
Chapter 4: Data Analysis - Shodhganga


Chapter 4: Data Analysis

A Study of Information Security Policies Page 76

CHAPTER 4

DATA ANALYSIS

4.1 INTRODUCTION:

For every researcher, data analysis is the most important task in the entire research process. It is the next step after data collection. Data collected by the researcher must be scientifically and systematically processed and analyzed in order to achieve the objectives of the research study. Data processing involves editing, coding, classification and tabulation of the collected data so that it is completely ready for analysis in all respects. Data analysis refers to calculations and computations on the data based on certain parameters, along with a search for patterns of relationship among data groups, which are then tested against the hypothesis of the study with the support of statistical tools.

The researcher has collected data from selected IT companies. This data is classified into three groups, namely software, BPO and hardware. The data is then segregated into all twelve domains of security policy, and coding of the data is done with the help of MS Excel. A final master copy of the consolidated data for all IT companies is made in MS Excel and then imported into SPSS [1]. Data analysis techniques such as frequency distribution, chi-square test and cross tabulation are carried out with SPSS in order to test the hypothesis.

4.2 TESTING OF HYPOTHESIS:

A hypothesis is the principal element in research [2]. The main function of a hypothesis is to suggest new principles, laws or observations. A hypothesis can be defined as a simple assumption or supposition to be proved or disproved.

4.2.1 Hypothesis Tests:

Researchers follow a formal process to determine whether to accept or reject a null hypothesis, based on sample data. This process is called hypothesis testing. It involves stating the null and alternative hypotheses. The hypotheses are stated in such a way that they are mutually exclusive; that is, if one is true, the other must be false. An important concept in hypothesis testing is the level of significance. It is always some percentage, and the same level should usually be applied throughout.

The hypothesis may not be proved absolutely, but in practice it is accepted if it has withstood critical testing. The researcher has tried to prove the hypothesis by considering various parameters associated with it. These parameters were selected from the various domains of security policy that are correlated with the hypothesis.

Table 4.2.2: Domains of Policy and Major Parameters for data analysis.

| Sl. No. | Policies Under Domain | Major Parameters |
|---|---|---|
| 1 | User-Access | Existence, Training, IT plan, Risk, Resistance, password, user authorization and profile, Group user account |
| 2 | Data-Access | Password, read only permissions, IT plan, Risk |
| 3 | Physical-access | User ID card, automatic door-lock, password, permission to storage media, policy existence, Best practices |
| 4 | Internet-access | IT plan, Risk, policy existence, implementation |
| 5 | E-mail policy | Company e-mail account, user profile, Risk, Audit |
| 6 | Software Acquisition | Vendor analysis, steering committee, performance rating documented policy, IT plan, Risk, implementation |
| 7 | Hardware Acquisition | Hardware Inventory management, Non-disclosure agreement, IT plan, Risk, Maintenance Agreement |
| 8 | Outsourcing | Contract, sharing of resources, timeframe, existence |
| 9 | Digital Sign | Private and Public keys, key maintenance, existence |
| 10 | Network/Telecom | Client-server Architecture, Firewall, VPN, IT Plan |
| 11 | BCP/DRP | BDC, backup process, data loss, IT infrastructure |
| 12 | Security Structure | Existence, security team, training, IT plan, Risk |


4.3. ANALYSIS OF DOMAIN RELATED QUESTIONS:

The researcher first considers the analysis of the domain-related questions and then the critical analysis of the hypothesis-related questions.

Domain 1: User Access Policy or Accepted usage Policy:

Table 4.3.1.1: Respondent for existence of user policy * comp_type

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you have user access policy for organization? | No | 0 | 1 | 0 | 1 |
| | Yes | 15 | 14 | 15 | 44 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.1.1: Distribution for existence of user policy for organization

[Chart: "Do you have user-access policy for organization?" Data labels: 44, 98%; 1, 2%. Legend: Yes, No.]

Table and Chart 4.3.1.1 show that 44 of the 45 companies have a user policy. This implies that 98% of companies have user policies and only 2% of companies do not have a user policy for their organization.


Table 4.3.1.2: Respondent for user authorization * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Whether all users are authorized users? | No | 1 | 2 | 0 | 3 |
| | Yes | 14 | 13 | 15 | 42 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.1.2: Distribution for organizations with user authorization.

[Chart: "Whether all users are authorized users?" Data labels: 42, 93%; 3, 7%; 0, 0%. Legend: Yes, No, not sure.]

Table and Chart 4.3.1.2 indicate that, of the total sample of 45 companies, 42 companies follow the rule for user authorization. This further indicates that 93% of companies have user authorization and the remaining 7% of companies do not follow the rule for authorization of users.


Table 4.3.1.3: Respondent for user authorization based on user profile * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Whether user authorization is based on user profile? | No | 0 | 0 | 0 | 0 |
| | Yes | 15 | 15 | 15 | 45 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.1.3: Respondent with user authorization based on user profile * comp_type.

[Chart: "Whether user authorization is based on user profile?" Data labels: 45, 100%; 0, 0%; 0, 0%. Legend: Yes, No, not sure.]

From the above table and chart 4.3.1.3 it is very clear that all 45 companies have user authorization based on user profile. This indicates that 100% of companies have made it a strict requirement that user access must be based on user policy, which also shows that companies not only have information user policies but are also implementing these policies rigorously.


Table 4.3.1.4: Respondent for user policy based training * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Whether policy based training was given to the users? | No | 0 | 2 | 0 | 2 |
| | Yes | 15 | 13 | 15 | 43 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.4: Respondent for user policy based training

[Chart: "Whether policy based training was given to the users?" Data labels: 43, 96%; 2, 4%; 0, 0%. Legend: Yes, No, not sure.]

The table and chart 4.3.4 show that 43 of the 45 companies provide user policy based training to their users, while only two companies have not provided policy based training. 96% of IT companies provide policy based training to the users and 4% of companies do not provide policy based training.


Table 4.3.1.5: Respondent for user's resistance * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Was there any resistance from the users to implement this policy? | NR | 1 | 0 | 0 | 1 |
| | No | 12 | 12 | 13 | 37 |
| | Yes | 2 | 3 | 2 | 7 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.1.5: Respondent for user's resistance.

[Chart: "Was there any resistance from the users to implement this policy?" Data labels: 7, 16%; 37, 82%; 1, 2%. Legend: Yes, No, not sure.]

Table and Chart 4.3.1.5 show that 37 companies faced no resistance from users, while 7 companies faced the problem of resistance from users. There was no response from one company. Hence, for 82% of companies there was no resistance from users.


Table 4.3.1.6: Respondent for IT plan changed with policy * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Whether your user policy changes with the IT Plan? | NR | 0 | 1 | 0 | 1 |
| | No | 1 | 4 | 1 | 6 |
| | Yes | 14 | 10 | 14 | 38 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.1.6: Respondent for IT plan changed with policy.

[Chart: "Whether your user policy changes with IT plan?" Data labels: 38, 85%; 6, 13%; 1, 2%. Legend: Yes, No, not sure.]

Table and Chart 4.3.1.6 show that, of the total sample of 45 companies, 38 companies' user policy changes with the IT plan, and 6 companies have stated that their user policy does not change with the IT plan. One company gave a "not sure" response to this question. Hence, for 85% of companies the user policy changes with a change in their IT plan.


Table 4.3.1.7: Respondent for risk in existing user policy * comp_type

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Is there any risk in your existing user policy? | NR | 0 | 2 | 0 | 2 |
| | No | 15 | 11 | 14 | 40 |
| | Yes | 0 | 2 | 1 | 3 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.1.7: Respondent for risk in existing user policy

[Chart: "Is there any risk in your existing user policy?" Data labels: 3, 7%; 40, 89%; 2, 4%. Legend: Yes, No, not sure.]

Table and Chart 4.3.1.7 show that 40 of the 45 companies do not have any risk in their existing policy, while users of 3 companies feel that there is some risk in their existing policy, and the remaining 2 companies are not sure about this. Hence, 89% of companies responded that there is no risk in their existing user access policy.


Table 4.3.1.8: Respondents for specific time slot for login and logout * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you have specific time slot for Login and Log out? | NR | 1 | 0 | 0 | 1 |
| | No | 4 | 13 | 14 | 31 |
| | Yes | 10 | 2 | 1 | 13 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.1.8: Respondents for specific time slot for login and logout.

[Chart: "Do you have specific time slot for Login and Log out?" Data labels: 13, 29%; 31, 69%; 1, 2%. Legend: Yes, No, not sure.]

Table and Chart 4.3.1.8 show that 13 companies have a specific time slot for login and logout, and 31 companies do not follow login and logout from specific terminals. One company is not sure about it. This implies that login and logout from specific terminals is applicable for only 13% of companies.


Table 4.3.1.9: Respondents for length of password more than 4 * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Whether the length of password is more than 4? | No | 0 | 2 | 0 | 2 |
| | Yes | 15 | 13 | 15 | 43 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.1.9: Respondents for length of password more than 4

[Chart: "Whether the length of password is more than 4?" Data labels: Yes 43, 96%; No 2, 4%.]

Table and Chart 4.3.1.9 show that for 43 companies it is mandatory that the length of the password be more than 4, and for two companies it is not. That means 96% of companies consider this necessary to protect user information.


Table 4.3.1.10: Respondents for single user and group user accounts * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you have single user accounts and group accounts both? | NR | 0 | 0 | 0 | 0 |
| | No | 3 | 5 | 5 | 13 |
| | Yes | 12 | 10 | 10 | 32 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.1.10: Respondents for single user and group user accounts.

[Chart: "Do you have single user accounts and group accounts both?" Data labels: 32, 71%; 13, 29%; 0, 0%. Legend: Yes, No, not sure.]

