International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com Volume 2, Issue 11, November 2013 ISSN 2319 - 4847 Information Security Preparedness of Indian Academic Campuses with respect to Global Standards: a Gap Analysis D.S. BHILARE School of Computer Science & IT, Devi Ahilya University, Indore, India ABSTRACT An effective information security strategy is essential for protecting information assets and ensuring compliance with various state regulations such as Indian IT ACT; and aspirations of the various stake holders in the Academic Campuses. Institutions are forced to enhance their attention and budget to protect institutional infrastructure and information assets. Despite this attention, a very little information is available about the Information Security Governance implementations and its effectiveness in the Indian universities and colleges. In order to build an effective information protection strategy, it is essential to evaluate and understand the existing security posture of the Universities with respect to the Global standards and practices. The study is conducted using ISO/IEC security standards as a basic framework. The major factors affecting information security are identified. Outcome of these investigations shall help institutions in getting a deeper understanding of current information security issues and trends; as well as identify areas of concern, for ensuring more secured campuses. Keywords: information security, higher education, global practices, security gap analysis 1. INTRODUCTION The primary challenge for any Information Security Officer in the institutes of higher education is to build confidence in academic community; regarding security of personal, financial and research information. Since 2008, the amended IT Act has helped in improving information security, but meeting the minimal requirements for compliance does not ensure protection. Institutions are realizing that much more is needed to effectively mitigate risks and achieve their information security objectives. Rising demand for IT services and the widespread distribution and governance of research computing resources, coupled with an incredible rise in computer crimes, place increasing stress on higher education institution [13]. Even institutes well known for their IT security investments have suffered resulting in the theft of personal, private or confidential information. Colleges and Universities too frequently serve as launch-pad for spam and DOS attacks [9]. Inadequate security may interrupt critical services or lead to the theft of sensitive data: student information, employee information or intellectual property [1]. The loss of public trust or the failure to comply with regulations could result in severe financial implications. A major security breach could also cause irrevocable damage to institutions reputation. To effectively protect information assets, it is essential to evaluate institutions present standing in relation to industry best practices and regulatory requirements. A gap assessment is needed to identify the effective course of action based on institutional objectives. In many domains, the concepts of guarding trade secrets, protecting corporate data from competitors, and fighting patent infringements are well understood. Not all industries are adept at protecting information. Information security is even more problematic in higher education. The functioning of the IHE calls for sharing of knowledge and providing access to information and technology. In other words, the concept of information security runs counter to the open culture of information sharing in academics [14]. The second challenge is the perception of many people that data security is a technical issue and, therefore, the sole responsibility of IT department or chief information security officer and his team. To understand the institute’s information security risk, one must identify the critical activities, examine potential threats and vulnerabilities[8]. Sometimes threats from insider are much greater than the threat from the outsiders [7]. This involves examining the current IS practices, infrastructure, and methods for utilizing technology in the institution. Thus, understanding present security state and identifying vulnerabilities is the first step towards protecting the confidentiality, integrity and availability of critical information. It is also an important component for ensuring regulatory compliance. The purpose of the investigation is to understand the present information security scenario in the context of Indian Universities and Colleges, with respect to global information security practices. Efforts are made to compare the level of local issues and practices with their western peers and also with the overall global industry practices in general. The survey results and conclusions are studied in global context using the survey results published by well known international reputed research and consulting houses. The following survey reports are used as a benchmark to assess the state of Information Security in the Indian institutes of higher education: Volume 2, Issue 11, November 2013 Page 57 International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com Volume 2, Issue 11, November 2013 ISSN 2319 - 4847 The study is expected to indentify major areas of concern, and analyze them to