Chapter 1
INTRODUCTION
Topic:
Establishing an IT policy for a college using COBIT 5.
Objective:
To find out the possible ways of managing security pertaining to IT-related goals in an educational institute, and to perform information classification, risk assessment and risk analysis to identify threats, categorise assets and rate system vulnerabilities, so that the results can be used in the formulation of an IT policy for the college.
Methodology:
An exploratory methodology will be followed in our research, to find out the possible ways of managing security pertaining to IT-related goals in an educational enterprise. For reference purposes it may be necessary to use COBIT's diagnostic tools, auditing procedures and guidelines. Based on the domains and processes identified, key goal indicators (KGIs) and key performance indicators (KPIs) will be utilised to manage security. [1]
Scope:
In this research project, the exploration will examine professional and personal needs pertaining to IT-related goals in an educational enterprise. The scope will include the security management related processes for managing the IT enterprise of our educational institute. COBIT 5 being a vast framework, APO13 Manage Security has been shortlisted as the supporting process for the security function. This includes the following key management practices:
APO13.01 - Establish and maintain an ISMS
APO13.02 - Define and manage an information security risk treatment plan
APO13.03 - Monitor and review the ISMS
Introduction:
Security management is the identification of an organization's assets (including information assets), followed by the development, documentation, and implementation of policies and procedures for protecting these assets. An organisation uses such security management procedures as information classification, risk assessment, and risk analysis to identify threats, categorise assets, and rate system vulnerabilities so that it can implement effective controls.
This research is concerned with issues relating to the management of information security in an educational institute, motivated by the need to manage security in the college.
Universities face a variety of Information security threats. These include disruption to the functioning of a university network, through to more general and targeted attempts to obtain valuable information from networks and their users.
The aim of this Research is to establish an IT policy for the college using COBIT’s diagnostic tools and auditing procedures and guidelines to ensure that staff and students of the SCIT all understand the importance of Information Security Management as defined above and in the policy as it relates to the information they gather, process and store and the legal and ethical responsibilities that are incumbent on them both as individuals and as members of the SCIT staff.
Control Objectives for Information and Related Technology (COBIT) is a framework created by ISACA for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. The COBIT 5 framework is built on five basic principles, which are covered in detail, and includes extensive guidance on enablers for governance and management of enterprise IT.
The COBIT 5 processes are split into governance and management "areas". These 2 areas contain a total of 5 domains and 37 processes:
• Governance of Enterprise IT
o Evaluate, Direct and Monitor (EDM) – 5 processes
• Management of Enterprise IT
o Align, Plan and Organize (APO) – 13 processes
o Build, Acquire and Implement (BAI) – 10 processes
o Deliver, Service and Support (DSS) – 6 processes
o Monitor, Evaluate and Assess (MEA) – 3 processes
The framework lists the following core processes for the Manage Security function in COBIT 5.
FIG 1: Processes in COBIT 5
As mentioned above, our scope is confined to one of the 13 processes in Align, Plan and Organize, i.e. APO13 Manage Security.
Chapter 2
LITERATURE REVIEW:
COBIT 5 is an open standard for IT controls, and provides generally accepted standards for security management and IT control practices to support management. The COBIT framework is a set of guidelines that consists of a Maturity Model, Critical Success Factors, Key Goal Indicators and Key Performance Indicators.
Improvements in the performance and capacity of high performance computing facilities, the introduction by many institutions of massive open online courses, the enhancements in virtual learning environment systems and the increasing use of mobile devices by students and staff are just some of the changes in technology that present both significant opportunities and considerable risks. These areas have changed the way that universities deliver their learning, teaching and research activities, but at the same time the management of new risks, particularly those associated with the security of information and systems, has not received the same. (ISACA, http://www.isaca.org/Journal/archives/2006/Volume-5/Pages/JOnline-Implementing-COBIT-in-Higher-Education-Practices-That-Work-Best1.aspx , 2012)
COBIT 5 and Security Management
The COBIT 5 process APO13 requires that an Information Security Management System be developed and implemented to coordinate and manage effectively and efficiently the resources and processes used, and the controls required to ensure ongoing confidentiality, integrity and availability of information and information systems in line with predefined operational and strategic objectives.
