Monday, May 4, 2015

Approaches to Information Security Implementation

The implementation of information security in Software Development Companies in India must begin somewhere, and cannot happen overnight. Securing information assets is in fact an incremental process that requires coordination, time, and patience. Information security can begin as a grassroots effort in which systems administrators attempt to improve the security of their systems.

In IT companies in India this is often referred to as a Bottom-Up Approach. The key advantage of the bottom-up approach is the technical expertise of the individual administrators. Working with information systems on a day-to-day basis, these administrators possess in-depth knowledge that can greatly enhance the development of an information security system. They know and understand the threats to their systems and the mechanisms needed to protect them successfully. Unfortunately, this approach seldom works, as it lacks a number of critical features, such as participant support and organizational staying power.

The Top-Down Approach, in which the project is initiated by upper-level managers who issue policy, procedures and processes, dictate the goals and expected outcomes, and determine accountability for each required action, has a higher probability of success. This approach has strong upper-management support, a dedicated champion, usually dedicated funding, a clear planning and implementation process, and the means of influencing organizational culture.

The most successful kind of top-down approach also involves a formal development strategy referred to as a systems development life cycle. For any organization-wide effort to succeed, however, management must buy into and fully support it. The role played in this effort by the champion cannot be overstated.

Typically, this champion is an executive, such as a Chief Information Officer (CIO), or the Vice President of Information Technology (VP-IT), who moves the project forward, ensures that it is properly managed, and pushes for acceptance throughout the organization. Without this high-level support, many of the mid-level administrators fail to make time for the project or dismiss it as a low priority.

Also critical to the success of this type of project is the involvement and support of the end users. These individuals are most directly affected by the process and outcome of the project and must be included in the information security process. Key end users should be assigned to a developmental team, known as the Joint Application Development team (JAD).

To succeed, the JAD must have staying power. It must be able to survive employee turnover and should not be vulnerable to changes in the personnel of the team that is developing the information security system. This means the processes and procedures must be documented and integrated into the organizational culture. They must be adopted and promoted by Software Development Companies in India. The organizational hierarchy and the bottom-up and top-down approaches are illustrated in the Figure below.

Figure: Approaches to Information Security Implementation
Source: http://www.ustudy.in/node/11832