As per Table and Chart 4.3.1.10, from the total sample of 45 IT companies, which includes 15 software, 15 hardware and 15 BPO companies, the researcher has found 32 IT companies in which users have separate single user and group user accounts. Hence, 71% of companies provide both single user and group user accounts.


Table 4.3.1.11: Respondents for disabling user account * comp_type

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Whether user account can be disabled if he or she is not on the task or duty? | No | 3 | 6 | 3 | 12 |
| | Yes | 12 | 9 | 12 | 33 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.1.11: Respondents for disabling user account

[Chart: "Whether user account can be disabled if he or she is not on the task or duty?" Data labels: 33, 73%; 12, 27%; 0, 0%. Legend: Yes, No, not sure.]

From Table and Chart 4.3.1.11, 33 IT companies disable a user account if the user is not on the task or duty, while the remaining twelve companies do not follow this. This means that in 73% of companies a user account can be disabled if he or she is not on the task or duty, whereas for 27% of companies it is not applicable.


Table 4.3.1.12: Respondents for logging in from specific terminals * company type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Is it mandatory for you to login from specific terminal? | No | 4 | 11 | 12 | 27 |
| | Yes | 11 | 4 | 3 | 18 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.1.12: Respondents for logging in from specific terminals

[Chart: "Is it mandatory for you to login from specific terminal?" Data labels: 17, 38%; 28, 62%; 0, 0%. Legend: Yes, No, not sure.]

The table and chart 4.3.12 show that only 17 companies restrict users to logging in from specific terminals, while 28 companies do not have this restriction. Thus, only 38% of companies follow this mandatory login from a specific terminal.


Table 4.3.1.13: Respondent for event viewer tool * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you have event viewer tool for monitoring the users on terminals? | NR | 1 | 0 | 1 | 2 |
| | No | 1 | 7 | 3 | 11 |
| | Yes | 13 | 8 | 11 | 32 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.1.13: Respondent for event viewer tool

[Chart: "Do you have event viewer tool for monitoring the users on terminals?" Data labels: 32, 71%; 11, 24%; 2, 5%. Legend: Yes, No, not sure.]

Table and Chart 4.3.1.13 show that the event viewer tool is monitored by 32 IT companies, while 11 companies do not have this tool and the remaining two IT companies are not sure about this question. Thus, only 71% of companies have an event viewer tool for monitoring users on the terminals.


Table 4.3.1.14: Respondent for development of user policy * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Have you adopted the policy immediately after establishment of your company? | NR | 0 | 1 | 0 | 1 |
| | No | 0 | 3 | 0 | 3 |
| | Yes | 15 | 11 | 15 | 41 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.1.14: Respondent for development of user policy.

[Chart: "Have you adopted the policy immediately after the establishment of your company?" Data labels: 41, 91%; 3, 7%; 1, 2%. Legend: Yes, No, not sure.]

Table and Chart 4.3.1.14 show that 41 companies adopted the policies immediately, while 3 companies did not adopt them immediately. There was no response from one company. Hence, 91% of companies have adopted the policies immediately.


4.3. DOMAIN 2: Data Access Policy:

This policy is usually helpful to organizations from the point of view of complete protection of data.

Table 4.3.2.1: Respondents for sharing information in digital form * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Whether organization adopted policies or guidelines regarding access to, and sharing of data in digital form? | No | 0 | 4 | 0 | 4 |
| | Yes | 15 | 11 | 15 | 41 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.2.1: Respondents for sharing information in digital form

[Chart: "Whether organization adopted policies or guidelines regarding access to, and sharing of data in digital form?" Data labels: 41, 91%; 4, 9%; 0, 0%. Legend: Yes, No, not applicable.]

Table and Chart 4.3.2.1 show that 91% of companies have adopted policies for sharing data in digital form, while 9% of companies have not adopted them.


Table 4.3.2.2: Respondents for the data access policy supporting existing IT plan * company type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Does the policy support your existing IT plan? | NR | 0 | 3 | 0 | 3 |
| | No | 0 | 1 | 0 | 1 |
| | Yes | 15 | 11 | 15 | 41 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.2.2: Respondents for the data access policy supporting existing IT plan.

[Chart: "Does the policy support your existing IT plan?" Data labels: 41, 91%; 1, 2%; 3, 7%. Legend: Yes, No, not applicable.]

Table and Chart 4.3.2.2 show that 41 companies have data access policies which support their IT plan. It is not applicable to 3 companies, and only one company's policy does not support its existing IT plan. This means 91% of companies have a data access policy which supports their existing IT plan.


Table 4.3.2.3: Respondent for the risk after adoption of the policy * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Is there any risk after adoption of this policy? | NR | 0 | 2 | 0 | 2 |
| | No | 14 | 12 | 14 | 40 |
| | Yes | 1 | 1 | 1 | 3 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.2.3: Respondent for the risk after adoption of the data access policy.

[Chart: "Is there any risk after adoption of this policy?" Data labels: 3, 7%; 40, 89%; 2, 4%. Legend: Yes, No, not applicable.]

Table and Chart 4.3.2.3 show that 40 companies do not find any risk after adoption of this policy, and 3 companies might have found risk after adoption of the policy. It is not applicable to the remaining two companies. Hence, 89% of companies have no risk after adoption of the data access policy.


Table 4.3.2.4: Respondent for virus protection software * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Have you purchased virus protection software or subscription? | No | 0 | 2 | 0 | 2 |
| | Yes | 15 | 13 | 15 | 43 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.2.4: Respondent for virus protection software

[Chart: "Have you purchased virus protection software or subscription?" Data labels: 43, 96%; 2, 4%; 0, 0%. Legend: Yes, No, not applicable.]

From the above table and chart 4.3.2.4, the number of companies which have purchased virus protection software (antivirus) is 43 out of 45. The remaining two companies have not purchased virus protection software. This table and graph indicate that 96% of companies have virus protection software, which is one of the aspects of threat and security.


Table 4.3.2.5: Respondents for usage of portable storage media * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you allow your staff to use or receive data from other storage media like Floppy, CD-ROM or flash Drive? | No | 13 | 9 | 15 | 37 |
| | Yes | 2 | 6 | 0 | 8 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.2.5: Respondents for usage of portable storage media

[Chart: "Do you allow your staff to use or receive data from other storage media like Floppy, CD-ROM or flash Drive?" Data labels: 8, 18%; 37, 82%; 0, 0%. Legend: Yes, No, not applicable.]

Table and Chart 4.3.2.5 show that 37 companies do not allow staff to use or receive data from other storage media such as floppy, CD-ROM or flash drive. Hence, 82% of companies do not permit their staff to receive data from any of the storage media.


Table 4.3.2.6: Respondents for use of pirated or unlicensed software * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Does your staff use any other pirated or unlicensed copies of the software? | No | 15 | 9 | 12 | 36 |
| | Yes | 0 | 6 | 3 | 9 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.2.6: Respondents for use of pirated or unlicensed software.

[Chart: "Does your staff use any other pirated or unlicensed copies of the software?" Data labels: 9, 20%; 36, 80%; 0, 0%. Legend: Yes, No, not applicable.]

From Table and Chart 4.3.2.6, there are 36 companies which do not use pirated software, and 9 companies are still using pirated software. Hence, 80% of companies are not using pirated or unlicensed software.


Table 4.3.2.7: Respondents with read-only permissions * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you provide read-only permission to specific data? | No | 1 | 2 | 0 | 3 |
| | Yes | 14 | 13 | 15 | 42 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.2.7: Respondents with read-only permissions.

[Chart: "Do you provide read-only permission to specific data?" Data labels: 42, 93%; 3, 7%; 0, 0%. Legend: Yes, No, not applicable.]

Table and Chart 4.3.2.7 show that 42 companies protect their data based on read-only permission. Only 3 companies do not protect their data with read-only permission. Hence, 93% of companies prefer to use read-only permission for protection of data.


Table 4.3.2.8: Respondents for access to specific hardware * comp_type

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Have you allotted use of specific hardware resources to provide access to specific group of people? | No | 2 | 3 | 4 | 9 |
| | Yes | 13 | 11 | 12 | 36 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.2.7.8: Respondents for access to specific hardware

[Chart: "Have you allotted use of specific hardware resources to provide access to specific group of people?" Data labels: 36, 80%; 9, 20%; 0, 0%. Legend: Yes, No, not applicable.]

Table and Chart 4.3.2.8 show that 80% of companies allow access to specific resources to a specific group of people, while 20% of companies do not follow this rule.


Table 4.3.2.9: Respondents for sharing of research data to become policy issue * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you expect access to, and sharing of, research data to become a policy issue of significant importance over the next 3 years? | NR | 0 | 2 | 0 | 2 |
| | No | 3 | 4 | 2 | 9 |
| | Yes | 12 | 9 | 13 | 34 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.2.9: Respondents for sharing of research data to become policy issue.

[Chart: "Do you expect access to, and sharing of, research data to become a policy issue of significant importance over …" Data labels: 34, 76%; 9, 20%; 2, 4%. Legend: Yes, No, not applicable.]

As shown in Table and Chart 4.3.2.9, of the total 45 companies, employees from 34 companies feel that sharing of research data may become a policy issue of significant importance over the next three years.


Table 4.3.2.10: Respondents for dumb terminals * comp_type

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you use only dumb terminals? | NR | 2 | 0 | 0 | 2 |
| | No | 10 | 13 | 12 | 35 |
| | Yes | 3 | 2 | 3 | 8 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.2.10: Respondents for dumb terminals

[Chart: "Do you use only dumb terminals?" Data labels: 8, 18%; 35, 78%; 2, 4%. Legend: Yes, No, not applicable.]

