ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel

Sample Master's Thesis: Chapter 2 - Information Security Governance and Practices

Updated on June 11, 2012

Published: January 20, 2012

Revised: January 23, 2012

Delivering policies that enhance the organization’sinformation security posture with regard to confidentiality, integrity, and availability could be very restrictive in nature. Some may argue that the formation of such policies would deter innovation. The information security governance of the organization combined with the organizational culture may, however, promote innovation when applied correctly.


"People think of governance as something very constraining and resourcefulness as something innovative, but in fact, governance is a core component of resourcefulness," says Howard Rubin, executive vice president at Meta Group. "It’s hard to foster resourcefulness without governance." In other words, a solid governance structure promotes resourceful thinking within an organization. (Dragoon, 2003)

Information security governance and practices at Dayton College highlight some key concepts defined by Dragoon (2003), these concepts comprise the following:

Demand Value

Dayton College operates on a tight budget. Information security projects must demonstrate value to the organization, just like all other IT projects. Projects that provide little or no return on investment are discontinued.

Require Formal Project Proposals

History shows that most IT project failures can be traced back to poor planning. Good planning begins with a formal project proposal that defines the project’s scope and cost. Dayton College requires formal project proposals before projects are approved and project plans must be developed before any work on a project begins.

Recycle Material

New resources are only procured when no existing equipment fits a requirement. The Virtual IT Lab Project demonstrates this concept by leveraging computers donated by other departments and re-provisioning a computer to act as a router and firewall, thus lowering implementation costs.

Provide Short Iterations and Quick Delivery

Projects must be completed while the project goals are still relevant to the organization’s business requirements. Dividing projects into smaller manageable chunks ensures timely completion of project deliverables while those deliverables still fit in with the organization’s strategic goals. The timeline for the Virtual IT Lab Project is short so the college will experience beneficial results almost immediately.

Avoid Extreme Measures

Systems can be built that are very usable but not secure or very secure but not usable. The proper mix between security and usability must be maintained. The goal of information security governance at Dayton College is to gain voluntary compliance of security measures and controls from users, students and staff alike. Measures that will persuade users to circumvent the system are to be avoided. The move to a virtual lab environment should not be viewed as an extreme measure when viewed in the context that students will not notice the difference between a virtual environment and a production network as long as their activities remain consistent with the purpose for being in the lab.

Good governance can also shape that environment to a certain extent. According to Meta Group’s Rubin, governance should set boundaries but not mandate the use of this technology or that. Instead of establishing governance practices that focus on constraining and setting limits, Rubin says, organizations should set policies that feed innovation and resourcefulness. (Dragoon, 2003).

Existing Information Security Practices and Purpose

Control mechanisms are necessary to protect the organization and demonstrate that the guidelines of following due diligence and due care are followed. The concerns of Information Security are to ensure that the information security qualities of confidentiality, integrity, and availability are maintained at acceptable levels. To this end, control mechanisms are put in place to maintain those qualities.

The International Standards Organization has developed a set of controls that are directed toward various aspects of Information Security. Applied to this project, the most relevant guidelines are contained in the summary of the objectives of the seventh section of ISO 17799 which include the following:

  • Ensure the secure operation of information processing facilities
  • Minimize the risk of systems failures
  • Protect the integrity of information and software
  • Maintain the availability and integrity of information and processing facilities
  • Ensure the protection of information in networks and of the supporting infrastructure
  • Prevent unauthorized disclosure, modification, removal or destruction of assets.
  • Prevent unauthorized disruption of business activities.
  • Detect unauthorized information processing activities
    (ISO 17799 Portol, 2007)

To this end, controls are divided into three organization categories; which include technical controls, physical controls, and administrative controls.

Technical Controls

Authentication controls are lacking in the student domain of the network. A single username/password combination is used; which is equivalent to not controlling access to the network. Logging and monitoring activities are ineffective because individuals are not identified as part of the authentication process. The reasoning for the lax control mechanism is that the college only employs a single network administrator and management feels that reducing the workload is more important than securing the student domain of the network.

While protections on the student domain lack effectiveness, the college’s production domain is adequately protected. Access control is tight, system desktops are locked down, and the college employs a strong password policy. The purpose for these controls is to protect the sensitive information for which the college is responsible.

Physical Controls

Physical controls to regulate access to equipment are in place at the college. All lecture rooms and computer labs are maintained in a lock-down status when not occupied by an instructor. Only the network administrator has access to the server room; which houses the servers and network distribution equipment. Video surveillance is in place to help alert security personnel when unauthorized individuals enter critical areas.

Administrative Controls

The college employs a strict change-management policy. Any change to the production environment requires a project plan to include test results that indicate the effect on existing systems in the test environment and a back-out plan to mediate a change that does not go as planned.

The college is beginning to issue uniforms to students and instructors so they are easily identifiable; individuals not wearing a uniform will stand out and the purpose of their presence can then be investigated. ID cards are issued to staff and students. Lanyards have been issued and a directive that the ID cards be displayed as badges has been issued.

Emerging Threats

Emerging threats, as addressed by this project, result from unrestricted student access to the Internet. While in the existing computer labs, many of the students view idle time as an opportunity to surf the web and visit social networking sites. These visits have resulted in incidents involving downloading inappropriate content and infecting a number of workstations with Trojans. This type of activity enables three significant emerging threats to the security of information assets at the college. These threats include the following:

Proxy Sites

Firewall controls are in place to limit student Internet access; however, some students explore the non-blocked address space and discover proxy sites to use for their web-surfing activities. These proxy sites are then used to bypass existing security controls so a participating student is free to visit the sites of their choice regardless of firewall settings.


