International Journal of Application or Innovation in Engineering & Management... Web Site: www.ijaiem.org Email: , Volume 2, Issue 11, November 2013

advertisement
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
Volume 2, Issue 11, November 2013
ISSN 2319 - 4847
Information Security Preparedness of Indian
Academic Campuses with respect to Global
Standards: a Gap Analysis
D.S. BHILARE
School of Computer Science & IT,
Devi Ahilya University, Indore, India
ABSTRACT
An effective information security strategy is essential for protecting information assets and ensuring compliance with various
state regulations such as Indian IT ACT; and aspirations of the various stake holders in the Academic Campuses. Institutions are
forced to enhance their attention and budget to protect institutional infrastructure and information assets. Despite this attention,
a very little information is available about the Information Security Governance implementations and its effectiveness in the
Indian universities and colleges. In order to build an effective information protection strategy, it is essential to evaluate and
understand the existing security posture of the Universities with respect to the Global standards and practices.
The study is conducted using ISO/IEC security standards as a basic framework. The major factors affecting information security
are identified. Outcome of these investigations shall help institutions in getting a deeper understanding of current information
security issues and trends; as well as identify areas of concern, for ensuring more secured campuses.
Keywords: information security, higher education, global practices, security gap analysis
1. INTRODUCTION
The primary challenge for any Information Security Officer in the institutes of higher education is to build confidence in
academic community; regarding security of personal, financial and research information. Since 2008, the amended IT Act
has helped in improving information security, but meeting the minimal requirements for compliance does not ensure
protection. Institutions are realizing that much more is needed to effectively mitigate risks and achieve their information
security objectives.
Rising demand for IT services and the widespread distribution and governance of research computing resources, coupled
with an incredible rise in computer crimes, place increasing stress on higher education institution [13]. Even institutes
well known for their IT security investments have suffered resulting in the theft of personal, private or confidential
information. Colleges and Universities too frequently serve as launch-pad for spam and DOS attacks [9].
Inadequate security may interrupt critical services or lead to the theft of sensitive data: student information, employee
information or intellectual property [1]. The loss of public trust or the failure to comply with regulations could result in
severe financial implications. A major security breach could also cause irrevocable damage to institutions reputation. To
effectively protect information assets, it is essential to evaluate institutions present standing in relation to industry best
practices and regulatory requirements. A gap assessment is needed to identify the effective course of action based on
institutional objectives.
In many domains, the concepts of guarding trade secrets, protecting corporate data from competitors, and fighting patent
infringements are well understood. Not all industries are adept at protecting information. Information security is even
more problematic in higher education. The functioning of the IHE calls for sharing of knowledge and providing access to
information and technology. In other words, the concept of information security runs counter to the open culture of
information sharing in academics [14]. The second challenge is the perception of many people that data security is a
technical issue and, therefore, the sole responsibility of IT department or chief information security officer and his team.
To understand the institute’s information security risk, one must identify the critical activities, examine potential threats
and vulnerabilities[8]. Sometimes threats from insider are much greater than the threat from the outsiders [7]. This
involves examining the current IS practices, infrastructure, and methods for utilizing technology in the institution. Thus,
understanding present security state and identifying vulnerabilities is the first step towards protecting the confidentiality,
integrity and availability of critical information. It is also an important component for ensuring regulatory compliance.
The purpose of the investigation is to understand the present information security scenario in the context of Indian
Universities and Colleges, with respect to global information security practices. Efforts are made to compare the level of
local issues and practices with their western peers and also with the overall global industry practices in general. The
survey results and conclusions are studied in global context using the survey results published by well known
international reputed research and consulting houses. The following survey reports are used as a benchmark to assess the
state of Information Security in the Indian institutes of higher education:
Volume 2, Issue 11, November 2013
Page 57
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
Volume 2, Issue 11, November 2013
ISSN 2319 - 4847
The study is expected to indentify major areas of concern, and analyze them to provide the appropriate solutions, in the
Indian context. The study would provide vital input essential for designing an appropriate solution to the various issues
being addressed. The study is expected to provide the following inputs for achieving the said objectives:
 A clear understanding of the security posture of the Indian Academic Institutes with respect to their global peers and
industry
 Major areas of concerns on our campuses
 Identifies the gaps in institutes security controls, policies and processes
 Provides a specific, actionable input to improve overall security posture based on resources, needs and practices in the
remaining world
2. OBJECTIVE
The objective of the whole investigation is to understand, where we stand with respect to global information security
practices. Efforts are made to compare the level of Indian Information Security issues and practices with their western
peers and also with the overall global industry practices in general, irrespective of a particular sector.