From Table and Chart 4.3.2.10, only 8 companies have dumb terminals, 35 companies do not have only dumb terminals, and this is not applicable for two companies. Hence, only 18% of companies have dumb terminals.


Table 4.3.2.11: Respondents for policy implementation * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Are you implementing this policy immediately after it was developed? | NR | 0 | 1 | 0 | 1 |
| | No | 14 | 9 | 14 | 37 |
| | Yes | 1 | 5 | 1 | 7 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.2.11: Respondents for policy implementation immediately.

[Chart: "Are you implementing this policy immediately after it was developed?" Data labels: 7, 16%; 37, 82%; 0, 0%. Legend: Yes, No, not applicable.]

Chart and Table 4.3.2.11 indicate that 82% of companies have started implementing data access policy before the last two years and 16% have not started implementing it since the last two years.


Table 4.3.2.12: Respondents for data redundancy * comp_type

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you avoid data redundancy for maximum utilization of storage media? | NR | 1 | 0 | 0 | 1 |
| | No | 3 | 4 | 4 | 11 |
| | Yes | 11 | 11 | 11 | 33 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.2.12: Respondents for data redundancy

[Chart: "Do you avoid data redundancy for maximum utilization of storage media?" Data labels: 33, 73%; 11, 25%; 1, 2%. Legend: Yes, No, not applicable.]

Table and Chart 4.3.2.12 indicate that 73% of companies avoid data redundancy for maximum utilization of storage media and 25% do not avoid data redundancy for maximum utilization of storage media, while this is not applicable for one company.


Table 4.3.2.13: Respondents for protection of data only by password * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you protect your data only by assigning the password? | No | 5 | 3 | 10 | 18 |
| | Yes | 10 | 12 | 5 | 27 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.2.13: Respondents for protection of data only by password

[Chart: "Do you protect your data only by assigning the password?" Data labels: 27, 60%; 18, 40%; 0, 0%. Legend: Yes, No, not applicable.]

The above table and chart 4.3.2.13 show that 60% of companies protect their data only by assigning a password and 40% of companies do not protect their data only by assigning a password.


4.3.3: DOMAIN 3: Physical Access Policy

This policy addresses physical protection of resources, including employees, hardware and supporting system elements, with control of information in all states, including storage, processing and transmission.

Table 4.3.3.1: Respondents for existence of physical policy * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you have physical access policy? | No | 0 | 4 | 0 | 4 |
| | Yes | 15 | 11 | 15 | 41 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.3.1: Respondents for existence of physical policy

[Chart: "Do you have physical access policy?" Data labels: 41, 91%; 4, 9%; 0, 0%. Legend: Yes, No, not applicable.]

Table and Chart 4.3.3.1 show that 41 companies have their physical policy in place and the remaining 4 companies do not have a physical policy. Hence, 91% of companies have a physical access policy.


Table 4.3.3.2: Respondents for use of identity card at the entry * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you use identity card at entry of the gate or door? | No | 0 | 4 | 0 | 4 |
| | Yes | 15 | 11 | 15 | 41 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.3.2: Respondents for use of identity card at the entry.

[Chart: "Do you use identity card at entry of the gate or door?" Data labels: 41, 91%; 4, 9%; 0, 0%. Legend: Yes, No, not applicable.]

Table and Chart 4.3.3.2 show that 41 companies use identity cards at the entrance and 4 companies do not follow this. This means that 91% of companies use identity cards at the entry.


Table 4.3.3.3: Respondents for use of swipe card at the entrance * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you use swipe card at the entrance? | No | 1 | 5 | 0 | 6 |
| | Yes | 14 | 10 | 15 | 39 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.3.3: Respondents for use of swipe card at the entrance

[Chart: "Do you use swipe card at the entrance?" Data labels: 39, 87%; 6, 13%; 0, 0%. Legend: Yes, No, not applicable.]

Table and Chart 4.3.3.3 indicate that 39 companies have a swipe card facility at the entrance and 6 companies do not have a swipe card facility. Hence, 87% of companies make use of swipe cards at the entrance.


Table 4.3.3.4: Respondents for biometric identification facility * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you have biometric identification facility? | No | 11 | 13 | 12 | 36 |
| | Yes | 4 | 2 | 3 | 9 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.3.4: Respondents for biometric identification facility.

[Chart: "Do you have biometric identification facility? (Thumb impression, facial identification, focal length of retina)" Data labels: 9, 20%; 36, 80%; 0, 0%. Legend: Yes, No, not applicable.]

Table and Chart 4.3.3.4 indicate that 80% of companies have a biometric identification facility and 20% of companies do not have this biometric identification facility.


Table 4.3.3.5: Respondents having automatic door lock facility * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you have automatic door lock facility? | No | 1 | 7 | 0 | 8 |
| | Yes | 14 | 8 | 15 | 37 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.3.5: Respondents having automatic door-lock facility.

[Chart: "Do you have automatic door lock facility?" Data labels: 37, 82%; 8, 18%; 0, 0%. Legend: Yes, No, not applicable.]

Table and Chart 4.3.3.5 show that 37 companies have an automatic door lock facility and 8 companies do not have this automatic door lock facility. This indicates that 82% of companies have an automatic door lock facility, which is a physical access control parameter.


Table 4.3.3.6: Respondents for allowing staff to receive data from other storage media * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you allow your staff to use or receive data from other storage media like Floppy, CD-ROM or flash Drive? | No | 1 | 5 | 0 | 6 |
| | Yes | 14 | 10 | 15 | 39 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.3.6: Respondents for allowing staff to receive data from other storage media

[Chart: "Do you allow your staff to use or receive data from other storage media like Floppy, CD-ROM or flash Drive?" Data labels: 6, 13%; 39, 87%; 0, 0%. Legend: Yes, No, not applicable.]

The above table and chart 4.3.3.6 show that 87% of companies do not allow their staff to receive data from other storage media, as it could be a security concern.


Table 4.3.3.7: Respondents for physical access check with media sensor or scanner * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you use media sensor or scanner for physical access? | No | 5 | 12 | 7 | 24 |
| | Yes | 10 | 3 | 8 | 21 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.3.7: Respondents for physical access check with media sensor

[Chart: "Do you use media sensor or scanner for physical access?" Data labels: 21, 47%; 24, 53%; 0, 0%. Legend: Yes, No, not applicable.]

Table and Chart 4.3.3.7 show that only 47% of companies use a media sensor or scanner for physical access and 53% of companies do not have this physical intruder detection system.


Table 4.3.3.8: Respondents for maintaining manual records of incoming and outgoing persons * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you maintain manual record of incoming and outgoing persons? | No | 2 | 2 | 1 | 5 |
| | Yes | 13 | 13 | 14 | 40 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.3.8: Respondents for maintaining manual records of incoming and outgoing persons.

The above table and chart 4.3.3.8 show that 89% of the companies maintain manual records of incoming and outgoing persons and 11% of the companies do not maintain manual records. This manual record helps to detect the identity of intruders.

Table 4.3.3.9: Respondents showing resistance from their side * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Was there any resistance from the users? | NR | 1 | 0 | 1 | 2 |
| | No | 13 | 15 | 13 | 41 |
| | Yes | 1 | 0 | 1 | 2 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.3.9: Respondents showing resistance from their side.

Table and Chart 4.3.3.9 show that 91% of the companies have not faced any resistance from the employees' side while implementing this policy, 5% of the companies have faced resistance from the employees' side, and there was no response from the remaining 4% of the companies.

Table 4.3.3.10: Respondents for reduction in risk after policy adoption * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Has there been any reduction in the risk after adoption of Internet access policy? | NR | 0 | 1 | 0 | 1 |
| | No | 15 | 10 | 14 | 39 |
| | Yes | 0 | 4 | 1 | 5 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.3.10: Respondents for reduction in risk after policy adoption.

From the table and chart 4.3.3.10, 87% of the companies which are implementing the physical policy can make out that the risk factor is reduced after adoption of this policy. 11% of the companies are not completely sure about the risk factor and 2% of the companies have not responded to this question.

Table 4.3.3.11: Respondents support of policy with existing IT Plan * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Does the physical policy support your existing IT plan? | NR | 0 | 1 | 0 | 1 |
| | No | 0 | 0 | 1 | 1 |
| | Yes | 15 | 14 | 14 | 43 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.3.11: Respondents support of policy with existing IT Plan.

Table and Chart 4.3.3.11 show that the existing IT plan of 96% of the companies supports their existing physical policy, the policy of 1% of the companies does not support their IT plan, and 1% of the companies are not sure about this.

Table 4.3.3.12: Respondents feel policy as best practices * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you feel that it is the best practice for you? | NR | 0 | 1 | 0 | 1 |
| | No | 0 | 2 | 1 | 3 |
| | Yes | 15 | 12 | 14 | 41 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.3.12: Respondents feel policy as the best practices.

From Table and Chart 4.3.3.12, employees of 41 companies feel that implementation of the policy is the best practice for them, employees of 3 companies do not feel that this is the best practice, and there was no response from one company. Hence, 91% of the companies have confirmed that this is the best practice for them.

Table 4.3.3.13: Respondents having video camera to detect intruders * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you have video camera to detect the intruders? | No | 4 | 7 | 3 | 14 |
| | Yes | 11 | 8 | 12 | 31 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.3.13: Respondents having video camera to detect intruders.

Table and Chart 4.3.3.13 indicate that 31 companies have a video camera for intruder detection and 14 companies do not have a camera for intruder detection. Hence, this implies that only 69% of the companies have intruder detection with a video camera and the others do not have this facility.

