they use tiered method

 Passwords

The company has password policy which states that the password will

expire after 90 days…which makes sure that the user will change the

password. Also, the user has to sign the document which states that the

user should not disclose the password to anyone.

 Network Access Controls

Refer to Network connectivity policy

 Operating System Access Controls

The company has guidelines that should be followed when configuring

operating system.

 Application Access Controls and Segregation of Duties

Applications will control user access rights ( read, write, delete and


 Sensitive Systems Access Controls

Sensitive Systems Access Controls makes sure that the sensitive data is

maintained by data owners and will not be located on publicly accessible

network links.

 Mobile Handheld Devices

If the mobile contains company’s information then encryption controls

will be used.

IS Implementation and Administration Policy

 Security Requirement Analysis for individual or function-centric systems

Security requirement analysis is done so as to identify the security level

for a particular system. The security requirements are based on risk

assessment documents.

 Operational Systems

Only authorized users can modify the operational systems and has to

follow the documents.

 System Audit and Monitoring

Audit logs are maintained for the minimum of 30 days so as to identify the

intrusion or misuse.

 Enterprise Information Systems Services

Enterprise information services are centrally managed and for the

implementation of information services requires ISO’s written approval.

 Use of Production Data in Test Systems

Production data can be used for testing but the customer’s personal

information can not be used.

 Remote Access to Systems Policy

 Policy Roles and Responsibilities

Remote access

For the remote access they use VPN

 Anti Virus and Personal Firewalls

In order to provide security to the network they use firewall.

For the host security they use antivirus.

 Virus Protection and Patch Policy

Virus protection policy consists of following:

 Information Systems Virus Protection Policy

 General Controls, including application of Patches

 Perimeter Controls

 Workstation Controls

IT-Related Service Procurement Policy

 Services Procurement Policy

The company has established process for procurement

 Security Considerations

Following security considerations will be incorporated

 Procedures to protect assets

 Identified process for contract change management, system

maintenance, periodic reporting system, and reporting system


Information Security Governance and Compliance Policy

The company has Governance and compliance policy which consists of following:

 Compliance Policy

 Controls Governance

 CobiT Control Framework

 Intellectual Property Rights

 Corporate Information

 Privacy of Personal Information

 Monitoring for Information Asset Misuse

 Compliance with COMPANY Corporate Policies

 Required of COMPANY IT Managers

 Other Compliance Requirements and Emerging Regulations Compliance


 Ongoing Monitoring and Governance

IT Physical Security Policy

The company has the physical security policy which addresses:

 Information Systems Assets Protection

 Electrical Power Supply

 Cable Plant

 Wireless Communication Handheld Devices and Equipment Located Off-


E-Mail Administration Policy (Lotus Notes)

The company has e-mail policy in place which addresses

 Managing Mail Messages and Mail Forwarding

 Account Creation

 Account Deletion Client Password Resets

 Access for Out of Office Agent

 Mail File Quota

 Mail File Purging

 Archiving

 Delegated Access

Information Classification Policy

The company has information classification policy which will classify the information as

ownership information, public information, and internal use only.

Also, the company has policy for storage, disclosure, and destruction of information.

Third Party Access to Information Assets Policy

 Third Party Access Policy Risk Assessment Considerations

Risk assessment is done before prior to providing the access to third party.

Network Connectivity Policy

• Network and Device Connections

For network and device connections, the employee has to follow the

• Identification Network Categories

The company's network is divided into different categories.

• Remote User Access

Only authorized users are allowed to access the network remotely.

• Modems

The IT department has to maintain the list of modems used by the

• Wireless Network Connections

• Network Segmentation

Network segmentation is done to logically divide the network.

Human Resources Security Policy

• New Hires

New hires are made aware of the policies and of security.

• Background Checks

Background checks are done for new hires.

• Current Employee

Current employees will be provided with training.

• Exiting Employee

There is an exit process for employees.