3. METHODOLOGY
The following procedure was adopted to gather the required data for conducting the investigation to fulfill the above
stated objectives:
Literature Review
Telephone interviews with:
35 Information technology managers
15 Faculty members
Expert views of a selected security experts
A quantitative survey of 25 institutes of higher education
Efforts were made to take input from the most experienced person in that institute. It was ensured that minimum
experience of the respondent should not be less than five years. In order to be able to pinpoint the specific areas that
require attention, the questionnaire was designed to gather information on the following key aspects of Information
Security based on globally recognized information security standard ISO 27001:2005 and industry best practices:
Governance, Investment, Risk, Use of security technologies, Quality of Operations & Privacy.
Since we are living in a global village, must know about our peers, their way of functioning and practices followed. In
order to ensure secure campuses, it is vital that we measure our performance against recognized benchmarks. This survey
is intended to enable benchmarking against comparable organizations. Benchmarking with a peer group and overall
industry can assist institutions in identifying those practices that, when adopted and implemented, have the potential to
produce more secure campuses.
Most of the survey responses were collected during face-to-face interviews with individuals responsible for information
security at the participating organizations. When this was not possible, the respondents were given to choice to fill it
online[11].
4. PROCEDURE
The following procedure was adopted to gather the required input data for conducting the investigations. Information is
gathered from the literature review and telephonic interviews, covering IT Managers and Faculty members. In addition,
expert views of selected security experts are taken. Finally, a quantitative survey of 25 institutes of higher education is
carried out. As far as possible, the input is taken from the most experienced person in that institute.
In order to pinpoint the specific areas, that require attention, the questionnaire is designed to gather information on
aspects of Information Security based on globally recognized information security standard ISO 27001:2005 and industry
best practices [15], [16], [17], [18]. The questionnaire is based on the following key aspects:
 Governance: It includes compliance with regulations and policy, accountability, management support, assessment
plans, feedback etc.
 Investment: This covers Budgeting, Staffing, and Management aspects.
 Risk: This covers Vulnerabilities, Intentions, Public Networks, and Controls.
 Use of security technologies: Encryption, Knowledge base, Trends, and Technology
 Quality of operations: It covers issues like Business Continuity Management, Benchmarking, Administration,
Prevention, Detection, Response, Privileged Users, Authentication, and Controls.
Volume 2, Issue 11, November 2013
Page 58
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
Volume 2, Issue 11, November 2013
ISSN 2319 - 4847
 Privacy: This includes Compliance with Regulations, Ethics, Data Collection Policies, Communication Techniques,
Safeguards, and Personal Information Protection.
Most of the survey responses were collected during face-to-face interviews with individuals responsible for information
security at the participating organizations. In other cases, the respondents were given the choice to fill it online using the
following link: www.dauniv.ac.in\questionaire.
In the following sections, analysis of the input received from various sources, under various categories is illustrated with
the help of graphs and tables.
5. SURVEY ANALYSIS
An analysis of the feedback received from the respondents is carried out individually as well as with respect to research
outcome & statistics published by the well recognized international research houses. The gap analysis is done in various
categories; as shown below:
1) Respondents by Title
2) Percentage of IT Budget Allocated for Security
3) Primary Responsibilities of CISO
4) Consequences of the Information Security Incidences
5) Percentage of Security Outsourced
6) Expected Increase in the Number of IT Security Staff
7) Number of Incidents per Year
8) Percentage of Losses Due to Insiders
9) Percentage of Key Types of Incidents
10) Security Technologies Used
11) Security Certificates Held by the IT Security Staff
12) Strategies to Reduce Vulnerabilities in the Campus
13) Information Security Testing
14) Assessment of Information Security Measures
15) Actions Taken After an Incident
16) Reasons for Not Responding
17) Use of Information Security Standards
18) Information Security Policy within the Organization
19) Data Retention Policy within the Organization
20) Software Development Process within the Organization
21) Major Barriers in Ensuring Information Security
22) Top Internal/External Audit Findings during the Year
23) Major Causes of failure of Information Security Projects
24) Sharing of Information about Security Incidents with Other Institutions
In the following sections, analysis of the responses received for each category mentioned above is carried out and
illustrated with graphs and tables. Out of these twenty four parameters some of the findings have been published earlier
[12], remaining work is being covered in this paper.