provide the appropriate solutions, in the Indian context. The study would provide vital input essential for designing an appropriate solution to the various issues being addressed. The study is expected to provide the following inputs for achieving the said objectives: A clear understanding of the security posture of the Indian Academic Institutes with respect to their global peers and industry Major areas of concerns on our campuses Identifies the gaps in institutes security controls, policies and processes Provides a specific, actionable input to improve overall security posture based on resources, needs and practices in the remaining world 2. OBJECTIVE The objective of the whole investigation is to understand, where we stand with respect to global information security practices. Efforts are made to compare the level of Indian Information Security issues and practices with their western peers and also with the overall global industry practices in general, irrespective of a particular sector. 3. METHODOLOGY The following procedure was adopted to gather the required data for conducting the investigation to fulfill the above stated objectives: Literature Review Telephone interviews with: 35 Information technology managers 15 Faculty members Expert views of a selected security experts A quantitative survey of 25 institutes of higher education Efforts were made to take input from the most experienced person in that institute. It was ensured that minimum experience of the respondent should not be less than five years. In order to be able to pinpoint the specific areas that require attention, the questionnaire was designed to gather information on the following key aspects of Information Security based on globally recognized information security standard ISO 27001:2005 and industry best practices: Governance, Investment, Risk, Use of security technologies, Quality of Operations & Privacy. Since we are living in a global village, must know about our peers, their way of functioning and practices followed. In order to ensure secure campuses, it is vital that we measure our performance against recognized benchmarks. This survey is intended to enable benchmarking against comparable organizations. Benchmarking with a peer group and overall industry can assist institutions in identifying those practices that, when adopted and implemented, have the potential to produce more secure campuses. Most of the survey responses were collected during face-to-face interviews with individuals responsible for information security at the participating organizations. When this was not possible, the respondents were given to choice to fill it online[11]. 4. PROCEDURE The following procedure was adopted to gather the required input data for conducting the investigations. Information is gathered from the literature review and telephonic interviews, covering IT Managers and Faculty members. In addition, expert views of selected security experts are taken. Finally, a quantitative survey of 25 institutes of higher education is carried out. As far as possible, the input is taken from the most experienced person in that institute. In order to pinpoint the specific areas, that require attention, the questionnaire is designed to gather information on aspects of Information Security based on globally recognized information security standard ISO 27001:2005 and industry best practices [15], [16], [17], [18]. The questionnaire is based on the following key aspects: Governance: It includes compliance with regulations and policy, accountability, management support, assessment plans, feedback etc. Investment: This covers Budgeting, Staffing, and Management aspects. Risk: This covers Vulnerabilities, Intentions, Public Networks, and Controls. Use of security technologies: Encryption, Knowledge base, Trends, and Technology Quality of operations: It covers issues like Business Continuity Management, Benchmarking, Administration, Prevention, Detection, Response, Privileged Users, Authentication, and Controls. Volume 2, Issue 11, November 2013 Page 58 International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com Volume 2, Issue 11, November 2013 ISSN 2319 - 4847 Privacy: This includes Compliance with Regulations, Ethics, Data Collection Policies, Communication Techniques, Safeguards, and Personal Information Protection. Most of the survey responses were collected during face-to-face interviews with individuals responsible for information security at the participating organizations. In other cases, the respondents were given the choice to fill it online using the following link: www.dauniv.ac.in\questionaire. In the following sections, analysis of the input received from various sources, under various categories is illustrated with the help of graphs and tables. 