Table 4.3.3.14: Respondents for implementation of physical policy from current year * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Have you started implementing this policy from current year? | No | 0 | 3 | 2 | 5 |
| | Yes | 15 | 12 | 13 | 40 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.3.14: Respondents for implementation of physical policy from current year.

Table and Chart 4.3.3.14 show that only 5 companies started implementing the policies from the current year, while 40 companies started implementing this policy a few years back. Hence, 89% of the companies have been implementing this physical access policy for the last few years and 11% of the companies are implementing this policy from the current year.

4.3.4: DOMAIN 4: INTERNET ACCESS POLICY

This Internet access policy covers the issues related to existence of policy, training, implementation, change in IT plan, 24-hrs Internet access, subscription for specific sites, and access to specific sites.

Table 4.3.4.1: Respondents for existence of Internet Access policy * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you have Internet access policy? | No | 0 | 0 | 0 | 0 |
| | Yes | 15 | 15 | 15 | 45 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.4.1: Respondents for existence of Internet Access policy.

Table and Chart 4.3.4.1 show that all 45 companies have an Internet Access policy. Hence, 100% of the companies have an Internet Access Policy. This further represents that information security is the need of all IT-enabled global organizations.

Table 4.3.4.2: Respondents for changes in the policy as per IT plan * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Does the policy change as per IT plan? | NR | 0 | 1 | 0 | 1 |
| | Yes | 15 | 14 | 15 | 44 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.4.2: Respondents for changes in the policy as per IT plan.

Table and Chart 4.3.4.2 show that the Internet policy of 44 companies changes with a change in their IT plan. One company has not given any response for this. Hence, for 98% of the companies, the Internet policy of the company changes with a change in IT plans.

Table 4.3.4.3: Respondents for reduction in risk after Internet access policy adoption * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Has there been any reduction in risk after adoption of this policy? | NR | 0 | 1 | 0 | 1 |
| | No | 0 | 3 | 2 | 5 |
| | Yes | 15 | 11 | 13 | 39 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.4.3: Respondents for reduction in risk after Internet access policy adoption.

Table and Chart 4.3.4.3 indicate that, with this Internet access policy, 87% of the companies confirm that there is a reduction in the risk. 11% of the companies cannot predict any reduction in the risk and there was no response from one company.

Table 4.3.4.4: Respondents for 24 hrs Internet access facility * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you have 24-hours Internet access to the users? | No | 2 | 4 | 1 | 7 |
| | Yes | 13 | 11 | 14 | 38 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.4.4: Respondents for 24 hrs Internet access facility.

Table and Chart 4.3.4.4 show that 84% of the companies have 24-hours Internet access for users or employees and 16% of the companies do not provide 24-hours Internet access to the users or employees of the companies.

Table 4.3.4.5: Respondents for access to specific sites * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you provide access to the specific sites? | No | 0 | 5 | 1 | 6 |
| | Yes | 15 | 10 | 14 | 39 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.4.5: Respondents for access to specific sites.

Table and Chart 4.3.4.5 show that 87% of the companies provide access to specific sites only and 13% of the companies have no restriction for access to specific sites. As the access to the sites is restricted, it will help the companies to protect their information.

Table 4.3.4.6: Respondents for paid subscription of sites * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you have paid subscription sites? | No | 12 | 11 | 4 | 27 |
| | Yes | 3 | 4 | 11 | 18 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.4.6: Respondents for paid subscription of sites.

Table and Chart 4.3.4.6 show that only 40% of the companies have paid subscription sites while 60% of the companies do not have paid subscription sites.

Table 4.3.4.7: Respondents using proxy server * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you have a proxy server installed on your network? | NR | 0 | 1 | 1 | 2 |
| | No | 4 | 6 | 1 | 11 |
| | Yes | 11 | 8 | 13 | 32 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.4.7: Respondents using a proxy server.

Table and Chart 4.3.3.7 show that there are 32 companies which have installed a proxy server and 11 companies which do not have a proxy server installed on their network. There is no response from the remaining two companies. Hence, 71% of the companies have installed a proxy server on their network.

Table 4.3.4.8: Respondents for remote login facility * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you have remote login facility? | No | 4 | 5 | 4 | 13 |
| | Yes | 11 | 10 | 11 | 32 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.4.8: Respondents for remote login facility.

Table and Chart 4.3.4.8 show that 71% of the companies have a remote login facility and 29% of the companies do not provide a remote login facility to the users or employees of the companies.

Table 4.3.4.9: Respondents for IP telephony facility * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you provide IP telephony facility? | No | 3 | 8 | 6 | 17 |
| | Yes | 12 | 7 | 9 | 28 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.4.9: Respondents for Internet telephony facility.

Table and Chart 4.3.4.9 indicate that 28 companies have an IP telephony facility while 17 companies do not have this IP telephony facility. Hence, it shows that 62% of the companies have remote login facility and 38% of the companies do not have remote login facility.

Table 4.3.4.10: Respondents for implementation of Internet access policy * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Are you implementing this policy immediately after it was developed? | No | 1 | 6 | 0 | 7 |
| | Yes | 14 | 9 | 15 | 38 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.4.10: Respondents for implementation of Internet access policy.

Table and Chart 4.3.4.10 show that 38 companies are implementing the policy immediately after it was developed and 7 companies are not implementing the same. This shows that 84% of the companies implement the Internet access policy once it is developed.

Table 4.3.4.11: Respondents for Internet policy based training * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Whether Internet policy based training was given to the users? | No | 0 | 2 | 0 | 2 |
| | Yes | 15 | 13 | 15 | 43 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.4.11: Respondents for Internet policy based training.

Table and Chart 4.3.4.11 show that 43 companies have given training to the users and 2 companies have not given any training to the users. Hence, 96% of the companies have given policy based training.

4.3.5: DOMAIN 5: E-mail Policy

This policy takes care of parameters such as organizational e-mail account, policy training and implementation, disk usage quota, access to other e-mail servers, change in policy with the IT plan, restricted use of e-mail account and conduct of Information system audit for e-mail utility.

Table 4.3.5.1: Respondents for organizational e-mail accounts * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Whether all the employees have organizational e-mail account? | No | 0 | 1 | 0 | 1 |
| | Yes | 15 | 14 | 15 | 44 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.5.1: Respondents for organizational e-mail accounts.

Table and Chart 4.3.5.1 show that 98% of the companies have created an organizational e-mail account for their employees and 2% of the companies have not created this organizational e-mail account for their employees.

Table 4.3.5.2: Respondents for implementation of policy * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Have you implemented the e-mail policy immediately after it was developed? | No | 1 | 2 | 0 | 3 |
| | Yes | 14 | 13 | 15 | 42 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.5.2: Respondents for implementation of policy.

Table and Chart 4.3.5.2 show that 93% of the companies are implementing the e-mail policy immediately after it was developed and 7% of the companies have not implemented the e-mail policy immediately after it was developed.

Table 4.3.5.3: Respondents for E-mail policy based training * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Whether the training was given to you before the policy was implemented? | No | 2 | 3 | 2 | 7 |
| | Yes | 13 | 12 | 13 | 38 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.5.3: Respondents for E-mail policy based training.

Table and Chart 4.3.5.3 show that 84% of the companies have given training to the employees before implementation of the e-mail policy and 16% of the companies have not given training to the employees before implementation of the e-mail policy.

Table 4.3.5.4: Respondents for access to email servers other than organizational e-mail server * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Whether employees can access other email servers than the organizational e-mail server? | No | 14 | 11 | 15 | 40 |
| | Yes | 1 | 4 | 0 | 5 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.5.4: Respondents for access to email servers other than organizational e-mail server.

Table and Chart 4.3.5.4 show that 40 companies do not allow their employees to access e-mail servers other than the organizational e-mail server and 5 companies allow their employees to access other e-mail servers. Hence, 89% of the companies try to protect their confidential information from external use.

Table 4.3.5.5: Respondents for disk usage quota for e-mail facility * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Whether the disk usage quota is allotted to the individual user? | No | 2 | 4 | 0 | 6 |
| | Yes | 13 | 11 | 15 | 39 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.5.5: Respondents for disk usage quota for e-mail facility.

Table and Chart 4.3.5.5 indicate that 39 companies have allotted a disk usage quota to the individual users and 6 companies have not allotted any disk usage quota. Hence, 87% of the companies allow a disk usage quota to the individual users.

Table 4.3.5.6: Respondents for same organizational e-mail accounts * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you use the same e-mail accounts for Inter-organizational communication? | No | 1 | 1 | 0 | 2 |
| | Yes | 14 | 14 | 15 | 43 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.5.6: Respondents for same organizational e-mail accounts.

Table and Chart 4.3.5.6 show that 44 companies use the same e-mail accounts for inter-organizational communication and only one company does not follow this. Hence, 98% of the companies are using the same e-mail account for inter-organizational communication.

Table 4.3.5.7: Respondents for e-mail policy which meet IT plan of organization * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Does e-mail policy meet IT plan of your organization? | NR | 0 | 1 | 0 | 1 |
| | No | 1 | 0 | 0 | 1 |
| | Yes | 14 | 14 | 15 | 43 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.5.7: Respondents for e-mail policy which meet IT plan of organization.

Table and Chart 4.3.5.7 indicate that for 43 companies the e-mail policy meets the IT plan of the organization, for one company the e-mail policy does not meet the IT plan, and there was no response from one company. Hence, it shows that for 96% of the companies the e-mail policy meets the IT plan of the organization.

Table 4.3.5.8: Respondents for risk reduction with adoption of e-mail policy * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Whether there is any risk reduction with adoption of e-mail policy? | No | 2 | 5 | 1 | 8 |
| | Yes | 13 | 10 | 14 | 37 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.5.8: Respondents for risk reduction with adoption of e-mail policy.