5.1 Percentage of IT Budget Allocated for Security
There are 53 % institutes who are spending less than 5 % of their total IT Budget on Information Security. Figure 1
shows that this allocation is significantly lower than the global peers. Globally, there are more than 20 % respondents
who are spending minimum eight percent, whereas in Indian Universities there are no respondents in this category.
Percentage of IT Budget allocated for Security
35
30
30
27
25
15
27
24
20
18
15
15
12
10
11
11
8
5
0
Unknown
0
> 10 %
0
8 - 10 %
CSI 2008
1
6-7%
3-5%
1-2%
0-1 %
Indian Universities
Figure 1: Percentage of IT Budget Allocated for Security
Volume 2, Issue 11, November 2013
Page 59
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
Volume 2, Issue 11, November 2013
ISSN 2319 - 4847
5.2 Primary Responsibilities of CISO
Survey respondents indicate that the CISO’s primary responsibilities are security governance, Security strategy and
planning, internal security awareness, as well as IT risk management (all rating at least 60%, with security governance as
high as 90%). Respondents indicate that CISOs are least responsible for areas such as web customers’ administration,
external security awareness, disaster recovery planning, and the protection of paper based information (all ratings less
than 40%). These findings do not mean that these latter areas are being necessarily neglected. For example, respondents
indicate that the CISO is more concerned with internal security awareness (74%) than with external awareness (16%).
Respondents also indicate that IT compliance management (at 51%) is part of the responsibility of the CISO. This is an
important responsibility, as in India, IT security laws are still under formation stage. IT Act 2000 is the only instrument
available for security enforcement.
There are two distinct responsibilities to which Indian respondents are giving higher weightage, compared to Deloitte
2008 Global Information Security Survey respondents. These responsibilities are given below:
Responsibility
Deloitte
2008 Survey
44 %
IT Perimeter Security
Business
Management
Continuity
Indi
an Survey
60
%
68%
38 %
Primary Responsibilities of CISO
Privacy
Business continuity Management
Security performance management
Disaster recovery planning
External customers’ security awareness
Interaction with law enforcement authorities
Security web customers’ administration
Physical security
Security governance
Security strategy and planning
Internal security awareness
Security incident response and management
Security assessments
Vulnerability and threat management
Security implementation and integration
Security architecture
IT risk management
Identity and access management
Security administration
Security training
Security consulting
Security investigations
IT compliance management
Third-party security
IT perimeter security
Security employees/users administration
Security operations
Computer forensics
0
10
20
30
40
50
60
Deloitte 2009
70
80
90
100
Indian Universities
Figure 2: Primary Responsibilities of CISO
Volume 2, Issue 11, November 2013
Page 60
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
Volume 2, Issue 11, November 2013
ISSN 2319 - 4847
5.3 Consequences of Information Security Incidences
Damage to reputation and image was cited as the most significant consequence of an information security incident by
83% of survey respondents. This finding, in combination with the concern for regulatory action (80%), loss of revenue
(63%), and the loss of customers (61%) are clear indicators for why information security remains a focus for most
organizations.
The survey results reflect the fact that stakeholder confidence and a positive image can take years to build, but can be
severely damaged by a single incident. For many years, regulatory compliance has been the leading driver for information
security. It has been an important catalyst for raising awareness and driving real improvements. Although cited by 80% of
respondents as a driver for information security, compliance alone is not enough to ensure improvements.
To protect reputation and image many Universities and colleges have gone beyond the requirements of regulatory
compliance to have more secured campuses. Institutes need to build sustainable compliance programs while taking a more
strategic and comprehensive view of information security.
The following graph indicates that on this issue respondents from both the world think alike and are equally concerned.
Consequences of Information security Incidences
Damage to employee relationships
Litigation/legal action
Regulatory action/sanction
Indian
Loss of customers
Ernst & Young 2008
Loss of revenues
Loss of stakeholder confidence
Damage to reputation and brand
0
10
20
30
40
50
60
70
80
90
Figure 3: Consequences of Information Security Incidences
5.4 Percentage of Security Outsourced
Survey showed that in-house security management is around 80 percent, organizations are unwilling to outsource it
completely. Organizations globally tend to outsource some of the highly technical part, remaining they are keeping in
their hand. Perhaps, institutes believe in handling sensitive information themselves.