5. SURVEY ANALYSIS An analysis of the feedback received from the respondents is carried out individually as well as with respect to research outcome & statistics published by the well recognized international research houses. The gap analysis is done in various categories; as shown below: 1) Respondents by Title 2) Percentage of IT Budget Allocated for Security 3) Primary Responsibilities of CISO 4) Consequences of the Information Security Incidences 5) Percentage of Security Outsourced 6) Expected Increase in the Number of IT Security Staff 7) Number of Incidents per Year 8) Percentage of Losses Due to Insiders 9) Percentage of Key Types of Incidents 10) Security Technologies Used 11) Security Certificates Held by the IT Security Staff 12) Strategies to Reduce Vulnerabilities in the Campus 13) Information Security Testing 14) Assessment of Information Security Measures 15) Actions Taken After an Incident 16) Reasons for Not Responding 17) Use of Information Security Standards 18) Information Security Policy within the Organization 19) Data Retention Policy within the Organization 20) Software Development Process within the Organization 21) Major Barriers in Ensuring Information Security 22) Top Internal/External Audit Findings during the Year 23) Major Causes of failure of Information Security Projects 24) Sharing of Information about Security Incidents with Other Institutions In the following sections, analysis of the responses received for each category mentioned above is carried out and illustrated with graphs and tables. Out of these twenty four parameters some of the findings have been published earlier [12], remaining work is being covered in this paper. 5.1 Percentage of IT Budget Allocated for Security There are 53 % institutes who are spending less than 5 % of their total IT Budget on Information Security. Figure 1 shows that this allocation is significantly lower than the global peers. Globally, there are more than 20 % respondents who are spending minimum eight percent, whereas in Indian Universities there are no respondents in this category. Percentage of IT Budget allocated for Security 35 30 30 27 25 15 27 24 20 18 15 15 12 10 11 11 8 5 0 Unknown 0 > 10 % 0 8 - 10 % CSI 2008 1 6-7% 3-5% 1-2% 0-1 % Indian Universities Figure 1: Percentage of IT Budget Allocated for Security Volume 2, Issue 11, November 2013 Page 59 International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com Volume 2, Issue 11, November 2013 ISSN 2319 - 4847 5.2 Primary Responsibilities of CISO Survey respondents indicate that the CISO’s primary responsibilities are security governance, Security strategy and planning, internal security awareness, as well as IT risk management (all rating at least 60%, with security governance as high as 90%). Respondents indicate that CISOs are least responsible for areas such as web customers’ administration, external security awareness, disaster recovery planning, and the protection of paper based information (all ratings less than 40%). These findings do not mean that these latter areas are being necessarily neglected. For example, respondents indicate that the CISO is more concerned with internal security awareness (74%) than with external awareness (16%). Respondents also indicate that IT compliance management (at 51%) is part of the responsibility of the CISO. This is an important responsibility, as in India, IT security laws are still under formation stage. IT Act 2000 is the only instrument available for security enforcement. There are two distinct responsibilities to which Indian respondents are giving higher weightage, compared to Deloitte 2008 Global Information Security Survey respondents. These responsibilities are given below: Responsibility Deloitte 2008 Survey 44 % IT Perimeter Security Business Management Continuity Indi an Survey 60 % 68% 38 % Primary Responsibilities of CISO Privacy Business continuity Management Security performance management Disaster recovery planning External customers’ security awareness Interaction with law enforcement authorities Security web customers’ administration Physical security Security governance Security strategy and planning Internal security awareness Security incident response and management Security assessments Vulnerability and threat management Security implementation and integration Security architecture IT risk management Identity and access management Security administration Security training Security consulting Security investigations IT compliance management Third-party security IT perimeter security Security employees/users administration Security operations Computer forensics 0 10 20 30 40 50 60 Deloitte 2009 70 80 90 100 Indian Universities Figure 2: Primary Responsibilities of CISO Volume 2, Issue 11, November 2013 Page 60 International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com Volume 2, Issue 11, November 2013 ISSN 2319 - 4847 5.3 Consequences of Information Security Incidences Damage to reputation and image was cited as the most significant consequence of an information security incident by 83% of survey respondents. This finding, in combination with the concern for regulatory action (80%), loss of revenue (63%), and the loss of customers (61%) are clear indicators for why information security remains a focus for most organizations. The survey results reflect the fact that stakeholder confidence and a positive image can take years to build, but can be severely damaged by a single incident. For many years, regulatory compliance has been the leading driver for information security. It has been an important catalyst for raising awareness and driving real improvements. Although cited by 80% of respondents as a driver for information security, compliance alone is not enough to ensure improvements. To protect reputation and image many Universities and colleges have gone beyond the requirements of regulatory compliance to have more secured campuses. Institutes need to