As per the table and chart 4.3.5.8 shown above, 37 companies confirm risk reduction after adoption of the e-mail policy and 8 companies are not sure about this. Hence, 82% of the companies have confirmed risk reduction after adoption of this policy.

Table 4.3.5.9: Respondents for receiving SPAM on their mail server * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you receive SPAM on your E-MAIL SERVER? | No | 10 | 5 | 10 | 25 |
| | Yes | 5 | 10 | 5 | 20 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.5.9: Respondents for receiving SPAM on their mail server.

Table and Chart 4.3.5.9 show that 25 companies receive SPAM on their mail server and 20 companies still receive SPAM on the e-mail server. Hence, only 56% of the companies are not receiving SPAM on their mail server.

Table 4.3.5.10: Respondents for restricted use of company e-mail account * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you use company e-mail account only for official purpose? | No | 0 | 6 | 1 | 7 |
| | Yes | 15 | 9 | 14 | 38 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.5.10: Respondents for restricted use of company e-mail account.

As per the table and chart 4.3.5.10, from the sample of 45 companies there are 38 companies providing use of the e-mail account for official purposes, and for 7 companies there is no such restriction on the use of the company e-mail account. Hence, 84% of the companies have restricted the use of the company e-mail account to official use only.

Table 4.3.5.11: Respondents for full use of e-mail account prior to management approval * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Can you utilize additional e-mail usage quota prior to management approval? | No | 8 | 6 | 11 | 25 |
| | Yes | 7 | 9 | 4 | 20 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.5.11: Respondents for additional usage of e-mail account prior to management approval.

Table and Chart 4.3.5.11 show that 20 companies provide full use of the e-mail account prior to management approval and 20 companies do not provide this facility. Hence, only 44% of the companies provide full use of management approval.

Table 4.3.5.12: Respondents for conduct of Information system audit for e-mail utility * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you conduct Information system audit for e-mail utility? | No | 1 | 9 | 2 | 12 |
| | Yes | 14 | 6 | 13 | 33 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.5.12: Respondents for conduct of Information system audit for e-mail utility.

Table and Chart 4.3.5.12 indicate that only 73% of the companies conduct an Information system audit for e-mail utility. This parameter is of major concern, as the Information system audit is meant to safeguard the assets of the organization.

4.3.6: DOMAIN 6: Software acquisition policy.

This policy mainly addresses parameters about existence of written policy, support for existing IT plan, formation of steering committee, time frame, comparative analysis, performance ratings of vendors, source code availability, acceptance testing, prototype, maintenance agreement and penalty schedule.

Table 4.3.6.1: Respondents for availability of written software acquisition policy * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you have documented Software acquisition policy? | NR | 0 | 1 | 0 | 1 |
| | No | 0 | 4 | 1 | 5 |
| | Yes | 15 | 10 | 14 | 39 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.6.1: Respondents for availability of written software acquisition policy.

Table and Chart 4.3.6.1 show that 39 companies have a software acquisition policy, 5 companies do not have this policy, and there was no response from one company. Thus, 87% of the companies have a software acquisition policy.

Table 4.3.6.2: Respondents for policy support for change in IT plan.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Does the policy change with change in IT plan? | NR | 3 | 3 | 0 | 6 |
| | No | 0 | 2 | 1 | 3 |
| | Yes | 12 | 10 | 14 | 36 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.6.2: Respondents for policy support for change in IT plan.

From the above table and chart 4.3.6.2, a total of 36 companies change their software acquisition policy with a change in their IT plan and 3 companies do not support this, while for six companies this is not applicable. Hence, for 80% of the companies the software acquisition policy changes with a change in IT plan.

Table 4.3.6.3: Respondents having steering committee * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you have steering committee for software acquisition? | NR | 0 | 2 | 1 | 3 |
| | No | 3 | 3 | 1 | 7 |
| | Yes | 12 | 10 | 13 | 35 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.6.3: Respondents having steering committee.

Table and Chart 4.3.6.3 show that 35 companies have a steering committee for acquisition of software and 7 companies do not have this steering committee. It is not applicable to the remaining three companies. This further shows that 78% of the companies have a steering committee for software acquisition.

Table 4.3.6.4: Respondents for providing time frame for system to be functional * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you provide time frame within which the system is required to be functional? | NR | 0 | 2 | 1 | 3 |
| | No | 1 | 1 | 0 | 2 |
| | Yes | 14 | 12 | 14 | 40 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.6.4: Respondents for providing time frame for system to be functional.

Table and Chart 4.3.6.4 show that 40 companies provide a time frame for software development and 2 companies do not provide any time frame, while it is not applicable to the remaining 3 companies. This indicates that 89% of the companies provide a time frame within which the system is to be functional.

Table 4.3.6.5: Respondents for providing complete information under requirement definition * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you provide complete information under requirement definition? | NR | 2 | 4 | 1 | 7 |
| | No | 0 | 0 | 0 | 0 |
| | Yes | 13 | 11 | 14 | 38 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.6.5: Respondents for providing complete information under requirement definition.

Table and Chart 4.3.6.5 show that 38 companies provide complete information under requirement definition and this is not applicable for the remaining 7 companies. Hence, 84% of the companies provide complete information under requirement definition.

Table 4.3.6.6: Respondents for visiting various sites of vendors for comparative analysis * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you visit various sites of different vendors for comparative analysis? | NR | 3 | 2 | 1 | 6 |
| | No | 4 | 2 | 2 | 8 |
| | Yes | 8 | 11 | 12 | 31 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.6.6: Respondents for visiting various sites of vendors for comparative analysis.

Table and Chart 4.3.6.6 indicate that 31 companies go for comparative analysis of vendors in terms of visiting various sites, 8 companies do not go for comparative analysis, and 6 companies have not given any response for this parameter.

Table 4.3.6.7: Respondents for performance ratings * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you have any performance rating for analysis of vendors? | NR | 1 | 2 | 2 | 5 |
| | No | 2 | 3 | 1 | 6 |
| | Yes | 12 | 10 | 12 | 34 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.6.7: Respondents for performance ratings.

Table and Chart 4.3.6.7 indicate that 34 companies perform performance analysis of vendors and 6 companies do not perform this. This is not applicable for the remaining five companies. Hence, 76% of the companies go for performance analysis of vendors.

Table 4.3.6.8: Respondents for source code availability * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you check about source code availability (escrow facility)? | NR | 3 | 4 | 0 | 7 |
| | No | 2 | 7 | 2 | 11 |
| | Yes | 10 | 4 | 13 | 27 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.6.8: Respondents for source code availability.

Table and Chart 4.3.6.8 indicate that only 27 companies have this source code availability, 11 companies do not provide source code availability, and there was no response from 7 companies. This shows that only 60% of the companies provide the source code facility.

Table 4.3.6.9: Respondents for provision for reasonable period for acceptance testing * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you have provision for reasonable period for acceptance testing? | NR | 3 | 3 | 1 | 7 |
| | No | 2 | 1 | 2 | 5 |
| | Yes | 10 | 11 | 12 | 33 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.6.9: Respondents for provision for reasonable acceptance testing period.

The above table and chart 4.3.6.9 show that 33 companies have a provision for a reasonable acceptance testing period before the product purchase decision is made and 5 companies do not have this provision, while this is not applicable for the remaining 7 companies. Thus, 73% of the companies have this provision.

Table 4.3.6.10: Respondents for making maintenance agreement with vendors * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you make maintenance agreement with the vendor? | NR | 3 | 2 | 1 | 6 |
| | No | 1 | 2 | 0 | 3 |
| | Yes | 11 | 11 | 14 | 36 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.6.10: Respondents for making maintenance agreement with vendors.

Table and Chart 4.3.6.10 show that 36 companies make a maintenance agreement with vendors and 3 companies are not making it at present, while this is not applicable for six companies.

Table 4.3.6.11: Respondents having penalty schedule for vendors * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you have penalty clause and payment schedule? | NR | 3 | 2 | 1 | 6 |
| | No | 2 | 5 | 1 | 8 |
| | Yes | 10 | 8 | 13 | 31 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.6.10: Respondents having penalty schedule for vendors.

The above table and chart 4.3.6.10 indicate that 31 companies apply a penalty clause to vendors for late delivery of product and 8 companies do not follow this, while this is not applicable for 6 companies. Hence, 69% of the companies have a penalty clause for vendors.

Table 4.3.6.12: Respondents for using their original data for acceptance testing * comp_type.

| Parameter | Response | COMP_TYP: ITB | COMP_TYP: ITH | COMP_TYP: ITS | Total |
|---|---|---|---|---|---|
| Do you use your own original data for acceptance testing? | NR | 4 | 3 | 1 | 8 |
| | No | 2 | 1 | 2 | 5 |
| | Yes | 9 | 11 | 12 | 32 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.6.12: Respondents for using their original data for acceptance testing.

Table and Chart 4.3.6.12 show that 32 companies use their original data for acceptance testing and 5 companies do not use their data for acceptance testing. This is not applicable for the remaining 8 companies. Hence, 71% of the companies use their data for acceptance testing.

3271%

511%

818%

Do you use your own data for acceptance testing?

Yes No not applicable


Table 4.3.6.13: Respondents using prototyping before acceptance testing * comp_type.

Parameter: Do you use prototyping method before acceptance testing?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        5    4    2     11
No        2    3    2      7
Yes       8    8   11     27
Total    15   15   15     45

Chart 4.3.6.13: Respondents using prototyping before acceptance testing.