5.5 Number of incidents per year
Before looking at the nature and cost of incidents, the survey asks respondents to estimate how many incidents they have
had to deal with over the course of the year. The following graph indicates that 35% respondents say that they have had
more than ten incidents per year. If we compare with the global peers 47 % respondents say that they face 1 to 5 incidents
per year. This may be due to number of laws applicable overseas and awareness.
5.6 Percentage of losses due to insiders
The following figure shows that, 42 percent respondents believe that insiders are responsible for 1 – 20 percent losses,
and 47 percent respondents believe that there is no loss on account of insiders. It's certainly true that some insiders are
particularly well-placed to do enormous damage to an organization, but this survey's respondents seem to indicate that
talk of the prevalence of insider criminals may be overblown. On the other hand, we're speaking here of financial losses to
the organization, and in many cases significant insider crimes, such as leaking of credit card information, may not be
detected by the victimized organization and no direct costs may be associated with the theft.
The comparative study also reveals that the industry respondents perceive more losses from insider compared to the
higher education respondents. This is also evident from the budget allocations and attention paid to the issue of insider
Volume 2, Issue 11, November 2013
Page 61
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
Volume 2, Issue 11, November 2013
ISSN 2319 - 4847
threat in higher education compared to industry. Only 41 % Indian University respondents feel that, there is no threat
from the insiders, whereas 61 % industry respondents feel so.
Losses due to Insiders
70
Respondent %
60
50
40
CSI 2008
30
Indian Universities
20
10
0
81100%
6180%
4160%
2140%
1-20%
None
Figure 4: Losses due to Insiders
5.7 Percentage of key types of incidents
The survey asks about a number of different sorts of computer attacks and incidents. In the following figure, a subset of
these are graphed, this chart shows the four categories of highest incidence, namely viruses, insider abuse, laptop theft
and unauthorized access to systems. Incidences related to virus are much higher in the Indian Universities (86 %)
compared to the Industry (50 %). Second important finding is that, laptop theft is much less in the Indian Universities,
perhaps usage is also less. The number of financial frauds is also negligible compared to the industry figures. Though,
cases of unauthorized access and bots are higher compared to the global trends.
S.No.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Table 1: Incident Details
Type of Incidence
CSI 2008
Survey
(Incident
%)
Denial of service
21
Laptop theft
42
Telecom fraud
5
Unauthorized access
29
Virus
50
Financial fraud
12
Insider abuse
44
System penetration
13
Sabotage
2
Theft/loss of proprietary
info
4
From mobile devices 5
From all other sources
Abuse of wireless network
14
Web site defacement
6
Misuse of Web application
11
Bots
20
DNS attacks
8
Instant messaging abuse
21
Password sniffing
9
Theft/loss of customer data
from mobile devices 8
from all other sources 8
Volume 2, Issue 11, November 2013
Indian
University
& Colleges
(Incident %)
17
3
4
35
86
2
33
26
0
0
4
48
12
21
27
17
29
21
2
2
Page 62
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
Volume 2, Issue 11, November 2013
ISSN 2319 - 4847
5.8 Security Certificates Held by the IT Staff
The following graph shows the percentage of certified security professionals in the Indian Universities compared with
western universities (ECAR survey). The graph clearly indicates that Information Security practices are at nascent stage
in the Indian Universities and due to this early stage, there are less number of security professionals working in this area
compared to global benchmark. As shown in the figure, two percent hold the Certified Information Systems Security
Professional (CISSP) certificate. Four and half percent hold the Certified Information Security Manager (CISM), three
percent hold the Global Information Assurance Certification (GIAC) and four percent hold the Certified Information
Systems Auditor (CISA) certificate.
5.9 Strategies to Reduce Vulnerabilities in the Campus
The most often used strategies, which is used by more than 80 percent respondents are limiting protocols allowed through
router or Firewall, restricted access to applications and server, and limiting the URLs allowed through the firewall.
Strategies like “installing a software inventory”, “security devices for identification” and “closed desktop systems” were
used by less than ten percent respondents. Less than fifty percent respondents did not have recovery and backup plan and
isolation strategy for the compromised desktops.
Surprisingly, Indian Universities are far ahead in using URL filtering through firewall (80 percent) compared to global
higher education statistics (45 percent). But lagging far behind in the area of recovery and backup planning, only 11
percent Indian Universities have the required plan, whereas globally 55 percent universities have the backup and recovery
plan in place.