build sustainable compliance programs while taking a more strategic and comprehensive view of information security. The following graph indicates that on this issue respondents from both the world think alike and are equally concerned. Consequences of Information security Incidences Damage to employee relationships Litigation/legal action Regulatory action/sanction Indian Loss of customers Ernst & Young 2008 Loss of revenues Loss of stakeholder confidence Damage to reputation and brand 0 10 20 30 40 50 60 70 80 90 Figure 3: Consequences of Information Security Incidences 5.4 Percentage of Security Outsourced Survey showed that in-house security management is around 80 percent, organizations are unwilling to outsource it completely. Organizations globally tend to outsource some of the highly technical part, remaining they are keeping in their hand. Perhaps, institutes believe in handling sensitive information themselves. 5.5 Number of incidents per year Before looking at the nature and cost of incidents, the survey asks respondents to estimate how many incidents they have had to deal with over the course of the year. The following graph indicates that 35% respondents say that they have had more than ten incidents per year. If we compare with the global peers 47 % respondents say that they face 1 to 5 incidents per year. This may be due to number of laws applicable overseas and awareness. 5.6 Percentage of losses due to insiders The following figure shows that, 42 percent respondents believe that insiders are responsible for 1 – 20 percent losses, and 47 percent respondents believe that there is no loss on account of insiders. It's certainly true that some insiders are particularly well-placed to do enormous damage to an organization, but this survey's respondents seem to indicate that talk of the prevalence of insider criminals may be overblown. On the other hand, we're speaking here of financial losses to the organization, and in many cases significant insider crimes, such as leaking of credit card information, may not be detected by the victimized organization and no direct costs may be associated with the theft. The comparative study also reveals that the industry respondents perceive more losses from insider compared to the higher education respondents. This is also evident from the budget allocations and attention paid to the issue of insider Volume 2, Issue 11, November 2013 Page 61 International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com Volume 2, Issue 11, November 2013 ISSN 2319 - 4847 threat in higher education compared to industry. Only 41 % Indian University respondents feel that, there is no threat from the insiders, whereas 61 % industry respondents feel so. Losses due to Insiders 70 Respondent % 60 50 40 CSI 2008 30 Indian Universities 20 10 0 81100% 6180% 4160% 2140% 1-20% None Figure 4: Losses due to Insiders 5.7 Percentage of key types of incidents The survey asks about a number of different sorts of computer attacks and incidents. In the following figure, a subset of these are graphed, this chart shows the four categories of highest incidence, namely viruses, insider abuse, laptop theft and unauthorized access to systems. Incidences related to virus are much higher in the Indian Universities (86 %) compared to the Industry (50 %). Second important finding is that, laptop theft is much less in the Indian Universities, perhaps usage is also less. The number of financial frauds is also negligible compared to the industry figures. Though, cases of unauthorized access and bots are higher compared to the global trends. S.No. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 Table 1: Incident Details Type of Incidence CSI 2008 Survey (Incident %) Denial of service 21 Laptop theft 42 Telecom fraud 5 Unauthorized access 29 Virus 50 Financial fraud 12 Insider abuse 44 System penetration 13 Sabotage 2 Theft/loss of proprietary info 4 From mobile devices 5 From all other sources Abuse of wireless network 14 Web site defacement 6 Misuse of Web application 11 Bots 20 DNS attacks 8 Instant messaging abuse 21 Password sniffing 9 Theft/loss of customer data from mobile devices 8 from all other sources 8 Volume 2, Issue 11, November 2013 Indian University & Colleges (Incident %) 17 3 4 35 86 2 33 26 0 0 4 48 12 21 27 17 29 21 2 2 Page 62 International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com Volume 2, Issue 11, November 2013 ISSN 2319 - 4847 5.8 Security Certificates Held by the IT Staff The following graph shows the percentage of certified security professionals in the Indian Universities compared with western universities (ECAR survey). The graph clearly indicates that Information Security practices are at nascent stage in the Indian Universities and due to this early stage, there are less number of security professionals working in this area compared to global benchmark. As shown in the figure, two percent hold the Certified Information Systems Security Professional (CISSP) certificate. Four and half percent hold the Certified Information Security Manager (CISM), three percent hold the Global Information Assurance Certification (GIAC) and four percent hold the Certified Information Systems Auditor (CISA) certificate. 