a study on information security management system tic


Post on 05-Apr-2018


  • 7/31/2019 A Study on Information Security Management System tic

    1/67

    SRM UNIVERSITY
    (UNDER SECTION 3 OF UGC ACT 1956)

    A PROJECT REPORT
    ON
    A STUDY ON EFFECTIVENESS OF INFORMATION SECURITY MANAGEMENT

    Submitted in partial fulfillment of the requirements for the award of
    Master of Business Administration, SRM University

    SUBMITTED BY
    N. SHARAN KUMAR
    Reg No. 3511010667

    Under the Guidance of
    Dr. A. Chandra Mohan, SRM School of Management Studies
    Faculty of Management Studies

    SRM SCHOOL OF MANAGEMENT
    FACULTY OF ENGINEERING AND TECHNOLOGY
    SRM UNIVERSITY
    KATTANKULATHUR

    1


    MAY 2012

    DECLARATION

    I, N. SHARAN KUMAR, student of SRM University School of Management Studies, would like to declare that the Project entitled A STUDY ON EFFECTIVENESS OF INFORMATION SECURITY MANAGEMENT submitted to University School of Management Studies, Chennai in partial fulfillment of Master of Business Administration (MBA) final year Degree course from the SRM University.

    REGISTERED NO: 3511010667
    PLACE: Chennai
    DATE:
    Signature


    BONAFIDE CERTIFICATE

    This is to certify that the Project titled A STUDY ON EFFECTIVENESS OF INFORMATION SECURITY MANAGEMENT submitted by N. SHARAN KUMAR in partial fulfillment of the requirements of the Post Graduate Degree course in Masters of Business Administration (MBA) for the Academic year 2010-2012 in the subject of Finance Management is the original work of the above candidate.

    Head of MBA                        FACULTY IN-CHARGE
    (Dr. Jayashree Suresh)             (Dr. A. Chandra Mohan)


    Date: MAY 2012                     EXTERNAL IN-CHARGE
    Station: Chennai

    ACKNOWLEDGEMENT

    I express my gratitude to Dr. Mrs. Jayashree Suresh, Dean, SRM School of Management, and Dr. A. Chandra Mohan for providing an amazing environment for me to complete this project successfully.

    At the outset, no words are adequate to express my sincere thanks to Mr. (Head - HR) for granting this opportunity to have a widespread view and experience in the form of project work.

    I thank my relatives and friends for their assurance and encouragement. I am deeply indebted to my loving parents for their endurance and perseverance during the course of my study.


    ABSTRACT

    Although information security has traditionally been a technological discipline, the role and function of employees is an additional important part. Users can be both a threat and a resource in information security management. On the one hand, employees can produce or ignite threats and vulnerabilities. On the other hand, they are a precondition for safe and secure operation. As a consequence, information security management of employees is an important part of the total information security management in organizations.

    The general aim of this study is to explore the information security management of employees. This is approached by studying: users' function in and view on information security; measures aiming at improving individual information security performance; and information security management practice in organizations.

    Employee participation is evaluated to be the most effective process to improve individual information security performance, but is modestly used. An intervention study based on direct participation, dialogue and collective reflection in order to improve individual information security awareness and behavior showed significant improvements among participants. Employee participation is likely to improve the quality of technological and administrative security solutions; improve the usability of security technology; improve security professionals' knowledge of sharp-end information security activities; close the gap in understanding and communication between security managers and users; improve individual ownership, acceptance and motivation for information security; and ensure democratic rights that influence personal working conditions.

    The analysis of data was done using various statistical tools such as the Chi-square test, ANOVA, rank correlation etc.


    Among the 120 respondents, the majority are satisfied that the company uses a systematic approach for the identification, assessment and management of information security risks.

    TABLE OF CONTENTS

    CHAPTER NO   DESCRIPTION                              PAGE NO

    I            INTRODUCTION
                 1.1 Introduction                          1
                 1.2 Industry Profile                      5
                 1.3 Company Profile                      10
                 1.4 Review of Literature                  14

    II           MAIN THEME
                 2.1 Research Objectives                   19
                 2.2 Need for the study                    20
                 2.3 Scope of the study                    21
                 2.4 Research Problem                      22
                 2.5 Research Methodology                  23
                 2.6 Limitations of the study              25

    III          RESULT
                 3.1 Data Analysis & Interpretation        26
                 3.2 Research Findings                     54
                 3.3 Suggestions                           56
                 3.4 Conclusion                            57


    APPENDICES

    REFERENCES


    CHAPTER 1

    1.1 INTRODUCTION

    Information security has traditionally been technology-oriented, with a large number of technological security solutions available. However, with the widespread use of computers at both work and home; the increased connectivity and access to information; the communication channels made available by information technology; the convergence of technology; and the utilization of technology in new organizational forms and ways of organizing work, non-technological aspects of information security must now be considered in addition to technological aspects. This development implies that the role and function of users of information technology is important to deal with, since users might be a considerable threat to the security level as well as being essential resources to prevent incidents from happening.

    The general aim of the study is to explore information security management of employees. Information security is viewed in the framework of a socio-technical system. Technological, individual and organizational attributes, and the interactions between these, contribute to preserving information security in an organization. User performance is created by the organizational context. Organizational members' information security behavior and awareness are created by a combination of technology, workplace conditions and formal and informal organizational factors. Employees are important resources in the information security activities of an organization. It would be naive to neglect employees as a possible malicious threat, but in principle users are not the enemies within. To make use of this resource, employee participation is regarded as an important principle in all organizational processes.

    1


    1.1.1 OVERVIEW OF ISMS

    An Information Security Management System (ISMS) is a way to protect and manage information based on a systematic business risk approach, to establish, implement, operate, monitor, review, maintain, and improve information security. It is an organizational approach to information security.

    Information security is the protection of information to ensure:

    • Confidentiality: ensuring that the information is accessible only to those authorized to access it.
    • Integrity: ensuring that the information is accurate and complete and that the information is not modified without authorization.
    • Availability: ensuring that the information is accessible to authorized users when required.

    Information security is achieved by applying a suitable set of controls (policies, processes, procedures, organizational structures, and software and hardware functions).

    2


    1.1.2 INFORMATION SECURITY MANAGEMENT SYSTEM

    An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems. An ISMS is a set of policies concerned with information security management or IT-related risks.

    The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

    1.1.3 ISMS DESCRIPTION

    As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and external environment. ISO/IEC 27001 therefore incorporates the typical "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach:

    • The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
    • The Do phase involves implementing and operating the controls.
    • The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
    • In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.

    3


    1.1.4 NEED FOR AN ISMS

    Security experts say and statistics confirm that:

    • information technology security administrators should expect to devote approximately one-third of their time to addressing technical aspects. The remaining two-thirds should be spent developing policies and procedures, performing security reviews and analyzing risk, addressing contingency planning and promoting security awareness;
    • security depends on people more than on technology;
    • employees are a far greater threat to information security than outsiders;
    • security is like a chain: it is as strong as its weakest link;
    • the degree of security depends on three factors: the risk you are willing to take, the functionality of the system and the costs you are prepared to pay;
    • security is not a status or a snapshot but a running process.

    These facts inevitably lead to the conclusion that:

    Security administration is a management and NOT a purely technical issue.

    4


    1.2 INDUSTRY PROFILE

    Introduction:

    The software industry includes businesses involved in the development, maintenance and publication of computer software using any business model. The industry also includes software services, such as training, documentation, consulting and outsourcing under those business models.

    History:

    The word "software" had been coined as a prank by at least 1953, but did not appear in print until the 1960s. Before this time, computers were programmed either by customers or by the few commercial computer vendors of the time, such as UNIVAC and IBM. The first company founded to provide software products and services was Computer Usage Company in 1955. The software industry expanded in the early 1960s, almost immediately after computers were first sold in mass-produced quantities. Universities, government, and business customers created a demand for software. Many of these programs were written in-house by full-time staff programmers. Some were distributed freely between users of a particular machine for no charge. Others were done on a commercial basis, and other firms such as Computer Sciences Corporation (founded in 1959) started to grow. The computer-makers started bundling operating systems software and programming environments with their machines.

    The industry expanded greatly with the rise of the personal computer in the mid-1970s, which brought computing to the desktop of the office worker. In subsequent years, it also created a growing market for games, applications, and utilities. DOS, Microsoft's first operating system product, was the dominant operating system at the time. In the early years of the 21st century, another successful business model arose for hosted software, called software as a service, or SaaS; this was at least the third time this model had been attempted. SaaS reduces the concerns about software piracy, since it can only be accessed through the Web, and by definition no client software is loaded onto the end user's PC.

    Software sectors: The Global Scenario

    5


    There are several types of businesses in the software industry. Infrastructure software, including operating systems, middleware and databases, is made by companies such as Microsoft, IBM, Sybase, EMC, Oracle and VMware. Enterprise software, the software that automates business processes in finance, production, logistics, sales and marketing, is made by Oracle, SAP AG, Sage and Infor. Security software is made by the likes of Symantec, Trend Micro and Kaspersky. Several industry-specific software makers are also among the largest software companies in the world: SunGard, making software for banks, Blackboard, making software for schools, and companies like Qualcomm or CyberVision making software for telecom companies. Other companies do contract programming to develop unique software for one particular client company, i.e. outsourcing, or focus on configuring and customizing suites from large vendors such as SAP or Oracle.

    Leading companies: Mindshare and Marketshare

    In terms of technology leadership, the software industry has long been led by IBM. However, Microsoft became the dominant PC operating system supplier. Other companies that have substantial mindshare (not marketshare) in the software industry are Sun Microsystems, the developer of the Java platform (purchased by Oracle in 2010), Red Hat, for its open source momentum, and Google for its Google Docs. However, in terms of revenues coming from software sales, the software industry has clearly been dominated by Microsoft since its inception. Microsoft products are still sold in the largest numbers across the globe.

    Size of the industry:

    According to market researcher DataMonitor, the size of the worldwide software industry in 2008 was US$ 303.8 billion, an increase of 6.5% compared to 2007. The Americas account for 42.6% of the global software market's value. DataMonitor forecasts that in 2013, the global software market will have a value of US$ 457 billion, an increase of 50.5% since 2008.

    6


    Software Magazine's Top 10 ranking of 2011:

    1. International Business Machines
    2. Oracle Corporation
    3. Accenture
    4. Google
    5. Yahoo
    6. HP
    7. Symantec
    8. Capgemini
    9. Computer Sciences Corporation

    INDIA IT INDUSTRY:

    The Indian information technology (IT) industry has played a major role in placing India on the international map. The industry is mainly governed by IT software and facilities, for instance System Integration, Software experiments, Custom Application Development and Maintenance (CADM), network services and IT Solutions. According to Nasscom's findings, the Indian IT-BPO industry expanded by 12% during the fiscal year 2009 and attained aggregate returns of US$ 71.6 billion. Out of the derived revenue, US$ 59.6 billion was solely earned by the software and services division. Moreover, the industry witnessed an increase of around US$ 7 million in FY 2008-09, i.e. US$ 47.3 billion against US$ 40.9 billion accrued in FY 2008-09.

    IT Outsourcing in India:

    As per NASSCOM, IT exports in business process outsourcing (BPO) services attained revenues of US$ 48 billion in FY 2008-09 and accounted for more than 77% of the entire software and services income. Over the years India has been the most favorable outsourcing hub for firms on the lookout to offshore their IT operations. The factors behind India being a preferred destination are its reasonably priced labor, favorable business ambiance and availability of an expert workforce. Considering its escalating growth, IBM has plans to increase its business process outsourcing (BPO) functions in India besides employing 5,000 workers to assist its growth.

    7


    In the next few years, the industry is all set to witness some multi-million dollar agreements, namely:

    • A 5-year agreement between HCL Technologies and News Corp for administering its information centers and IT services in the UK. As per industry analysts, the pact is estimated to be in the range of US$ 200-250 million.
    • A US$ 50 million agreement between HCL Technologies and Meggitt, a UK-based security apparatus manufacturer, for offering engineering facilities.
    • Global giant Walmart has shortlisted its Indian IT dealers, namely Cognizant Technology Solutions, UST Global and Infosys Technologies, for a contract worth US$ 600 million.

    India's domestic IT Market:

    India's domestic IT market over the years has become one of the major driving forces of the industry. The domestic IT infrastructure is developing in the contexts of technology and intensity of penetration.

    In FY 2008-09, the domestic IT sector attained revenues worth US$ 24.3 billion as compared to US$ 23.1 billion in FY 2007-08, registering a growth of 5.4%. Moreover, the increasing demand for IT services and goods by India Inc has strengthened the expansion of the domestic market, with agreements rising extraordinarily to US$ 100 million. By FY 2012, the domestic sector is estimated to expand to US$ 1.7 billion against the existing US$ 1 billion.

    Government initiative in India's domestic IT Market:

    • The Indian government has established a National Taskforce on IT with the aim of formulating a durable National IT Policy for India.
    • Endorsement of the IT Act, which offers an authorized structure to assist electronic trade and electronic operations.

    8


    Major investments in India's domestic IT Market

    • According to the Andhra Pradesh Government, the state's SEZs and Software Technology Parks of India (STPI) will witness an investment of US$ 3.27 billion in the next few years.
    • VMware Inc, a San Francisco-based IT firm, is looking forward to investing US$ 100 million by 2010 in India.
    • EMC Corporation's total Indian assets are expected to reach US$ 2 billion by 2014.

    Indian Software Industry:

    The Indian Information Technology industry accounts for 5.19% of the country's GDP and export earnings as of 2010, while providing employment to a significant number of its tertiary sector workforce. More than 2.3 million people are employed in the sector either directly or indirectly, making it one of the biggest job creators in India and a mainstay of the national economy. In 2011, annual revenues from outsourcing operations in India amounted to US$ 54.33 billion, compared to China with US$ 35.76 billion and the Philippines with US$ 8.85 billion. India's outsourcing industry is expected to increase to US$ 225 billion by 2020.

    Recent trends in software Industry:

    The computer software industry, unlike the more traditional manufacturing and services industries, is coping with the current gloomy economic climate as best it can by concentrating on transforming interesting ideas into novel technology, must-have applications, and competitive maneuvering against rivals. Profits may be down at the moment but expectations, whether for companies like Microsoft, Apple, and IBM or Intel, Symantec and Oracle, remain quite high. Redmond, WA-based software giant Microsoft is currently battling the European Commission over inclusion of its Internet Explorer web browser in its operating system software.

    9


    Additional issues facing the computer software industry are piracy, a crime which may lessen once software applications are more often found and used on the Internet and are not available on individual computers; and portability, the transferability of software among operating systems.

    Future of software industry:

    Hardware, software, and people are the three basic ingredients of enterprise business technology. They provide the enterprise with an economic advantage through automated and improved business processes, increased employee productivity, and more accurate and precise information. The relationship between these three components has evolved over time. In the business technology era, we predict that managing the third part of the equation, people, will emerge as the dominant focus. As software applications become business services, the cost of human resources producing, operating, and managing software will soon be prohibitive and the new focal point.

    10


    1.3 COMPANY PROFILE

    Yamee Cluster

    We pride ourselves especially in our ability to deliver precise solutions within the stipulated time-limit and budget and to provide support after delivery. Yamee Cluster's global presence combined with its offshore delivery network delivers business and technology expertise to help organizations foster innovation and leverage leading-edge technologies for business improvement. By offering innovative yet flexible solutions combined with a solid delivery backbone, Yamee Cluster can work collaboratively with clients, thereby providing a high-value approach to your outsourcing strategy.

    Mission:

    Our mission is to emerge and propel as an international identity on the basis of our renowned solutions, while we continue to grow. We strive to deliver excellence by:

    • Implementing Innovative Ideas
    • Delivering Cost Effective Solutions
    • Being a trustworthy and fair business partner
    • Maintaining Quality Standards

    Vision:

    We strategize our business techniques and deliver unmatched quality solutions that exceed our customers' satisfaction. Our vision is to earn respect as an individual identity and emerge as an esteemed software service provider by:

    • Building and maintaining long term relationships
    • Delivering quality products
    • Providing innovative business solutions

    Services offered

    • Web Design, Development & Customized Web Solutions
    • Content Management Systems (CMS), Customer Relationship Management (CRM)
    • E-commerce (Shopping Cart, Payment Gateway)

    11


    • Quality Promoters / ISO Certification promoting Bodies
    • Training & Placement Services
    • Bulk SMS & Bulk Email Software
    • Software Development: Customized Software Solutions
    • On-site programmers and Offshore Project Based Exclusive Programmers for Clients
    • UI (User Interface) Design
    • Graphic Design, Artworks, Logo, Vector Art, Digitizing
    • Animation, Flash, Game Development
    • Open Source Customization
    • Application Development: iPad, iPhone, mobile, Android & Windows Phones
    • Interactive Web Applications
    • Analytics: Web, Data, Business
    • Online Advertising
    • Database Programming

    Skills

    • Microsoft .NET (ASP.NET, C#, VB .NET)
    • MySQL, MSSQL, Oracle, PostgreSQL, MS Access
    • AJAX, JavaScript, VBScript, jQuery
    • MAPI, TAPI, SAPI, HTML/DHTML, XHTML, XML/XSLT
    • Tomcat, Microsoft IIS, Apache, MS Exchange Server
    • Windows 9x/2000/CE/ME/NT/XP, Linux, FreeBSD, Symbian OS, Ubuntu
    • PHP Solutions, PHP5, CakePHP, Zend Framework Development, LAMP / WAMP Development
    • Graphic Design, Artworks, Logo, Vector Art, Digitizing
    • Joomla, Drupal, WordPress
    • Flash, Animation, CorelDraw, Photoshop
    • osCommerce, VirtueMart, Magento etc.

    Recent Clients

    • www.the-village.in
    • www.globeshine.com
    • www.afreshtech.com

    12


    • www.anupackersmovers.com
    • www.lavinz.com
    • www.gbtech.in
    • www.kimsindia.com
    • www.wintechdiamondprods.com
    • www.graceelevators.com
    • www.elimagchurch.com
    • www.indomodulars.com

    Our Management:

    Mr. Sasi Kumar R
    Founder, Managing Director
    Mobile: +91-9080247659 / +91-8148232188

    Past: Manager - Business Development at Lavinz Infraa Services; ICT Networks Onsite Project Manager at The Copycat Ltd; Network & Software Support Engineer at TATA Consultancy Services

    He is responsible for the overall strategy and focus of the company. He keeps updated with the latest technological developments in the BPO industry and brings extensive management experience to YAMEE CLUSTER.

    Mrs. Subhasmita Garnayak
    Executive HR

    Mrs. Subhasmita Garnayak is responsible for all types of HR activities.

    13


    1.4 REVIEW OF LITERATURE

    INFORMATION SECURITY MANAGEMENT

    Information security management (ISM) fundamentally emphasizes confidentiality (to ensure the privacy of information), integrity (to ensure that only authorized operations are performed on information), and availability (to ensure that functional systems are available) (Dhillon, 2007). Technical aspects of ISM include computer software and hardware control concepts such as encryption and network security (Dhillon, 2007). Non-technical aspects cover topics such as risk management, culture management, and regulatory compliance (Dhillon, 2007; Nosworthy, 2000; von Solms, 2001). As the field has grown, it has become evident that the non-technical aspects, because they are so closely tied to people's behaviour, are far more challenging to manage, and costlier when they fail, than the technical ones.

    Among the greatest risks in the field of ISM are insider threats (Humphreys, 2008; Theoharidou et al., 2005) and security awareness (Jones, 2007; Kelly, 2006; Siponen, 2000; Straub and Welke, 1998; von Solms, 2001; von Solms and von Solms, 2004). First, insider threats refer to threats originating from people who can access corporate systems and abuse such privileges for personal gain. Such misbehaviour violates the firm's security protections and leads to losses of both tangible and intangible assets. Second, according to the Information Security Forum (ISF) (2005), security awareness is defined as the extent to which organizational members understand the importance of information security, the level of security required by the organization and their individual security responsibilities, and act accordingly. Many security breaches could have been prevented had people been knowledgeable and aware of the implications of their actions.

    A case in point that shows how critical people factors are to ISM is the explicit inclusion of human resource security controls in ISO/IEC 27001 and 27002 (previously ISO/IEC 17799) (Humphreys, 2008; Theoharidou et al., 2005). They require that organizations establish HR practices such as conducting background and reference checks, requiring employees to sign confidentiality agreements, offering security awareness and training programs, and deleting all computer accounts associated with terminated employees. In sum, because people factors have significant implications for ISM, the role of human resource management must be acknowledged and strategically planned to support ISM.

    Rather than technology, people factors such as security awareness and insider threats are the more significantly challenging to manage, and they are now considered more than ever to be fundamentally critical to the field of information security management (ISM) (Chang and Lin, 2007; Dhillon, 2007; Ruighaver et al., 2007; Schultz, 2004; Siponen, 2000; von Solms, 2001; von Solms and von Solms, 2004). As a result, the potential role of human resource management (HRM) in ISM cannot be ignored. Indeed, both the 2007 Deloitte Global Security Survey and the 2007 Ernst & Young Global Information Security Survey suggest that how an organization screens and employs people is crucial, that simple criminal background checks are not enough, and that security training and awareness programs need to be emphasized and provided, because how employees deal with information essentially represents risk. In short, since HR practices such as staffing and training appear to be pivotal to ISM, it is more critical than ever to shift the role of HRM in organizations from the traditionally passive to the strategically active.

    Securing infrastructure is one of the most critical issues facing businesses and governments worldwide today, as it becomes conventional wisdom that the health of the collective cyber community is vital to the growth and stability of the global economy. As an outgrowth of that realization, it is becoming widely accepted that information security professionals are critical to protecting the trusted environment in which global Internet communications, instant information access, and business transactions are made possible every day.

    It has become conventional wisdom among information security professionals that people are the most critical part of effectively securing an organization. From the staff accountant end user to the Board of Directors, every person involved in an organization plays a role in that organization's security. This includes having first-rate information security personnel to create policies and oversee implementation, obtaining management buy-in and support for the security program, and ensuring that employees throughout the enterprise understand, respect and evangelize security policy.

    Why are people so important in the security equation? They are highly unpredictable, and even the most comprehensive awareness program cannot ensure that all employees will make the right security choices 100% of the time. Conscious of it or not, employees are faced every hour with decisions that can impact the security of an organization's or its customers' data. The most expensive intrusion detection system in the world can be breached by an employee simply divulging their password over the phone to a company impostor. And employees take laptops home every day that may contain sensitive customer data. Technology cannot prevent or protect against human error, which is the cause of up to 42 percent of all data breaches [1]. It is only with a careful balance of people, policy and processes that an organization can effectively manage its risks.

    While information security professionals are obviously integral to managing an organization's risk, they alone cannot corral the human variable present in all organizations. That is why many information security professionals believe there is a critical need to partner more closely with the one department that deals exclusively with the human component of the organization: human resources.

    The international standard for information security management, ISO/IEC 17799, describes information security as the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. If not mitigated, these threats can destroy a company's reputation, violate a consumer's privacy, result in the theft or destruction of intellectual property, and, in some cases, endanger lives.

    Twenty years ago, the field of information security was in its infancy. Many companies did not take threats to their infrastructure seriously. For those companies that did, the majority of people responsible for protecting information assets did not have a formal background or education in the field and obtained their experience in information technology or related disciplines, transferring into information security only as the need arose. Information security professionals frequently reported to someone in IT and did not carry much weight with upper management.

    Today, driven by increasing regulations and the desire to maximize global commerce opportunities, protecting information assets has become one of the most important functions within any organization, public or private. For this reason, organizations increasingly rely on information security professionals to implement a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. These controls need to be established, implemented, and continually monitored, reviewed and improved to ensure that the specific security and business objectives of the organization are met.

    The 2006 Global Information Security Workforce Study (GISWS), sponsored by (ISC)² (pronounced ISC-squared), reported that the number of information security professionals worldwide in 2006 was approximately 1.5 million. This figure is expected to increase to slightly more than 2 million by 2010, displaying a compound annual growth rate (CAGR) of 7.8 percent from 2005 to 2010, compared to 4.6 percent of projected growth in the number of IT employees globally in the same timeframe.

    After surveying more than 4,000 information security professionals worldwide, the GISWS indicated that more than 37 percent of respondents work for organizations with annual revenue of one billion or more, and more than 62 percent work for organizations with at least 1,000 employees. Often, information security professionals are found in the greatest numbers in organizations whose mission is to safeguard critical infrastructure, such as government defense agencies, telecommunications and the financial industry. Because the profession is still relatively new, many small to medium businesses do not have a security department at all.

    A common misconception of information security is that it is a function of IT. While it may have begun in the IT department, information security is a highly specialized function, and its influence has grown exponentially in recent years as executives have seen both the necessity for and the returns on investment in information security. Today, information security professionals often have a seat in the executive boardroom, enabling them to make valuable recommendations during the earliest stages of business initiatives.

    Another common misconception is that the information security professional's job functions are similar to those of IT professionals. In fact, information security responsibilities can run the gamut, from risk management to computer forensics. Each responsibility can require vastly different skill sets and experience beyond the bits and bytes of IT.

    CHAPTER 2


    MAIN THEME OF THE STUDY

    2.1 RESEARCH OBJECTIVES

    The main objective is to explore the information security management of employees.

    1. To study employees' responsibility towards information security.

    2. To study the managerial and operational functions of the information security management system.

    3. To analyze the integration functions of the information security management system.

    4. To analyze whether there is a common view of information security among employees and top management of a company.

    5. To reduce the risk to their work.

    2.2 NEED FOR THE STUDY

    1. In today's globally networked environment, information and the corresponding information systems are of enormous significance to their users. Securing that information and incorporating it into an overall corporate or enterprise governance approach are critical.

    2. Too often, enterprise information security has been dealt with, or relegated, as a technology issue with little or no consideration given to holistic enterprise priorities and requirements.

    3. All information systems users (e.g., management, staff, business partners) need to understand their roles and responsibilities in protecting the confidentiality, availability and integrity of the organization's information assets.

    2.3 SCOPE OF THE STUDY

    Every organizational member who uses a computer is a user, regardless of knowledge, skills, authority or the situation in which the computer is used. As a result there are many different kinds of users. This study concentrates on users who are employees in an organization and on their use of computers at work. The studied employees have no particular information security expertise. The study examines how users operate on a daily basis in interplay with other organizational members, technology and organizational structures and norms, i.e. normal proactive operation rather than a reactive view of critical actions creating incidents. I thus assume that employees are, in principle, not enemies within, but rather important resources in the information security activities of an organization.

    2.4 RESEARCH PROBLEM

    Many companies struggle to reach a good level of information security, since employees lack training and do not follow internal information security policies. I believe that employees and top-level management focus differently on information security issues, owing to their different work tasks, responsibilities and information security skills. Behaviour models that account for technology, environment and people may explain how policies can be improved. The difference in focus may create a gap that leads to problems such as weak password security, uncertainty about how to handle sensitive data properly, and failure to take appropriate action on these matters.

    2.5 RESEARCH METHODOLOGY

    AIM OF THE RESEARCH

    The general aim of the study is to explore the information security management of employees.

    RESEARCH AREA:

    The area of study covers the information security management system followed in Yamee Cluster.

    RESEARCH UNIT:

    Yamee Cluster, Chennai.

    RESEARCH APPROACH:

    Descriptive approach.

    RESEARCH PERIOD:

    Two months

    DATA SOURCES

    PRIMARY DATA: Primary data were collected from the respondents through personally administered interviews using a structured questionnaire.

    SECONDARY DATA: The secondary data have been collected from the company records and the website http://www.yamee.co.in/.

    RESEARCH INSTRUMENT

    The questionnaire consists of open-ended, dichotomous, closed-ended and 3-point scale questions.

    SAMPLE UNIVERSE:

    240 employees (All levels)

    SAMPLE SIZE:

    The sample size is taken as 120.

    SAMPLING METHOD:

    Convenient random sampling

    DATA COLLECTION METHOD:

    Interview

    STATISTICAL TOOLS

    1. Percentage analysis

    2. Chi-square test.

    3. Weighted average

    4. Rank correlation

    5. ANOVA.

    2.6 LIMITATIONS OF THE STUDY

    The thesis does not deal extensively with the technological aspects of information security. However, it is difficult to avoid mentioning the technology in a mainly technological field of research and practice. The technology is important to information security and must not be forgotten, although it plays a minor part in this thesis. There are many information security means, methods and processes, which can be technological, formal or informal. This thesis concentrates on the different types of measures directed at users, i.e. those aiming at improving and maintaining the quality of users' awareness and behaviour.

    CHAPTER 3

    3.1 DATA ANALYSIS AND INTERPRETATION


    3.1.1 Distribution of respondents based on age group

    Table no.3.1.1

    S.no  Employee age group  Number of respondents  Percentage of respondents
    1     Up to 20            8                      6.66
    2     21-30               46                     38.33
    3     31-40               34                     28.33
    4     41-50               21                     17.5
    5     >50                 11                     9.18
          Total               120                    100

    Figure 3.1.1.1 Employee age group (bar chart of percentage of respondents against age group; values as in Table no.3.1.1)

    Inference: From the above table it is inferred that 40% of the employees belong to the age group 21-30 and 30% to the age group 31-40. It shows that the majority of the employees are in the middle age groups.

    3.1.2 Split-up of respondents based on gender

    Table no 3.1.2

    S.no  Gender  Number of respondents  Percentage of respondents
    1     Male    97                     80.83
    2     Female  23                     19.17
          Total   120                    100

    Figure 3.1.2.1 Based on gender (pie chart; Male 80.83%, Female 19.17%)

    Inference: It is inferred that 81% of the employees are male and only 19% are female. It shows that the majority of employees are male.

    3.1.3 Split-up of respondents based on marital status

    Table no.3.1.3

    S.no  Marital Status  Number of respondents  Percentage of respondents
    1     Single          76                     63.33
    2     Married         44                     36.67
          Total           120                    100

    Figure 3.1.3.1 Based on marital status (pie chart; Single 63.33%, Married 36.67%)

    Inference: From the above table it is inferred that 63% of the employees are single and 37% are married. It seems that the majority of the employees are single.

    3.1.4 Distribution of respondents based on employees' qualification

    Table no.3.1.4

    S.no  Employees' qualification  Number of respondents  Percentage of respondents
    1     Graduate                  72                     60
    2     Post graduate             38                     31.67
    3     Others                    10                     8.33
          Total                     120                    100

    Figure 3.1.4.1 Employees' qualification (bar chart of percentage of respondents against qualification; values as in Table no.3.1.4)

    Inference: From the above table it is inferred that 60% of the employees are graduates and 32% are post graduates. It shows that the majority of the employees are graduates, and only 8% belong to others.

    3.1.5 Distribution of respondents based on length of service

    Table no.3.1.5

    S.no  Length of service  Number of respondents  Percentage of respondents
    1     Up to 5 yrs        63                     52.5
    2     6-10 yrs           45                     37.5
    3     > 10 yrs           12                     10
          Total              120                    100

    Figure 3.1.5.1 Length of service (bar chart of percentage of respondents against length of service; values as in Table no.3.1.5)

    Inference: It is inferred that 53% of the employees have rendered up to 5 years of service and 37% between 6 and 10 years. It shows that the majority of employees have been with the organization for a long duration.

    3.1.6 Distribution of respondents based on salary

    Table no.3.1.6

    S.no  Particulars   Number of respondents  Percentage of respondents
    1     Up to 10,000  61                     50.83
    2     11000-30000   38                     31.67
    3     >30000        21                     17.5
          Total         120                    100

    Figure 3.1.6.1 Respondents based on salary (bar chart of percentage of respondents against salary band; values as in Table no.3.1.6)

    Inference: It is inferred that 51% of the employees earn a salary of up to 10,000 and 32% earn between 11,000 and 30,000. It shows that only a few employees earn more than 30,000.

    3.1.7 Analysis on whether the job description specifies the security responsibilities of employees

    Table no.3.1.7

    S.no  Particulars  Number of respondents  Percentage of respondents
    1     Yes          116                    96.67
    2     No           4                      3.33
          Total        120                    100

    Figure 3.1.7.1 Job description (pie chart; Yes 96.67%, No 3.33%)

    Inference: It is inferred that 97% of the employees are aware that the job description specifies their security responsibilities, and only 3% are unaware. It shows that the organization places great importance on specifying the security responsibilities of employees.

    3.1.8 Analysis on the security education and training provided to employees

    Table no.3.1.8

    S.no  Particulars  Number of respondents  Percentage of respondents
    1     Agree        101                    84.16
    2     Disagree     19                     15.9
          Total        120                    100

    Figure 3.1.8.1 Security education and training (pie chart; Agree 84.16%, Disagree 15.9%)

    Inference: From the above table it is inferred that 84% of the employees agree that they avail of security education and training, and only 16% disagree. It seems that the majority of the employees are availing of security education and training.

    3.1.9 Analysis on the familiarity of information security policies among employees

    Table no.3.1.9

    S.no  Particulars  Number of respondents  Percentage of respondents
    1     Extremely    86                     71.67
    2     Moderately   34                     28.33
    3     Not at all   0                      0
          Total        120                    100

    Figure 3.1.9.1 Familiarity of information security policies (bar chart of percentage of respondents against familiarity level; values as in Table no.3.1.9)

    Inference: From the above table it is inferred that 72% of the employees are extremely familiar with the information security policies and 28% are moderately familiar. It seems that the majority of the employees are familiar with the information security policies.

    3.1.10 Analysis on the top management support towards information security controls

    Table no.3.1.10

    S.no  Particulars        Number of respondents  Percentage of respondents
    1     To a great extent  104                    86.67
    2     Somewhat           12                     10
    3     Very little        4                      3.33
    4     Not at all         0                      0
          Total              120                    100

    Figure 3.1.10.1 Top management support (bar chart of percentage of respondents against extent of support; values as in Table no.3.1.10)

    Inference: It is inferred that 87% of the employees are satisfied with top management support towards information security controls and only 3% report very little support. It shows that only a few employees seek much more support from top management.

    3.1.11 Analysis on whether the security awareness program is provided to the employees

    Table no.3.1.11

    S.no  Particulars            Number of respondents  Percentage of respondents
    1     Sure to Happen         51                     42.5
    2     Very likely to Happen  22                     18.33
    3     Likely to Happen       32                     26.67
    4     Might Happen           12                     10
    5     Won't Happen           3                      2.5
          Total                  120                    100

    Figure 3.1.11.1 Security awareness program (bar chart of percentage of respondents against likelihood; values as in Table no.3.1.11)

    Inference: It is inferred that 43% of the employees agreed that the security awareness program is provided to them and 27% answered "likely to happen". It shows that there is a moderate occurrence of the security awareness program in the organization.

    3.1.12 Analysis on the password management training provided to employees

    Table no.3.1.12

    S.no  Particulars  Number of respondents  Percentage of respondents
    1     Agree        95                     79.20
    2     Undecided    20                     16.67
    3     Disagree     5                      4.16
          Total        120                    100

    Figure 3.1.12.1 Password management training (bar chart of percentage of respondents against response; values as in Table no.3.1.12)

    Inference: It is inferred that 79% of the employees agreed that password management training is provided to them, and 17% are undecided. It shows that the organization has to concentrate on this issue.

    3.1.13 Analysis on the co-operation of information security measures among employees

    Table no.3.1.13

    S.no  Particulars    Number of respondents  Percentage of respondents  Size  Total Score  W.A
    1     Enthusiastic   35                     29.20                      35*5  175
    2     Cooperative    62                     51.67                      62*4  248
    3     Neutral        13                     10.83                      13*3  39           4.0
    4     Uncooperative  8                      6.67                       8*2   16
    5     Disruptive     2                      1.67                       2*1   2
          Total          120                    100                              480

    Figure 3.1.13.1 Co-operation of information security measures (horizontal bar chart of percentage of respondents against response; values as in Table no.3.1.13)

    Inference: It is inferred that 29% of the employees are enthusiastic about the co-operation of information security measures among them and 52% are cooperative. Since the weighted average on the co-operation of information security measures among employees is 4.0, it shows a good relationship among employees.

    3.1.14 Analysis on the allocation of information security roles and responsibilities

    Table no.3.1.14

    S.no  Particulars  Number of respondents  Percentage of respondents  Size  Total Score  W.A
    1     Exceeded     87                     72.5                       87*4  348
    2     Met          30                     25                         30*3  90
    3     Nearly met   3                      2.5                        3*2   6            3.7
    4     Missed       0                      0                          0     0
          Total        120                    100                              444

    Figure 3.1.14.1 Allocation of information security roles and responsibilities (bar chart of percentage of respondents against response; values as in Table no.3.1.14)

    Inference: From the above table it is inferred that 73% of the employees are satisfied with the allocation of information security roles and responsibilities and 25% are moderately satisfied. Since the weighted average on the allocation of information security roles and responsibilities is 3.7, it shows that the organization performs well in allocating the information security roles and responsibilities.

    3.1.15 Analysis on whether any special training, such as on psychological manipulation, is provided to employees

    Table no.3.1.15

    S.no  Particulars  Number of respondents  Percentage of respondents  Size  Total Score  W.A
    1     Often        29                     24.20                      29*4  116
    2     Sometimes    48                     40                         48*3  144
    3     Seldom       10                     8.33                       10*2  20           2.6
    4     Never        33                     27.5                       33*1  33
          Total        120                    100                              313

    Figure 3.1.15.1 Special training (bar chart of percentage of respondents against frequency; values as in Table no.3.1.15)

    Inference: From the above table it is inferred that 40% of the employees state that they receive special training sometimes and 24% that it is held often. Since the weighted average on the special training provided to employees is 2.6, it shows that the organization should concentrate on improving the occurrence of special training.
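Tables 3.1.13 to 3.1.15 report a weighted average (W.A) without spelling out how it is obtained. The following Python block is an added example and not part of the original report: it reproduces the Size, Total Score and W.A columns from the response counts copied out of those three tables, assigning the highest weight to the most favourable option (5 = Enthusiastic down to 1 = Disruptive) as the tables do, and it also produces the percentage column used in every table of this chapter. The function names are this example's own; where the report's percentage column rounds differently (for instance 29.20 for 35 of 120 respondents), the code gives the exact two-decimal value.

```python
"""Weighted-average (W.A) scoring of Likert-style survey responses.

Added example (not from the report): rebuilds the Size, Total Score and
W.A columns of Tables 3.1.13-3.1.15 from their response counts, and the
percentage column used throughout the chapter.
"""
from typing import Dict, List, Tuple


def percentage_column(counts: Dict[str, int]) -> Dict[str, float]:
    """Percentage of respondents choosing each option, to two decimals."""
    n = sum(counts.values())
    if n == 0:
        raise ValueError("no respondents")
    return {opt: round(100.0 * c / n, 2) for opt, c in counts.items()}


def scale_weights(options: List[str]) -> Dict[str, int]:
    """Assign weights k, k-1, ..., 1 to options listed from most to least
    favourable, which is the scale the report's tables use."""
    k = len(options)
    return {opt: k - i for i, opt in enumerate(options)}


def weighted_average(counts: Dict[str, int],
                     weights: Dict[str, int]) -> Tuple[int, float]:
    """Return (total score, W.A).

    total score = sum over options of count * weight (the report's "Size"
    column, e.g. 35*5); W.A = total score / number of respondents, rounded
    to one decimal as the tables print it.
    """
    n = sum(counts.values())
    if n == 0:
        raise ValueError("no respondents")
    total = sum(counts[opt] * weights[opt] for opt in counts)
    return total, round(total / n, 1)


def score_table(counts: Dict[str, int]) -> dict:
    """Full table for one question: percentages, total score and W.A."""
    weights = scale_weights(list(counts))   # dict order = table order
    total, wa = weighted_average(counts, weights)
    return {"n": sum(counts.values()),
            "percent": percentage_column(counts),
            "size": {opt: f"{c}*{weights[opt]}" for opt, c in counts.items()},
            "total_score": total,
            "wa": wa}


# Response counts copied from the report's tables (120 respondents each).
COOPERATION = {"Enthusiastic": 35, "Cooperative": 62, "Neutral": 13,
               "Uncooperative": 8, "Disruptive": 2}                   # Table 3.1.13
ROLE_ALLOCATION = {"Exceeded": 87, "Met": 30, "Nearly met": 3,
                   "Missed": 0}                                       # Table 3.1.14
SPECIAL_TRAINING = {"Often": 29, "Sometimes": 48, "Seldom": 10,
                    "Never": 33}                                      # Table 3.1.15


if __name__ == "__main__":
    for name, counts in (("3.1.13", COOPERATION),
                         ("3.1.14", ROLE_ALLOCATION),
                         ("3.1.15", SPECIAL_TRAINING)):
        t = score_table(counts)
        print(f"Table {name}: total score {t['total_score']}, W.A {t['wa']}")
        for opt in counts:
            print(f"  {opt:14s} {counts[opt]:4d} {t['percent'][opt]:6.2f}% "
                  f"{t['size'][opt]}")
```

Running the block prints total scores of 480, 444 and 313 and weighted averages of 4.0, 3.7 and 2.6, matching the three tables; the W.A is simply the mean weight over all 120 respondents, so it lies between 1 and the number of options and is only comparable across questions that use the same number of scale points.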

    3.1.16 Analysis on whether the organization communicates policy updates regularly to employees

    Table no.3.1.16

    S.no  Particulars        Number of respondents  Percentage of respondents
    1     Very good          95                     79.20
    2     Good               21                     17.5
    3     Barely Acceptable  4                      3.33
    4     Poor               0                      0
    5     Very poor          0                      0
          Total              120                    100

    Figure 3.1.16.1 Policy updates regularly (bar chart of percentage of respondents against rating; values as in Table no.3.1.16)

    Inference: From the above table it is inferred that 79% of the employees agree that the organization communicates policy updates regularly to employees and 18% agree moderately. It shows the efficiency of the organization in communicating policy updates regularly to employees.

    3.1.17 Analysis on regular updating of the security policy

    Table no.3.1.17

    S.no  Particulars   Number of respondents  Percentage of respondents
    1     Frequently    96                     80
    2     Occasionally  18                     15
    3     Rarely        6                      5
    4     Never         0                      0
          Total         120                    100

    Figure 3.1.17.1 Updating of security policy (bar chart of percentage of respondents against frequency; values as in Table no.3.1.17)

    Inference: From the above table it is inferred that 80% of the employees agree that the organization updates the security policy frequently and 15% agree moderately. It shows that only a few of them opted for "rarely" regarding the updating of the security policy.

    3.1.18 Analysis on whether information security is aimed more at the human or the technical side

    Table no.3.1.18

    S.no  Particulars     Number of respondents  Percentage of respondents
    1     Human side      59                     49.20
    2     Technical side  61                     50.83
          Total           120                    100

    Figure 3.1.18.1 Information security is aimed more at (pie chart; Human side 49.2%, Technical side 50.83%)

    Inference: From the above table it is inferred that 51% of the employees consider that information security is aimed more at the technical side and 49% at the human side. It shows that employees believe strongly in the technical aspects.

    3.1.19 Analysis on whether the facilities offered are adequate for a secured workstation

    Table no 3.1.19

    S.no  Particulars        Number of respondents  Percentage of respondents
    1     Strongly agree     29                     24.20
    2     Agree              47                     39.16
    3     Neutral            29                     24.20
    4     Disagree           10                     8.33
    5     Strongly disagree  5                      4.16
          Total              120                    100

    Figure 3.1.19.1 Facilities offered are adequate for secured workstation (bar chart of percentage of respondents against response; values as in Table no 3.1.19)

    Inference: From the above table it is inferred that 39% of the employees agree that the facilities offered are adequate for a secured workstation, 24% strongly agree and 24% are neutral. It shows that the organization should concentrate on this area.

3.1.20 Analysis on the regular upgradation of software by the organization

Table no 3.1.20

S.no  Particulars        Number of respondents  Percentage of respondents
1     Strongly agree      54                    45
2     Agree               33                    27.6
3     Neutral             16                    13.33
4     Disagree             7                     5.83
5     Strongly disagree   10                     8.33
      Total              120                   100

Figure 3.1.20.1: Regular upgradation of software (bar chart, percentage of respondents by Particulars; categories Extremely, Very, Moderately, Slightly, Not at all; legible bar values 53.33, 27.6, 13.33, 5.83)

Inference: From the above table it is inferred that 53% of the employees agree on the regular upgradation of software by the organization, 28% agree very moderately and 16% agree slightly. It shows that the organization should upgrade software regularly for an efficient workstation.

3.1.21 Analysis on whether security awareness is merely educating employees rather than providing training.

Table no 3.1.21

S.no  Particulars  Number of respondents  Percentage of respondents
1     True          120                   100
2     False           0                     0
      Total         120                   100

Figure 3.1.21.1: Security awareness is mere educating (pie chart: True 100%, False 0%)

Inference: From the above table it is inferred that 100% of the employees agree that security awareness is merely educating employees rather than providing training. It shows that employees strongly believe that security awareness is mere education.

    3.1.22 Analysis on the security awareness training provided to the employees

Table no 3.1.22

S.no  Particulars      Number of respondents  Percentage of respondents
1     General           107                   89.20
2     Department wise    13                   10.83
      Total             120                  100

Figure 3.1.22.1: Security awareness training (pie chart: General 89%, Department wise 11%)

Inference: From the above table it is inferred that 89% of the employees said that the security awareness training provided to them is general and 11% said it is department wise. It shows that the organization provides its employees with generalized training.

3.1.23 Analysis on whether the existing information security system meets the security objectives.

Table no 3.1.23

S.no  Particulars       Number of respondents  Percentage of respondents
1     One of the best    102                   85
2     Above average       18                   15
3     Average              0                    0
4     Below average        0                    0
5     One of the worst     0                    0
      Total              120                  100

Figure 3.1.23.1: Existing information security system (bar chart, percentage of respondents by Particulars: One of the best 85, Above average 15, Average 0, Below average 0, One of the worst 0)

Inference: From the above table it is inferred that 85% of the employees rated the existing information security system as one of the best and 15% rated it above average. It shows that the existing information security system meets the security objectives effectively.

DATA ANALYSIS AND INTERPRETATION

STATISTICAL TOOL APPLICATION

CHI-SQUARE TEST

3.1.24 FIXING THE PROBLEM ON OCCURRENCE OF SECURITY AWARENESS PROGRAM

S. no  Particulars            No. of Respondents  Percentage
1.     Sure to happen          51                 42.5%
2.     Very likely to happen   22                 18.33%
3.     Likely to happen        32                 26.67%
4.     Might happen            12                 10%
5.     Won't happen             3                  2.5%

Null hypothesis H0: There is no significant difference between the occurrences of the security awareness program.

Alternative hypothesis H1: There is a significant difference between the occurrences of the security awareness program.

CHI-SQUARE TEST

Table 3.1.24

O    E    (O-E)  (O-E)²  (O-E)²/E
51   24    27     729     30.38
22   24    -2       4      0.17
32   24     8      64      2.67
12   24   -12     144      6.00
 3   24   -21     441     18.37
Total                     57.59

$E = 120/5 = 24$

$\chi^2 = \sum \frac{(O-E)^2}{E} = 57.59$

$df = r - 1 = 5 - 1 = 4$

The table value of chi-square for 4 d.f. at the 5% level of significance is $\chi^2_{0.05}(4) = 9.49$.

Since the calculated value is greater than the table value, we reject the null hypothesis. Hence it is concluded that there is a significant difference between the observed and expected values.
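The chi-square working above, recomputed in Python as an added example (not part of the report): the observed counts are those of Table 3.1.24, and the expected count of 24 per cell and the 5% table value of 9.49 are the ones the report uses. Summing the exact row contributions gives 57.58; the report's 57.59 comes from rounding each row to two decimals first.

```python
"""Chi-square goodness-of-fit test on the survey counts of Table 3.1.24.

Added example, not the report's own code. Under H0 every answer is equally
likely, so the expected count per cell is 120 / 5 = 24.
"""
from typing import List, Optional, Tuple

# Observed respondents per answer, in the order of Table 3.1.24:
# Sure to happen, Very likely, Likely, Might happen, Won't happen.
OBSERVED = [51, 22, 32, 12, 3]

# 5% critical value of chi-square for 4 degrees of freedom, as quoted
# in the report.
CHI2_CRIT_5PCT_DF4 = 9.49

Row = Tuple[int, float, float]  # (O, E, (O-E)^2/E)


def chi_square_gof(observed: List[int],
                   expected: Optional[List[float]] = None
                   ) -> Tuple[float, int, List[Row]]:
    """Chi-square goodness-of-fit statistic.

    `expected` defaults to a uniform split of the total across the cells,
    which is the H0 of Table 3.1.24. Returns (chi2, df, rows) with one
    (O, E, (O-E)^2/E) row per cell so the working can be tabulated.
    """
    if len(observed) < 2 or any(o < 0 for o in observed):
        raise ValueError("need at least two non-negative cell counts")
    total = sum(observed)
    if expected is None:
        expected = [total / len(observed)] * len(observed)
    if len(expected) != len(observed) or abs(sum(expected) - total) > 1e-9:
        raise ValueError("expected counts must match the cells and sum to the total")
    rows = [(o, e, (o - e) ** 2 / e) for o, e in zip(observed, expected)]
    chi2 = sum(r[2] for r in rows)
    df = len(observed) - 1  # r - 1 = 4 for five answers
    return chi2, df, rows


def reject_null(chi2: float, critical: float) -> bool:
    """True when the calculated statistic exceeds the table value."""
    return chi2 > critical


if __name__ == "__main__":
    chi2, df, rows = chi_square_gof(OBSERVED)
    print(f"{'O':>4} {'E':>6} {'(O-E)^2/E':>10}")
    for o, e, contrib in rows:
        print(f"{o:>4} {e:>6.1f} {contrib:>10.2f}")
    print(f"chi2 = {chi2:.2f}, df = {df}, table value = {CHI2_CRIT_5PCT_DF4}")
    print("reject H0" if reject_null(chi2, CHI2_CRIT_5PCT_DF4) else "do not reject H0")
```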

3.1.24 RANK CORRELATION - A comparison of the facilities offered and the upgradation of software.

Table no 3.1.25

S.NO  Particulars        Facilities offered (Xi)  Upgradation of software (Yi)
1     Strongly Agree      29                       54
2     Agree               47                       33
3     Undecided           29                       16
4     Disagree            10                        7
5     Strongly Disagree    5                       10

Rank(Xi)  Rank(Yi)  Di = Rank(Xi) - Rank(Yi)  Di²
3.5       5         -1.5                      2.25
5         4          1                        1
3.5       3          0.5                      0.25
2         1          1                        1
1         2         -1                        1
                    ΣDi² = 5.5

Rank correlation can be obtained by using the formula

$\rho = 1 - \frac{6\sum D_i^2}{n(n^2-1)} = 1 - \frac{6(5.5)}{5(25-1)} = 1 - \frac{33}{120} = 1 - 0.275 = 0.725$

Remarks: The rank coefficient lies between -1 and +1, i.e. $-1 \le r \le 1$.

Conclusion: Since the rank correlation between the facilities offered and the upgradation of software is positive, we conclude that the facilities offered and the upgradation of software are closely related.
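The rank correlation above, recomputed as an added example (not the report's code): the two tied Xi values (29 and 29) receive the mid-rank 3.5 as in the report's working, and the d² shortcut reproduces 0.725. With ties the shortcut only approximates Pearson's correlation on the ranks, which is the caveat to keep in mind when reading the figure.

```python
"""Spearman rank correlation with tied ranks, recomputed from Table 3.1.25.

Added example, not the report's own code. Xi are the 'facilities offered'
counts and Yi the 'upgradation of software' counts for the five Likert
answers, Strongly Agree ... Strongly Disagree.
"""
from typing import List, Sequence

FACILITIES = [29, 47, 29, 10, 5]    # Xi
UPGRADATION = [54, 33, 16, 7, 10]   # Yi


def midranks(values: Sequence[float]) -> List[float]:
    """Ascending ranks (1 = smallest); tied values share the mean of their ranks."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        # extend j over the run of values equal to values[order[i]]
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        mid = ((i + 1) + (j + 1)) / 2       # mean of positions i+1 .. j+1
        for k in range(i, j + 1):
            ranks[order[k]] = mid
        i = j + 1
    return ranks


def spearman_rho(x: Sequence[float], y: Sequence[float]) -> float:
    """rho = 1 - 6 * sum(d^2) / (n (n^2 - 1)) on the mid-ranks of x and y."""
    if len(x) != len(y) or len(x) < 2:
        raise ValueError("x and y must be equally long with at least two items")
    n = len(x)
    d_sq = sum((rx - ry) ** 2 for rx, ry in zip(midranks(x), midranks(y)))
    return 1 - 6 * d_sq / (n * (n * n - 1))


if __name__ == "__main__":
    print("rank(Xi) =", midranks(FACILITIES))    # [3.5, 5.0, 3.5, 2.0, 1.0]
    print("rank(Yi) =", midranks(UPGRADATION))   # [5.0, 4.0, 3.0, 1.0, 2.0]
    print(f"rho = {spearman_rho(FACILITIES, UPGRADATION):.3f}")  # 0.725
```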

3.1.26 ANOVA table: Analysis on the effectiveness of system utilization.

Table no 3.1.26

Particulars   Significantly Above (x1)  x1²    Above (x2)  x2²    Met (x3)  x3²   Below (x4)  x4²   Significantly Below (x5)  x5²
Speed          23                        529    47         2209    31        961    11         121    8                        64
Storage        14                        196    48         2304    23        529    28         784    7                        49
Accuracy       25                        625    66         4356    11        121     9          81    9                        81
Diligence      63                       3969    34         1156    12        144     8          64    3                         9
Reliability    84                       7056    16          256    12        144     7          49    1                         1
Total         Σx1 = 209                 12375   Σx2 = 211  10281   Σx3 = 89  1899   Σx4 = 63   1099   Σx5 = 28                 234

Null Hypothesis (H0): There is no significant difference between the effectiveness of system utilization.

Alternative Hypothesis (H1): There is a significant difference between the effectiveness of system utilization.

Calculation

Sum of all the items of the various samples: $T = \sum x_1 + \sum x_2 + \sum x_3 + \sum x_4 + \sum x_5 = 209 + 211 + 89 + 63 + 28 = 600$

Correction factor: $T^2/N = 600^2/25 = 14400$

Total sum of squares (SST): $\sum x_1^2 + \sum x_2^2 + \sum x_3^2 + \sum x_4^2 + \sum x_5^2 - T^2/N = 12375 + 10281 + 1899 + 1099 + 234 - 14400 = 11488$

Sum of squares between samples (SSC): $\frac{(\sum x_1)^2}{N_1} + \frac{(\sum x_2)^2}{N_2} + \frac{(\sum x_3)^2}{N_3} + \frac{(\sum x_4)^2}{N_4} + \frac{(\sum x_5)^2}{N_5} - T^2/N = \frac{209^2}{5} + \frac{211^2}{5} + \frac{89^2}{5} + \frac{63^2}{5} + \frac{28^2}{5} - 14400 = 8736.2 + 8904.2 + 1584.2 + 793.8 + 156.8 - 14400 = 5775.2$

Sum of squares within the samples (SSE): $SSE = SST - SSC = 11488 - 5775.2 = 5712.8$

Analysis of Variance

Table 3.1.27

Sources of variation  Sum of squares (SS)  Degrees of freedom (D.F)  Mean square                      F
Between the samples   SSC = 5775.2         k-1 = 5-1 = 4             MSC = SSC/(k-1) = 5775.2/4       F = MSC/MSE = (5775.2/4) × (21/5712.8) = 5.31
Within the samples    SSE = 5712.8         N-k = 25-4 = 21           MSE = SSE/(N-k) = 5712.8/21
Total                 SST = 11488          N-1 = 24

Calculated value = 5.31

Table value = 2.84

Conclusion: Since the calculated value of F = 5.31 is greater than the table value of $F_{0.05} = 2.84$, the null hypothesis is rejected; there is a significant difference between the effectiveness of system utilization.
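The one-way ANOVA above, recomputed from the raw cells of Table 3.1.26 as an added example (not the report's code). The report's hand calculation carries Σx5² as 234 and 21 within-sample degrees of freedom; the five squared cells of the last column sum to 204 and N - k = 25 - 5 = 20, so the recomputed SSE and F (5.08) differ slightly from the 5712.8 and 5.31 above, while the decision is unchanged because F still exceeds the 5% table value (2.87 for 4 and 20 degrees of freedom, from standard F tables).

```python
"""One-way ANOVA on Table 3.1.26, recomputed from the raw cells.

Added example, not the report's own code. Each column is one rating level
(Significantly Above ... Significantly Below) and each row one attribute
(Speed, Storage, Accuracy, Diligence, Reliability); the five samples being
compared are the five rating columns, N = 25 cells in all.
"""
from typing import Dict, List, Sequence

# Rows of Table 3.1.26 in column order: Significantly Above, Above, Met,
# Below, Significantly Below.
TABLE = [
    [23, 47, 31, 11, 8],   # Speed
    [14, 48, 23, 28, 7],   # Storage
    [25, 66, 11, 9, 9],    # Accuracy
    [63, 34, 12, 8, 3],    # Diligence
    [84, 16, 12, 7, 1],    # Reliability
]

# 5% critical values of F for 4 between-sample df, from standard F tables:
# 2.84 is the value the report quotes (df within 21), 2.87 applies to df 20.
F_CRIT_5PCT = {20: 2.87, 21: 2.84}


def columns(table: Sequence[Sequence[int]]) -> List[List[int]]:
    """Transpose the table so that each sample is one rating column."""
    return [list(col) for col in zip(*table)]


def one_way_anova(samples: Sequence[Sequence[float]]) -> Dict[str, float]:
    """Return SST, SSC (between), SSE (within), their df, mean squares and F."""
    k = len(samples)
    n_total = sum(len(s) for s in samples)
    if k < 2 or n_total <= k:
        raise ValueError("need at least two samples with more cells than samples")
    grand_total = sum(sum(s) for s in samples)
    cf = grand_total ** 2 / n_total                       # correction factor T^2/N
    sst = sum(x * x for s in samples for x in s) - cf     # total sum of squares
    ssc = sum(sum(s) ** 2 / len(s) for s in samples) - cf # between-sample SS
    sse = sst - ssc                                       # within-sample SS
    df_between, df_within = k - 1, n_total - k
    msc, mse = ssc / df_between, sse / df_within
    return {"sst": sst, "ssc": ssc, "sse": sse,
            "df_between": df_between, "df_within": df_within,
            "msc": msc, "mse": mse, "f": msc / mse}


if __name__ == "__main__":
    res = one_way_anova(columns(TABLE))
    crit = F_CRIT_5PCT[res["df_within"]]
    for key in ("sst", "ssc", "sse", "msc", "mse", "f"):
        print(f"{key:>3} = {res[key]:.2f}")
    print(f"df = ({res['df_between']}, {res['df_within']}), table value = {crit}")
    print("reject H0" if res["f"] > crit else "do not reject H0")
```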

    3.2 RESEARCH FINDINGS

It is found that 40% of the employees belong to the age group 21-30 and 30% to the age group 31-40. It shows that the majority of the employees are in the middle-aged group.

It is found that 81% of the employees are male and only 19% are female. It shows that the majority of the employees are male.

It is found that 63% of the employees are single and 37% are married. It seems that the majority of the employees are single.

It is found that 60% of the employees are graduates and 32% are postgraduates.

It is found that 53% of the employees have rendered up to 5 years of service and 37% of them lie between 6-10 years of service. It shows that the majority of the employees have been with the organization for a long duration.

It is found that 51% of the employees obtain a salary up to 10,000 and 32% of them between 11,000-30,000. It shows that only a few employees obtain more than 30,000.

It is found that 97% of the employees are aware of the job description specifying the security responsibilities; only 3% of them are unaware.

It is found that 84% of the employees agree on availing security education and training; only 16% disagree. It seems that the majority of the employees are availing security education and training.

It is found that 72% of the employees agree on familiarity with the information security policies and 28% agree moderately. It seems that the majority of the employees are familiar with the information security policies.


It is found that 87% of the employees are satisfied with top management support towards information security controls and only 3% of them agree very little.

It is found that 43% of the employees feel that the security awareness program is provided to them and 27% of them agreed that it is likely to happen. It shows that there is a moderate occurrence of security awareness programs in the organization.

It is found that 79% of the employees agreed that password management training is provided to them, and 17% of them are undecided.

It is found that 29% of the employees are enthusiastic about the co-operation of information security measures among them and 52% of them are cooperative.

It is found that 73% of the employees are satisfied with the allocation of information security roles and responsibilities, and 25% are moderately satisfied.

It is found that 40% of the employees agree that they avail special training on a sometime basis, and 24% agree that it is held often.

It is found that 79% of the employees agree that the organization communicates policy updates regularly to employees, and 18% agree moderately.

It is found that 80% of the employees agree that the organization regularly updates the security policy, and 15% agree moderately.

It is found that 51% of the employees agree that information security is aimed more at the technical side, and 49% at the human side.

It is found that 39% of the employees agree that the facilities offered are adequate for a secured workstation, 24% strongly agree and 24% are neutral.

It is inferred that 53% of the employees agree on the regular upgradation of software by the organization.

It is found that 100% of the employees agree that security awareness is merely educating employees rather than providing training.

It is found that 89% of the employees said that the security awareness training provided to them is general and 11% said it is department wise.

It is found that 85% of the employees rated the existing information security system as one of the best and 15% rated it above average.


Every employee and visitor should sign and be aware of a Non-Disclosure Agreement (NDA).

The security awareness training program will be held twice a year.

The background information of terminated employees is stored for a specified duration for future reference.

3.3 SUGGESTIONS

The organization can create a specific mechanism to assess and improve user awareness among employees, or at least maintain records of the user awareness training conducted.

User awareness audits can be conducted to check the level of awareness among the employees. Whatever technical solutions have been implemented, unless user awareness is strong it will remain the biggest threat to the organization.

Business Impact Analysis (BIA) can be performed to analyze the impact on the system of various unprecedented events or incidents. Various failure scenarios and their possible business impacts are analyzed. This includes technical problems, human resources and other events.

Social engineering is a method of extracting information from people (in this case the employees) to intrude into the premises or network. Social engineering tests can be conducted by making telephone calls, sending emails, etc.

The organization can provide special training, like psychological manipulation training, to employees.

The security awareness program can be conducted every quarter of the year, featuring the following elements:

(a) Awareness is a blended solution of activities that promotes security, establishes accountability, and informs the workforce of security news.

(b) Training strives to produce relevant and needed security knowledge and skills within the workforce. Training supports competency development and helps personnel understand and learn how to perform their security role.


(c) Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge and adds a multidisciplinary study of concepts, issues, and principles (technological and social).

3.4 CONCLUSION

The study has emphasized developing and applying formal systems, like security policies, procedures and controls, while awareness activities are less applied in the organizations. Technical-administrative measures (policy, procedures, control and administrative tools) are the most implemented measures, but are at the same time assessed to have lower effectiveness than awareness creation. The results indicate that in order for information security measures to become effective, security should be built like a staircase of combined measures.

Therefore the establishment, maintenance and continuous update of an ISMS provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks.

Since people factors are considered more crucial than ever to the field of information security management (ISM), organizations should pay more attention to the role of human resource management (HRM). This paper overall suggests that with a more strategically active role of HRM through an effective combination of selection, training and pay practices, organizations not only can manage people issues in ISM more effectively, but may also be able to sustain the competitive advantage of the organization.


APPENDICES

Questionnaire

A Study on Effectiveness of Information Security Management System in Yamee Cluster.

1) Name : ____________________________________________________

2) Age : a) Up to 20 b) 21-30 c) 31-40 d) 41-50 e) > 50

3) Designation : _____________________________________________________

4) Gender : a) Male b) Female

5) Marital Status : a) Single b) Married

6) Qualification : a) 10th b) 12th c) Graduate d) Post Graduate e) Others

7) Length of Service : a) Up to 5 yrs b) 6-10 yrs c) 11-15 yrs d) 16-20 yrs e) > 20 yrs

8) Salary : a) Up to 10,000 b) 11,000-30,000 c) 31,000-50,000 d) 51,000-70,000 e) > 71,000

1) Does your job description specify the security responsibilities associated with a given job?

a) Yes b) No


2) Do you receive an adequate level of security education and training to reduce the risk of human error?

a) Agree b) Disagree

3) Are you familiar with the information security policies?

a) Extremely b) Moderately c) Not at all

4) Rate the top management support towards information security controls.

a) To a Great Extent b) Somewhat c) Very Little d) Not at All

5) Do you have an employee security awareness training program?

a) Sure to happen b) Very likely to happen c) Likely to happen d) Might happen e) Won't happen

6) Are you trained to understand the appropriate use of passwords and the need to keep passwords private?

a) Agree b) Undecided c) Disagree

7) Co-operation of information security measures among employees

a) Enthusiastic b) Cooperative c) Neutral d) Uncooperative e) Disruptive

8) How well does your management allocate the information security roles and responsibilities?

a) Exceeded b) Met c) Nearly met d) Missed

9) Do you engage in office work at home?


a) Yes b) No

10) Is security awareness training general or specific to each department?

_____________________________________________________________________

11) Does your organization provide any special training, like psychological manipulation training and so on?

a) Often b) Sometimes c) Seldom d) Never

12) How often is the security policy updated?

a) Frequently b) Occasionally c) Rarely d) Never

13) How well is the organization communicating with you regarding periodic updating of policy and other things?

a) Very Good b) Good c) Barely Acceptable d) Poor e) Very Poor

14) Information security is aimed more about

a) Human side b) Technical Aspects

15) Do you agree that the facilities offered are adequate for a secured workstation?

a) Strongly agree b) Agree c) Neutral d) Disagree e) Strongly Disagree


16) Does your organization regularly upgrade the software for easy and effective utilization?

a) Strongly agree b) Agree c) Neutral d) Disagree e) Strongly Disagree

17) Security awareness is mere educating employees rather than providing training

a) True b) False

18) When leaving for lunch or to take a break, how do you secure your workstation?

a) Turn my monitor off

b) Log off the workstation

c) Lock the workstation by pressing Ctrl+Alt+Delete and selecting Lock Computer

d) Turn the computer off

e) None of the above

f) Others ___________________________

19) Human Wall Is Always Better Than a Firewall

a) Definitely b) Probably c) Probably Not

20) How well does the existing information security system meet the security objectives (Confidentiality + Integrity + Availability)?

a) One of the best b) Above average c) Average d) Below average e) One of the worst

21) Effectiveness of system utilization.

Security objectives  Significantly Above  Above  Met  Below  Significantly Below
Speed
Storage
Accuracy
Diligence
Reliability