• Contractors

Contractors will be made aware of their responsibilities to protect the confidentiality and security of the information as well as the system.

Acceptable Encryption Policy

• Cryptographic Controls

Cryptographic controls are used in order to ensure the confidentiality, integrity, and authenticity of information.

• Digital Signatures

Digital signatures are electronic signatures that make sure the message was sent by the authenticated sender. Digital signatures help to authenticate the source of messages and help to maintain the integrity of the message.

• Key Management

Key management addresses issues such as storage, exchange, use and



After mapping the information security frameworks, it was found that the chosen framework maps well onto the Company's information security framework. The only difference found between the two frameworks is that the roles and responsibilities of the drivers differ. Although the company has a proper information security framework in place, there are a few recommendations which

Following are the recommendations:

• Training:

To create a pervasive security culture, the value of information security to the corporation must be widely communicated. To reinforce behavioral change, various approaches may be undertaken. Employees should be trained in security awareness and appropriate security practices (Janice C. S & Burke T. W, 2008). Also, consultants should be made aware of all the policies and procedures.

• Password Policy:

The ABC Company has a password policy in place but has not implemented it. The password policy is an important security criterion.

• Confidentiality agreement:

In many cases, there is no confidentiality agreement with the third party contractors. For example, in many companies, when a consultant from another company joins the client location, the consultant has to sign a confidentiality agreement.

• Physical security:

There is no physical security for computer systems. The company should have lock systems which can prevent someone from stealing a PC or its hardware.


To the organization, information is the most vital asset. In order to protect information, the organization should have a proper information security framework in place. The organization should also note that the information security framework is an ongoing process. Continuous improvements, whether in response to environmental incidences or interview reviews, are important to ensure the adequate protection of information resources (Ezingeard & Bowen-Schrire, 2007). To assess the adequacy of current practices, measuring and reporting of risks, control issues, and vulnerabilities are necessary (Purtell, 2007).

In this era of increased cyber attacks and information security breaches, it is essential that all organizations give information security the focus it requires. To ensure information security, the organization should understand that information security is not solely a technological issue. The organization should also consider the non-technical aspects of information security while developing the information security framework.


ISO/IEC 17799:2005. Information technology - Security techniques - Code of practice for information security management. Retrieved December 17, 2008.

Yhan, G. (2005). ISO 17799: Scope and implementation – Part 1 Security Policy.

Baskerville, R., & Siponen, M. (2002). An information security meta-policy for emergent organizations. Logistics of Information Management, 15(5/6), 337-346.

COBIT 4.1 Executive Summary and Framework. (2008). Retrieved Nov 20, 2008, from

Governance, Risk Management, and Compliance. Retrieved Nov 20, 2008.

Hong, K.-S., Chi, Y.-P., Chao, L. R., & Tang, J.-H. (2007). An empirical study of information security policy on information security elevation in Taiwan. Information Management and Computer Security, 14(2), pages unavailable.

Luthy, D., & Forcht, K. (2006). Laws and regulations affecting information management and frameworks for assessing compliance. Information Management & Computer Security.

Vorster, A., & Labuschagne, L. (2005). A framework for comparing different information security risk analysis methodologies. Volume 150.

William S. (December 2007). Standards for Information Security Management. The Internet Protocol Journal, volume 10, No. 4. from

Barlas, S., Queen, R., Radowitz, R., Shillam, P., & Williams, K. (2007). Top 10 technology concerns. Strategic Finance, 88(10), 21.

Okin, S. (2006, January/February). Information security and the board: Keeping risk out and letting business in. SIM News, 1-3. Retrieved November 28, 2008 from

SIM (Society for Information Management). (2006, January/February). Security: Addressing a top concern for SIM members. SIM News. Retrieved November 28, 2008 from

Janice C. S., & Burke T. W. (2008). A Framework for Information Security Management based on Guiding Standards: A United States Perspective. Volume 5.