5.9 Strategies to Reduce Vulnerabilities in the Campus The most often used strategies, which is used by more than 80 percent respondents are limiting protocols allowed through router or Firewall, restricted access to applications and server, and limiting the URLs allowed through the firewall. Strategies like “installing a software inventory”, “security devices for identification” and “closed desktop systems” were used by less than ten percent respondents. Less than fifty percent respondents did not have recovery and backup plan and isolation strategy for the compromised desktops. Surprisingly, Indian Universities are far ahead in using URL filtering through firewall (80 percent) compared to global higher education statistics (45 percent). But lagging far behind in the area of recovery and backup planning, only 11 percent Indian Universities have the required plan, whereas globally 55 percent universities have the backup and recovery plan in place. Strategies to Reduce Security Vulnerabilities Isolating or quarantining computers that do not meet minimum security requirement Instituting a recovery or backup plan in case of disasters caused by natural events or human acts Installing closed desktop systems that don’t allow user configuration changes Installing a softw are inventory system to w atch for malicious softw are or program changes Using security devices (such as cards or biometric scanners) Timing-out access to specific applications after an idle period Restricting and eliminating access to servers and applications Limiting the URLs allow ed throughout the firew all Limiting the type of protocol allow ed thru router 0 10 20 30 ECAR 2006 40 50 60 70 80 90 100 Indian Universities Figure 5: Strategies to reduce Security Vulnerabilities 5.10 Information Security Testing Tenth Global Information Security Survey, 2008 conducted by Ernst & Young highlights that the investments in technology are of little value unless people are trained on what to do and how to do it [2]. This has been recently reinforced by several high profile information security breaches where it was eventually determined to be a human failure that brought about the incident and not technical vulnerability. So much emphasis is often placed on technology that the “people” component of information security is frequently overlooked. Hackers have long known the easiest way to bypass an information security system is to exploit the people. Simple techniques such as impersonating IT or company personnel, can be used to gain access to information from unsuspecting employees. A large percentage of respondents (45%) confirmed that they regularly perform internet testing, but only 9% of respondents conduct social engineering attempts to test their employees. Ernst & Young, 2008 GIS survey, confirms that technology plays a pivotal role in information security, but there must also be a focus on training and awareness programs for information security to operate effectively. Organizations must view their people to be as critical as any other information security component so they can help prevent and properly respond to information security incidents in an effective and timely manner. Volume 2, Issue 11, November 2013 Page 63 International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com Volume 2, Issue 11, November 2013 ISSN 2319 - 4847 The following graph shows that the Indian Universities are lagging behind in almost all the areas, except in the area of application code review, which is perhaps the strength of the Indian Universities. This suggests that level of awareness need to be improved and more efforts are required to strengthen existing training and awareness programs. Information Security Penetration Testing 140 120 100 80 60 40 20 0 Internet testing Infrastructure testing Remote access Physical access to secure areas Wireless testing Application Social source code engineering reviews attempts E & Y 2008 Other Indian Universities Figure 6: Information Security Penetration Testing 5.11 Software Development Process within the Organization: In order to reduce vulnerabilities of software developed in-house, certain procedures should be followed. Some organizations have focused on educating their development teams on practices that help prevent the inadvertent introduction of vulnerabilities as applications are created or maintained. The following graph shows that the Indian Universities are far behind the global developers, in adopting the formal secure development procedures. Moreover, the global figures are also not very encouraging, less than forty percent organizations are following formal development procedures. It has been observed that the operating system vulnerabilities have declined during past few years. Therefore, hackers are now targeting the vulnerabilities present in the applications, developed in-house. In-house software development Process 45 40 35 30 25 20 15 10 5 0 39 34 30 29 23 22 CSI 2008 Indian Universities 11 8 3 1 Formal Process Established Formal Process Being Developed Don’t Know Other Informal Process Figure 7: In-house Software Development Process 5.12 Major Barriers in Ensuring Information Security Not surprisingly, budget constraints and the lack of qualified professionals occupy the first two spots, 74% and 56%, respectively. Current economic crisis has further reduced the IT and security budgets. Respondents have given lowest priority to the privacy issue, which is bit surprising. If we compare the responses with the “global information