Case Study on Information Security Policy of Any IT Industry

Information technology has contributed to the tremendous growth of major organizations and businesses. An upgrade in technology makes doing business easier, but it also brings various threats such as unauthorized access to data, unwarranted changes to data, and so on.

These threats can lead to huge losses for an organization, and not just in the monetary sense; thus, organizations are always looking to employ people who have completed the Stanford advanced cyber security course and acquired relevant skills that will help them deal with security issues.

The demand for security experts is very high in the industry, and those who have completed a postgraduate diploma in cyber security can also get a job, provided they have also acquired exceptional skills.

Cyber security involves using various skills and tactics to safeguard an organization’s assets. In any organization, cyber security, also referred to as information security, needs to be managed, and this is done under information security management, which manages all the resources used for security purposes. Every organization that uses tech for its operations must have a proper security structure.

Information security management (ISM) is not the responsibility of just the security experts in the organization, but of each and every employee. ISM involves communicating the dos and don’ts related to the organization’s information to every employee and associated parties.

Literature review:

ISM is not just a computer security measure anymore. Due to advancements in technology, it involves taking physical security measures, technical security measures, mobile security measures, and so on. It is essentially a multidimensional field taking care of various aspects that could potentially harm a company’s digital assets.

ISM of any organization faces many challenges due to many factors, which are classified under human, technical, and organizational factors. There are also certain strategic, technical, and operational factors in building a robust information security governance model. Different organizations require a different balance of these factors to have a rock-solid information security management system.

Case study:

Company X, located in New Delhi, launched in 2011, is a software solution provider company. It develops software solutions for clients on a project basis and also provides technical and business support to clients in an outsourcing capacity. Their primary focuses are IT consulting, web design and development, mobile application development, software development, robotics, and internet marketing.

Key observations:

Given the field in which Company X operates, it is understood that their information security management must be rock solid, yet no such control was found to be in place. Any incident related to cyber security could lead to loss of data, clients losing their trust, a tarnished reputation, financial losses, delayed projects, and loss of intellectual property, among many other things.

Though aware of the lack of security management, the top management wasn’t too enthusiastic about setting it up. This was mainly because of budget constraints and such issues being taken lightly by the firm’s upper management.

The information security policy of the firm is ad-hoc at best. Employees manage information security issues by taking action on their own if the need arises. There is no formal approach or procedure for any security issue, nor is any training given beforehand to the employees.

All of this leads to employees being unaware of the various security threats they might face, and even those who know of them have no idea what should be done to mitigate those issues. Lack of proper security management can cause significant damage to the organization.


Newer technologies provide businesses with better ways to conduct daily operations, but they also bring newer threats that could seriously damage the organization. Hence, information security management should be of great importance in the organization. It falls on the upper management to plan a proper security structure depending on the organization.

In the absence of any security policy or structure, and without adequately defined roles and responsibilities, organizations are making themselves more vulnerable to various information attacks. Thus, management should make sure that they properly train and educate their employees regarding the various threats out there, what can be done to prevent those issues, and how they can tackle them.

Furthermore, proper security management should be established so that employees can reach out to it in case of any security troubles. Regular audits of such security systems should also be conducted to ensure that the security system so designed is efficient and to identify what improvements can be made, if any.

The study was limited to one small organization in New Delhi, and its conclusions cannot be generalized. However, it can be seen as an example of what organizations in this industry lack and how they can fix it.