The process APO13 (Information security management) addresses a broad range of issues and assets that support business operations. There is hardly an IT activity that is not linked to information security. In COBIT 5 every process has an aspect that impacts information security or is impacted by information security.
Because the need is ubiquitous, information security is best managed with a single, holistic management system. This is similar to ISO 27001, which also requires a set of interrelated, or interacting elements that organizations use to direct and control how security policies are implemented and security objectives are achieved. As with the COBIT 5 APO13 management system for information security, the purpose of the ISO 27001 management system is to orchestrate and co-ordinate the various actions required to design, implement, execute and sustain the desired level of information security across the organization. (Governance, 2013)
FIG 2 : Align, Plan and Organise
A RACI matrix is used to implement COBIT in an organization, but no prior study or research has been done in the field of implementing COBIT in the educational sector, so I'll be using the same methodology while implementing COBIT in the education sector.
A responsibility assignment matrix (RAM), also known as a RACI matrix, describes the participation by various roles in completing tasks or deliverables for a project or business process. It is especially useful in clarifying roles and responsibilities in cross-functional/departmental projects and processes.
FIG 3 : RACI
Processes describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
The information security planning, designing, deployment and monitoring is done for these individual components. This approach keeps the teams focused. The policies, procedures, guidelines, standards, technologies and tools are built for these components. This approach provides granularity in managing each focus area and also leads to a defense-in-depth architecture. Each of the components contributes to building the control standards and control procedures that satisfy high-level policy requirements. This is a bottom-up approach which serves to mitigate the top-level security concerns for business processes by providing adequate security for the assets used by these processes. The work of mapping all business processes to assets is currently being carried out. The business processes are being ranked based on the criticality and impact they may have on the business. If one asset, e.g., a server, is hosting multiple IT processes supporting multiple business processes, it gets the ranking attributed to the most critical business process. (Kadam, Information Security Management at HDFC Bank: Contribution of Seven Enablers, 2015)
This research focuses on the COBIT framework and the importance of its adoption in academic institutions, universities and organizations. Case studies of adopting the COBIT framework in higher education institutions are selected and analysed. Three case studies are employed, based on the framework, from Australian Higher Education Institutions, Curtin University of Technology, and Viana do Castelo Polytechnic Institute. (Othman, 2013)
Case studies: Australian Higher Education Institutions; Curtin University of Technology; Viana do Castelo Polytechnic Institute (IPVC)

Goals
- Australian Higher Education Institutions: The main goals are to attain excellence in teaching, learning, research, and development.
- Curtin University of Technology: Reduce the time required for the implementation of its IT governance program; success in achieving its fundamental goals of IT governance; transform organizational practices.
- IPVC: In order to ensure IT governance through effective mechanisms, it is necessary to manage and monitor the information technology.

Framework
- Australian Higher Education Institutions: The COBIT 3.0 & 4.0 frameworks are implemented for the evaluation of IT processes in the institution. IT governance has also been implemented by both institutions through a combination of structures, processes and relational mechanisms.
- Curtin University of Technology: The COBIT 4.1 framework is implemented to clarify the confusion existing in the practices that have evolved through the years. It assists employees in understanding and acknowledging that there are enhanced methods of carrying out their missions and responsibilities.
- IPVC: The COBIT 4.1 framework is implemented at the institution to guarantee a positive outcome of quality services certification and management and control of IS and IT. Consequently, the results were effective.

Findings
- Australian Higher Education Institutions: Institution A proceeded with the implementation of COBIT 3.0 to improve individual processes for tackling the requirement for centralized decision making. Institution B proceeded with the implementation of the COBIT 4.0 framework to improve processes throughout the university as opposed to confining it to central IT.
  • The COBIT implementation in both institutions provided experiences for institutions of the same caliber in the domain of Information Technology.
  • In both institutions, the communication enhancement between IT and business has resulted in the increasing acceptance of IT.
- Curtin University of Technology:
  • The COBIT framework needs the utilization of an effective project management methodology. The Information Management Services (IMS) claims that COBIT provides a framework characterized as facilitating economical continuous improvement.