[Pie chart: Do you use prototyping method before acceptance testing? Yes 27 (60%); No 7 (16%); Not applicable 11 (24%)]

Table and chart 4.3.6.13 show that 27 companies use the prototyping method before acceptance testing, whereas 7 companies do not follow this method, and this is not applicable to the remaining 11 companies. Hence, 60% of companies use prototyping before acceptance testing.


Table 4.3.6.14: Respondents for software acquisition policy implementation * comp_type.

Parameter: Have you implemented the policy immediately after it was developed?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        3    3    1      7
No        2    5    1      8
Yes      10    7   13     30
Total    15   15   15     45

Chart 4.3.6.14: Respondents for software acquisition policy implementation.

[Pie chart: Have you implemented the policy immediately after it was developed? Yes 32 (71%); No 6 (13%); Not applicable 7 (16%)]

Table and chart 4.3.6.14 show that 32 companies implemented the software acquisition policy immediately after it was developed and 6 companies have not implemented this policy. Hence, 71% of companies implemented the software acquisition policy immediately after it was developed.


4.3.7: DOMAIN 7: Hardware Acquisition Policy.

This hardware acquisition policy is concerned with safeguarding hardware components and resources, which are carriers of information.

Table 4.3.7.1: Respondents for having standard or proprietary Hardware.

Parameter: Do you have standard (proprietary / specific) configuration for all computers?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        2    1    1      4
No        1    7    0      8
Yes      12    7   14     33
Total    15   15   15     45

Chart 4.3.7.1: Respondents for standard or proprietary Hardware.

[Pie chart: Do you have standard (proprietary / specific) configuration for all computers? Yes 33 (73%); No 8 (18%); Not applicable 4 (9%)]

Table and chart 4.3.7.1 show that 33 companies have a standard or proprietary configuration for all computers, 8 companies do not have such a configuration for all types of machines, and it is not applicable for the remaining four companies. Hence, 73% of companies have a standard or proprietary configuration.


Table 4.3.7.2: Respondents for sending request for proposal * comp_type.

Parameter: Do you send request for quotation to number of vendors?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        2    1    1      4
No        1    4    0      5
Yes      12   10   14     36
Total    15   15   15     45

Chart 4.3.7.2: Respondents for sending request for proposal.

[Pie chart: Do you send request for quotation to number of vendors? Yes 36 (80%); No 5 (11%); Not applicable 4 (9%)]

Table and chart 4.3.7.1 indicate that 36 companies send requests for proposals to vendors and 5 companies do not, and this is not applicable for the remaining 4 companies. Hence, 80% of the companies send requests for proposals to the vendors.


Table 4.3.7.3: Respondents for performance analysis of vendors * comp_type.

Parameter: Do you have any performance ratings analysis of vendors?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        2    1    1      4
No        2    6    0      8
Yes      11    8   14     33
Total    15   15   15     45

Chart 4.3.7.3: Respondents for performance analysis of vendors.

[Pie chart: Do you have any performance ratings analysis of vendors? Yes 33 (73%); No 8 (18%); Not applicable 4 (9%)]

Table and chart 4.3.7.3 indicate that 33 companies have a performance ratings analysis of vendors for the purchase of hardware products, while 8 companies do not follow this. Four companies were not sure about this. Hence, 73% of companies carry out performance analysis of vendors.


Table 4.3.7.4: Respondents for Non-Disclosure Agreement and to analyze security and control feature of vendors * comp_type.

Parameter: Do you exercise non-disclosure agreement & analyze security and control features for the vendors?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        3    2    1      6
No        2    5    0      7
Yes      10    8   14     32
Total    15   15   15     45

Chart 4.3.7.4: Respondents for Non-Disclosure Agreement and to analyze security and control feature of vendors.

[Pie chart: Do you exercise non-disclosure agreement & analyze security and control features for the vendors? Yes 32 (71%); No 6 (13%); Not applicable 7 (16%)]

Table and chart 4.3.7.4 show that 71% of companies exercise a non-disclosure agreement and analyze security and control features with the vendors, whereas 13% of companies do not follow this, and for the remaining 16% of companies this is not applicable.


Table 4.3.7.5: Respondents for monitoring and rating upgrading capacities of vendors * comp_type.

Parameter: Do you monitor and rate vendor's hardware upgrading capabilities?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        2    1    1      4
No        1    4    0      5
Yes      12   10   14     36
Total    15   15   15     45

Chart 4.3.7.5: Respondents for monitoring and rating upgrading capacities of vendors.

[Pie chart: Do you monitor and rate vendor's hardware upgrading capabilities? Yes 36 (80%); No 5 (11%); Not applicable 4 (9%)]

From table and chart 4.3.7.5, 36 companies monitor and rate the upgrading capabilities of vendors and 2 companies do not monitor this. This process is not applicable to the remaining four companies. Thus, 80% of companies monitor and rate the upgrading capability of vendors.


Table 4.3.7.6: Respondents for time frame for installation * comp_type.

Parameter: Do you specify and provide time frame for installation of required hardware devices to the vendors?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        2    1    1      4
No        0    3    0      3
Yes      13   11   14     38
Total    15   15   15     45

Chart 4.3.7.6: Respondents for time frame for installation.

[Pie chart: Do you specify and provide time frame for installation of required hardware devices to the vendors? Yes 38 (84%); No 3 (7%); Not applicable 4 (9%)]

Table and chart 4.3.7.6 show that 38 companies specify and provide a time frame for installation of required devices to the vendors and 3 companies do not, and there was no response from the remaining 4 companies. Hence, 84% of companies specify and provide a time frame for vendors.


Table 4.3.7.7: Respondents for required access to vendors * comp.

Parameter: Do you provide required access to the vendor for installation on your site?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        2    1    1      4
No        1    4    1      6
Yes      12   10   13     35
Total    15   15   15     45

Chart 4.3.7.7: Respondents for required access to vendors.

[Pie chart: Do you provide required access to the vendors for installation on your site? Yes 35 (78%); No 6 (13%); Not applicable 4 (9%)]

Table and chart 4.3.7.7 show that 35 companies give the required access to vendors and 6 companies do not, and for the remaining four companies this is not applicable. Hence, 78% of companies give the required privilege to vendors.


Table 4.3.7.8: Respondents carrying rigorous testing * comp_type.

Parameter: Do you carry rigorous testing after installation of the product?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        2    1    1      4
No        1    2    1      4
Yes      12   12   13     37
Total    15   15   15     45

Chart 4.3.7.8: Respondents carrying rigorous testing.

[Pie chart: Do you carry rigorous testing after installation of the product? Yes 37 (82%); No 4 (9%); Not applicable 4 (9%)]

From table and chart 4.3.7.8, 37 companies carry out rigorous testing after installation of the product and 4 companies do not, and it is not applicable for the remaining 4 companies. Hence, 82% of companies carry out rigorous testing.


Table 4.3.7.9: Respondents for providing training after installation * comp_type.

Parameter: Does your vendor provide the training after installation of hardware?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        2    1    1      4
No        6    4    2     12
Yes       7   10   12     29
Total    15   15   15     45

Chart 4.3.7.9: Respondents for providing training after installation.

[Pie chart: Does your vendor provide the training after installation of hardware? Yes 29 (64%); No 12 (27%); Not applicable 4 (9%)]

Table and chart 4.3.7.9 show that for 29 companies the vendor provides training after installation of hardware and for 12 companies this support is not given by vendors. There was no response from the vendors. Hence, for 64% of companies, training is provided by the vendors.


Table 4.3.7.10: Respondents for providing post implementation support.

Parameter: Does the vendor provide you post implementation service?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        2    1    1      4
No        0    2    0      2
Yes      13   12   14     39
Total    15   15   15     45

Chart 4.3.7.10: Respondents for providing post implementation support.

[Pie chart: Does the vendor provide you post implementation service? Yes 39 (87%); No 2 (4%); Not applicable 4 (9%)]

Table and chart 4.3.7.10 indicate that for 39 companies the vendor provides post-implementation service; however, for 2 companies this type of service is not provided, and this is not applicable for 4 companies. Hence, for 87% of companies, the vendor provides post-implementation support.


Table 4.3.7.11: Respondents for having hardware inventory management * comp_type.

Parameter: Do you have Hardware inventory management system?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        2    1    1      4
No        2    3    0      5
Yes      11   11   14     36
Total    15   15   15     45

Chart 4.3.7.11: Respondents for having hardware inventory management.

[Pie chart: Do you have Hardware inventory management system? Yes 36 (80%); No 5 (11%); Not applicable 4 (9%)]

Table and chart 4.3.7.11 indicate that 36 companies have maintained their hardware inventory and 5 companies have not. 4 companies have not given any response. This shows that 80% of companies have a hardware inventory management system.


Table 4.3.7.12: Respondents for documented hardware acquisition policy * comp_type.

Parameter: Do you have documented Hardware acquisition policy?

             COMP_TYP
        ITB  ITH  ITS  Total
NR
No        1    6    1      8
Yes      14    9   14     37
Total    15   15   15     45

Chart 4.3.7.12: Respondents for written hardware acquisition policy.

[Pie chart: Do you have documented Hardware acquisition policy? Yes 37 (82%); No 8 (18%); Not applicable 0 (0%)]

Table and chart 4.3.7.12 show that 37 companies have a written hardware acquisition policy and 8 companies do not. Hence, 82% of companies have a written hardware acquisition policy.


Table 4.3.7.13: Respondents for having Hardware acquisition training * comp_type.

Parameter: Whether policy based training was given to the users?

             COMP_TYP
        ITB  ITH  ITS  Total
No        2    6    1      9
Yes      13    9   14     36
Total    15   15   15     45

Chart 4.3.7.13: Respondents for having Hardware acquisition training.