security survey”, conducted by the Deloitte, less number of Indian Universities has considered technology as a barrier. Perhaps, this indicates that we are good at technology absorption. Issues like, “increasing sophistication of threats” and “inadequate functionality/interoperability of software” are also at low priority and not considered as a very significant barrier. Survey shows that management support is far better in the other part of the world, 45% respondents have reported lack of management support. Volume 2, Issue 11, November 2013 Page 64 International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com Volume 2, Issue 11, November 2013 ISSN 2319 - 4847 Major Barriers in Ensuring Information Security Budget constraints and/or lack of resources Increasing sophistication of threats Emerging technologies Inadequate availability of security professionals Indian Universities Deloitte 2009 Privacy issues and concerns Inadequate functionality/interoperability of security s/w Lack of information security strategy Lack of management support 0 10 20 30 40 50 60 70 80 Figure 8: Major Barriers in Ensuring Information Security 5.13 Top Internal/External Audit Findings during the Year The top audit finding indicates that the “segregation of duties”, has got the highest priority. There are reports, which show that cases of forged mark-sheets are higher in those universities, where same persons are involved in the preparation of the duplicate mark-sheet and verification as well. Indian respondents have identified “Excessive access rights” as the more serious concern compared to the global respondents. Top three findings are “segregation of duties” (41%), “access control compliance procedures” (35%) and “lack of clean-up of access rules following a transfer” (32%). State of “excessive access rights” is better in the Indian Universities compared to the global statistics. Auditors and regulators expect that individuals will have rights only to the data/information that are needed to perform their jobs. And when those rights are no longer needed to perform the job, they also expect the rights to be revoked. And “revoked” does not just mean at some point in the future, it means in a timely fashion. As simple as this sounds in theory, in practice, it is not. Given changing job responsibilities, a more mobile workforce, employee turnover, and corporate reorganizations and mergers, this is a big challenge. Access control compliance has emerged above the lack of clean-up of access rules following the job change. Access and control compliance reflects the security concern of many organizations of having controls in place to ensure users have access only to what they need to properly do their jobs. Auditors look for conflicts in segregation of duties in which one individual has access to responsibilities that are inherently in conflict with one another. To use a banking example, the same person should not accept cash, record deposits, make deposits, and reconcile the account. It is a lack of segregation of duties that allows some individuals to circumvent intended controls. Top Internal/External Auditor Findings Excessive Access Rights Segregation of duties Access control compliance with procedures Lack of audit trails/logging Lack of documentation of controls Excessive developers’ access to production systems and data Lack of review of audit trails Lack of clean-up of access rules following a role change Use of production data in testing DRP/BCP testing DRP/BCP documentation/currency Lack of documented security policies, guidelines & procedures Servers not hardened consistent with the standards Lack of security awareness programs Lack of separate testing environment Use of weak password parameters Lack of server hardening standards Lack of authorization of changes prior to implementation 0 5 10 Deloitte 2009 15 20 25 30 35 40 45 Indian Univers ities Figure 9: Top External/Internal Auditor Findings Volume 2, Issue 11, November 2013 Page 65 International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com Volume 2, Issue 11, November 2013 ISSN 2319 - 4847 6. DISCUSSION AND CONCLUSION We all understand that protection of institutional information is very essential for the continuity of the business or activity. In order to develop or adopt global standard practices, understanding of present security practices and degree of its effectiveness is very vital. Globally CMU and Earnst & Young are releasing their annual Information Security survey reports and recommendations in the area of higher education. However, unfortunately there is no such information available for Indian Universities and Colleges. This survey not only gives present state of affairs in the institutes of higher education, it also compares the findings with global peers, which include industries as well as academic campuses. This gives fair idea of where do we stand in global perspective and helps us in making a gap analysis with global peers. This gap analysis would form a sound basis for planning and implementation of an appropriate Information Security Management System for the institutes of higher education. The analysis of the parameters presented in paper, when we integrate with the some results published earlier [12] gives a fair picture of the present state of the Indian Universities. The Key findings are as follows: Protecting