a study on information security management system tic
Post on 05-Apr-2018
7/31/2019 A Study on Information Security Management System tic
1/67
SRM UNIVERSITY
(UNDER SECTION 3 OF UGC ACT 1956)
A PROJECT REPORT
ON
A STUDY ON EFFECTIVENESS OF INFORMATION SECURITY
MANAGEMENT
Submitted in partial fulfillment of the requirements for the award of
Master of Business Administration SRM University
SUBMITTED BY
N.SHARAN KUMAR
Reg No. 3511010667
Under the Guidance of
Dr. A. Chandra Mohan SRM School of Management Studies
Faculty of Management Studies
SRM SCHOOL OF MANAGEMENT
FACULTY OF ENGINEERING AND TECHNOLOGY
SRM UNIVERSITY
KATTANKULATHUR
MAY 2012
DECLARATION
I, N. SHARAN KUMAR, student of SRM University School of Management Studies, would
like to declare that the Project entitled A STUDY ON EFFECTIVENESS OF
INFORMATION SECURITY MANAGEMENT submitted to the University School of
Management Studies, Chennai in partial fulfillment of the Master of Business Administration
(MBA) final year Degree course from SRM University.
REGISTERED NO: 3511010667
PLACE: Chennai
DATE :
Signature
BONAFIDE CERTIFICATE
This is to certify that the Project titled A STUDY ON EFFECTIVENESS OF
INFORMATION SECURITY MANAGEMENT submitted by N. SHARAN KUMAR
in partial fulfillment of the requirements of the Post Graduate Degree course in Master of
Business Administration (MBA) for the Academic year 2010-2012 in the subject of
Finance Management is the original work of the above candidate.
Head of MBA
FACULTY IN-CHARGE
(Dr. Jayashree Suresh) (Dr. A. Chandra Mohan)
Date: MAY 2012 EXTERNAL IN-CHARGE
Station: Chennai
ACKNOWLEDGEMENT
I express my gratitude to Dr. Mrs. Jayashree Suresh, Dean, SRM School of
Management, and Dr. A. Chandra Mohan for providing an amazing environment
for me to complete this project successfully.
At the outset, no words are adequate to express my sincere thanks to Mr. (Head
- HR) for granting this opportunity to have a widespread view and experience
in the form of project work.
I thank my relatives and friends for their assurance and encouragement. I am
deeply indebted to my loving parents for their endurance and perseverance during
the course of my study.
ABSTRACT
Although information security traditionally has been a technological discipline, the role and
function of employees is an additional important part. Users can both be a threat and a
resource in information security management. On the one hand, employees can produce or
ignite threats and vulnerabilities. On the other hand, they are a precondition for safe and
secure operation. As a consequence, information security management of employees is an
important part of the total information security management in organizations.
The general aim of this study is to explore the information security management of
employees. This is approached by studying: users' function in and view on information
security; measures aimed at improving individual information security performance; and
information security management practice in organizations.
Employee participation is evaluated to be the most effective process to improve individual
information security performance, but is modestly used. An intervention study based on
direct participation, dialogue and collective reflection in order to improve individual
information security awareness and behavior showed significant improvements among
participants. Employee participation is likely to improve the quality of technological and
administrative security solutions; improve the usability of security technology; improve
security professionals' knowledge of sharp-end information security activities; close the
gap in understanding and communication between security managers and users; improve
individual ownership, acceptance and motivation for information security; and ensure
democratic rights that influence personal working conditions.
The analysis of data was done using various statistical tools such as Chi-square test,
ANOVA, Rank correlation etc.
Among the 120 respondents, majority are satisfied that the company is using a systematic
approach for the identification, assessment and management of information security risks.
TABLE OF CONTENTS
CHAPTER NO   DESCRIPTION                            PAGE NO
I            INTRODUCTION
             1.1 Introduction                       1
             1.2 Industry Profile                   5
             1.3 Company Profile                    10
             1.4 Review of Literature               14
II           MAIN THEME
             2.1 Research Objectives                19
             2.2 Need for the study                 20
             2.3 Scope of the study                 21
             2.4 Research Problem                   22
             2.5 Research Methodology               23
             2.6 Limitations of the study           25
III          RESULT
             3.1 Data Analysis & Interpretation     26
             3.2 Research Findings                  54
             3.3 Suggestions                        56
             3.4 Conclusion                         57
APPENDICES
REFERENCES
CHAPTER 1
1.1 INTRODUCTION
Information security has traditionally been technology-oriented, with a large
number of technological security solutions available. However, with the widespread use of
computers at both work and home; the increased connectivity and access to information;
the communication channels made available by information technology; the convergence of
technology; and the utilization of technology in new organizational forms and ways of
organizing work, non-technological aspects of information security now must be
considered in addition to technological aspects. This development implies that the role and
function of users of information technology is important to deal with, since users might be
a considerable threat to the security level as well as being essential resources to prevent
incidents from happening.
The general aim of the study is to explore the information security management of
employees. Information security is viewed in the framework of a socio-technical system.
Technological, individual and organizational attributes, and the interactions between these,
contribute to preserving information security in an organization. User performance is
created by the organizational context. Organizational members' information security
behavior and awareness are created by a combination of technology, workplace conditions
and formal and informal organizational factors. Employees are important resources in the
information security activities of an organization. It would be naive to neglect employees
as a possible malicious threat, but in principle users are not the enemies within. To make
use of this resource, employee participation is regarded as an important principle in all
organizational processes.
1.1.1 OVERVIEW OF ISMS
An Information Security Management System (ISMS) is a way to protect and
manage information based on a systematic business risk approach, to establish, implement,
operate, monitor, review, maintain, and improve information security. It is an
organizational approach to information security.
Information security is the protection of information to ensure:
Confidentiality: ensuring that the information is accessible only to those authorized to
access it.
Integrity: ensuring that the information is accurate and complete and that the information
is not modified without authorization.
Availability: ensuring that the information is accessible to authorized users when
required.
Information security is achieved by applying a suitable set of controls (policies,
processes, procedures, organizational structures, and software and hardware functions).
1.1.2 INFORMATION SECURITY MANAGEMENT SYSTEM
An Information Security Management System (ISMS) is a systematic approach
to managing sensitive company information so that it remains secure. It encompasses
people, processes and IT systems. An ISMS is a set of policies concerned with information
security management or IT-related risks.
The governing principle behind ISMS is that an organization should design,
implement and maintain a coherent set of policies, processes and systems to manage risks
to its information assets, thus ensuring acceptable levels of information security risk.
1.1.3 ISMS DESCRIPTION
As with all management processes, an ISMS must remain effective and efficient
in the long term, adapting to changes in the internal organization and external environment.
ISO/IEC 27001 therefore incorporates the typical "Plan-Do-Check-Act" (PDCA), or
Deming cycle, approach:
The Plan phase is about designing the ISMS, assessing information security risks
and selecting appropriate controls.
The Do phase involves implementing and operating the controls.
The Check phase objective is to review and evaluate the performance (efficiency
and effectiveness) of the ISMS.
In the Act phase, changes are made where necessary to bring the ISMS back to
peak performance.
1.1.4 NEED FOR AN ISMS
Security experts say and statistics confirm that:
- Information technology security administrators should expect to devote
approximately one-third of their time to addressing technical aspects. The remaining
two-thirds should be spent developing policies and procedures, performing security
reviews and analyzing risk, addressing contingency planning and promoting
security awareness;
- security depends on people more than on technology;
- employees are a far greater threat to information security than outsiders;
- security is like a chain: it is as strong as its weakest link;
- the degree of security depends on three factors: the risk you are willing to take, the
functionality of the system and the costs you are prepared to pay;
- security is not a status or a snapshot but a running process.
These facts inevitably lead to the conclusion that:
Security administration is a management and NOT a purely technical issue.
1.2 INDUSTRY PROFILE
Introduction:
The software industry includes businesses involved in the
development, maintenance and publication of computer software using any business model.
The industry also includes software services, such as training, documentation,
consulting and outsourcing, under those business models.
History:
The word "software" had been coined as a prank by at least
1953, but did not appear in print until the 1960s. Before this time, computers were
programmed either by customers, or by the few commercial computer vendors of the time, such as UNIVAC and IBM. The first company founded to provide software products and
services was Computer Usage Company in 1955. The software industry expanded in the
early 1960s, almost immediately after computers were first sold in mass-produced
quantities. Universities, government, and business customers created a demand for
software. Many of these programs were written in-house by full-time staff programmers.
Some were distributed freely between users of a particular machine for no charge. Others
were done on a commercial basis, and other firms such as Computer Sciences Corporation
(founded in 1959) started to grow. The computer-makers started bundling operating
systems software and programming environments with their machines.
The industry expanded greatly with the rise of the personal
computer in the mid-1970s, which brought computing to the desktop of the office worker.
In subsequent years, it also created a growing market for games, applications, and utilities.
DOS, Microsoft's first operating system product, was the dominant operating system at the
time. In the early years of the 21st century, another successful business model has arisen for
hosted software, called software as a service, or SaaS; this was at least the third time this
model had been attempted. SaaS reduces the concerns about software piracy, since it can only
be accessed through the Web, and by definition no client software is loaded onto the end
user's PC.
Software sectors: The Global Scenario
There are several types of businesses in the software
industry. Infrastructure software, including operating systems, middleware and databases,
is made by companies such as Microsoft, IBM, Sybase, EMC, Oracle and VMWare.
Enterprise software, the software that automates business processes in finance, production,
logistics, sales and marketing, is made by Oracle, SAP AG, Sage and Infor. Security
software is made by the likes of Symantec, Trend Micro and Kaspersky. Several industry-
specific software makers are also among the largest software companies in the world:
SunGard, making software for banks, Black Board making software for schools, and
companies like Qualcomm or Cyber Vision making software for telecom companies. Other
companies do contract programming to develop unique software for one particular client
company, i.e. outsourcing, or focus on configuring and customizing suites from large
vendors such as SAP or Oracle.
Leading companies: Mindshare and Marketshare
In terms of technology leadership, the software industry
has long been led by IBM. However, Microsoft became the dominant PC operating system
supplier. Other companies that have substantial mindshare (not: marketshare) in the
software industry are SUN Microsystems, the developer of the Java platform (purchased by
Oracle in 2010), Red Hat, for its open source momentum, and Google for its Google Docs.
However in terms of revenues coming from software sales, the software industry is clearly
dominated by Microsoft, since inception. Microsoft products are still sold in largest number
across the globe.
Size of the industry:
According to market researcher DataMonitor, the size of the
worldwide software industry in 2008 was US$ 303.8 billion, an increase of 6.5% compared
to 2007. Americas account for 42.6% of the global software market's value. DataMonitor
forecasts that in 2013, the global software market will have a value of US$ 457 billion, an
increase of 50.5% since 2008.
Software Magazine's Top 10 ranking of 2011:
1. International Business Machine
2. Oracle Corporation
3. Accenture
4. Google
5. Yahoo
6. HP
7. Symantec
8. Capgemini
9. Computer Sciences Corporation
INDIA IT INDUSTRY:
The Indian information technology (IT) industry has played a major role in placing India
on the international map. The industry is mainly governed by IT software and facilities, for
instance System Integration, Software experiments, Custom Application Development and
Maintenance (CADM), network services and IT Solutions. According to Nasscom's
findings Indian IT-BPO industry expanded by 12% during the Fiscal year 2009 and
attained aggregate returns of US$ 71.6 billion. Out of the derived revenue US$ 59.6 billion
was solely earned by the software and services division. Moreover, the industry witnessed
an increase of around US$ 7 million in FY 2008-09 i.e. US$ 47.3 billion against US$ 40.9
billion accrued in FY 2008-09.
IT Outsourcing in India:
As per NASSCOM, IT exports in business process outsourcing (BPO) services attained
revenues of US$ 48 billion in FY 2008-09 and accounted for more than 77% of the entire
software and services income. Over the years India has been the most favorable
outsourcing hub for firm on a lookout to offshore their IT operations. The factors behind
India being a preferred destination are its reasonably priced labor, favorable business
ambiance and availability of expert workforce. Considering its escalating growth, IBM has
plans to increase its business process outsourcing (BPO) functions in India besides
employing 5,000 workforces to assist its growth.
In the next few years, the industry is all set to witness some multi-million dollar
agreements namely:
- A 5 year agreement between HCL Technologies and News Corp for
administering its information centers and IT services in the UK. As per the industry analysts, the pact is estimated to be in the range of US$ 200-US$ 250 million
- A US$ 50 million agreement between HCL Technologies and Meggitt, a UK-based
security apparatus manufacturer, for offering engineering facilities.
- Global giant Walmart has shortlisted its Indian IT dealers, namely Cognizant
Technology Solutions, UST Global and Infosys Technologies, for a contract worth US$
600 million
India's domestic IT Market:
India's domestic IT Market over the years has become one of the major driving forces of
the industry. The domestic IT infrastructure is developing contexts of technology and
intensity of penetration.
In the FY 2008-09, the domestic IT sector attained revenues worth US$ 24.3 billion as
compared to US$ 23.1 billion in FY 2007-08, registering a growth of 5.4%. Moreover, the
increasing demand for IT services and goods by India Inc has strengthened the expansion of the domestic market, with agreements rising extraordinarily to US$ 100
million. By the FY 2012, the domestic sector is estimated to expand to US$ 1.7 billion
from the existing US$ 1 billion.
Government initiative in India's domestic IT Market:
- The Indian government has established a National Taskforce on IT with the aim
of formulating a durable National IT Policy for India.
- Endorsement of the IT Act, which offers an authorized structure to assist
electronic trade and electronic operations.
Major investments in India's domestic IT Market
- According to the Andhra Pradesh Government, the state's SEZs and Software
Technology Parks of India (STPI) will witness an investment of US$ 3.27 billion in the
next few years.
- VMware Inc, a San Francisco-based IT firm, is looking forward to investing US$ 100
million by 2010 in India.
- EMC Corporation's total Indian assets are expected to reach US$ 2 billion by 2014.
Indian Software Industry:
The Indian Information Technology industry accounts for
5.19% of the country's GDP and export earnings as of 2010, while providing employment
to a significant number of its tertiary sector workforce. More than 2.3 million people are
employed in the sector either directly or indirectly, making it one of the biggest job creators
in India and a mainstay of the national economy. In 2011, annual revenues from
outsourcing operations in India amounted to US$54.33 billion compared to China with
$35.76 billion and Philippines with $8.85 billion. India's outsourcing industry is expected
to increase to US$225 billion by 2020.
Recent trends in software Industry:
The computer software industry, unlike the more
traditional manufacturing and services industries, is coping with the current gloomy
economic climate as best it can by concentrating on transforming interesting ideas into
novel technology, must-have applications, and competitive maneuvering against rivals. Profits may
be down at the moment but expectations, whether for companies like Microsoft, Apple and IBM or Intel, Symantec and Oracle, remain quite high. Redmond, WA-based software giant
Microsoft is currently battling the European Commission over the inclusion of its Internet
Explorer web browser in its operating system software.
Additional issues facing the computer software industry are
piracy, a crime which may lessen once software applications are more often found and used
on the Internet and are not available on individual computers; and portability, the transferability
of software among operating systems.
Future of software industry:
Hardware, software, and people are the three basic
ingredients of enterprise business technology. They provide the enterprise with an
economic advantage through automated and improved business processes, increased
employee productivity, and more accurate and precise information. The relationship
between these three components has evolved over time. In the business technology era, we
predict that managing the third part of the equation, people, will emerge as the dominant focus. As software applications become business services, the cost of human
resources producing, operating, and managing software will soon be prohibitive and the
new focal point.
1.3 COMPANY PROFILE
Yamee Cluster
We pride ourselves especially in our ability to deliver precise solutions
within the stipulated time limit and budget and to provide support after delivery. Yamee
Cluster's global presence combined with its offshore delivery network delivers business
and technology expertise to help organizations foster innovation and leverage leading-
edge technologies for business improvement. By offering innovative yet flexible
solutions combined with a solid delivery backbone, Yamee Cluster can work
collaboratively with clients, thereby providing a high-value approach to your outsourcing
strategy.
Mission:
Our mission is to emerge and propel as an international identity on the basis of our renowned solutions, while we continue to grow. We strive to deliver excellence by
Implementing Innovative Ideas
Delivering Cost Effective Solutions
Being a trustworthy and fair business partner
Maintaining Quality Standards
Vision:
We strategize our business techniques and deliver unmatched quality solutions that exceed our customers' satisfaction. Our vision is to earn respect as an individual identity and emerge as an esteemed software service provider by:
Building and maintaining long term relationship
Delivering quality products
Providing innovative business solutions
Services offered
Web Design, Development & Customized Web Solutions
Content Management Systems(CMS), Customer Relationship
Management (CRM)
E-commerce (Shopping Cart, Payment Gateway)
Quality Promoters / ISO Certification promoting Bodies
Training & Placement Services
Bulk SMS & Bulk Email Softwares
Software Development : Customized Software Solutions
On-site programmers and Offshore Project Based Exclusive
Programmers for Clients
UI (User Interface) Design
Graphic Design, Artworks , Logo, Vector Art, Digitizing
Animation, Flash, Game Development
Open Source Customization
Application Development : ipad, iphone, mobile, android & windows Phones
Interactive Web Applications
Analytics : Web, Data, Business
Online Advertising
Database Programming
Skills
Microsoft .NET (ASP.NET, C#, VB .NET)
MySQL, MSSQL, Oracle, PostgreSQL, MS Access
AJAX, JavaScript, VBScript, jQuery
MAPI, TAPI, SAPI, HTML/DHTML, XHTML, XML/XSLT
Tomcat, Microsoft IIS, Apache, MS Exchange Server
Windows 9x/2000/CE/ME/NT/XP, Linux, FreeBSD, Symbian OS, Ubuntu
PHP Solutions, PHP5, CakePHP, Zend Framework Development
LAMP / WAMP Development
Graphic Design, Artworks, Logo, Vector Art, Digitizing
Joomla, Drupal, WordPress
Flash, Animation, CorelDraw, Photoshop
osCommerce, VirtueMart, Magento etc.
Recent Clients
www.the-village.in
www.globeshine.com
www.afreshtech.com
www.anupackersmovers.com
www.lavinz.com
www.gbtech.in
www.kimsindia.com
www.wintechdiamondprods.com
www.graceelevators.com
www.elimagchurch.com
www.indomodulars.com
Our Management:
Mr.Sasi Kumar R
Founder, Managing Director
Mobile:+91-9080247659 / +91-8148232188
Mr. Sasi Kumar R
Past: Manager - Business Development at Lavinz Infraa Services; ICT Networks Onsite Project Manager at The Copycat Ltd; Network & Software Support Engineer at TATA Consultancy Services
He is responsible for the overall strategy and focus of the company. He keeps updated with the latest technological developments in the BPO industry and brings extensive management experience to YAMEE CLUSTER.
Mrs. Subhasmita Garnayak
Executive HR
Mrs. Subhasmita Garnayak is responsible for all types of HR activities.
1.4 REVIEW OF LITERATURE
INFORMATION SECURITY MANAGEMENT
Information security management (ISM) fundamentally emphasizes
confidentiality (to ensure privacy of information), integrity (to ensure authorized operations
on information), and availability (to ensure availability of functional systems) (Dhillon,
2007). Technical aspects of ISM include computer software and hardware control concepts
such as encryption and network security (Dhillon, 2007). Non-technical aspects cover
topics such as risk management, culture management, and regulatory compliance (Dhillon,
2007; Nosworthy, 2000; von Solms, 2001). As the field has grown, it has become obvious that
non-technical aspects, as they are closely related to people's behaviors, are far more challenging
to manage, and more costly if they fail, than technical ones.
Among the greatest risks in the field of ISM are insider threats (Humphreys
2008; Theohariduo et al. 2005) and security awareness (Jones, 2007; Kelly, 2006; Siponen,
2000; Straub and Welke, 1998; von Solms, 2001; von Solms and von Solms, 2004). First,
insider threats refer to threats originating from people who can access corporate systems and abuse such privileges for personal gain. Such misbehaviors violate the security protection
of the firm and lead to losses of a combination of tangible and intangible assets. Second,
according to the Information Security Forum (ISF) (2005), security awareness is defined as
the extent to which organizational members understand the importance of information
security, the level of security required by the organization and their individual security
responsibilities, and act accordingly. Many security breaches could have been
prevented if people had been knowledgeable and aware of their actions.
A case in point that shows how people factors are critical to ISM is the
explicit inclusion of human resource security controls in the ISO/IEC 27001 and 27002
(previously ISO/IEC 17799) (Humphreys, 2008; Theohariduo et al., 2005). They require
that organizations establish HR practices such as conducting background and reference
checks, requiring employees to sign confidentiality agreements, offering security awareness
and training programs, and deleting all computer accounts associated with terminated
employees. In sum, due to the significant implications of people factors for ISM, the role of
human resource management must be acknowledged and strategically planned to support
ISM.
Rather than technology, people factors such as security awareness and insider threats are significantly more challenging to manage and are now considered more than ever to be fundamentally critical to the field of information security management (ISM) (Chang and Lin, 2007; Dhillon, 2007; Ruighaver et al., 2007; Schultz, 2004; Siponen, 2000; von Solms, 2001; von Solms and von Solms, 2004). As a result, it is unavoidable to acknowledge the potential role of human resource management (HRM) in ISM. Indeed, both the 2007 Deloitte Global Security Survey and the 2007 Ernst & Young Global Information Security Survey suggest that how an organization screens and employs people is crucial, that simple criminal background checks are not enough, and that security training and awareness programs need to be emphasized and provided, because how employees deal with information essentially represents risk. In short, since HR practices such as staffing and training appear to be pivotal to ISM, it is more critical than ever to shift the role of HRM in organizations from the traditionally passive to the strategically active.
Securing infrastructure is one of the most critical issues facing businesses and governments worldwide today, as it becomes conventional wisdom that the health of the collective cyber community is vital to the growth and stability of the global economy. As an outgrowth of that realization, it is becoming widely accepted that information security professionals are critical to protecting the trusted environment in which global Internet communications, instant information access, and business transactions are made possible every day.
It has become conventional wisdom among information security professionals that people are the most critical part of effectively securing an organization. From the staff accountant end user to the Board of Directors, every person involved in an organization plays a role in that organization's security. This includes having first-rate information security personnel to create policies and oversee implementation, obtaining management buy-in and support for the security program, and ensuring employees throughout the enterprise understand, respect and evangelize security policy.
Why are people so important in the security equation? They are highly unpredictable, and even the most comprehensive awareness program cannot ensure that all employees will make the right security choices 100% of the time. Conscious or not, employees are faced with decisions every hour that can impact the security of an organization's or its customers' data. The most expensive intrusion detection system in the world can be breached by an employee simply divulging their password over the phone to a company impostor. And employees take laptops home every day that may contain sensitive customer data. Technology cannot prevent or protect against human error, which is the cause of up to 42 percent of all data breaches [1]. It is only with a careful balance of people, policy and processes that an organization can effectively manage its risks.
While information security professionals are obviously integral to managing an organization's risk, they alone cannot corral the human variable present in all organizations. That is why many information security professionals believe there is a critical need to partner more closely with the one department that deals exclusively with the human component of the organization: human resources.
The international standard for information security management, ISO/IEC 17799, describes information security as the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. If not mitigated, these threats can destroy a company's reputation, violate a consumer's privacy, result in the theft or destruction of intellectual property, and, in some cases, endanger lives.
Twenty years ago, the field of information security was in its infancy. Many companies did
not take threats to their infrastructure seriously. For those companies that did, the majority
of people responsible for protecting information assets did not have a formal background or
education in the field and obtained their experience in information technology or related
disciplines, transferring into information security only as the need arose. Information
security professionals frequently reported to someone in IT and did not carry much weight
with upper management.
Today, driven by increasing regulations and the desire to maximize global
commerce opportunities, protecting information assets has become one of the most
important functions within any organization, public or private. For this reason,
organizations increasingly rely on information security professionals to implement a
suitable set of controls, including policies, processes, procedures, organizational structures
and software and hardware functions. These controls need to be established, implemented,
and continually monitored, reviewed and improved to ensure that the specific security and
business objectives of the organization are met.
The 2006 Global Information Security Workforce Study (GISWS), sponsored by (ISC)2
[pronounced ISC-squared], reported that the number of information security
professionals worldwide in 2006 was approximately 1.5 million. This figure is expected to
increase to slightly more than 2 million by 2010, displaying a compound annual growth
rate (CAGR) of 7.8 percent from 2005 to 2010, compared to 4.6 percent of projected
growth in the number of IT employees globally in the same timeframe.
After surveying more than 4,000 information security professionals worldwide, the GISWS indicated that more than 37 percent of respondents work for organizations with annual revenue of one billion or more, and more than 62 percent work for organizations with at least 1,000 employees. Often, information security professionals are found in the greatest numbers in organizations whose mission is to safeguard critical infrastructure, such as government defense agencies, telecommunications and the financial industry. Because the profession is still relatively new, many small to medium businesses do not have a security department at all.
A common misconception of information security is that it is a function of IT. While it may have begun in the IT department, information security is a highly specialized function, and its influence has grown exponentially in recent years as executives have seen both the necessity for and the returns on investment in information security. Today, information security professionals often have a seat in the executive boardroom, enabling them to make valuable recommendations during the earliest stages of business initiatives.
Another common misconception is that the information security professional's job functions are similar to those of IT professionals. In fact, information security responsibilities can run the gamut, from risk management to computer forensics. Each responsibility can require vastly different skill sets and experience beyond the bits and bytes of IT.
CHAPTER 2
MAIN THEME OF THE STUDY
2.1 RESEARCH OBJECTIVES
The main objective is to explore the information security management of employees.
To study employees' responsibility towards information security.
To study the managerial and operational functions of the information security management system.
To analyze the integration functions of the information security management system.
To analyze whether there is a common view of information security among employees and the top management of a company.
To reduce the risk towards their work.
2.2 NEED FOR THE STUDY
In today's globally networked environment, the significance of information and the corresponding information systems is truly massive to users. Securing that information and incorporating it into an overall corporate or enterprise governance approach are critical.
Too often, enterprise information security has been dealt with or relegated as a technology issue, with little or no consideration given to the holistic enterprise priorities and requirements.
All information systems users (e.g., management, staff, business partners) need to understand their roles and responsibilities to protect the confidentiality, availability and integrity of the organization's information assets.
2.3 SCOPE OF THE STUDY
Every organizational member using a computer is a user, independent of knowledge, skills, authority and the situation in which they use the computer. As a result there are many different kinds of users. This study concentrates on users that are employees in an organization and their use of computers when working. The studied employees have no particular information security expertise. It is studied how users operate on a daily basis in interplay with other organizational members, technology and organizational structures and norms, i.e. normal proactive operation rather than a reactive view of critical actions creating incidents. I thus assume that employees are in principle not enemies within, but rather important resources in the information security activities of an organization.
2.4 RESEARCH PROBLEM
Many companies struggle to attain a good information security level, since employees lack such training and also do not follow internal information security policies. I believe that employees and top-level management focus differently on information security issues, due to different work tasks, responsibilities and information security skills, and that behavior models explaining technology, environment and people may explain the improvement of policies. This may cause a gap which may lead to problems like weak password security, how to handle sensitive data in a good way and how to take appropriate action in relation to this subject.
2.5 RESEARCH METHODOLOGY
AIM OF THE RESEARCH
The general aim of the study is to explore information security management of
employees.
RESEARCH AREA:
The area of study covers the information security management system followed in
Yamee Cluster.
RESEARCH UNIT:
Yamee Cluster, Chennai.
RESEARCH APPROACH:
Descriptive approach.
RESEARCH PERIOD:
Two months
DATA SOURCES
PRIMARY DATA: With the help of a structured questionnaire, the personally administered interview technique has been used for the collection of primary data from the respondents.
SECONDARY DATA: The secondary data has been collected from the company records and the website http://www.yamee.co.in/.
RESEARCH INSTRUMENT
The questionnaire consists of open-ended, dichotomous, closed-ended and 3-point scale questions.
SAMPLE UNIVERSE:
240 employees (All levels)
SAMPLE SIZE:
The sample size is taken as 120.
SAMPLING METHOD:
Convenient random sampling
DATA COLLECTION METHOD:
Interview
STATISTICAL TOOLS
1. Percentage analysis
2. Chi-square test.
3. Weighted average
4. Rank correlation
5. ANOVA.
2.6 LIMITATIONS OF THE STUDY
The thesis does not deal extensively with the technological aspects of information security. However, it is difficult to avoid mentioning the technology in a mainly technological field of research and practice. The technology is important to information security and must not be forgotten, although it has a minor part in this thesis. There are a lot of information security means, methods and processes, which can be technological, formal or informal. This thesis concentrates on different types of measures directed at users, i.e. aiming at improving and maintaining the quality of users' awareness and behavior.
CHAPTER 3
3.1 DATA ANALYSIS AND INTERPRETATION
3.1.1 Distribution of respondents based on age group
Table no. 3.1.1
S.no  Employee age group  Number of respondents  Percentage of respondents
1     Up to 20            8                      6.66
2     21-30               46                     38.33
3     31-40               34                     28.33
4     41-50               21                     17.5
5     >50                 11                     9.18
      Total               120                    100
Figure 3.1.1.1: Employee age group (bar chart of percentage of respondents against age group)
Inference: From the above table it is inferred that 40% of the employees belong to the age group 21-30 and 30% of the employees belong to the age group 31-40. It shows that the majority of the employees are in the middle-aged group.
3.1.2 Split-up of respondents based on gender
Table no 3.1.2
S.no  Gender  Number of respondents  Percentage of respondents
1     Male    97                     80.83
2     Female  23                     19.17
      Total   120                    100
Figure 3.1.2.1: Based on gender (pie chart of the percentages above)
Inference: It is inferred that 81% of the employees are male and only 19% of them are female. It shows that the majority of employees are male.
3.1.3 Split-up of respondents based on marital status
Table no. 3.1.3
S.no  Marital status  Number of respondents  Percentage of respondents
1     Single          76                     63.33
2     Married         44                     36.67
      Total           120                    100
Figure 3.1.3.1: Based on marital status (pie chart of the percentages above)
Inference: From the above table it is inferred that 63% of the employees are single and 37% of the employees are married. It seems that the majority of the employees are single.
3.1.4 Distribution of respondents based on employees' qualification
Table no. 3.1.4
S.no  Employees' qualification  Number of respondents  Percentage of respondents
1     Graduate                  72                     60
2     Post graduate             38                     31.67
3     Others                    10                     8.33
      Total                     120                    100
Figure 3.1.4.1: Employees' qualification (bar chart of percentage of respondents against qualification)
Inference: From the above table it is inferred that 60% of the employees are graduates and 32% of the employees are post graduates. It shows that the majority of the employees are graduates and only 8% belong to others.
3.1.5 Distribution of respondents based on length of service
Table no. 3.1.5
S.no  Length of service  Number of respondents  Percentage of respondents
1     Up to 5 yrs        63                     52.5
2     6-10 yrs           45                     37.5
3     > 10 yrs           12                     10
      Total              120                    100
Figure 3.1.5.1: Length of service (bar chart of percentage of respondents against length of service)
Inference: It is inferred that 53% of the employees have rendered a length of service of up to 5 years and 37% of them lie between 6-10 years of service. It shows that the majority of employees have been with the organization for a long duration.
3.1.6 Distribution of respondents based on salary
Table no 3.1.6
S.no  Particulars   Number of respondents  Percentage of respondents
1     Up to 10,000  61                     50.83
2     11000-30000   38                     31.67
3     >30000        21                     17.5
      Total         120                    100
Figure 3.1.6.1: Respondents based on salary (bar chart of percentage of respondents against salary band)
Inference: It is inferred that 51% of the employees obtain a salary of up to 10,000 and 32% of them obtain between 11,000 and 30,000. It shows that only a few employees obtain more than 30,000.
3.1.7 Analysis on whether the job description specified the security responsibilities of employees
Table no. 3.1.7
S.no  Particulars  Number of respondents  Percentage of respondents
1     Yes          116                    96.67
2     No           4                      3.33
      Total        120                    100
Figure 3.1.7.1: Job description (pie chart of the percentages above)
Inference: It is inferred that 97% of the employees are aware of the job description specifying the security responsibilities and only 3% of them are unaware. It shows that the organization places great importance on specifying the security responsibilities to employees.
3.1.8 Analysis on the security education and training provided to employees
Table no 3.1.8
S.no  Particulars  Number of respondents  Percentage of respondents
1     Agree        101                    84.16
2     Disagree     19                     15.9
      Total        120                    100
Figure 3.1.8.1: Security education and training (pie chart of the percentages above)
Inference: From the above table it is inferred that 84% of the employees agree on availing security education and training, and only 16% of the employees disagree. It seems that the majority of the employees are availing security education and training.
3.1.9 Analysis on the familiarity with information security policies among employees
Table no. 3.1.9
S.no  Particulars  Number of respondents  Percentage of respondents
1     Extremely    86                     71.67
2     Moderately   34                     28.33
3     Not at all   0                      0
      Total        120                    100
Figure 3.1.9.1: Familiarity with information security policies (bar chart of percentage of respondents against familiarity level)
Inference: From the above table it is inferred that 72% of the employees agree on familiarity with information security policies and 28% of the employees agree moderately. It seems that the majority of the employees are familiar with the information security policies.
3.1.10 Analysis on the top management support towards information security controls
Table no 3.1.10
S.no  Particulars        Number of respondents  Percentage of respondents
1     To a great extent  104                    86.67
2     Somewhat           12                     10
3     Very little        4                      3.33
4     Not at all         0                      0
      Total              120                    100
Figure 3.1.10.1: Top management support (bar chart of percentage of respondents against extent of support)
Inference: It is inferred that 87% of the employees are satisfied with top management support towards information security controls and only 3% of them agree very little. It shows that only a few employees seek much more support from top management.
3.1.11 Analysis on whether the security awareness program is provided to the employees
Table no 3.1.11
S.no  Particulars            Number of respondents  Percentage of respondents
1     Sure to happen         51                     42.5
2     Very likely to happen  22                     18.33
3     Likely to happen       32                     26.67
4     Might happen           12                     10
5     Won't happen           3                      2.5
      Total                  120                    100
Figure 3.1.11.1: Security awareness program (bar chart of percentage of respondents against likelihood)
Inference: It is inferred that 43% of the employees agreed that the security awareness program is sure to be provided to them and 27% of them agreed that it is likely to happen. It shows that there is a moderate occurrence of the security awareness program in the organization.
3.1.12 Analysis on the password management training provided to employees
Table no 3.1.12
S.no  Particulars  Number of respondents  Percentage of respondents
1     Agree        95                     79.20
2     Undecided    20                     16.67
3     Disagree     5                      4.16
      Total        120                    100
Figure 3.1.12.1: Password management training (bar chart of percentage of respondents against response)
Inference: It is inferred that 79% of the employees agreed that password management training is provided to them, and 17% of them are undecided. It shows that the organization has to concentrate on this issue.
3.1.13 Analysis on the co-operation of information security measures among employees
Table no 3.1.13
S.no  Particulars    Number of respondents  Percentage of respondents  Size (count × weight)  Total score  W.A
1     Enthusiastic   35                     29.20                      35*5                   175
2     Cooperative    62                     51.67                      62*4                   248
3     Neutral        13                     10.83                      13*3                   39           4.0
4     Uncooperative  8                      6.67                       8*2                    16
5     Disruptive     2                      1.67                       2*1                    2
      Total          120                    100                                               480
Figure 3.1.13.1: Co-operation of information security measures (horizontal bar chart of percentage of respondents against response)
Inference: It is inferred that 29% of the employees are enthusiastic about the co-operation of information security measures among them and 52% of them are cooperative. Since the weighted average on the co-operation of information security measures among employees is 4, it shows a good relationship among employees.
3.1.14 Analysis on the allocation of information security roles and responsibilities
Table no 3.1.14
S.no  Particulars  Number of respondents  Percentage of respondents  Size (count × weight)  Total score  W.A
1     Exceeded     87                     72.5                       87*4                   348
2     Met          30                     25                         30*3                   90
3     Nearly met   3                      2.5                        3*2                    6            3.7
4     Missed       0                      0                          0                      0
      Total        120                    100                                               444
Figure 3.1.14.1: Allocation of information security roles and responsibilities (bar chart of percentage of respondents against response)
Inference: From the above table it is inferred that 73% of the employees are satisfied with the allocation of information security roles and responsibilities and 25% of the employees are moderately satisfied. Since the weighted average on the allocation of information security roles and responsibilities is 3.7, it shows that the organization performs well in allocating the information security roles and responsibilities.
3.1.15 Analysis on whether any special training, such as on psychological manipulation, is provided to employees
Table no 3.1.15
S.no  Particulars  Number of respondents  Percentage of respondents  Size (count × weight)  Total score  W.A
1     Often        29                     24.20                      29*4                   116
2     Sometimes    48                     40                         48*3                   144
3     Seldom       10                     8.33                       10*2                   20           2.6
4     Never        33                     27.5                       33*1                   33
      Total        120                    100                                               313
Figure 3.1.15.1: Special training (bar chart of percentage of respondents against frequency)
Inference: From the above table it is inferred that 40% of the employees agree that they avail special training on a sometime basis and 24% of the employees agree that it is held often. Since the weighted average on the special training provided to employees is 2.6, it shows that the organization should concentrate on improving the occurrence of special training.
3.1.16 Analysis on whether the organization communicates policy updates regularly to employees
Table no 3.1.16
S.no  Particulars        Number of respondents  Percentage of respondents
1     Very good          95                     79.20
2     Good               21                     17.5
3     Barely acceptable  4                      3.33
4     Poor               0                      0
5     Very poor          0                      0
      Total              120                    100
Figure 3.1.16.1: Policy updates communicated regularly (bar chart of percentage of respondents against rating)
Inference: From the above table it is inferred that 79% of the employees agree that the organization communicates policy updates regularly to employees and 18% of the employees agree moderately. It shows the efficiency of the organization in communicating policy updates regularly to employees.
3.1.17 Analysis on the regular updating of the security policy
Table no 3.1.17
S.no  Particulars   Number of respondents  Percentage of respondents
1     Frequently    96                     80
2     Occasionally  18                     15
3     Rarely        6                      5
4     Never         0                      0
      Total         120                    100
Figure 3.1.17.1: Updating of the security policy (bar chart of percentage of respondents against frequency)
Inference: From the above table it is inferred that 80% of the employees agree that the organization regularly updates the security policy and 15% of the employees agree moderately. It shows that only a few of them opted for "rarely" in updating the security policy.
3.1.18 Analysis on whether information security is aimed more at the human or the technical side
Table no 3.1.18
S.no  Particulars     Number of respondents  Percentage of respondents
1     Human side      59                     49.20
2     Technical side  61                     50.83
      Total           120                    100
Figure 3.1.18.1: Information security is aimed more at (pie chart: human side 49%, technical side 51%)
Inference: From the above table it is inferred that 51% of the employees agree that information security is aimed more at the technical side and 49% of the employees agree on the human side. It shows that employees believe strongly in the technical aspects.
3.1.19 Analysis on whether the facilities offered are adequate for a secured workstation
Table no 3.1.19
S.no  Particulars        Number of respondents  Percentage of respondents
1     Strongly agree     29                     24.20
2     Agree              47                     39.16
3     Neutral            29                     24.20
4     Disagree           10                     8.33
5     Strongly disagree  5                      4.16
      Total              120                    100
Figure 3.1.19.1: Facilities offered are adequate for a secured workstation (bar chart of percentage of respondents against response)
Inference: From the above table it is inferred that 39% of the employees agree that the facilities offered are adequate for a secured workstation, 24% of the employees strongly agree and 24% of them are neutral. It shows that the organization should concentrate on this area.
3.1.20 Analysis on the regular upgradation of software by the organization
Table no 3.1.20
S.no  Particulars        Number of respondents  Percentage of respondents
1     Strongly agree     54                     45
2     Agree              33                     27.6
3     Neutral            16                     13.33
4     Disagree           7                      5.83
5     Strongly disagree  10                     8.33
      Total              120                    100
Figure 3.1.20.1: Regular upgradation of software (bar chart of percentage of respondents against response)
Inference: From the above table it is inferred that 53% of the employees agree on the regular upgradation of software by the organization, 28% of the employees agree moderately and 16% of them agree slightly. It shows that the organization should do regular upgradation of software for an efficient workstation.
3.1.21 Analysis on whether security awareness is merely educating employees rather than providing training
Table no 3.1.21
S.no  Particulars  Number of respondents  Percentage of respondents
1     True         120                    100
2     False        0                      0
      Total        120                    100
Figure 3.1.21.1: Security awareness is merely educating (pie chart: true 100%, false 0%)
Inference: From the above table it is inferred that 100% of the employees agree that security awareness is merely educating employees rather than providing training. It shows that employees strongly believe that security awareness is merely educating.
3.1.22 Analysis on the security awareness training provided to the employees
Table no 3.1.22
S.no  Particulars      Number of respondents  Percentage of respondents
1     General          107                    89.20
2     Department wise  13                     10.83
      Total            120                    100
Figure 3.1.22.1: Security awareness training (pie chart: general 89%, department wise 11%)
Inference: From the above table it is inferred that 89% of the employees reported that the security awareness training provided to the employees is general and 11% of them reported it as departmental. It shows that the organization provides its employees with generalized training.
3.1.23 Analysis on whether the existing information security system meets the security objectives
Table no 3.1.23
S.no  Particulars       Number of respondents  Percentage of respondents
1     One of the best   102                    85
2     Above average     18                     15
3     Average           0                      0
4     Below average     0                      0
5     One of the worst  0                      0
      Total             120                    100
Figure 3.1.23.1: Existing information security system (bar chart of percentage of respondents against rating)
Inference: From the above table it is inferred that 85% of the employees accepted that the existing information security system is one of the best and 15% of them accepted it as above average. It shows that the existing information security system meets the security objectives effectively.
DATA ANALYSIS AND INTERPRETATION
STATISTICAL TOOL APPLICATION
CHI-SQUARE TEST
3.1.24 FIXING THE PROBLEM ON OCCURRENCE OF SECURITY AWARENESS PROGRAM
S.no  Particulars            No. of respondents  Percentage
1     Sure to happen         51                  42.5%
2     Very likely to happen  22                  18.33%
3     Likely to happen       32                  26.67%
4     Might happen           12                  10%
5     Won't happen           3                   2.5%
Null hypothesis H0:
There is no significant difference between the occurrences of the security awareness program.
Alternative hypothesis H1:
There is a significant difference between the occurrences of the security awareness program.
CHI SQUARE TEST
TABLE 3.1.24
O    E    (O-E)  (O-E)²  (O-E)²/E
51   24   27     729     30.38
22   24   -2     4       0.17
32   24   8      64      2.67
12   24   -12    144     6
3    24   -21    441     18.37
Total                    57.59
E = 120/5 = 24
χ² = Σ (O-E)²/E = 57.59
df = r - 1 = 5 - 1 = 4
The table value of chi-square for 4 d.f. at the 5% level of significance: χ²(0.05) for 4 d.f. = 9.49
Since the calculated value is greater than the table value, we reject the null hypothesis.
Hence it is concluded that there is a significant difference between the observed and expected values.
3.1.24 RANK CORRELATION - A comparison of the facilities offered and the upgradation of software.
Table no 3.1.25
S.no  Particulars        Facilities offered (Xi)  Upgradation of software (Yi)
1     Strongly Agree     29                       54
2     Agree              47                       33
3     Undecided          29                       16
4     Disagree           10                       7
5     Strongly Disagree  5                        10
Rank(Xi)  Rank(Yi)  Di = Rank(Xi) - Rank(Yi)  Di²
3.5       5         -1.5                      2.25
5         4         1                         1
3.5       3         0.5                       0.25
2         1         1                         1
1         2         -1                        1
ΣDi² = 5.5
Rank correlation can be obtained by using the formula
ρ = 1 - [6ΣDi²] / [n(n² - 1)]
  = 1 - [6(5.5)] / [5(25 - 1)]
  = 1 - 33/120
  = 1 - 0.275
  = 0.725
Remarks: The rank coefficient lies between -1 and +1, i.e. -1 ≤ ρ ≤ 1.
Conclusion: Since the rank correlation between the facilities offered and the upgradation of software is positive, we conclude that the facilities offered and the upgradation of software are positively associated.
3.1.26 ANOVA table: analysis on the effectiveness of system utilization.
Table no 3.1.26 (response counts; each row sums to 120 responses)

Particulars    Significantly Above        Above             Met              Below          Significantly Below
                 (x1)      x1²        (x2)     x2²       (x3)    x3²       (x4)    x4²        (x5)     x5²
Speed             23       529         47     2209        31     961        11     121          8       64
Storage           14       196         48     2304        23     529        28     784          7       49
Accuracy          25       625         66     4356        11     121         9      81          9       81
Diligence         63      3969         34     1156        12     144         8      64          3        9
Reliability       84      7056         16      256        12     144         7      49          1        1
Total        Σx1=209  Σx1²=12375  Σx2=211  Σx2²=10281  Σx3=89  Σx3²=1899  Σx4=63  Σx4²=1099  Σx5=28  Σx5²=204

Null Hypothesis (H0): There is no significant difference between the rating categories in the effectiveness of system utilization.
Alternative Hypothesis (H1): There is a significant difference between the rating categories in the effectiveness of system utilization.

Calculation
Sum of all the items of the various samples, T = Σx1 + Σx2 + Σx3 + Σx4 + Σx5
  = 209 + 211 + 89 + 63 + 28
  = 600
Correction factor, T²/N = 600²/25
  = 14400
Total sum of squares (SST)
  = Σx1² + Σx2² + Σx3² + Σx4² + Σx5² - T²/N
  = 12375 + 10281 + 1899 + 1099 + 204 - 14400
  = 11458
Sum of squares between samples (SSC)
  = (Σx1)²/N1 + (Σx2)²/N2 + (Σx3)²/N3 + (Σx4)²/N4 + (Σx5)²/N5 - T²/N
  = 209²/5 + 211²/5 + 89²/5 + 63²/5 + 28²/5 - 14400
  = 8736.2 + 8904.2 + 1584.2 + 793.8 + 156.8 - 14400
  = 5775.2
Sum of squares within the samples (SSE)
  SSE = SST - SSC
  = 11458 - 5775.2
  = 5682.8

Analysis of Variance
Table 3.1.27

Source of variation    Sum of squares (SS)   Degrees of freedom (d.f.)   Mean square                                F
Between the samples    SSC = 5775.2          k - 1 = 5 - 1 = 4           MSC = SSC/(k - 1) = 5775.2/4 = 1443.8     F = MSC/MSE
Within the samples     SSE = 5682.8          N - k = 25 - 5 = 20         MSE = SSE/(N - k) = 5682.8/20 = 284.14      = 1443.8/284.14 = 5.08
Total                  SST = 11458           N - 1 = 24

Calculated value = 5.08
Table value (F at the 5% level, d.f. 4 and 20) = 2.87

Conclusion: Since the calculated value F = 5.08 is greater than the table value F0.05 = 2.87, the null hypothesis is rejected: there is a significant difference between the rating categories in the effectiveness of system utilization.
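Both tests above (the rank correlation between questionnaire items 15 and 16, and the one-way ANOVA over Table 3.1.26) can be reproduced from the report's own tables. The script below is an added example, not part of the report: the arrays are transcribed from the tables above, tied values are given the average rank as in the report's ranking, and the tabulated F value for 4 and 20 degrees of freedom (2.87 at the 5% level) is supplied as an input rather than computed.

```python
"""Reproduce the report's two tests: Spearman rank correlation between two
questionnaire items and a one-way ANOVA over the system-utilization table.
Added example; the data below are transcribed from the report's tables."""

# Response counts for item 15 (facilities adequate for a secured workstation)
# and item 16 (regular software upgrades), in the order Strongly Agree, Agree,
# Undecided, Disagree, Strongly Disagree. Each column sums to 120 responses.
FACILITIES = [29, 47, 29, 10, 5]
UPGRADES = [54, 33, 16, 7, 10]

# Table 3.1.26: one row per factor, columns in the order Significantly Above,
# Above, Met, Below, Significantly Below.
UTILIZATION = {
    "Speed":       [23, 47, 31, 11, 8],
    "Storage":     [14, 48, 23, 28, 7],
    "Accuracy":    [25, 66, 11,  9, 9],
    "Diligence":   [63, 34, 12,  8, 3],
    "Reliability": [84, 16, 12,  7, 1],
}


def average_ranks(values):
    """Rank values ascending (1 = smallest); tied values share the mean of the
    positions they occupy, which is how the report ranks the two 29s as 3.5."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        mean_rank = (i + j + 2) / 2          # positions i..j are 1-based i+1..j+1
        for k in range(i, j + 1):
            ranks[order[k]] = mean_rank
        i = j + 1
    return ranks


def spearman_rho(x, y):
    """Spearman's rho in the form the report uses: 1 - 6*sum(d^2) / (n(n^2-1))."""
    rx, ry = average_ranks(x), average_ranks(y)
    n = len(x)
    d2 = sum((a - b) ** 2 for a, b in zip(rx, ry))
    return 1 - 6 * d2 / (n * (n * n - 1))


def rating_columns(table):
    """Turn the row-per-factor table into one sample per rating column."""
    return [list(col) for col in zip(*table.values())]


def one_way_anova(groups):
    """One-way ANOVA by the sums-of-squares route followed in the report.
    Returns SST, SSC (between), SSE (within), degrees of freedom, mean squares and F."""
    values = [v for g in groups for v in g]
    n_total, k = len(values), len(groups)
    t = sum(values)
    cf = t * t / n_total                                    # correction factor T^2/N
    sst = sum(v * v for v in values) - cf
    ssc = sum(sum(g) ** 2 / len(g) for g in groups) - cf
    sse = sst - ssc
    df_between, df_within = k - 1, n_total - k
    msc, mse = ssc / df_between, sse / df_within
    return {"SST": sst, "SSC": ssc, "SSE": sse,
            "df_between": df_between, "df_within": df_within,
            "MSC": msc, "MSE": mse, "F": msc / mse}


def significant(f_stat, table_value):
    """Reject H0 when the calculated F exceeds the tabulated F for the same d.f."""
    return f_stat > table_value


if __name__ == "__main__":
    print("rank correlation r =", round(spearman_rho(FACILITIES, UPGRADES), 3))
    result = one_way_anova(rating_columns(UTILIZATION))
    for key in ("SST", "SSC", "SSE", "df_between", "df_within", "F"):
        print(f"{key} = {round(result[key], 2)}")
    # F(4, 20) at the 5% level is 2.87 (standard F table, supplied by hand)
    print("reject H0:", significant(result["F"], 2.87))
```

Running the script gives r = 0.725 and F = 5.08 on 4 and 20 degrees of freedom, so the ANOVA conclusion is unchanged by the arithmetic correction; the script is also a quick way to check any other pair of items or rating tables from the questionnaire.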
3.2 RESEARCH FINDINGS
It is found that 40% of the employees belong to the age group 21-30 and 30% to the age group 31-40. Most employees (70%) are therefore between 21 and 40 years old.
It is found that 81% of the employees are male and only 19% are female, so the workforce is predominantly male.
It is found that 63% of the employees are single and 37% are married; the majority are single.
It is found that 60% of the employees are graduates and 32% are post graduates.
It is found that 53% of the employees have up to 5 years of service and 37% have 6-10 years, so 90% of the employees have ten or fewer years with the organization.
It is found that 51% of the employees earn a salary of up to 10,000 and 32% earn between 11,000 and 30,000, so only a few employees earn more than 30,000.
It is found that 97% of the employees are aware of a job description specifying their security responsibilities; only 3% are unaware.
It is found that 84% of the employees agree that they receive security education and training and only 16% disagree, so the majority are receiving security education and training.
It is found that 72% of the employees are extremely familiar with the information security policies and 28% are moderately familiar, so the majority are familiar with the policies.
It is found that 87% of the employees are satisfied with top management support towards information security controls and only 3% rate it as very little.
It is found that 43% of the employees say a security awareness program is sure to be provided and 27% say it is likely, which shows a moderate occurrence of security awareness programs in the organization.
It is found that 79% of the employees agree that password management training is provided to them and 17% are undecided.
It is found that 29% of the employees describe co-operation on information security measures among employees as enthusiastic and 52% as cooperative.
It is found that 73% of the employees are satisfied with the allocation of information security roles and responsibilities and 25% are moderately satisfied.
It is found that 40% of the employees say special training is provided sometimes and 24% say it is held often.
It is found that 79% of the employees agree that the organization communicates policy updates regularly and 18% agree moderately.
It is found that 80% of the employees agree that the organization regularly updates the security policy and 15% agree moderately.
It is found that 51% of the employees feel information security is aimed more at the technical side and 49% at the human side.
It is found that 39% of the employees agree that the facilities offered are adequate for a secured workstation, 24% strongly agree and 24% are neutral.
It is inferred that 53% of the employees agree that the organization regularly upgrades its software.
It is found that 100% of the employees agree that security awareness is merely educating employees rather than providing training.
It is found that 89% of the employees say the security awareness training provided is general and 11% say it is department-specific.
It is found that 85% of the employees rate the existing information security system as one of the best and 15% rate it as above average.
Every employee and visitor is required to sign, and be aware of, a Non-Disclosure Agreement (NDA).
The security awareness training program is held twice a year.
The background information of terminated employees is retained for a specified duration for future reference.
3.3 SUGGESTIONS
The organization can create a specific mechanism to assess and improve user awareness among employees, and at a minimum maintain records of the user awareness training conducted.
User awareness audits can be conducted to check the level of awareness among employees. Whatever technical solutions have been implemented, weak user awareness remains the biggest threat to the organization.
A Business Impact Analysis (BIA) can be performed to analyze the impact on the system of various unforeseen events or incidents. Various failure scenarios and their possible business impacts are analyzed, including technical problems, human resource issues and other events.
Social engineering is a method of extracting information from people (in this case the employees) in order to intrude into the premises or the network. Social engineering tests can be conducted by making telephone calls, sending emails and so on; such tests should be authorized and scoped in advance, and their results used to target the awareness program rather than to penalize individual employees.
The organization can provide special training, such as training in recognizing psychological manipulation, to employees.
The security awareness program can be conducted every quarter, featuring the following elements:
(a) Awareness is a blended solution of activities that promotes security, establishes accountability, and informs the workforce of security news.
(b) Training strives to produce relevant and needed security knowledge and skills within the workforce. Training supports competency development and helps personnel understand and learn how to perform their security role.
(c) Education integrates all of the security skills and competencies of the
various functional specialties into a common body of knowledge and
adds a multidisciplinary study of concepts, issues, and principles
(technological and social).
3.4 CONCLUSION
The study has emphasized developing and applying formal systems, such as security policies, procedures and controls, while awareness activities are applied less in the organization. Technical-administrative measures (policy, procedures, controls and administrative tools) are the most implemented measures, but are at the same time assessed to have lower effectiveness than awareness creation. The results indicate that for information security measures to become effective, security should be built like a staircase of combined measures.
Therefore the establishment, maintenance and continuous update of an ISMS provide a strong indication that a company is using a systematic approach to the identification, assessment and management of information security risks.
Since people factors are considered more crucial than ever to information security management (ISM), organizations should pay more attention to the role of human resource management (HRM). Overall, this study suggests that with a more strategically active role for HRM, through an effective combination of selection, training and pay practices, organizations can not only manage people issues in ISM more effectively but may also sustain their competitive advantage.
APPENDICES
Questionnaire
A Study on the Effectiveness of the Information Security Management System in Yamee Cluster.

1) Name : ____________________________________________________
2) Age : a) Up to 20 b) 21-30 c) 31-40 d) 41-50 e) > 50
3) Designation : _____________________________________________________
4) Gender : a) Male b) Female
5) Marital Status : a) Single b) Married
6) Qualification : a) 10th b) 12th c) Graduate d) Post Graduate e) Others
7) Length of Service: a) Up to 5 yrs b) 6-10 yrs c) 11-15 yrs d) 16-20 yrs e) > 20 yrs
8) Salary : a) Up to 10,000 b) 11,000-30,000 c) 31,000-50,000 d) 51,000-70,000 e) > 71,000

1) Does your job description specify the security responsibilities associated with a given job?
a) Yes b) No
2) Do you receive an adequate level of security education and training to reduce the risk of human error?
a) Agree b) Disagree
3) Are you familiar with the information security policies?
a) Extremely b) Moderately c) Not at all
4) Rate the top management support towards information security controls.
a) To a great extent b) Somewhat c) Very little d) Not at all
5) Do you have an employee security awareness training program?
a) Sure to happen b) Very likely to happen c) Likely to happen d) Might happen e) Won't happen
6) Are you trained to understand the appropriate use of passwords and the need to keep passwords private?
a) Agree b) Undecided c) Disagree
7) Co-operation on information security measures among employees:
a) Enthusiastic b) Cooperative c) Neutral d) Uncooperative e) Disruptive
8) How well does your management allocate information security roles and responsibilities?
a) Exceeded b) Met c) Nearly met d) Missed
9) Do you do office work at home?
a) Yes b) No
10) Is the security awareness training general or specific to each department?
_____________________________________________________________________
11) Does your organization provide any special training, such as training in recognizing psychological manipulation?
a) Often b) Sometimes c) Seldom d) Never
12) How often is the security policy updated?
a) Frequently b) Occasionally c) Rarely d) Never
13) How well does the organization communicate with you regarding periodic updates of the policy and other matters?
a) Very good b) Good c) Barely acceptable d) Poor e) Very poor
14) Information security is aimed more at:
a) The human side
b) Technical aspects
15) Do you agree that the facilities offered are adequate for a secured workstation?
a) Strongly agree b) Agree c) Neutral d) Disagree e) Strongly disagree
16) Does your organization regularly upgrade the software for easy and effective utilization?
a) Strongly agree b) Agree c) Neutral d) Disagree e) Strongly disagree
17) Security awareness is merely educating employees rather than providing training.
a) True b) False
18) When leaving for lunch or taking a break, how do you secure your workstation?
a) Turn my monitor off
b) Log off the workstation
c) Lock the workstation by pressing Ctrl+Alt+Delete and selecting Lock Computer
d) Turn the computer off
e) None of the above
f) Other ___________________________
19) A human wall is always better than a firewall.
a) Definitely b) Probably c) Probably not
20) How well does the existing information security system meet the security objectives (Confidentiality + Integrity + Availability)?
a) One of the best b) Above average c) Average d) Below average e) One of the worst
21) Effectiveness of system utilization (rate each factor):
Security objectives   Significantly Above   Above   Met   Below   Significantly Below
Speed
Storage
Accuracy
Diligence
Reliability
REFERENCES
Kothari, C.R. (1997). Research Methodology: Methods and Techniques, 2nd edition.
ISO/IEC 27001:2005. Information technology - Security techniques - Information security management systems - Requirements.
NIST Special Publication 800-12 (October 1995). An Introduction to Computer Security: The NIST Handbook.
Thomson, M.E. and Von Solms, R. (1998). Information security awareness: Educating your users effectively. Information Management & Computer Security.
Chang, S.E. and Ho, C.B. (2006). Organizational factors to the effectiveness of implementing information security management. Industrial Management & Data Systems.
WEBSITES:
www.managementhelp.org
www.oppapers.com
www.wikipedia.org
www.iso.org
www.google.com