  • From COBIT, staff can acquire global-standard methods, self-auditing standards, best practices and almost every requirement guiding the university's attempts for process improvement.
  • COBIT Audit Guidelines allowed the staff to create initial strategies to enhance the audit objectives maturity.
- IPVC:
  • Through the implementation of COBIT at IPVC, the quality care of the administrative services has improved and the IS is efficiently controlled and managed.
  • COBIT minimized to about 90% the number of communication failures between services and users, and assisted in defining indicators to assess the performance of the services in information technology.
  • COBIT enabled the setting of plans and policies to manage IT and reduced the time of task execution by about 25%. Controls and monitoring of technological infrastructure components were more efficient.
  • COBIT minimized by 30% the number of incidents resolved and finalized by several IT departments and minimized by over 10% the number of recurring incidents.
Table 1. Summary of three case studies
The above study did not address the security management perspective. The above literature study provides an overview of IT governance, the necessity of IT governance in organizations and higher education, the COBIT framework and the concepts related to framework implementation. By examining previous studies, the awareness between business and IT is important, because it is possible that an organization has all IT governance structures and processes in place and still lacks it. In order to reach effective IT governance, the business and IT should understand each other.
Chapter 3
Analysis of Problem under Research:
There is no Information Security Policy in the College. Information systems play a major role in supporting the day-to-day activities of the College. The availability, confidentiality and the data integrity of the College's information systems are essential to the success of its academic and administrative activities. Effective security is achieved by working with a proper discipline, in compliance with legislation and College policies and by adherence to approved College Codes of Practice.
Alternate Solutions and their advantages and disadvantages:
To develop an Information security policy by referring to ISO27001.
ADVANTAGES OF ONLY USING ISO27001 TO MAKE IS POLICY.
1. ISO 27001 certification serves as a public statement of an organization’s ability to manage information security.
2. It ensures that information security management system and security policies continue to evolve and adapt to changing risk.
DISADVANTAGES OF ONLY USING ISO27001 TO MAKE IS POLICY.
1. It is a stand-alone guidance and it is not integrated into a wider framework for IT governance.
So we must relate and construct a mapping between the COBIT 5.0 framework and the ISO 27001 standard for making the IS policy for the college. The two frameworks are complementary and may be more beneficial when used together to address information security governance issues. Using COBIT alone already addresses all of the information security duties; however, combining it with ISO 27001 describes those duties in a more comprehensive manner than COBIT 5.0 does by itself.
Proposed Solution:
In this Research Project, I will be using COBIT 5.0 framework’s sub process APO 13 “Manage Security” to frame an Information Security policy for our college.
Steps for Implementing APO 13 “Manage Security”
• Determine the goal of the enterprise.
• To align operations with enterprise goals, cascade down to processes and identify key practices, activities and tasks within the processes.
• For each process selected, clarify the outcomes and identify the key practices and related work products.
• Map these key practices and work products to the underlying support processes.
• Check the logical sequence of these support processes, keep only what is essential.
• Assign process tasks (i.e. issues) to relevant persons.
• Track each assigned task through to completion.
Goal of the Enterprise.
In order to make sure IT governance through effective mechanisms, it is necessary to manage and monitor the information technology.
APO 13 “Manage Security”
Fig 4. Establish and maintain an ISMS
Fig 5. Define and manage an information security risk treatment plan, and monitor and review the ISMS
APO13.01 Establish and maintain an ISMS
Activities involved under this process are:
• Define the scope and boundaries of the ISMS in terms of the characteristics of the enterprise, the organisation, its location, assets and technology, and include details of and justification for any exclusions.
The scope of ISMS is the whole college and all the departments within the college.
• Define an ISMS in accordance with enterprise policy and aligned with the enterprise, the organisation, its location, assets and technology.
An IT policy for SCIT has been formulated.
• Align the ISMS with the overall enterprise approach to the management of security.
The policy is aligned with the other policies of SCIT.
• Obtain management authorisation to implement and operate or change the ISMS.
That has been done.
• Prepare and maintain a statement of applicability that describes the scope of the ISMS.
• Define and communicate Information security management roles and responsibilities.
• Communicate the ISMS approach.