Strategies to Reduce Security Vulnerabilities
Isolating or quarantining computers that do not meet minimum security
requirement
Instituting a recovery or backup plan in case of disasters caused by natural
events or human acts
Installing closed desktop systems that don’t allow user configuration
changes
Installing a softw are inventory system to w atch for malicious softw are or
program changes
Using security devices (such as cards or biometric scanners)
Timing-out access to specific applications after an idle period
Restricting and eliminating access to servers and applications
Limiting the URLs allow ed throughout the firew all
Limiting the type of protocol allow ed thru router
0
10
20
30
ECAR 2006
40
50
60
70
80
90
100
Indian Universities
Figure 5: Strategies to reduce Security Vulnerabilities
5.10 Information Security Testing
Tenth Global Information Security Survey, 2008 conducted by Ernst & Young highlights that the investments in
technology are of little value unless people are trained on what to do and how to do it [2]. This has been recently
reinforced by several high profile information security breaches where it was eventually determined to be a human failure
that brought about the incident and not technical vulnerability. So much emphasis is often placed on technology that the
“people” component of information security is frequently overlooked.
Hackers have long known the easiest way to bypass an information security system is to exploit the people. Simple
techniques such as impersonating IT or company personnel, can be used to gain access to information from unsuspecting
employees. A large percentage of respondents (45%) confirmed that they regularly perform internet testing, but only 9%
of respondents conduct social engineering attempts to test their employees.
Ernst & Young, 2008 GIS survey, confirms that technology plays a pivotal role in information security, but there must
also be a focus on training and awareness programs for information security to operate effectively. Organizations must
view their people to be as critical as any other information security component so they can help prevent and properly
respond to information security incidents in an effective and timely manner.
Volume 2, Issue 11, November 2013
Page 63
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
Volume 2, Issue 11, November 2013
ISSN 2319 - 4847
The following graph shows that the Indian Universities are lagging behind in almost all the areas, except in the area of
application code review, which is perhaps the strength of the Indian Universities. This suggests that level of awareness
need to be improved and more efforts are required to strengthen existing training and awareness programs.
Information Security Penetration Testing
140
120
100
80
60
40
20
0
Internet
testing
Infrastructure
testing
Remote
access
Physical
access to
secure areas
Wireless
testing
Application
Social
source code engineering
reviews
attempts
E & Y 2008
Other
Indian Universities
Figure 6: Information Security Penetration Testing
5.11 Software Development Process within the Organization:
In order to reduce vulnerabilities of software developed in-house, certain procedures should be followed. Some
organizations have focused on educating their development teams on practices that help prevent the inadvertent
introduction of vulnerabilities as applications are created or maintained.
The following graph shows that the Indian Universities are far behind the global developers, in adopting the formal
secure development procedures. Moreover, the global figures are also not very encouraging, less than forty percent
organizations are following formal development procedures. It has been observed that the operating system vulnerabilities
have declined during past few years. Therefore, hackers are now targeting the vulnerabilities present in the applications,
developed in-house.
In-house software development Process
45
40
35
30
25
20
15
10
5
0
39
34
30
29
23
22
CSI 2008
Indian Universities
11
8
3
1
Formal
Process
Established
Formal
Process
Being
Developed
Don’t Know
Other
Informal
Process
Figure 7: In-house Software Development Process
5.12 Major Barriers in Ensuring Information Security
Not surprisingly, budget constraints and the lack of qualified professionals occupy the first two spots, 74% and 56%,
respectively. Current economic crisis has further reduced the IT and security budgets. Respondents have given lowest
priority to the privacy issue, which is bit surprising. If we compare the responses with the “global information security
survey”, conducted by the Deloitte, less number of Indian Universities has considered technology as a barrier. Perhaps,
this indicates that we are good at technology absorption.
Issues like, “increasing sophistication of threats” and “inadequate functionality/interoperability of software” are also at
low priority and not considered as a very significant barrier. Survey shows that management support is far better in the
other part of the world, 45% respondents have reported lack of management support.