reputation and image has become a significant driver for information security. Despite economic pressures, organizations continue to invest in information security. International information security standards are gaining greater acceptance and adoption. Privacy is now a priority, but adequate measures needs to be deployed People remain the weakest link for information security, insider threats are real. Business continuity planning is still not getting enough attention Most organizations are unwilling to outsource key information security activities and there is no information sharing on incidents faced The survey highlights the fact that budget allocation for Information Security is still much less compared to the Global Universities. The technical competence of the IS personnel is also indicates much improvement is required. There are very few organizations performing formal ethical hacking and penetration testing to assess the functioning of the security system. At present most of the institutions are not complying with the statutory obligations and are at the risk of getting penalized. This sample doesn’t represent all the categories of Indian Universities and Colleges, mainly institutes of the central part of India are covered. Due to the diverse focus of institutions surveyed and the qualitative format of our research, the results reported herein may not be representative of each identified category. Based on these findings a Information Security Governance plan for Institutes of Higher Education may be developed. This knowledge based solution is expected to achieve more effective and integrated information security. References [1] By Mohammad H. Qayoumi and Carol Woody, “addressing information security risk”, Educause Quarterly volume 28(4), 2005 [2] 10th Global Information Security Survey, 2008 by Ernst and Young, http://www.ey.com/Publication/vwLUAssets/EY_TSRS_GISS2007/$FILE/EY_TSRS_GISS2007.pdf [3] Robert B. Kvavik, IT Security in Higher Education, Survey by Educause Centre for Applied Research, 2006, http://www.mis-asia.com/__data/assets/pdf_file/0004/128668/Global-State-of-Information-Security---2008-survey.pdf [4] Roberts Richardson, 13th CSI Computer and Crime Survey, 2008, http://i.zdnet.com/blogs/csisurvey2008.pdf [5] Peter Hind, Global State of Information Security, CIO Magazine, CSO Magazine & PWC 2008 study, October 2008, http://www.mis-asia.com/__data/assets/pdf_file/0004/128668/Global-State-of-Information-Security---2008-survey.pdf [6] Protecting what matters, The 6th Annual Global Security Survey, by Deloitte, 2008, http://www2.deloitte.com/assets/Dcom-Shared%20Assets/Documents/dtt_fsi_GlobalSecuritySurvey_0901.pdf [7] D.S. Bhilare, A.K. Ramani, S. Tanwani, “Protecting Intellectual Property and Sensitive Information in Academic Campuses from Trusted Insiders: Leveraging Active Directory”, ACM SIGUCCS International conference 2009 on communication and collaboration, St. Louis, USA 11-14 October, 2009, Pages 99-104, ISBN:978-1-60558-477-5, http://doi.acm.org/10.1145/1629501.1629520 [8] Diana Oblinger, “Computer and Network Security and Higher Education’s Core Values,” (Research Bulletin, Issue 6) (Boulder, CO: EDUCAUSE Center for Applied Research,2003), http://connect.educause.edu/Library/ECAR/ComputerandNetworkSecurit/40063 [9] Walton, G., Longstaff, T., & Linger, R. “Computational Security Attributes.” Proceedings of Hawaii International Conference on System Sciences (HICSS-42). IEEE Computer Society Press, 2009. [10] Moore, A. P., Cappelli, D. M., & Trzeciak, R. F. “The ‘Big Picture’ of Insider IT Sabotage Across U.S. Critical Infrastructures” in Insider Attack and Cyber Security: Beyond the Hacker, eds. Stolfo, S.J., et al., Springer Science + Business Media, LLC, 2008. http://www.cert.org/archive/pdf/08tr009.pdf [11] Link to questionnaire: http://www.dauniv.ac.in/questionaire Volume 2, Issue 11, November 2013 Page 66 International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com Volume 2, Issue 11, November 2013 ISSN 2319 - 4847 [12] D.S. Bhilare, A.K. Ramani, S. Tanwani, “An investigation of information security issues in the Indian institutes of higher education: current security state and practices”, International Journal of Computer and Network Security, ISSN: 2076-2739, Vol.2 No.1, pp 108-114, January 2010. [13] Walton, G., Longstaff, T., & Linger, R. “Computational Security Attributes.” Proceedings of Hawaii International Conference on System Sciences (HICSS-42). IEEE Computer Society Press, 2009. [14] Moore, A. P., Cappelli, D. M., & Trzeciak, R. F. “The ‘Big Picture’ of Insider IT Sabotage Across U.S. Critical Infrastructures” in Insider Attack and Cyber Security: Beyond the Hacker, eds. Stolfo, S.J., et al., Springer Science + Business Media, LLC, http://www.cert.org/archive/pdf/08tr009.pdf, 2008. [15] ISO, ISO/IEC 27001, Information technology - Security techniques - Information security management systems, 2005. [16] ISO, ISO/IEC 27002, Information technology - Security techniques - Code of practice for information security management (Redesignation of ISO/IEC 17799:2005), 2005. [17] ISO, ISO/IEC 27005, Information technology - Security techniques - Information security risk management, 2008. [18] The standard of good practice of information security, ISF, https://www.securityforum.org/?page=downloadsogp, 2007. Volume 2, Issue 11, November 2013 Page 67