APO13.02 Define and manage an information security risk treatment plan.
Maintain an information security plan that describes how information security risk is to be managed and aligned with the enterprise strategy and enterprise architecture. Ensure that recommendations for implementing security improvements are based on approved business cases and implemented as an integral part of services and solutions development, then operated as an integral part of business operation.
Activities involved under this process are:
• Formulate and maintain an information security risk treatment plan aligned with strategic objectives and the enterprise architecture. Ensure that the plan identifies the appropriate and optimal management practices and security solutions, with associated resources, responsibilities and priorities for managing identified information security risk.
The risk assessment process shown below will be used, and after all the risks are identified they will be entered into the risk treatment template shown below. A questionnaire will be designed by me for the staff of the college and the knowledge analysis of the staff from an information security perspective will be done.
Fig 6. SAQ for Gap Analysis
Fig7. Risk Treatment Plan.
Fig8. Risk Treatment template.
• Maintain as part of the enterprise architecture an inventory of solution components that are in place to manage security-related risk.
This will be done once the risk treatment plan is in action.
• Develop proposals to implement the information security risk treatment plan, supported by suitable business cases, which include consideration of funding and allocation of roles and responsibilities.
Once the risk treatment plan is ready it will be approved by the management.
• Provide input to the design and development of management practices and solutions selected from the information security risk treatment plan.
• Define how to measure the effectiveness of the selected management practices and specify how these measurements are to be used to assess effectiveness to produce comparable and reproducible results.
• Recommend information security training and awareness programmes.
Training will be given to the staff; based on that training an assessment will be taken and the results of the awareness assessment will be compared.
• Integrate the planning, design, implementation and monitoring of information security procedures and other controls capable of enabling prompt prevention, detection of security events and response to security incidents.
APO13.03 Monitor and review the ISMS (will be done after policy making).
Maintain and regularly communicate the need for, and benefits of, continuous information security improvement. Collect and analyse data about the ISMS, and improve the effectiveness of the ISMS. Correct non-conformities to prevent recurrence. Promote a culture of security and continual improvement.
Activities involved under this process are:
• Undertake regular reviews of the effectiveness of the ISMS policy and objectives and review of security practices. Take into account results of security audits, incidents, results from effectiveness measurements, suggestions and feedback from all interested parties.
• Conduct internal ISMS audits at planned intervals.
• Undertake a management review of the ISMS on a regular basis to ensure that the scope remains adequate and improvements in the ISMS process are identified.
• Provide input to the maintenance of the security plans to take into account the findings of monitoring and reviewing activities.
• Record actions and events that could have an impact on the effectiveness or performance of the ISMS.
Chapter 4
FINDINGS AND CONCLUSION
The Policy on Green IT in SCIT Lab is in conjunction with the document on
Policy and Procedure
SCIT Lab has laid down policies and procedures for daily operation and best practices for the maintenance of equipment and facilities. Towards this, a special mention is called for enunciating a policy on Green IT in the SCIT Lab. The aspects covered include procurement, usage and disposal.
The objective of the Green IT policy is to ensure the spirit of Reuse, Reduce and Recycle is followed in spirit and action. The policy encompasses the following areas of the Lab:
Equipment Procurement: Efforts will be taken to procure all equipment from Energy Star partners. Desktops should be selected with low energy consumption and laser printers with Green functionality. Server virtualization should be on the agenda to save energy. Consumables made of recycled material should be procured wherever possible. Use of refilled printer cartridges should be encouraged, as well as the use of recycled paper.
Daily operation: There should be no wastage of power in the Lab. Only the necessary light points and fans are to be switched on, and those not required should consciously be switched off. Similarly, equipment (PCs, printers, laptops and similar electronic equipment) not required should be kept in a powered-off state. Air conditioning should be kept running mainly for operational and environmental purposes. Newly designed racks must be used to avoid uneven flow of conditioned air over the equipment, lessening the demand for cooling.
Equipment Disposal: Considering the hazards of careless disposal of scrap electronic and computer equipment, a conscious policy for this has been followed. Items for scrap are never to be dumped as landfill. An authorized agent collects the junk material from the centralized stores. Equipment that is unrepairable or beyond economic repair is to be isolated following the established procedure, and the agent is to be intimated through central stores. The solar panels on the top of the building supplement the power requirement of the Lab.