Volume 2, Issue 11, November 2013
Page 64
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
Volume 2, Issue 11, November 2013
ISSN 2319 - 4847
Major Barriers in Ensuring Information Security
Budget constraints and/or lack of resources
Increasing sophistication of threats
Emerging technologies
Inadequate availability of security professionals
Indian Universities
Deloitte 2009
Privacy issues and concerns
Inadequate functionality/interoperability of security s/w
Lack of information security strategy
Lack of management support
0
10
20
30
40
50
60
70
80
Figure 8: Major Barriers in Ensuring Information Security
5.13 Top Internal/External Audit Findings during the Year
The top audit finding indicates that the “segregation of duties”, has got the highest priority. There are reports, which
show that cases of forged mark-sheets are higher in those universities, where same persons are involved in the
preparation of the duplicate mark-sheet and verification as well. Indian respondents have identified “Excessive access
rights” as the more serious concern compared to the global respondents. Top three findings are “segregation of duties”
(41%), “access control compliance procedures” (35%) and “lack of clean-up of access rules following a transfer” (32%).
State of “excessive access rights” is better in the Indian Universities compared to the global statistics. Auditors and
regulators expect that individuals will have rights only to the data/information that are needed to perform their jobs. And
when those rights are no longer needed to perform the job, they also expect the rights to be revoked. And “revoked” does
not just mean at some point in the future, it means in a timely fashion. As simple as this sounds in theory, in practice, it is
not. Given changing job responsibilities, a more mobile workforce, employee turnover, and corporate reorganizations and
mergers, this is a big challenge.
Access control compliance has emerged above the lack of clean-up of access rules following the job change. Access and
control compliance reflects the security concern of many organizations of having controls in place to ensure users have
access only to what they need to properly do their jobs.
Auditors look for conflicts in segregation of duties in which one individual has access to responsibilities that are
inherently in conflict with one another. To use a banking example, the same person should not accept cash, record
deposits, make deposits, and reconcile the account. It is a lack of segregation of duties that allows some individuals to
circumvent intended controls.
Top Internal/External Auditor Findings
Excessive Access Rights
Segregation of duties
Access control compliance with procedures
Lack of audit trails/logging
Lack of documentation of controls
Excessive developers’ access to production systems and
data
Lack of review of audit trails
Lack of clean-up of access rules following a role change
Use of production data in testing
DRP/BCP testing
DRP/BCP documentation/currency
Lack of documented security policies, guidelines &
procedures
Servers not hardened consistent with the standards
Lack of security awareness programs
Lack of separate testing environment
Use of weak password parameters
Lack of server hardening standards
Lack of authorization of changes prior to implementation
0
5
10
Deloitte 2009
15
20
25
30
35
40
45
Indian Univers ities
Figure 9: Top External/Internal Auditor Findings
Volume 2, Issue 11, November 2013
Page 65
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
Volume 2, Issue 11, November 2013
ISSN 2319 - 4847
6. DISCUSSION AND CONCLUSION
We all understand that protection of institutional information is very essential for the continuity of the business or
activity. In order to develop or adopt global standard practices, understanding of present security practices and degree of
its effectiveness is very vital. Globally CMU and Earnst & Young are releasing their annual Information Security survey
reports and recommendations in the area of higher education.
However, unfortunately there is no such information available for Indian Universities and Colleges. This survey not only
gives present state of affairs in the institutes of higher education, it also compares the findings with global peers, which
include industries as well as academic campuses. This gives fair idea of where do we stand in global perspective and
helps us in making a gap analysis with global peers. This gap analysis would form a sound basis for planning and
implementation of an appropriate Information Security Management System for the institutes of higher education. The
analysis of the parameters presented in paper, when we integrate with the some results published earlier [12] gives a fair
picture of the present state of the Indian Universities. The Key findings are as follows:







Protecting reputation and image has become a significant driver for information security.
Despite economic pressures, organizations continue to invest in information security.
International information security standards are gaining greater acceptance and adoption.
Privacy is now a priority, but adequate measures needs to be deployed
People remain the weakest link for information security, insider threats are real.
Business continuity planning is still not getting enough attention
Most organizations are unwilling to outsource key information security activities and there is no information sharing on
incidents faced
The survey highlights the fact that budget allocation for Information Security is still much less compared to the Global
Universities. The technical competence of the IS personnel is also indicates much improvement is required. There are
very few organizations performing formal ethical hacking and penetration testing to assess the functioning of the security
system. At present most of the institutions are not complying with the statutory obligations and are at the risk of getting
penalized.
This sample doesn’t represent all the categories of Indian Universities and Colleges, mainly institutes of the central part
of India are covered. Due to the diverse focus of institutions surveyed and the qualitative format of our research, the
results reported herein may not be representative of each identified category. Based on these findings a Information
Security Governance plan for Institutes of Higher Education may be developed. This knowledge based solution is
expected to achieve more effective and integrated information security.