[Pie chart: Whether policy based training was given to the users? Yes 36 (80%); No 9 (20%); Not applicable 0 (0%)]

Table and chart 4.3.7.13 show that 36 companies have training for the hardware acquisition policy and 9 companies do not provide this type of training. Hence, only 80% of companies provide training for hardware acquisition.


Table 4.3.7.14: Respondents for supporting policy to existing IT plan * comp_type.

Parameter: Does the policy support your existing IT plan?

             COMP_TYP
        ITB  ITH  ITS  Total
NR
No        1    2    0      3
Yes      14   13   15     42
Total    15   15   15     45

Chart 4.3.7.14: Respondents for supporting policy to existing IT plan.

[Pie chart: Does the policy support your existing IT plan? Yes 42 (93%); No 3 (7%); Not applicable 0 (0%)]

Table and chart 4.3.7.14 show that for 42 companies the hardware acquisition policy supports their IT plan, but it is not applicable for 3 companies. Hence, for 93%, the hardware acquisition policy supports the IT plan of the company.


4.3.8: DOMAIN 8: Outsourcing Policy.

This policy is focused on hiring external resources for a specific time period. These resources could be technology, people, processes or products.

Table 4.3.8.1: Respondents for outsourcing policy * comp_type.

Parameter: Do you have an outsourcing policy?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        2    2    1      5
No        3    4    5     12
Yes      10    9    9     28
Total    15   15   15     45

Chart 4.3.8.1: Respondents for outsourcing policy.

[Pie chart: Do you have an outsourcing policy? Yes 28 (62%); No 12 (27%); Not applicable 5 (11%)]

From table and chart 4.3.8.1, it is evident that 28 companies have a policy for outsourcing whereas 12 companies do not. There was no response from the remaining 5 companies. Hence, 62% of companies have an outsourcing policy.


Table 4.3.8.2: Respondents for allowing outsourcing agency to share resources * comp_type.

Parameter: Do you share your resources with the representatives of outsourcing agency?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        0    3    0      3
No        4    4    7     15
Yes      11    8    8     27
Total    15   15   15     45

Chart 4.3.8.2: Respondents for allowing outsourcing agency to share resources.

[Pie chart: Do you share your resources with the representatives of sourcing agency? Yes 27 (60%); No 15 (33%); Not applicable 3 (7%)]

The above table and chart 4.3.8.2 show that 27 companies allow representatives of outsourcing agencies to share their resources and 15 companies do not allow this. This is not applicable for 3 companies. Hence, 60% of companies allow sharing of resources.


Table 4.3.8.3: Respondents for outsourcing technology * comp_type.

Parameter: Do you outsource specific technology as per the requirements of projects?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        1    3    1      5
No       10   10    9     29
Yes       4    2    5     11
Total    15   15   15     45

Chart 4.3.8.3: Respondents for outsourcing technology.

[Pie chart: Do you outsource specific technology for requirements of projects? Yes 11 (25%); No 29 (64%); Not applicable 5 (11%)]

Table and chart 4.3.8.3 indicate that only 11 companies outsource technology whereas 29 companies do not, and this is not applicable to the remaining 5 companies. Hence, only 25% of companies outsource technology for required projects.


Table 4.3.8.4: Respondents for maintaining confidentiality of information for outsourcing * comp_type.

Parameter: Do you maintain confidentiality of the information for outsourcing?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        3    3    2      8
No        0    1    0      1
Yes      12   11   13     36
Total    15   15   15     45

Chart 4.3.8.4: Respondents for maintaining confidentiality of information for outsourcing.

[Pie chart: Do you maintain confidentiality of the information for outsourcing? Yes 36 (80%); No 2 (4%); Not applicable 7 (16%)]

Table and chart 4.3.8.4 indicate that 36 companies maintain confidentiality of information and 2 companies do not maintain it. The remaining 7 companies are not sure about maintaining confidentiality. Hence, only 80% of companies maintain confidentiality for outsourcing.


Table 4.3.8.5: Respondents for signing contract for outsourcing * comp_type.

Parameter: Do you sign contract for outsourcing?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        3    3    1      7
No        1    1    1      3
Yes      11   11   13     35
Total    15   15   15     45

Chart 4.3.8.5: Respondents for signing contract for outsourcing.

[Pie chart: Do you sign contract for outsourcing? Yes 35 (78%); No 3 (7%); Not applicable 7 (15%)]

From table and chart 4.3.8.5, it is evident that 35 companies sign a contract for outsourcing and 3 companies do not, whereas there was no response from 7 companies. Hence, 78% of companies sign a contract for outsourcing.


Table 4.3.8.6: Respondents for imparting necessary training * comp_type.

Parameter: Was training for necessary implementation of this policy imparted?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        3    3    1      7
No        2    1    0      3
Yes      10   11   14     35
Total    15   15   15     45

Chart 4.3.8.6: Respondents for imparting necessary training.

[Pie chart: Was training for necessary implementation of this policy imparted? Yes 35 (78%); No 3 (7%); Not applicable 7 (15%)]

Table and chart 4.3.8.6 show that training for outsourcing was imparted to employees of 35 companies and for 3 companies it has not been imparted. There was no response from 7 companies. Hence, only 78% of companies have provided training for outsourcing.


Table 4.3.8.7: Respondents for support for IT plan with outsourcing policy * comp_type.

Parameter: Does outsourcing policy support the existing IT plan of your organization?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        2    3    1      6
No        0    1    0      1
Yes      13   11   14     38
Total    15   15   15     45

Chart 4.3.8.7: Respondents for support for IT plan with outsourcing policy.

[Pie chart: Does outsourcing policy support the existing IT plan of your organization? Yes 38 (85%); No 1 (2%); Not applicable 6 (13%)]

Table and chart 4.3.8.7 show that 38 companies confirm that the outsourcing policy supports the existing IT plan of the company, and for one company this policy does not support the IT plan. There was no response from the remaining 6 companies. Hence, for 85% of companies the outsourcing policy supports the IT plan.


Table 4.3.8.8: Respondents for risk reduction after implementation of outsourcing policy * comp_type.

Parameter: Have you noticed any risk reduction after implementation of this policy?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        1    3    2      6
No        0    1    0      1
Yes      14   11   13     38
Total    15   15   15     45

Chart 4.3.8.8: Respondents for risk reduction after implementation of Outsourcing policy.

[Pie chart: Have you noticed any reduction in risk after implementation of this policy? Yes 38 (85%); No 1 (2%); Not applicable 6 (13%)]

Table and chart 4.3.8.8 show that 38 companies have noticed a reduction in risk after implementation of the outsourcing policy. However, it has not been noticed by one company, and six companies are not sure about it. Hence, a total of 85% of companies have noticed a reduction in risk.


Table 4.3.8.9: Respondents for exercising non-disclosure agreement * comp_type.

Parameter: Do you exercise non-disclosure agreement and analyze security and control features for the outsourcing process?

        ITB  ITH  ITS  Total
NR        0    2    0      2
No        0    3    0      3
Yes      15   10   15     40
Total    15   15   15     45

Chart 4.3.8.9: Respondents for exercising non-disclosure agreement.

[Pie chart: Do you exercise non-disclosure agreement and analyze security and control features for the outsourcing process? Yes 40 (89%); No 3 (7%); Not applicable 2 (4%)]

From table and chart 4.3.8.9, 89% of companies exercise a non-disclosure agreement and analyze security and control features of the outsourcing process, and 7% of companies do not follow this process for outsourcing.


4.3.9: DOMAIN 9: DIGITAL SIGNATURE POLICY

Confidential data transmitted across the Internet can be protected with the help of a digital signature. The digital signature is based on cryptography, which comprises encryption and decryption of data. Encryption is the conversion of data from plaintext to ciphertext, while decryption is the conversion of data from ciphertext to plaintext. Encryption takes place at the source user and decryption takes place at the destination user. The process of protecting the data through encryption and decryption is supported by the digital signature. There are two keys associated with a digital signature: the public key and the private key. The private key is for the owner of the electronic document and shows his authenticity for the document. The public key is for the authentic users who can access the document.

The Researcher found that the questions set for this domain were not answered by most of the IT companies. They informed the Researcher that the companies either do not use digital signatures in practice or, where they are used, only a few top management people use them. Most of the IT companies have no separate policy set specifically for digital signatures. Some companies responded for this policy domain but mentioned that the users are not sure about the existence and implementation of this policy. A few companies simply left the questions for this domain unanswered. Hence, this shows that the digital signature policy is not widely implemented by IT companies.

4.3.10: DOMAIN 10: NETWORK AND TELECOMMUNICATION SECURITY POLICY.

This policy is concerned with issues related to the security of a network. The parameters of major concern for this policy are the existence of the policy, the type of network architecture, protection by proxy server and firewall, use of leased lines, presence of a backup domain controller and installation of a VPN on the organizational network.


Table 4.3.10.1: Respondents for network security policy * comp_type.

Parameter: Do you have separate policy for Network security?

             COMP_TYP
        ITB  ITH  ITS  Total
NR
No        0    3    0      3
Yes      15   12   15     42
Total    15   15   15     45

Chart 4.3.10.1: Respondents for network security policy.

[Pie chart: Do you have separate policy for Network security? Yes 42 (93%); No 3 (7%); Not applicable 0 (0%)]

Table and chart 4.3.10.1 indicate that 42 companies have a separate policy for network security and 3 companies do not have such a security policy. Hence, 93% of companies have a policy for network security.


Table 4.3.10.2: Respondents for using client-server architecture * comp_type.

Parameter: Do you use client server architecture?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        3    1    0      4
No        0    2    0      2
Yes      12   12   15     39
Total    15   15   15     45

Chart 4.3.10.2: Respondents for using client-server architecture.