Green Consciousness: Volunteers from the SCIT fraternity (all staff and students) are to become Green IT champs who make an extra effort to ensure minimum consumption of electricity in the premises. They are to make their own plan of activities, ready to perform, for creating awareness about the present crisis and also to measure the effect of their efforts. Their details can be posted on the website (including their action plan). Quarterly or biannual meets can be organized where they share their experiences, and selected experience reports can also be posted on the website.
A. Findings
As per the risk assessment conducted via personal interaction with the Lab team and a few of the students and staff, it was evident that the institute was lacking in major respects with reference to information security policy and documentation. There is awareness among key personnel about information security, but the roles defined and the number of resources available can be highlighted as the major reason for the lack of implementation and inheritance of an IS culture in the institute.
Key findings were:
• Non Availability of Information Security policy either at the university level or at the institute level.
• Non availability of separate dedicated resources for protection of sensitive information except the system administrators and network hardware Engineers.
• Non availability of training records for the system administrators managing the IT resources of the institute before hiring, during employment or on termination of employment.
• No budget has been allocated specifically as per the senior system administrator.
• Absence of escalation hierarchy/reporting structure for raising security incidents systematically.
• The attendance portal, the university portal and the SCIT website are handled by a third-party vendor, SRV Media, which follows its own IT policy for handling SCIT data. Vulnerabilities exist there but have not been identified yet.
• SCIT protects its data through Symantec End Point Security solution. USB access is blocked for students through it but access has been given to the staff members. It also protects the system from email hacking etc.
• Absence of ACLs or RBAC list. The same has neither been documented nor is it maintained suitably.
• Servers and workstations are being backed up on weekly basis on every Saturday. Storage of the same is done in USB external hard disks.
• As per requirement of the institute all systems must have antivirus as well as antispyware.
• Firewall and server logs are regularly monitored through OS firewalls, without an IDS or IPS. The reason given was that an IDS/IPS would slow the network if switched on.
• Web browsing is protected by Cyber Roam Policy mentioned in Appendix 2. Access to entertainment sites, pornographic sites etc. has been blocked for all users.
• Patch management is done only when the service provider informs the institute that a new version of the product has appeared in the market. Regular security patch updates for software such as Adobe PDF Reader and Flash Player are not checked, either manually or automatically. The approach has been reactive rather than proactive.
• Remote access has been provided to the laptop owners. Total 10 laptops are there in the institute.
• Asset register is maintained properly and asset labelling is there on each hardware and software.
• WiFi is WEP encrypted. It should be WPA2 encrypted, as that is more secure.
• SCIT password policy is minimum 8 characters, having alphanumeric characters and the same needs to be changed on every 30 days.
• The fire alarm at the SAP Lab has not been working since the senior system administrator joined. There is also no escalation mechanism through a purchase requisition for procurement of a replacement.
B. Discussion
The following framework is recommended to improve the condition of SCIT regarding IS.
How would you evaluate your organization?
• Level 1: See little value in proactive risk management. Few formal risk management programs. Implement controls when faced with problem.
• Level 2: General awareness of risk management and some appreciation. Business units monitor risk, but no centralized processes, systemic monitoring, or defined accountability
• Level 3: Aware of risk management and set up some mechanisms to monitor risks, e.g., internal audit. May promote self-assessments, e.g, through checklists.
• Level 4: Risk management position created to review “hot spots,” assist in risk assessment, keep score. Consider quantitative and qualitative factors. Rely on knowledge, judgment and influence of acting CRO.
• Level 5: CEO is risk management champion. Well defined risk management process. Track progress against action plans. Balanced scorecard with continuous improvement. Trustees engaged.
Source: Global Association of Risk Professionals, Harvard Business School
Limitations encountered during the project were the unavailability of any reference data regarding the research in the college, so all data had to be produced from scratch; the non-availability of dedicated time for the research due to the liabilities of other positions held in the college and engagement in multiple event coordination; and the initial non-availability of certain staff members due to the NAAC audit and visits.