HITRUST Common Security Framework Overview. From http://www.hitrustalliance.org

Kark, K., Stamp, P., Penn, J., Koetzle, L., & Mulligan, J. A. (2007). Defining A High-Level Security Framework: Putting Basic Security Principles To Work. Retrieved December 10, 2008.

Curphey, M. (2008). Information security enlightenment from the Burton Group. From http://securitybuddha.com/2008/06/10/grc-why-its-of-limited-

Conner, B., Noonan, T., & Holleyman, R. (2003). Information Security Governance: Toward a Framework for Action [White paper]. From

Data collection and methods. Retrieved December 5, 2008.

Ezingeard, J.-N., & Bowen-Schrire, M. (2007). Triggers of Change in information security management practices. Journal of General Management, 32(4), 53-72.

Purtell, T. (2007). A new view on IT risk. Risk Management, 54(10), 28.


1. How many users does the company have in your organization?

2. What are the major applications the company uses? (List a few of them.)

3. How does the company provide security to the applications?

4. How does the company enforce the policy?

5. What is the access policy for: A. management people; B. technicians; C. people?

6. How does the company provide security to the network?

7. How does the company identify the risks? What are the ways in which you calculate the

8. Does the company have any framework for risk analysis and assessment?

9. Which security model does the company have?

10. When you encounter information theft or any other disaster, what procedure do you need to follow and who is the person in charge?

11. How does the company provide security to your network?

12. How do the corporate executives / managers ensure coordination of policies? What operations do they perform?

13. Does the company provide training to the business unit head / CIO / manager? How long? How often? Do they provide training to any other executives?

14. If the company provides training, what is the policy for training and how often do they provide training?

15. How does the CIO / security manager conduct security awareness? Training / memos / workshops / intranet / etc.?

16. How do the senior manager / manager ensure coordination of policy?

17. Does the company have any reporting policy? Reporting to whom? How often? What kind of

18. What different types of policy does the company have that ensure security?

19. Does a manager perform any periodic assessment of assets and the risks associated with assets? What results have been obtained in previous assessments?

20. Does the company have an information use and categorization plan? How does it work?

21. What actions does the company take after auditing is done and how does the company maintain audit results?

22. Does the company have a policy for violations, misuse of assets and internal control assets?

23. How does the company determine what level of security is appropriate?

24. As a Divisional director, what are your roles and responsibilities?

25. How does the company spread security awareness among the employees?

26. Does the company conduct any kind of surveys to check security awareness among the

27. Approximately how many users does the company have in your organization?

28. How many departments are there in your organization?

29. How are the branch offices / field offices connected to the main data center?

30. What are the major applications used by your organization?

31. Does the company have a framework for risk analysis?

32. How does the company perform risk assessment and analysis?

33. What are the metrics with which you evaluate the impact of the risks?

34. Does the company have a framework for information security?

35. How does the current information security framework help your organization?

36. How is people's access to information controlled?

37. How is secure communication between people ensured?

38. How is information security managed?

39. How is an information system developed in order to be secure?

40. What are the ways in which you achieve confidentiality, availability and integrity of

41. How does the company implement / enforce policies and procedures?

42. What are the policies and procedures that the organization follows in order to secure

43. How does the company provide access to the users?

44. What are the laws and regulations that affect the current information security framework?

45. Does the company follow any standard acts such as SOX, HIPAA or a framework such as COBIT etc.?



CEO: Chief Executive Officer

CIO: Chief Information Officer

COBIT: Control Objectives for Information and related Technology

DBA: Database Administrator

ERP: Enterprise Resource Planning

FICO: Financial Accounting and Controlling

HR: Human Resources

ISM: Information Security Management

ISP: Information Security Policy

IT: Information Technology

MM: Material Management

PP: Production Planning

QM: Quality Management

SAP: System Analysis and Program Development

SD: Sales and Distribution

SOX: Sarbanes-Oxley Act