References
[1] By Mohammad H. Qayoumi and Carol Woody, “addressing information security risk”, Educause Quarterly volume
28(4), 2005
[2] 10th
Global
Information
Security
Survey,
2008
by
Ernst
and
Young,
http://www.ey.com/Publication/vwLUAssets/EY_TSRS_GISS2007/$FILE/EY_TSRS_GISS2007.pdf
[3] Robert B. Kvavik, IT Security in Higher Education, Survey by Educause Centre for Applied Research, 2006,
http://www.mis-asia.com/__data/assets/pdf_file/0004/128668/Global-State-of-Information-Security---2008-survey.pdf
[4] Roberts Richardson, 13th CSI Computer and Crime Survey, 2008, http://i.zdnet.com/blogs/csisurvey2008.pdf
[5] Peter Hind, Global State of Information Security, CIO Magazine, CSO Magazine & PWC 2008 study, October 2008,
http://www.mis-asia.com/__data/assets/pdf_file/0004/128668/Global-State-of-Information-Security---2008-survey.pdf
[6] Protecting
what matters, The 6th
Annual
Global Security Survey,
by Deloitte, 2008,
http://www2.deloitte.com/assets/Dcom-Shared%20Assets/Documents/dtt_fsi_GlobalSecuritySurvey_0901.pdf
[7] D.S. Bhilare, A.K. Ramani, S. Tanwani, “Protecting Intellectual Property and Sensitive Information in Academic
Campuses from Trusted Insiders: Leveraging Active Directory”, ACM SIGUCCS International conference 2009 on
communication and collaboration, St. Louis, USA 11-14 October, 2009, Pages 99-104, ISBN:978-1-60558-477-5,
http://doi.acm.org/10.1145/1629501.1629520
[8] Diana Oblinger, “Computer and Network Security and Higher Education’s Core Values,” (Research Bulletin, Issue
6)
(Boulder,
CO:
EDUCAUSE
Center
for
Applied
Research,2003),
http://connect.educause.edu/Library/ECAR/ComputerandNetworkSecurit/40063
[9] Walton, G., Longstaff, T., & Linger, R. “Computational Security Attributes.” Proceedings of Hawaii International
Conference on System Sciences (HICSS-42). IEEE Computer Society Press, 2009.
[10] Moore, A. P., Cappelli, D. M., & Trzeciak, R. F. “The ‘Big Picture’ of Insider IT Sabotage Across U.S. Critical
Infrastructures” in Insider Attack and Cyber Security: Beyond the Hacker, eds. Stolfo, S.J., et al., Springer Science +
Business Media, LLC, 2008. http://www.cert.org/archive/pdf/08tr009.pdf
[11] Link to questionnaire: http://www.dauniv.ac.in/questionaire
Volume 2, Issue 11, November 2013
Page 66
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
Volume 2, Issue 11, November 2013
ISSN 2319 - 4847
[12] D.S. Bhilare, A.K. Ramani, S. Tanwani, “An investigation of information security issues in the Indian institutes of
higher education: current security state and practices”, International Journal of Computer and Network Security,
ISSN: 2076-2739, Vol.2 No.1, pp 108-114, January 2010.
[13] Walton, G., Longstaff, T., & Linger, R. “Computational Security Attributes.” Proceedings of Hawaii International
Conference on System Sciences (HICSS-42). IEEE Computer Society Press, 2009.
[14] Moore, A. P., Cappelli, D. M., & Trzeciak, R. F. “The ‘Big Picture’ of Insider IT Sabotage Across U.S. Critical
Infrastructures” in Insider Attack and Cyber Security: Beyond the Hacker, eds. Stolfo, S.J., et al., Springer Science +
Business Media, LLC, http://www.cert.org/archive/pdf/08tr009.pdf, 2008.
[15] ISO, ISO/IEC 27001, Information technology - Security techniques - Information security management systems,
2005.
[16] ISO, ISO/IEC 27002, Information technology - Security techniques - Code of practice for information security
management (Redesignation of ISO/IEC 17799:2005), 2005.
[17] ISO, ISO/IEC 27005, Information technology - Security techniques - Information security risk management, 2008.
[18] The standard of good practice of information security, ISF, https://www.securityforum.org/?page=downloadsogp,
2007.
Volume 2, Issue 11, November 2013
Page 67
Download