The future scope of work within this research could be to implement and test the framework proposed above.
C. Conclusion
Based on the above findings we are proposing an IT Policy Document for SCIT as a part of this research.
Note :
1) Security note on the Cyberoam Firewall 500ia, build 10.02.0 build 473
a) Our Cyberoam firewall is integrated with Active Directory Services; nobody is able to access the internet unless and until they have registered their MAC address with the Wi-Fi access point.
b) Cyberoam control panel changes are limited to two PCs from which the changes are made; no other machine in the network can make changes in the control panel or dashboard.
c) HTTP and HTTPS appliance access is disabled from outside, so that a hacker will not be able to log in.
2) Switch details
a) 3Com 24-port, QTY 13 (non-manageable switches)
3) Wi-Fi details
a) D-Link Access Point 2100
Fig 9: SCIT network Diagram
Fig 10: SCIT network Diagram with labs and WiFi
Risk Factors:
The risk factors could be as per the sample threat–vulnerability (TV) analysis below (Toma, Alexa, & Şarpe, 2014).
Table 1: Threat – Vulnerability – Risk Report & Recommendations
Risk No. | Vulnerability | Threat | Risk of / Compromise of | Risk Summary
1 | Eatables found in SCIT Data Center | Rodents | Availability of SCIT data | Rodents would eat the wires, thus causing damage and compromising the availability of SCIT.
2 | SCIT user identifiers (IDs) no longer required are not | Unauthorized Use | Confidentiality & integrity of SCIT data | Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of SCIT data.
3 | SCIT access privileges are granted on an ad-hoc basis rather than using pre-defined roles | Unauthorized Access | Confidentiality & integrity of SCIT data | Unauthorized access via ad-hoc privileges could compromise confidentiality & integrity of SCIT data.
4 | Bogus TCP packets (> 50000 bytes) directed at port 1521 will cause SCIT to stop responding | Malicious Use, Computer Crime | Availability of SCIT data | Denial of service attack via large bogus packets sent to port 1521 could render SCIT unavailable for use.
5 | Outdated version of antivirus being used | Malicious Use, Computer Crime | Confidentiality & integrity of SCIT data | Exploitation of unpatched antivirus could compromise confidentiality & integrity of SCIT data.
6 | User names & passwords are in scripts & initialization files | Malicious Use, Computer Crime | Confidentiality & integrity of SCIT data | Exploitation of passwords in script & initialization files could result in compromise of confidentiality & integrity of SCIT data.
7 | Passwords are not set to expire; regular password changes are not enforced | Malicious Use, Computer Crime | Confidentiality & integrity of SCIT data | Compromise of unexpired/unchanged passwords could result in compromise of confidentiality & integrity of SCIT data.
8 | No firewalls | Illegitimate use | Confidentiality & integrity of SCIT data | Prevention of legitimate access rights by disrupting traffic during the transaction among the users of the E-Learning system.
9 | Remote OS authentication is enabled but not used | Malicious Use, Computer Crime | Confidentiality & integrity of SCIT data | Enabling remote access when not necessary may compromise confidentiality & integrity of data.
10 | Sensitive SCIT data is stored on USB drives | Malicious Use, Computer Crime | Confidentiality of SCIT data | Loss or theft of USB drives could result in compromise of confidentiality of SCIT data.
11 | No key wrapping/traffic flow security | Brute-force attack, Traffic Analysis | Confidentiality, availability & integrity of SCIT data | Leakage of information by abusing the communication channel could result in compromise of confidentiality of SCIT data.
12 | Clear Screen Policy not implemented | Unauthorised Access | Confidentiality, Availability & Integrity of SCIT | Unauthorised access to confidential information can lead to data being deleted or modified, resulting in compromise of CIA of SCIT.
13 | Media Management not configured properly | Unauthorised Access, Repudiation, Masquerade | Confidentiality, Availability & Integrity of SCIT | Unauthorised access to confidential information can lead to data being deleted, modified or accessed with login credentials, resulting in compromise of CIA of SCIT.
14 | No Backup Server | Natural Disaster | Availability of SCIT | Data loss will result in compromise of Availability of SCIT.
