Information Security Management (ISM) Practices: Lessons from Select Cases from India and Germany
Abhishek Narain Singh, Arnold Picot, Johann Kranz, M. P. Gupta & Amitabh Ojha
Global Journal of Flexible Systems Management, ISSN 0972-2696, Volume 14, Number 4. Glob J Flex Syst Manag (2013) 14:225-239. DOI 10.1007/s40171-013-0047-4
Global Journal of Flexible Systems Management (December 2013) 14(4):225–239, DOI 10.1007/s40171-013-0047-4
ORIGINAL ARTICLE
Information Security Management (ISM) Practices: Lessons from Select Cases from India and Germany
Abhishek Narain Singh • Arnold Picot • Johann Kranz • M. P. Gupta • Amitabh Ojha
Received: 3 August 2013 / Accepted: 15 October 2013 / Published online: 1 November 2013
Global Institute of Flexible Systems Management 2013
Abstract
The increasing dependence of businesses on information, and the changing ways in which information is used with modern IT/ICT tools and media, have created an unavoidable need for information security in organizations. Earlier, technical measures were used to fulfill this need; however, it has been realized that technology alone cannot address the challenges of information security management (ISM) in organizations. Management and behavioral aspects are pivotal to building an ISM system in organizations. This paper attempts to understand and examine the current ISM practices of two large, global IT and management services and consulting organizations, one from India and another from Germany. In a case design, the study adopts a qualitative research route, and semi-structured interviews were conducted across the hierarchy in both organizations. Observations from the interviews are portrayed using the descriptive analysis methodology. Further, to draw learning from the cases, the SAP-LAP method of inquiry was used to understand the present status of ISM practices in both organizations. Finally, the paper discusses the implications of the findings and the scope for future research.
Keywords: Information security; Information security management (ISM); SAP-LAP; Case study
A. N. Singh (corresponding author) · M. P. Gupta
Department of Management Studies, Indian Institute of Technology Delhi, Vishwakarma Bhawan, Shaheed Jeet Singh Marg, Hauz Khas, New Delhi 110016, India
e-mail: [email protected]
M. P. Gupta
e-mail: [email protected]
A. Picot
Institute for Information, Organization, and Management, Ludwig-Maximilians-University, 80539 Munich, Germany
e-mail: [email protected]
J. Kranz
Management Information Systems and Methods, University of Göttingen, 37073 Göttingen, Germany
e-mail: [email protected]
A. Ojha
Research Design and Standards Organization, Ministry of Railway, Government of India, Lucknow 226011, Uttar Pradesh, India
e-mail: [email protected]

Introduction
The increasing day-to-day use of IT/ICT tools to conduct business processes in modern organizations has created a pressing need to secure business information and related assets. With the changing ways of information interaction, the nature of risks and threats has also changed. In the global networked environment, organizational boundaries have become blurred, increasing the challenges for information security (Chaturvedi et al. 2011). In its 2012 Global Information Security Survey, Ernst and Young highlighted the gaps in ISM practices worldwide as: alignment with the business; adequate resources with the right skills and training; processes and architecture; and new and evolving technologies. Key obstacles to information security effectiveness in organizations, as highlighted by the respondents, include budget constraints, lack of skilled resources, lack of tools, and lack of executive support (Ernst and Young 2012). Earlier, the major emphasis was on addressing information security challenges at the operational level through technical measures such as encryption, network security, access controls, etc. However, it has since been realized that managing information security is no longer only a technological challenge (von Solms and von Solms 2004; Chang and Ho 2006); it is a governance issue, and management aspects are pivotal for organizational Information Security Management (ISM). ISM consists of the set of activities involved in configuring resources in order to meet the information security needs of an organization. To achieve this, organizations need to identify their critical business assets, the risks/threats to those assets, and the corresponding countermeasures. A balanced mix of technical, management and human aspects of information security is essential to build an overall ISM system in the organization.
The present study explores and examines the ISM practices of two large, global IT and management services and consulting organizations, one from Germany and the other from India. The paper aims to address the following research objectives:
Objective 1: To understand and examine the current ISM practices of two IT and management services companies in India and Germany
Objective 2: To derive learning from the cases to draw implications for improving various organizational ISM practices
The rest of the paper is organized as follows. The next section discusses the various management factors of organizational information security. The methodology employed in the paper is discussed in the following section, followed by the key observations from the cases using the descriptive analysis approach. The SAP-LAP inquiry methodology is then used to highlight the key learning derived from the cases. Finally, the paper concludes with the implications of the research findings and the scope for future research in this direction.
Background
As defined by Hong et al. (2003), ‘‘…information security is the application of any technical methods and managerial processes on the information resources (hardware, software and data) in order to keep organizational assets and personal privacy protected…’’. ISM is a multi-faceted phenomenon. The ISO/IEC 27001:2005 standard defines eleven domains of organizational ISM, namely: security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; and compliance. Taken together, these domains cover the multiple areas of organizational ISM. The Plan-Do-Check-Act process model adopted by the standard frames information security as a continuous, self-improving management exercise through which organizations build an ISM system (ISO/IEC 27001 2005).
Knapp et al. (2006) highlighted the information security concerns faced by organizations worldwide. The top ten issues include: top management support; user awareness (training and education); malware; patch management; vulnerability and risk management; policy-related issues; organizational culture; access control and identity management; internal threats; and business continuity and disaster preparation. Successful implementation of information security requires the active participation of executives to assess the environment, current threats and the ways to protect the organization against such threats/vulnerabilities (Kankanhalli et al. 2003). Senior executives are responsible for providing the strategic vision to align information security requirements with the business objectives of the organization (Gupta et al. 2004). Top management’s role becomes critical in preparing a risk management plan that uses resources effectively to fulfill organizational information security needs. Understanding the importance of ISM for business continuity and communicating this message to employees is a top management responsibility (Hu et al. 2012).
Successful ISM requires the active participation of employees across the organizational hierarchy. This can be achieved through proper communication and the involvement of employees in the various organizational ISM functions. The first step towards this is a clearly defined and documented information security policy. Policy gives management direction and support to the various information security activities in the organization. Hone and Eloff (2002) describe various supporting activities for an effective information security policy, such as development, presentation, commitment, dissemination, maintenance, and styling. Communicating policies to all stakeholders is necessary for their implementation and compliance. Information security training and awareness programs are useful in this regard. Training employees on changing business requirements and the correspondingly varying risks creates an up-to-date human firewall that secures the information and related assets of the organization. Puhakainen and Siponen (2010) argued that regular information security training improves employees’ information security compliance behavior. Through an intervention study, Albrechtsen and Hovden (2010) showed the positive outcomes of information security awareness workshops on employees’ individual and group behavior towards information security. With such regular training and awareness programs, employees become vigilant to information security issues in their routine work, which leads to an information-security-informed workforce in the organization. Gradually, information security becomes the norm for employees and part of the organizational culture. An information security culture is about the shared beliefs and attitudes of employees towards the organizational information assets and systems in their day-to-day activities (Veiga and Eloff 2010).
A proper classification and control system for managing organizational information assets reduces risk for the business. A risk assessment and management plan for critical business information assets is essential for smooth business operations (Chang and Ho 2006). Various international ISM standards, such as BS7799, COBIT, GMITS, GASSP, etc., provide best-practice guidelines for managing information security in organizations. Organizations need to review their compliance with such industry standards, as it gives assurance to partners and clients/customers (Humphreys 2008). To deal with internal and external threats, organizations need an incident management plan. Employees need training in advance to detect and report information security incidents (Werlinger et al. 2009). Ahmad et al. (2012) suggested an incident learning system for organizations to understand the causal structures of incidents and draw learning from them for future events. Periodic internal as well as external information security audits are helpful in monitoring the conformity of various processes with organizational information security policies and guidelines. Audits are useful tools to verify the effectiveness of information security implementation in the organization and its compliance with regulatory requirements (Hagen et al. 2008).
Methodology
In a multi-case study design, the present study examines the ISM practices of two large, global IT and management services and consulting organizations, one from Germany (ITComp 1) and another from India (ITComp 2). Using a qualitative research approach, the study adopts a semi-structured interview methodology to understand and investigate the current ISM practices of the organizations. A semi-structured interview questionnaire template was used for this purpose. The template consists of thirty-nine questions categorized into twelve ISM factors identified from the literature review. These factors are: information security requirements, top management support, information security policy, information security training, information security awareness, information security culture, information security audit, ISM best practices, asset management, information security incident management, information security regulations compliance, and ISM effectiveness. Table 1 presents the twelve management factors, the interview questions, and their key references. In addition to these identified questions, some supplementary questions were also asked of the interview respondents to clarify the issues discussed with them. Purposive and snowball sampling techniques were used to identify respondents across the hierarchy and functions in the selected organizations. A total of 14 interviews were conducted: six from case A and eight from case B (Table 2). Interviews were conducted face-to-face, in the regular setting of the respondents. Each interview lasted around 45–50 minutes. All interviews were audio recorded, and transcripts were made for further analysis.
A two-step approach is employed to explore and analyze the cases under study. First, the observations derived from the interviews are portrayed using the descriptive analysis methodology. The descriptive method gathers the findings about the present state of the case to illustrate its current situation, and examines the cause(s) of general and particular phenomena (Creswell 1994). This results in a descriptive review of current organizational practices that reflects on the points of interest needed to fulfill the objectives of the study (Babbie 2004). In the second step, the cases are analyzed using the SAP-LAP method of inquiry (Sushil 2000, 2001). The SAP-LAP abbreviation stands for ‘Situation’, ‘Actor’, ‘Process’ and ‘Learning’, ‘Action’, ‘Performance’ (Fig. 1). A situation characterizes the present state of the phenomenon in the organization and the surroundings in which it functions. Actors are the entities (individuals or groups) engaged in various situations to drive multiple activities while conducting a range of business processes. A process is the conversion of a set of inputs into desired outputs to fulfill the objectives of the organization. A situation involves an actor or a set of actors conducting the various processes embedded in it. The interplay and synthesis of SAP leads to the LAP activities. Based on the learning derived from SAP, various actions are identified. The effect of those actions can then be examined as improved performance of situations, actors or processes. A number of researchers (Sushil 2001; Husain et al. 2002; Kak 2004) have used SAP-LAP models in examining case studies. Thakkar et al. (2008a, b) discussed the issues relating to IT implementation in SMEs using the SAP-LAP approach. In the context of the present study, the SAP-LAP methodology complements the observations derived from the descriptive analysis and helps in systematically analyzing the organizational ISM practices of the case organizations in terms of situations, actors, and processes.
Table 1 ISM factors, interview questions, and key references
ISM factors | Interview questions | Key references
Information security requirements | Information is a critical business asset; importance of information security for the organization; effect of an information security breach incident | Chang and Ho (2006), Humphreys (2008)
Top management support | Availability of required resources; top management support for information security activities | Hu et al. (2012), Kankanhalli et al. (2003)
Information security policy | Policy specifies the roles and responsibilities of employees; is there an information security policy in the organization; policy for contractors/third-party vendors; reviewing policy for its effectiveness and completeness | Hone and Eloff (2002), Ma et al. (2008)
Information security training | Conducting information security training programs for employees; usefulness of training programs; dedicated steering committee for conducting training programs | Horrocks (2001), Puhakainen and Siponen (2010)
Information security awareness | Communication of information security policies, objectives, roles, responsibilities, and risks; educating employees on acceptable behavior, penalties, and legal consequences of non-compliance; advisor to coordinate ISM activities | Albrechtsen and Hovden (2010), Upfold and Sewry (2005)
Information security culture | Employees see and practice information security as a part of their regular job; information security is built into operational systems; a forum to discuss and resolve employees’ information security concerns/issues | Veiga et al. (2007), Veiga and Eloff (2010)
Information security audit | Process for monitoring and making logs of access records; organization conducts internal information security audits; review/update information systems to ensure compliance with organizational information security policies, standards, and procedures; external audit by an independent third party for ISM certification | Hagen et al. (2008), Humphreys (2008), Ma et al. (2008)
ISM best practices | Risk management plan; protecting the integrity and security of software/hardware against viruses, malware, etc.; information security good practices of the organization | Ma et al. (2008), Upfold and Sewry (2005)
Asset management | Information asset classification system; determining critical risks to the organization’s information assets; physical security control mechanism; access control mechanism for IT systems and services | Chang and Ho (2006), Upfold and Sewry (2005), Veiga et al. (2007)
Information security incident management | Risk mitigation plan; steps to respond to an information security incident; business continuity and disaster recovery plan; backup and recovery process to maintain the integrity and availability of business information | Ahmad et al. (2012), Werlinger et al. (2009)
Information security regulations compliance | Mechanism to comply with software licenses and prohibit the use of unauthorized software; compliance with an ISM certification (e.g. ISO/IEC 27001); protecting the privacy of the data of clients/customers and employees | Chang and Ho (2006), Hagen et al. (2008)
ISM effectiveness | Are the organization’s information security policies and security standards effective? If not, what are the drawbacks and suggestions for improvement?; are there adequate procedures and guidelines to operationally enforce the organization’s information security policies and standards? If not, what are the drawbacks and suggestions for improvement?; process to regularly review and update the organization’s information security policies, standards and procedures | Kankanhalli et al. (2003), Ma et al. (2008)

Table 2 Respondents’ profile
Case A (ITComp 1): Job profile | Work experience (years)
Managing Director (Germany region) | 25
Senior executive | 22
Data privacy and information security officer | 20+
Network manager | 13
IT consultant | 10
Business consultant | 6
Case B (ITComp 2): Job profile | Work experience (years)
Director—Human Resource | 17
Head—information security and privacy | 13+
Head—business continuity and disaster recovery | 20+
Head—IT operations | 20+
Network administrator | 13
Human resource manager | 8
Senior manager—finance | 10
IT consultant | 5+

Fig. 1 SAP-LAP method of inquiry (figure: Situation, Actor and Process; interplay of SAP-LAP; Learning, Action and Performance)

Case Study
Case A: ITComp 1
As a global management consulting, technology services and outsourcing company with offices in more than 200 cities in 54 countries around the globe, the company is headquartered in Dublin, Republic of Ireland. The company has an employee base of 257,000 (as of September 2012) in more than 120 countries, serving clients across industries such as airline, automotive, banking, energy, insurance, chemicals, travel, and public services and government. In the fiscal year ended August 2012, the company generated net revenues of US$ 27.9 billion. The major areas of operation of the company include IT technology services (application and data), innovating emerging technologies for business solutions, alliances, and business process outsourcing (custom and standard services). In Germany, the company has offices in five different locations.
Case B: ITComp 2
ITComp 2 is an information delivery platform, enabling its customers to deliver, share, process and store their vital business information. Listed on the London Stock Exchange, the company is an established leader in delivering integrated computing and network services to major organizations, midsized businesses and wholesale customers across 22 European countries and the United States. The company provides integrated managed networking, communication and IT infrastructure services/solutions to more than 30,000 organizations in both the private and public sector, ranging from multinational or national corporations to smaller companies in industries such as financial services, legal, media, healthcare, and government. The company owns a 43,000 km communication network that includes metropolitan area networks in 39 major European cities with direct fiber connections, and 20 carrier-neutral data centers of its own. The company’s products and services include application hosting, cloud services, consultancy and professional services, interactive voice, internet services, infrastructure hosting, data networking, IT security services, telephony, and data centre services. The company has 5,200+ employees across the globe, of which around 1,300 work in India. In India, the company operates from two locations.
Key Observations from Cases
Information Security Requirements
For ITComp 1, information is a critically important business asset. Securing business information is important for several reasons: uninterrupted business processes; safeguarding knowledge and intellectual property; staying ahead of competitors; and avoiding data and information leakage that may result in legal penalties for the organization. According to the Data Privacy and Information Security (DPIS) officer, ‘depending upon the severity of breach, an information security incident can affect multiple functional areas of the organization at all levels’. For the company, securing internal data is as critical as protecting clients’ data.
Data management is one of the key operations of ITComp 2. The head of IT operations thinks that ‘if the security controls are not properly implemented and some critical information is leaked and falls in competitors’ hand, it would be a huge business risk for the company’. The critical business information includes business plans, financial numbers, clients’ data, customer information, process details, internal employee records, etc. A compromise of these can result in financial loss for the company and, more than that, can damage the company’s image.
Top Management Support
In ITComp 1, information security is considered among the top ten risks for the company, and top management is concerned about the issue. The latest technologies have been adopted to meet the organizational information security requirements. However, a need to deploy more resources in terms of manpower and budget was highlighted in the course of the interviews. There is a committee that reports to senior executives about the information security functions of the organization.
…to be very honest, this (providing resources for information security) could be better. There is a need, that is known, but it’s, I would say, not ideal… it could definitely be improved in terms of manpower and budget… [Case A]
Top management in ITComp 2 understands the significance of information security for the company and is ready to provide the necessary support for its implementation. As described by the information security head, ‘there is an information security factor in the mind of top management while taking any decision’. Senior executives are involved in ISM-related decisions and monitoring.
Information Security Policy
ITComp 1 has a comprehensive information security policy that clearly defines the information security roles and responsibilities of employees. It also spells out employees’ accountability for the company’s data/assets, and that a violation may lead to termination or stern legal action against the employee. The information security committee meets quarterly to review and update the organizational information security policy and its legal compliance. The company also has a policy for contractors/vendors: when entering into a contract with the company, they have to agree to the organizational information security policies covering issues such as data privacy, usage of electronic media, external devices, etc.
There is a specific information security policy in ITComp 2. While making any new security policy, there is a procedure to check the available standards for it, and after implementation of the policy, compliance with those standards is checked. The policy describes the roles, responsibilities and accountabilities of employees. It also outlines employees’ as well as contractors’ expected behavior towards the company’s assets and systems. The company reviews its information security policies annually.
…we have a comprehensive information security policy with lots of annexures describing mechanisms for its implementation. Resource management, incident management, business continuity, and all other aspects are discussed in detail. In the current risk environment, you cannot have a four-line information security policy… [Case B]
Information Security Training
In ITComp 1, an online training program, conducted once a year, is mandatory for every employee. Employees find this training program useful for their day-to-day operations. The information security committee reviews the training needs of employees in regard to the current business requirements of the organization and accordingly makes the necessary changes to the online training module.
In ITComp 2, there is an e-learning module, along with an online exam, on data privacy, security and business continuity for employees at the time of joining. This training is mandatory for each and every employee in the company, globally. Even trainees and contracted employees from vendors have to undergo this training program, and if an employee fails for any reason, he/she has to go through it again and clear the exam. In addition to the online training, training sessions have also been conducted by external agencies such as BSI. Three to five people from every team (functional area) attend these trainings; they come back and train others, which builds a habit of knowledge sharing among employees. To understand the training requirements of employees and give feedback to senior management, there is a steering committee in the company with members from different functional areas. The organization has an information security curriculum for employees and maintains a knowledge repository for it.
…so, there are 5 to 10 slides on data privacy, data security, protection etc.; and then there is an exam consisting of around 50-60 questions. 75 % is the pass mark for this exam. Questions are very critical sometimes, so we have to study them carefully and then answer… [Case B]
Information Security Awareness
ITComp 1 uses multiple ways to educate employees and make them aware of information security. These include announcement e-mails from the DPIS office about the latest information security updates; online training of employees once a year; and a regular column on information security in the company’s monthly newsletter. There is another quarterly newsletter, specific to the different departments or business units within the company, that covers the ISM issues pertaining to that department. There is a policy/guideline enumerating employees’ acceptable behavior regarding data privacy and security. In addition, there are regular programs/workshops/events round the year about data privacy and security to keep employees aware of the latest information security risks/threats and their countermeasures.
…we have a separate column in our company’s monthly newsletter that talks about interesting up-to-date topics of information security; like, printing with pin, how to comply with our policies, not to install any software from internet, etc… [Case A]
In ITComp 2’s monthly employee newsletter, a part of the information security policy is published and communicated to employees. Sometimes, in case of a policy/procedural change, sessions are conducted to inform employees that there is a policy change: although the document will come shortly, since it is required, they have to follow the new policy/procedure. Employees are told the dos and don’ts related to ISM, for example, not to share passwords or access PINs, shredding papers with sensitive information, the clean desk policy, etc.
…I may not do it knowingly, but when I access some kind of sites and start downloading something, I am caught for unwanted reasons. So, they have been told to be very careful and not to get into unwanted sites. If you need something, we have policies, go through the policy, raise a request, let them approve and we will do it. If it’s a business case, we have to do it… [Case B]
Information Security Culture
ITComp 1 has a global information security advisor who coordinates the various information security functions with the geographical DPIS heads. Any suggestion/improvement is then passed on to the local information security committee for implementation. Thus, there is a clear structure for ISM in the organization. Employees are educated throughout the year with small, digestible fliers. Circulars and posters displayed in common places in the organization give various information security tips, for example, ‘do not leave your assets unattended’, ‘take print-outs with your ID’, etc.
…we have employees who are perfectly adhering to information security behavior. Then, we have employees who consider this as a burden. I would roughly say, 60 per cent support it full-heartedly and 40 per cent are maybe still doing the journey… [Case A]
In ITComp 2, a culture of information security has been cultivated among employees through regular communications on various information security issues. There are clearly defined processes/procedures for ISM, and checks and controls to monitor bypasses. For any information security concern related to their work, employees can raise a request. Every such request has a turnaround time within which the concerned authority has to respond. Employees are allowed to bring their smartphones into the office, but without a security certificate and VPN application installed, they cannot connect to the company’s network. There is a mechanism to monitor and track records of every such device.
…sometimes they (employees) come to us and say that this is not adhering to the policy and I think we need to double check… [Case B]

…suppose I have to open a firewall. I can do it on phone also, right, but they don't accept it. They say that there has to be a service request for this; an information technology service request, which is raised by the employee and the manager approves it. Now, the manager is equally answerable as to why he is asking for this kind of request. Every such thing is documented. So, if I am approving something, I am equally accountable… [Case B]

Information Security Audit

According to the DPIS officer, 'in ITComp 1, we are monitoring processes and make logs of access, but only when they are legally allowed and applicable'. Regular reviews/audits are conducted internally by the DPIS team to check conformance with information security policies/guidelines. Internal audit is conducted once a year. Audit reports are shared with the steering committee and senior management to find out the deviations, and accordingly corrective actions are taken. In addition to the internal audit by the DPIS team, the company has an audit conducted by a team from another geographical location, once a year. The company has obtained ISO/IEC 27001 ISM certification for its two data centers.

ITComp 2 conducts internal information security audits to check compliance with security policies, procedures and guidelines. PricewaterhouseCoopers does an external information security audit for ITComp 2, where the auditors verify the group controls and general controls for ISM. There is a pre-defined schedule for audits; accordingly, internal audits are conducted once every 6 months, and external audits are conducted annually.

…everything is monitored, if they need to. If they want to keep an eye on someone as to what he/she is doing, they can do it… [Case B]

…in internal audits, we check whether everything is done correctly or not. Are there any leakages? And then we try to see what is the back-up plan to encounter such a situation… [Case B]

ISM Best Practices

ITComp 1 operates from thirteen geographies, and the company has similar standard procedures globally to implement and practice information security. For risk assessment and management, the company uses an 'as-is' approach. First, the risks are identified and rated (based on severity). From this rating, a management process is
identified that describes how this risk can be approached: either action is taken to resolve the risk or the risk is accepted as-it-is. Every business unit maintains a risk register where risks along with the action taken are documented. The company uses firewall and penetration testing to verify the protection against viruses/malware.

…every business unit receives their specific risk register with risk management plans. They have to confirm that they will take action and suggest the time frame until the action will be taken. So, we can conduct an audit… [Case A]

ITComp 2 has a password policy where every password is changed after 90 days. 90 days is the maximum limit; after that, in some applications, the system generates the alert that 'you need to reset your password, it is going off'. In some cases, it simply would not allow the user to enter; employees have to reset it by force. The system also does not allow setting a password from the recently used 2–3 passwords for the same system. Internet access is filtered in the company. Moving files from the company's network to a public network like Yahoo, Gmail or any public domain is monitored and can be traced, if required. Employees cannot download everything from the public domain; there is a restriction on downloading. Downloaded files come under a secure area and then authorities can question the downloaded materials. There are standard procedures for firewall and antivirus software running on systems. Identification and analysis of risks for all the company's assets and resources is done. As described by the network administrator, 'for example, if we need to give access of any server to some external party, we have to take all the security approvals before doing that, and there is a defined procedure that is to be followed'. For transferring data and files, the company uses secure file transfer protocol. Using personal USB drives to transfer data from the company's systems is prohibited. The network operating centre (NOC) gets an alert as soon as any such device is connected to the company's network. The hard disk drives of all laptops and systems are encrypted, so even if someone has stolen a laptop, he/she cannot get into it; the data is protected. And, since on a daily basis everything is stored on a shared server, there is no loss of data; business continuity is maintained.

…ISM is about setting right processes. Unless the process is adhered to, my gateway is not opened, I cannot access certain URLs, and I cannot transmit the information… [Case B]

Asset Management

There is a highly conventional system for asset classification (based on criticality) in ITComp 1 and this is known to all business unit heads. Different units maintain their own asset registers along with the associated risks for individual assets. Then, there are risks identified that are common to all the areas; they are circulated to all the units. The company has different physical access control mechanisms in place, such as guards, card readers, and CCTV surveillance. For access control of various IT systems and applications, there are authentication mechanisms, access rights with read–write–delete options, and user groups with varying privilege levels. There is a workstation policy that clearly defines how to securely manage organizational information assets.

…our employees are the most important asset or treasure for our company… [Case A]

ITComp 2 has an asset management system in which all the assets are recorded and classified based on criticality. Ownerships are defined and owners are responsible for taking care of their assets. Employees are considered as intellectual assets or resources for the company and there is a mechanism to create a shadow back-up for every such resource serving critical roles. This arrangement is made to cover the risk of unavailability, so that projects do not get delayed. The head of operations defines this as one of the topmost priorities for the company. Then, there is a physical access control system via an electronic ID card at the building's entrance. Depending upon the sensitivity of the data and systems, different areas of the building have separate physical access controls. Similarly, there are three layers of authentication required to get access to the company's network. Employees are assigned different access rights and privilege levels based on their roles.

…we keep a person in shadow. If I am here, I have a person in my shadow. He comes into the role when there is some crisis, or the person is on vacation or anything. When required, may not be 100 per cent, but almost 60–70 per cent human resource back-up coverage we can do… [Case B]
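The ITComp 2 password policy described under ISM Best Practices above (a 90-day maximum age, an expiry alert, forced reset once the limit is passed, and no reuse of the recently used passwords) can be expressed as a small account-policy check. This is an added illustration, not code from the paper or from either company; the 7-day warning window and the history depth of 3 are assumptions.

```python
"""Password-rotation and reuse check modelled on the ITComp 2 policy described
in the paper: a password lives at most 90 days, the system warns that it is
'going off' shortly before that limit, refuses login once it is exceeded until
the password is reset, and rejects any of the recently used passwords.

Added, hypothetical illustration: the 7-day warning window and the history
depth of 3 are assumptions, not figures from the paper.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date

MAX_AGE_DAYS = 90      # from the paper: 90 days is the maximum limit
WARN_BEFORE_DAYS = 7   # assumption: when the reset alert starts to show
HISTORY_DEPTH = 3      # assumption: the paper says "recently used 2-3 passwords"


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the reuse history never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    last_changed: date
    # (salt, digest) of recent passwords, most recent first
    history: list[tuple[bytes, bytes]] = field(default_factory=list)

    @classmethod
    def enrol(cls, password: str, today: str) -> "Account":
        """Create an account with its first password on ISO date `today`."""
        acct = cls(last_changed=date.fromisoformat(today))
        acct.set_password(password, today)
        return acct

    def is_reused(self, candidate: str) -> bool:
        """True if `candidate` equals any password still in the history window."""
        return any(hmac.compare_digest(_digest(candidate, salt), digest)
                   for salt, digest in self.history)

    def set_password(self, new_password: str, today: str) -> None:
        """Rotate the password, refusing reuse of the last HISTORY_DEPTH ones."""
        if self.is_reused(new_password):
            raise ValueError("password matches one of the recently used passwords")
        salt = os.urandom(16)
        self.history.insert(0, (salt, _digest(new_password, salt)))
        del self.history[HISTORY_DEPTH:]          # forget anything older
        self.last_changed = date.fromisoformat(today)

    def status(self, today: str) -> str:
        """'ok', 'warn' (reset alert shown) or 'expired' (login refused)."""
        days_left = MAX_AGE_DAYS - (date.fromisoformat(today) - self.last_changed).days
        if days_left < 0:
            return "expired"
        if days_left <= WARN_BEFORE_DAYS:
            return "warn"
        return "ok"

    def login_allowed(self, today: str) -> bool:
        """The forced-reset case: once expired, the user cannot enter at all."""
        return self.status(today) != "expired"


if __name__ == "__main__":
    # Constructed sample: one account enrolled on 1 January 2013.
    acct = Account.enrol("Winter-2013", "2013-01-01")
    for day in ("2013-03-01", "2013-03-30", "2013-04-02"):
        print(day, acct.status(day), "login allowed:", acct.login_allowed(day))
    acct.set_password("Spring-2013", "2013-04-02")
    print("old password still blocked:", acct.is_reused("Winter-2013"))
```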
Information Security Incident Management

In ITComp 1, there is a security operation center that educates employees about what to do in case of a data breach or information security incident. There is an emergency number that is available 24 × 7. Employees can call in case they want to report an information security breach incident. According to the DPIS officer, 'when you make such a call, there is automatically given an incident number. You receive a short report via e-mail, outlining what happened, the type of incident, etc. We distinguish between logical and physical incidents. And then you have the names of all the people who need to be informed on that report, so that action can be taken'. The company has a life safety, business continuity and disaster recovery plan. Employees are given training like fire drills, evacuation exercises, etc. once or twice per year for emergency situations. The company has an alternate communication mechanism identified in case of a disaster. There is a decision board, who will be informed to take action in such situations. The company takes regular back-ups, at a different location than the office premises, to ensure disaster recovery and business continuity.

ITComp 2 has a back-up policy where back-ups are taken based on the criticality of the application or process. Incremental back-ups are taken every day and at weekends a complete back-up is taken. For all critical applications, the company has back-up servers. For uninterrupted business continuity, there are mirror servers for critical applications. To safeguard against disasters, these servers are located at a different geographical location. The company has a documented incident management plan and there is a security operation center located in the United Kingdom that manages information security incident cases and does a post-incident analysis on them. All the critical information is managed at central pool data centers located in Europe. In case of policy violation or non-compliance, e.g. downloading some software which is not allowed, employees can even be sacked. The company has a very rigid policy on that and employees are aware of this fact. The company has a BS 25999 certification for business continuity management.

…I know a person got sacked because he connected his hard disk during Christmas time, when nobody was there. And some viruses moved to the network. The NOC team immediately identified that from this particular node and machine this had been done. There was an audit investigation. And, after a couple of months, he was shown that this is what you have done, a lot of questioning happened and finally, he had to leave the organization… [Case B]

Information Security Regulations Compliance

ITComp 1 has a mechanism to run a monthly scan that checks the software on employees' laptops. Employees are then asked to explain that they have bought the licenses, or they are asked to delete the software. This is done for every employee. Employees have to sign a data secrecy agreement in compliance with Sect. 5 of the Federal Data Protection Act. This holds until termination of employment or even beyond. The same applies to third party contractors/vendors. The company has a global data privacy policy and also a policy for the acceptable usage of company equipment. The company has ISO/IEC 27001 ISM standard certification for its two data centers.
…we have communications from our firm secretary on a quarterly basis, highlighting and giving examples that went very well or very bad. For example, 'this employee could have done better to avoid those consequences'. So, we are using all kinds of illustrations to continually educate our employees on compliance issues, without boring or making them tired… [Case A]

In ITComp 2, there is a separate team to manage software licenses. On demand, this team approves extending or buying new software licenses. Until it is given in writing, employees are restricted from downloading any software from the Internet. If somebody is caught using unlicensed software during audits conducted by the information security team, they can face serious consequences. Third parties have to sign a 'data privacy and protection agreement' that they are not going to export this information to anybody else. Based on all that documentation, appropriate authorities approve that this thing is going to be used by this and this and for this purpose.

…being at senior management level too, I do not have administrative rights on a lot of things. If I need to download anything from the internet, I have to go to the concerned department and take their approval for this… [Case B]

ISM Effectiveness

In ITComp 1, information security policies and standards were found effective. As indicated by the DPIS officer, there is room for improvement when it comes to making resources available (budget and manpower). The company has a risk management plan, so employees know what the risks are and what they can do to manage or avoid those risks. Adequate procedures were found in place to operationally enforce the organizational security policies and standards.

…I would say that continuous education must be a standard, because this is the project that never ends; this is not a one stop situation; this is ongoing… so, at this point in time there was no data security breach incident during my tenure. And I hope this will stay the same… [Case A]

ITComp 2 has effective information security standards. There are controls to continuously monitor the effectiveness of organizational information security policies and guidelines. There are regular communications with employees on information security policies, processes, and procedures. The business continuity and disaster recovery head indicated the need to strengthen the mechanism of post-incident analysis of information security breach cases, triggering immediate review of policies and making suitable changes.
SAP-LAP Analysis of Cases

Situation involves the present conditions of various ISM practices of the organization. It is the investigation of how the organization has reached the present condition, and what the expected future trends or possibilities are. Here, the situation factor mainly deals with the 'WHAT' aspect of ISM in the organization. Actors are individuals or groups involved in managing various ISM related functions in the organization. As stakeholders with different roles and capacities, they affect various ISM functions in the organization. The actor factor mainly deals with the 'WHO' aspect of ISM in the organization. Process involves various functions related to ISM in the organization. It helps to identify the need and characteristics of various ISM activities in the organization. Here, the process factor mainly deals with the 'HOW' aspect of ISM in the organization. Learning comprises the findings derived from the interplay of the various situation, actor and process (SAP) factors involved in the ISM activities of the organization. Learning helps to identify gaps in the current organizational ISM practices and the areas of improvement. Through learning, specific actions ought to be identified to improve various SAP factors of organizational ISM. The performance factor considers the learning drawn from the synthesis of SAP in terms of various ISM practices of the organization and identifies ways of improving them. Performance factors are presented here as the good ISM practices of the organization that will help to achieve its business objectives. Table 3 presents the SAP-LAP analysis of the cases under study.

ISM has been given a high priority in ITComp 1. With a comprehensive corporate policy and a global information security advisor, different regions have their own dedicated information security leads to manage it locally.
With the help of annual training and regular communications through newsletters on information security issues, ITComp 1 has built a good information security culture in the organization. There are annual audits conducted once by the internal team, and once by an external trusted third party, to check the organization's compliance with its policies, guidelines, existing laws, and regulations. With a compliance ratio of 60:40, employees need to be regularly educated on ISM good practices and their compliance behavior. As highlighted, more support is required in terms of budget and manpower to effectively manage organizational ISM functions. Ultimately, with its sound ISM practices and strict regulations compliance, ITComp 1 gains competitive advantage, avoids information security breach incidents and wins the trust of its clients/customers.

As a technology solutions provider, ITComp 2 sets the benchmark for managing information security by its own practices. The company owns ISO/IEC 27001 ISM certification along with BS 25999 certification for business continuity management. The security operation center and network operation center have dedicated command over various ISM functions of the organization. With a compulsory web module and e-learning training, employees are trained and aware of their roles and responsibilities for ISM. The organization has a resource risk management plan for every critical IT and non-IT business asset. The key learning derived from the case of ITComp 2 is that 'information security is not a hindrance to productivity, if managed properly'. There can be a forum or platform in the organization where employees can discuss and raise concerns regarding issues related to ISM. The good ISM practices of ITComp 2 have ensured effective risk management, business continuity, and minimized information security incidents for its customers across 22 European countries and others.

Table 3 SAP-LAP analysis of cases (entries for Case A, ITComp 1, and Case B, ITComp 2)

Situation
- Top management is concerned and shows support for information security functions
- Top management is concerned and provides required resources for various ISM activities of the organization
- Information security is among the top ten management risks for the company
- Company has a documented information security policy
- There is a specific information security policy in the organization that defines roles, responsibilities and accountabilities of employees
- There is a policy on employees' behavior for data privacy, data security and information security
- Employees are aware of their information security roles, responsibilities and accountabilities
- The same approach and deployment for information security for every geography globally
- There is a compulsory e-learning training module for every employee, trainee and third party employee
- Company has ISO/IEC 27001 Information Security Management System certification
- Company owns two ISO/IEC 27001 certified data centers
- Company has BS 25999 standard certification for business continuity management
- Periodic external information security audits conducted by trusted third party
- External audits being conducted once in a year
- Internal information security audit conducted by information security lead, once in a year
- Internal information security audits being conducted periodically on 6 months
- Strict monitoring for compliance of information security policies and guidelines
- Employees' information security compliance ratio is around 60:40 (comply full-heartedly : still doing the journey)

Actor
- Chief executive officer (CEO)
- A global advisor for information security
- Information security manager
- Information security lead
- Steering committee for ISM
- Information infrastructure team
- Network operation center (NOC)
- Security operation center
- Internal audit team
- External information security auditor
- PricewaterhouseCoopers (external auditor)
- Employees
- Clients/customers
- Contractors/third party vendors

Process
- Regular coordination and communication among global information security advisor, information security lead and local teams
- Steering committee for gathering employees' information security training requirements and conducting trainings accordingly
- Information security committee meeting on quarterly basis to review and update information security policies and their legal compliance
- Audit reports are submitted to steering committee to check for any deviations
- Periodic internal as well as external audits to check whether to build additional operational systems to comply with organizational information security policy/guidelines
- Internal information security audits conducted periodically at 6 months
- Annual external information security audit
- Once in a year online information security training for employees
- A specific column on information security in monthly newsletter of organization
- Information security issues are discussed quarterly in group/department specific newsletter
- Proper documentation for each and every process
- A well defined and documented risk management process for each department
- Asset classification based on criticality and ownership
- Resource shadowing, i.e. back-up of critical tangible and non-tangible assets including human resources
- There is a defined process of taking incremental back-up on daily basis and complete back-up at weekends
- Password policy to change system and application passwords within maximum 90 days
- Security approval for downloading or uploading any data from company network
- Non-disclosure agreement to be signed by contractors/third party vendors

Learning
- Clear communication of information security policies, guidelines, acceptable behavior and consequences of non-compliance to employees, contractors and vendors leads to better compliance behavior
- Information security is not a hindrance, it ensures productivity against risks
- Top-down and bottom-up, both way communications are essential to build an information security informed workforce in the organization
- Identifying critical business assets, associated risks and mitigation plans is necessary for continuity of business processes
- Continuous information security education of employees is a must to build a human firewall for information security
- Information security is not a one stop situation, it is an ongoing activity
- Regular information security awareness programs help to create an information security culture in the organization
- A consistent top management support encourages employees' compliance behavior to information security policies and guidelines of the organization
- Good ISM practices give additional trust and confidence to clients/customers
- Resource risk assessment is critical to select appropriate information security controls
- There is an overlap in information security and data privacy

Action
- There can be a forum for employees where they can raise or discuss various information security related issues among themselves
- Continuous education for employees on information security to keep them updated on information security issues
- Awareness among employees related to information security to reduce unintentional policy violation incidents/cases
- More resources in terms of budget and manpower can be provided to effectively manage various information security functions in the organization

Performance
- Quick incident response and recovery
- Ensure business continuity
- Uninterrupted business processes
- Minimize losses because of information security incidents
- Stay ahead of competitors in business
- Avoid data/information leak that may result in legal penalties
- Trust to clients/customers
- Compliance to information security and data privacy laws/regulations
- Effective risk management
Implications

For a global firm, information security counts among the top business risks. A consistent top management commitment is the key driving force towards overcoming this risk. Setting the right strategy and aligning information security needs to the business objectives of the organization is the responsibility of the board and top executives (Knapp et al. 2006). Therefore, it becomes essential to have a corporate information security governance plan to guide ISM practices of the organization across different regions globally. In the current threat scenario (internal as well as external), considering information security as a critical element for uninterrupted business processes, a dedicated ISM policy covering multiple aspects, such as defining roles, responsibilities and accountabilities of employees as well as contractors/third party vendors; risk assessment and management; asset classification and control; business continuity and disaster management, etc., is mandatory. It is important to review and update the information security policy with the changing business requirements and environmental needs (e.g. technology, legal/regulatory requirements, etc.) of the organization. Thus, the role of the information security steering committee becomes pivotal. Regular communication at all levels keeps everyone in the hierarchy informed about various risks/threats, vulnerabilities, countermeasures, and the latest developments in the area. Gathering requirements and accordingly providing relevant training to employees keeps them up-to-date and ready to counter any information security breach incident (Puhakainen and Siponen 2010), and thus builds a strong information security culture in the organization. Sharing best practices from different locations helps in learning from the successful experiences of others, as evident in the case of ITComp 1. Periodic internal as well as external information security audits are helpful in monitoring employees' compliance with the organization's information security policies/guidelines and its adherence to the relevant laws/regulations. Monitoring employees' compliance behavior is a great challenge. It was observed during the interview that,

…though these things (information security practices) facilitate business, but still, with market change there is a focus on getting revenues rather than putting information security as a fore-front thing. At the end of the day, we are all here to do business. So, it is good, but sometimes, laws, policies or controls are so stringent that it hinders the business…

There is nothing like 100 % security, because all possible risks, threats and vulnerabilities are never known. Many times, there are unidentified links and dependencies among different systems which cascade the effects of information security incidents (Ahmad et al. 2012). To reduce losses and maintain business continuity, it is always recommended to take back-ups of critical business applications and processes. As humans are the most unpredictable beings, the resource back-up technique used in ITComp 2 is noteworthy. Clearly defined roles, responsibilities and processes for disaster and incident cases give assurance to the management as well as clients/customers that the critical data are safe and the company can resume its operations with minimum loss or delay. An organization which has an ISM certification gives additional trust to its clients/customers that their data is in safe hands.
Conclusion

In a dynamic environment where organizations have become, to an extent, over-dependent on IT/ICT tools or media for conducting business, technology alone is unable to provide a solution to organizational information security needs and challenges. Thus, having an appropriate set of technology is required, but is not sufficient. Organizations need a balanced approach to the various technical, human and organizational challenges of ISM (Werlinger et al. 2009). Having clearly defined policies along with management processes for their implementation is crucial to address the challenge. The present study aspires to understand and examine the current ISM practices of two large size, global IT and management services and consulting organizations. In an exploratory approach, the cases have been analyzed using the SAP-LAP method of inquiry. The findings of the study cannot be generalized, as this is an examination of the ISM practices of two specific companies, one from India and another from Germany. However, the learning derived from the cases can definitely be useful for other organizations. As a limitation of this study, the effects of local culture on the various ISM practices of the organizations were not examined; this opens the possibility for future research. As the present study examines two large size organizations operating in the IT and services domain, it will also be interesting to see the practices of small and medium size companies functioning in similar as well as different areas. As a further extension of this study, the authors are also interested in examining the interplay of the identified ISM factors. It would be worth finding the linkages among the factors and the causal relationships among them. That could further be tested empirically and the implications drawn from it would help practitioners to manage various ISM functions in organizations.

Acknowledgments The authors wish to thank the Deutscher Akademischer Austauschdienst (DAAD) for providing financial assistance to conduct this research study. Also, we are grateful to the interview participants for their valuable time and inputs that made this study possible.
References

Ahmad, A., Hadgkiss, J., & Ruighaver, A. B. (2012). Incident response teams: Challenges in supporting the organizational security function. Computers & Security, 31(5), 643–652.
Albrechtsen, E., & Hovden, J. (2010). Improving information security awareness and behavior through dialogue, participation and collective reflection: An intervention study. Computers & Security, 29(8), 432–445.
Babbie, E. (2004). The practice of social research. Belmont, CA: Wadsworth/Thomson Inc.
Chang, E. C., & Ho, C. B. (2006). Organizational factors to the effectiveness of implementing information security management. Industrial Management & Data Systems, 106(3), 345–361.
Chaturvedi, M., Gupta, M. P., & Bhattachrya, J. (2011). Information security issues with emerging next generation networks in Indian context. In Proceedings of 8th international conference on E-Governance (pp. 78–90). Institute of Management, Nirma University, Ahmedabad, India.
Creswell, J. W. (1994). Research design: Qualitative and quantitative approaches. London: Sage.
Ernst & Young. (2012). Fighting to close the gap: Global information security survey. http://www.ey.com/Publication/vwLUAssets/Fighting_to_close_the_gap:_2012_Global_Information_Security_Survey/$FILE/2012_Global_Information_Security_Survey___Fighting_to_close_the_gap.pdf.
Gupta, M. P., Kumar, P., & Bhattacharya, J. (2004). Government online: Opportunities and challenges. Meeting security challenges in e-Governance. New Delhi: TMH.
Hagen, J. M., Albrechtsen, E., & Hovden, J. (2008). Implementation and effectiveness of organizational information security measures. Information Management & Computer Security, 16(4), 377–397.
Hone, K., & Eloff, J. H. P. (2002). What makes an effective information security policy? Network Security, 2002(6), 14–16.
Hong, K. S., Chi, Y. P., Chao, L. R., & Tang, J. H. (2003). An integrated system theory of information security management. Information Management & Computer Security, 11(5), 243–248.
Horrocks, I. (2001). Security training: Education for an emerging profession. Computers & Security, 20(3), 219–226.
Hu, Q., Dinev, T., Hart, P., & Cooke, D. (2012). Managing employee compliance with information security policies: The critical role of top management and organizational culture. Decision Sciences, 43(4), 615–659.
Humphreys, E. (2008). Information security management standards: Compliance, governance and risk management. Information Security Technical Report, 13(4), 247–255.
Husain, Z., Sushil, & Pathak, R. D. (2002). A technology management perspective on collaborations in Indian automobiles industry: A case study. Journal of Engineering Technology Management, 19(2), 167–201.
ISO/IEC 27001:2005. (2005). Information Technology: Security techniques: Information security management systems: Requirements.
Kak, A. (2004). Strategic management, core competence and flexibility: Learning issues for select pharmaceutical organizations. Global Journal of Flexible Systems Management, 5(4), 1–16.
Kankanhalli, A., Teo, H. K., Tan, B. C. Y., & Wei, K. K. (2003). An integrative study of information systems security effectiveness. International Journal of Information Management, 23(2), 139–154.
Knapp, K. J., Marshall, T. E., Rainer, R. K., & Morrow, D. W. (2006). The top information security issues facing organizations: What can government do to help? Information Security and Risk Management, 2006, September/October (pp. 51–58).
Ma, Q., Johnston, A. C., & Pearson, J. M. (2008). Information security management objectives and practices: A parsimonious framework. Information Management & Computer Security, 16(3), 251–270.
Puhakainen, P., & Siponen, M. (2010). Improving employees' compliance through information systems security training: An action research study. MIS Quarterly, 34(4), 757–778.
Sushil. (2000). SAP-LAP models of inquiry. Management Decision, 38(5), 347–353.
Sushil. (2001). SAP-LAP models. Global Journal of Flexible Systems Management, 2(2), 55–61.
Thakkar, J., Kanda, A., & Deshmukh, S. G. (2008a). A conceptual role interaction model for supply chain management in SMEs. Journal of Small Business and Enterprise Development, 15(1), 74–95.
Thakkar, J., Kanda, A., & Deshmukh, S. G. (2008b). Interpretive structural modeling (ISM) of IT-enablers for Indian manufacturing SMEs. Information Management and Computer Security, 16(2), 113–136.
Upfold, C. T., & Sewry, D. A. (2005). An investigation of information security in small and medium enterprises (SMEs) in the Eastern Cape. In Proceedings of the ISSA-2005 new knowledge today conference, South Africa.
Veiga, A. D., & Eloff, J. H. P. (2010). A framework and assessment instrument for information security culture. Computers & Security, 29(2), 196–207.
Veiga, A. D., Martins, N., & Eloff, J. H. P. (2007). Information security culture: Validation of an assessment instrument. Southern African Business Review, 11(1), 147–166.
von Solms, B., & von Solms, R. (2004). The 10 deadly sins of information security management. Computers & Security, 23(5), 371–376.
Werlinger, R., Hawkey, K., & Beznosov, K. (2009). An integrated view of human, organizational, and technological challenges of IT security management. Information Management & Computer Security, 17(1), 4–19.
Key Questions
1. What are the prevailing information security management practices in your organization and industry?
2. What are the key challenges of information security management in your organization?
3. Identify the various situations, actors, and processes related to information security management in your organization.
4. What are the key learnings derived from the various information security management practices of your organization? Identify the key actions and how they affect the overall performance of your organization.
Author Biographies
Abhishek Narain Singh is a PhD Scholar in the Department of Management Studies, Indian Institute of Technology Delhi, India. Mr. Singh holds Master's and Bachelor's degrees in Computer Science and Engineering. His current research interests include information security management and e-Governance. He has presented his research work at national and international fora. He was a visiting scholar at Ludwig-Maximilians-University, Munich, Germany, under the 'Doctoral Student Exchange Program' as a fellow of the Deutscher Akademischer Austausch Dienst.
Arnold Picot is a Professor of Business Administration at the Munich School of Management (Ludwig-Maximilians-University), Munich, Germany, and the Director of the Institute for Information, Organization, and Management. His research focuses on the interdependencies between information and communication technologies and the structures of organizations and markets. He has published numerous books and articles dealing with information and communication management and the evolution of strategies and organizational forms, including topics such as office communication, electronic data interchange, telecommunications, electronic markets, virtual organization, and regulation. He holds several editorial positions and is a member of the Bavarian Academy of Sciences.
Johann Kranz is an Assistant Professor of Business Information Systems and Chair of Management Information Systems and Methods at the University of Goettingen, Germany. He obtained his PhD from Ludwig-Maximilians-University at the Munich School of Management, Germany, and was a visiting scholar at Columbia University, New York. He holds a Master's degree in Business Information Systems from the University of Leipzig and a Master's degree in business research from the University of Munich. His primary research interests include IT-service innovations, Green-IS, Strategic IT Management, and e-commerce. His research has been published in Energy Policy and in various proceedings of leading information systems and management conferences.
M. P. Gupta is Professor and Chair of Information Systems & E-governance at the Department of Management Studies, Indian Institute of Technology Delhi, India. He has contributed significantly to the areas of e-commerce and e-governance. He has also authored/co-authored the book ''Government Online: Opportunities and Challenges'' and several papers that have appeared in national and international journals and conference proceedings. He founded the 'International Conference on E-governance' (ICEG) in 2003, which is now in its 10th year. He is involved in several policy-making committees on ICT in the Central and State Governments in India. He is the recipient of the Best Professor Award in 2012 in Singapore and of the prestigious Humanities & Social Sciences (HSS) fellowship of the Shastri Indo-Canadian Institute, Calgary (Canada), and was a Visiting Fellow at the University of Manitoba in 1996.
Amitabh Ojha is a senior civil servant with the Government of India. He has had tenures as a Second Secretary at the High Commission of India, London, and as a Director with the Government of India, Ministry of Development of North Eastern Region, New Delhi. Dr. Ojha holds a doctoral degree from the Indian Institute of Technology Delhi, India. His research interests include e-Government adoption, the effect of e-Government on citizens' trust in government agencies, and administrative reforms through e-Government. His research has been published in various national and international journals.