Malware is software that delivers damaging or malicious content to an unsuspecting user’s computer and continues as an emerging threat. Malware is one of the main components of botnet creation.

First there were viruses - malicious code that did something on a computer that the user did not initiate or want. Next there were worms, viruses that could spread themselves using email or by exploiting network or application vulnerabilities. …What could be worse? What if the originator of the worm could retain control of each infected PC? What if the author of the virus no longer wanted the spotlight? What if the purpose of the worm were to make money and not just to disrupt computers? These what-ifs are no longer speculation; they describe the current nature of botnets. (Schiller, 2007)

Cyber Crime

Cyber crime is a phrase coined to describe crimes that take advantage of computers as tools and the Internet as a delivery mechanism. Cyber criminals are well trained and sometimes organized into international groups as reported by the Georgia Institute of Technology (2008). Their motivation is money and the tools they use readily available online. Some sites permit visitors to rent a portion of a botnet and take control of a specific number of zombie computers for a fixed fee.

Exclusive control over a single zombie can sell for as little as 10 cents! In 2004, Botnets are well used by both hackers and spammers. Trojan software is often tailored to spamming, and some hackers even offer a “renting” alternative to spammers for less cost than buying the Botnet. (Spammer-X, 2004)


Countermeasures to curtail the emerging threats involve providing an isolated environment in the virtual IT lab and not permitting access to the public Internet by students. A dedicated connection to the Internet would be used by faculty members only and would be used to download software updates and software drivers for the operating system platforms. These updates and drivers would then be placed on a web-server within the virtual IT Lab environment for the students to access. A firewall will be placed on the dedicated Internet connection and firewall rules will be implemented to only permit Hyper Text Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Domain Name Services (DNS) traffic to approved sites. All administration of the firewall will be performed using secure means from an instructor PC in the virtual environment that will not be accessible by students.

Anti spyware software is installed and updated on all computers in the college’s production domains. This practice will continue in the Virtual IT Lab but updates will be directly downloaded to the lab’s web server. This practice will prevent a cross connection between the lab and production environments.

An added benefit of the Virtual IT Lab environment will be to provide the capability to identify new emerging threats in a controlled environment. Scenarios designed for the lab will include a packet analysis to aid students in network troubleshooting and the security analysis of network traffic. Results from experiments in the lab and monitoring the connection to the internet may provide evidence of new external threats. These added threats may then be analyzed for severity and mitigation activities developed to respond to the new threats.

Thesis Navigation


Accrediting Commission of Career Schools and Colleges. (2010). The Accreditation Process.Available from

Broadstairs, K. (2000). 01-2-2 Quantifying Risk. In K. Broadstairs, R. King, & D. O'Conor (Eds.), Risk Management (p. 39). GBR: Scitech Educational.

Dragoon, A. (2003). Governance: Deciding factors. CIO. Retrieved February 18, 2010 from

Eckert, J. W., & Schitka, M. J. (2006). The hacker culture. Linux+ Guide to Linux Certification (2nd Ed.) (pp. 17-18). Boston, MA: Course Technology

GAO. (1998). Executive guide: Information security management--learning from leading organizations: AIMD-98-68. GAO Reports, 1., Government Accounting Office

Georgia Institute of Technoloogy. (2008). Emerging cyber threats for 2009. CU360 , 34 (21), 4-5.

ISO 17799 Portol. (2007). What is ISO 17799? Available from

Moteff, J. (2004). Computer Security: A Summary of Selected Federal Laws, ExecutiveOrders,and Presidential Directives. Library of Congress, Congressional Research Service

Panel on Confidentiality Issues Arising from the Integration of Remotely Sensed and SelfIdentifying, & National Research Council. (2007). Putting people on the map: Protecting Confidentiality with linked social-spatial data. Washington, DC: National Academies Press.

Rainer, R., Snyder, C., & Carr, H. (1991). Risk Analysis for information technology. Journal of Management Information Systems , 8 (1), 134-135.

Schiller, C. (2007). Botnets. Network and Systems Professionals Association. Available from

Schniederjans, ,. M. (2004). Information Technology: Decision-Making Methodology (p. 140).Singapore: World Scientific Publishing Company.

Spammer-X. (2004). Inside the SPAM Cartel: Trade Secrets from the Dark Side. Rockland, MA: Syngress Publishing

Treviano, L. K., & Weaver, G. R. (2003). Managing Ethics in Organizations : A Social ScientificPerspective on Business Ethics. Palo Alto, CA: Stanford University Press.

U.S. Senate. (2009). Safe Internet act: S 1047 IS. Library of Congress.


    0 of 8192 characters used
    Post Comment

    No comments yet.


    This website uses cookies

    As a user in the EEA, your approval is needed on a few things. To provide a better website experience, uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

    For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at:

    Show Details
    HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
    LoginThis is necessary to sign in to the HubPages Service.
    Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
    AkismetThis is used to detect comment spam. (Privacy Policy)
    HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
    HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
    Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
    CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
    Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the or domains, for performance and efficiency reasons. (Privacy Policy)
    Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
    Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
    Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
    Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
    Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
    VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
    PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
    Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
    MavenThis supports the Maven widget and search functionality. (Privacy Policy)
    Google AdSenseThis is an ad network. (Privacy Policy)
    Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
    Index ExchangeThis is an ad network. (Privacy Policy)
    SovrnThis is an ad network. (Privacy Policy)
    Facebook AdsThis is an ad network. (Privacy Policy)
    Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
    AppNexusThis is an ad network. (Privacy Policy)
    OpenxThis is an ad network. (Privacy Policy)
    Rubicon ProjectThis is an ad network. (Privacy Policy)
    TripleLiftThis is an ad network. (Privacy Policy)
    Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
    Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
    Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
    Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
    ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
    Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)