15 | Asset Labelling not implemented | Sabotage | Availability of SCIT | Asset loss or intentional theft or damage of unlabelled assets will result in compromise of Availability of SCIT.
16 | No System Documentation | Loss of Critical Personnel | Availability of SCIT | May result in compromise of Availability of SCIT.
17 | Background check of vendors pending as per Service Level Agreement (SLA) | Malicious Hacker, Cyber Criminal | Confidentiality, Availability & Integrity of SCIT | A person with a criminal background can cause damage or theft of information assets and result in compromise of Confidentiality, Availability & Integrity of SCIT.
B. Discussion
The following maturity framework is recommended to improve the condition of SCIT regarding IS.
How would you evaluate your organization?
• Level 1: Sees little value in proactive risk management. Few formal risk management programs. Controls are implemented only when a problem arises.
• Level 2: General awareness of risk management and some appreciation of it. Business units monitor risk, but there are no centralized processes, systematic monitoring, or defined accountability.
• Level 3: Aware of risk management and has set up some mechanisms to monitor risks, e.g., internal audit. May promote self-assessments, e.g., through checklists.
• Level 4: A risk management position has been created to review “hot spots,” assist in risk assessment and keep score. Quantitative and qualitative factors are considered. Relies on the knowledge, judgment and influence of the acting CRO.
• Level 5: The CEO is the risk management champion. Well-defined risk management process. Progress is tracked against action plans. Balanced scorecard with continuous improvement. Trustees are engaged.
Source: Global Association of Risk Professionals, Harvard Business School
Limitations encountered during the project included the unavailability of any reference data regarding the research in the college; all data had to be produced from scratch. Dedicated time for the research was not available because of the liabilities of other positions held in the college and engagement in coordinating multiple events. Limitations were also faced in terms of the initial non-availability of certain staff members due to the NAAC audit and visits.
The future scope of work within this research could be to implement and test the framework proposed above.
C. Conclusion
IT POLICY
SYMBIOSIS CENTER FOR INFORMATION TECHNOLOGY
Introduction
The confidentiality, integrity and availability of information, in all its forms, are critical to the ongoing functioning and good governance of SCIT. Failure to adequately secure information increases the risk of financial and reputational losses from which it may be difficult for SCIT to recover.
This information security policy outlines SCIT’s approach to information security management. It provides the guiding principles and responsibilities necessary to safeguard the security of the College’s information systems. Supporting policies, codes of practice, procedures and guidelines provide further details.
SCIT is committed to a robust implementation of Information Security Management. It aims to ensure the appropriate confidentiality, integrity and availability of its data. The principles defined in this policy will be applied to all of the physical and electronic information assets for which SCIT is responsible. SCIT is specifically committed to preserving the confidentiality, integrity and availability of documentation and data supplied by, generated by and held on behalf of third parties pursuant to the carrying out of work agreed by contract, in accordance with the requirements of the information security management standard ISO/IEC 27001.
Purpose
The primary purposes of this policy are to:
1. Ensure the protection of all SCIT information systems (including but not limited to all computers, mobile devices, networking equipment, software and data) and to mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems.
2. Make certain that users are aware of and comply with all current and relevant IT legislation, including the IT Act.
3. Provide a safe and secure information systems working environment for staff, students and any other authorized users.
4. Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data that they handle.
5. Protect SCIT from liability or damage through the misuse of its IT facilities.
6. Respond to feedback and update as appropriate, initiating a cycle of continuous improvement.
Scope
This policy is applicable to, and will be communicated to, all staff, students, other members of the College and third parties who interact with information held by SCIT and the information systems used to store and process it. This includes, but is not limited to, any systems or data attached to the SCIT data or telephone networks, systems managed by SCIT, mobile devices used to connect to SCIT networks or to hold SCIT data, data over which SCIT holds the intellectual property rights, data over which SCIT is the data owner or data custodian, and communications sent to or from SCIT.
Mission
The college is committed to protecting the security of its information and information systems in order to ensure that: (1) the integrity of information is maintained, so that it is accurate, up to date and fit for purpose; (2) information is always available to those who need it and there is no disruption to the business of the University; (3) confidentiality is not breached, so that information is accessed only by those authorized to do so; (4) the University meets its legal requirements, including those applicable to personal data under the Data Protection Act; and (5) the reputation of the University is safeguarded.
Legal & Regulatory Obligations
The Symbiosis Center For Information Technology has a responsibility to abide by and adhere to all current Indian legislation as well as a variety of regulatory and contractual requirements. A non-exhaustive summary of the legislation and regulatory and contractual obligations that contribute to the form and content of this policy is provided in Appendix A. Related policies will detail other applicable legislative requirements or provide further detail on the obligations arising from the legislation summarized in Appendix A.
Service and Support
Structure. At the heart of the College’s IT structure is the IT department. The IT Manager is responsible for the day-to-day running of IT services and for ensuring the priorities of work. The IT Fellow (Mr. Prashant Bhagat) is responsible to the Governing Body for all aspects of the College’s IT service, support and development. In addition, there is a Web Fellow who is separately responsible for the development of the College’s websites and for web communications.
Support Priorities. The Service Level Description (SLD) gives a detailed description of the service and support priorities currently employed by the IT department; here we give only a summary of the priorities, which are ranked A to G.
A: The first priority is to ensure the IT infrastructure remains in operation; this includes both the network and servers. From time to time upgrades and developments to the network and servers will be necessary and will take high priority in order to minimize overall disruption.
B: The College administration infrastructure is next; this includes supported departmental systems such as databases and attendance portal systems, also shared printers. Finally, within this category is equipment to be used for an imminent presentation within college.
C: Academic priorities: this includes support for Fellows and College Lecturers to ensure there is no serious interruption in the operation of their IT equipment.
D: The College computer rooms: to ensure these remain fully operational with an ordering of: (a) the network integrity for an entire room, (b) breakdown of a printer or other peripheral device, where no alternative is available locally.
E: For the single-user: breakdown of an individual computer or other college owned peripheral devices; software problems, major hardware problems affecting non-college owned equipment but being used for academic or college-related work.
F: Current students with critical problems involving their own personal PCs; single-user network or software problems.
G: Help and advice on equipment, software upgrades and general IT requests from Fellows and Lecturers.
Notwithstanding the above ordering, it will be open to either the IT Manager or the IT Fellow to escalate a support request if it has consequences for the operation of an immediate college activity.
Security
Network and Computers: Security of our network and of the computers used for the administration of College business is a crucial aspect of our IT policy. For this reason, all computers attached to the network must have anti-virus software installed and, in general, should be checked by the IT department before any connection is made to the network. Owners of personal computers are responsible for ensuring that their software is up to date in terms of security patches and anti-virus updates. In general, this will be configured automatically, but owners must ultimately take responsibility for their own equipment. This includes care in the choice of passwords and in the use of email accounts. Breaches of security due to inappropriate computer use will be viewed seriously by the College and could result in temporary exclusion from the network.
Firewall. The College network incorporates a firewall to control data traffic into and out of our local network; this increases the security of our network and helps to keep the threat of malicious attacks to a minimum and to keep confidential information secure.
Retention of Data: Anti-terrorism, crime and security laws have implications for the data we retain with regard to digital communications. In brief, the Data Retention (EC Directive) Regulations 2009 require Internet Service Providers (ISPs) to retain data necessary to: (i) trace and identify the source of a communication; (ii) identify the destination of a communication; (iii) identify the date, time and duration of a communication; and (iv) identify the type of communication. In the words of the 2009 Regulations, this includes data generated or processed by means of ‘mobile telephony’, ‘internet access’, ‘internet email’ and ‘internet telephony’. It is also necessary to identify the users’ communication equipment.
Essay: Establishing an IT policy for Colloge using COBIT 5
Subject area: Computer science essays
Published: 14 June 2016 (may have been previously published on EssaySauce.com and/or Essay.uk.com at an earlier date than indicated)
Last modified: 23 July 2024
Source: Essay Sauce, Establishing an IT policy for Colloge using COBIT 5. Available from: <https://www.essaysauce.com/computer-science-essays/establishing-an-it-policy-for-colloge-using-cobit-5/> [Accessed 19-12-24].