[Pie chart: Do you use client server architecture? Yes 39 (87%); No 2 (4%); Not applicable 4 (9%)]

From the above table and chart 4.3.10.2, 39 companies have client-server architecture and 2 companies do not. The remaining 4 companies have not responded. Hence, 87% of companies have client-server architecture.


Table 4.3.10.3: Respondents for three-tier architecture * comp_type.

Parameter: Do you have three-tier architecture?

        ITB  ITH  ITS  Total
NR        5    2    3     10
No        5    9    1     15
Yes       5    4   11     20
Total    15   15   15     45

Chart 4.3.10.3: Respondents for three-tier architecture.

[Pie chart: Do you have three-tier architecture? Yes 20 (45%); No 15 (33%); Not applicable 10 (22%)]

Table and chart 4.3.10.3 show that 20 companies have three-tier architecture and 15 companies do not, and this is not applicable for the remaining 10 companies. Hence, only 45% of companies are using client-server architecture.


Table 4.3.10.4: Respondents for leased lines * comp_type.

Parameter: Do you use leased lines?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        2    2    1      5
No        3    3    0      6
Yes      10   10   14     34
Total    15   15   15     45

Chart 4.3.10.4: Respondents for leased lines.

[Pie chart: Do you use leased lines? Yes 34 (76%); No 6 (13%); Not applicable 5 (11%)]

The above table and chart 4.3.10.4 show that 34 companies use leased lines and 6 companies do not, whereas there was no response from 5 companies. Hence, a total of 76% of companies have leased lines for network communication.


Table 4.3.10.5: Respondents for backup domain controller * comp_type.

Parameter: Whether Backup domain controller (BDC) is installed on your Network?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        1    2    0      3
No        3    7    1     11
Yes      11    6   14     31
Total    15   15   15     45

Chart 4.3.10.5: Respondents for backup domain controller.

[Pie chart: Whether Backup domain controller (BDC) is installed on your Network? Yes 31 (69%); No 11 (24%); Not applicable 3 (7%)]

Table and chart 4.3.10.5 indicate that 31 companies have a backup domain controller on their network and 11 companies do not have a BDC. This is not applicable for the remaining 3 companies. Hence, 69% of companies have installed a backup domain controller on their network.


Table 4.3.10.6: Respondents for installation of firewall * comp_type.

Parameter: Whether your Network is protected by firewall?

             COMP_TYP
        ITB  ITH  ITS  Total
NR
No        0    2    0      3
Yes      15   13   15     43
Total    15   15   15     45

Chart 4.3.10.6: Respondents for installation of firewall.

[Pie chart: Whether your Network is protected by firewall? Yes 43 (96%); No 2 (4%); Not applicable 0 (0%)]

Table and chart 4.3.10.6 show that 43 companies have their network protected by a firewall and 2 companies have not installed a firewall on their network. Hence, 96% of companies have protected their network with a firewall.


Table 4.3.10.7: Respondents for more than 100 network terminals * comp_type.

Parameter: Do you have more than 100 network terminals?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        0    0    0      0
No        3    4    0      7
Yes      12   11   15     38
Total    15   15   15     45

Chart 4.3.10.7: Respondents for more than 100 network terminals.

[Pie chart: Do you have more than 100 network terminals? Yes 38 (84%); No 7 (16%); Not applicable 0 (0%)]

Table and chart 4.3.10.7 show that 38 companies have more than 100 network terminals and 7 companies may have fewer than 100 terminals. This indicates that 84% of companies have more than 100 network terminals.


Table 4.3.10.8: Respondents with their own organizational VPN * comp_type.

Parameter: Do you have your own VPN for inter-organizational communication?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        1    0    0      1
No        1    4    2      7
Yes      13   11   13     37
Total    15   15   15     45

Chart 4.3.10.8: Respondents with their own organizational VPN.

[Pie chart: Do you have your own VPN for inter-organizational communication? Yes 37 (82%); No 7 (16%); Not applicable 1 (2%)]

From the above table and chart 4.3.10.8, 82% of companies have their own VPN for inter-organizational communication, which is one of the more secure ways of transferring organizational data. There are 7 companies which do not have a VPN for inter-organizational communication, and there was no reply from one company.


Table 4.3.10.9: Respondents for bandwidth more than 2 MBPS.

Parameter: Do you use bandwidth more than 2 MBPS for leased lines?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        3    1    0      4
No        2    4    0      6
Yes      10   10   15     35
Total    15   15   15     45

Chart 4.3.10.9: Respondents for bandwidth more than 2 MBPS.

[Pie chart: Do you have bandwidth more than 2 MBPS? Yes 35 (78%); No 6 (13%); Not applicable 4 (9%)]

Table and chart 4.3.10.9 show that 35 companies have leased-line bandwidth of more than 2 MBPS and 6 companies have bandwidth of less than 2 MBPS. The remaining 4 companies have not responded. Hence, 78% of companies have a bandwidth of more than 2 MBPS.


Table 4.3.10.10: Respondents for development of Network security policy before 2005 * comp_type.

Parameter: Have you developed this network security policy before 2005?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        1    1    0      2
No        0    3    0      3
Yes      14   11   15     40
Total    15   15   15     45

Chart 4.3.10.10: Respondents for development of Network security policy before 2005.

[Pie chart: Have you developed this network security policy before 2005? Yes 89%; No 7%; Not applicable 4%]

Table and chart 4.3.10.10 indicate that 40 companies developed the network security policy before 2005 and 3 companies developed it after 2005, while the remaining 2 companies have responded for this. Hence, 89% of companies developed the network security policy before 2005.


Table 4.3.10.11: Respondents for RAID 5 and backup security * comp_type.

Parameter: Do you have RAID 5 for backup and security?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        0    1    1      2
No        3    2    2      7
Yes      12   12   12     36
Total    15   15   15     45

Chart 4.3.10.11: Respondents for RAID 5 and backup security.

[Pie chart: Do you have RAID level 5 for backup and security? Yes 36 (80%); No 7 (16%); Not applicable 2 (4%)]

Table and chart 4.3.10.11 show that 36 companies use RAID 5 for security and 7 companies do not. This is not applicable for the remaining two companies. Hence, 80% of companies use RAID 5 for backup and security.


4.3.11: DOMAIN 11: BCP and DRP

Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) play a vital role in maintaining information security. BCP prepares an organization to reestablish critical business operations during a disaster that affects operations within the organization. If a disaster has rendered the current location unusable for continued operations, there must be a plan to allow the business to continue to function.

Disaster recovery planning means planning the preparation for and recovery from a disaster, whether natural or man-made. DRP provides detailed guidance in the event of a disaster. It also gives information on the roles and responsibilities of the various individuals involved in the disaster recovery team.

BCP and DRP go hand in hand, as disaster recovery works after the disaster occurs and BCP helps DRP to overcome the disaster. As per the standards BS7799 and ISO 17799, the questionnaire for the BCP and DRP domain is designed on similar parameters by the researcher. The parameters under study are: existence of BCP policy and DRP, major disaster faced by the organization in terms of data loss, availability of training and awareness programs, compatibility with IT infrastructure, risk associated with the policy, backup facility and system fault tolerance level.

The parameters for the existence of BCP and DRP are viewed separately. The remaining parameters are considered by the researcher to be common to both BCP and DRP.

Cross tabulations for related parameters along with the respective charts are shown on subsequent pages.


Table 4.3.11.1: Respondents for existence of BCP * comp_type.

Parameter: Do you have BCP?

             COMP_TYP
        ITB  ITH  ITS  Total
NR        0    1    0      1
No        0    4    0      4
Yes      15   10   15     40
Total    15   15   15     45

Chart 4.3.11.1: Respondents for existence of BCP.

[Pie chart: Do you have BCP? Yes 40 (89%); No 4 (9%); Not applicable 1 (2%)]

Table and chart 4.3.11.1 show that 40 companies have a BCP policy in place and 4 companies do not. One company has not responded as it is not sure about this. Hence, 89% of companies have a BCP policy.


Table 4.3.11.2: Respondents for existence of DRP * comp_type.

| Parameter | Response | COMP_TYP ITB | COMP_TYP ITH | COMP_TYP ITS | Total |
|---|---|---|---|---|---|
| Do you have DRP? | NR | 1 | 3 | 0 | 4 |
| | No | 2 | 3 | 2 | 7 |
| | Yes | 12 | 9 | 13 | 34 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.11.2: Respondents for existence of DRP.

[Chart: "Do you have DRP?" Legend: Yes, No, not applicable.]

Table and Chart 4.3.11.2 show that 34 companies have a DRP policy in place, 7 companies do not have this policy, and there was no response from 4 companies. Hence, 76% of companies have a DRP policy in place.


Table 4.3.11.3: Respondents who have faced any major data loss * comp_type.

| Parameter | Response | COMP_TYP ITB | COMP_TYP ITH | COMP_TYP ITS | Total |
|---|---|---|---|---|---|
| Have you ever faced any major data loss before? | NR | 1 | 2 | 0 | 3 |
| | No | 13 | 7 | 10 | 30 |
| | Yes | 1 | 6 | 5 | 12 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.11.3: Respondents who have faced any major data loss.

[Chart: "Have you ever faced any major data loss before?" Legend: Yes, No, not applicable.]

Table and Chart 4.3.11.3 show that 12 companies have faced major data loss and 30 companies have not suffered any major data loss. There was no response from the remaining 3 companies. Hence, 27% of companies have faced major loss of data.


Table 4.3.11.4: Respondents for developing the policy after the disaster occurred.

| Parameter | Response | COMP_TYP ITB | COMP_TYP ITH | COMP_TYP ITS | Total |
|---|---|---|---|---|---|
| Have you developed this policy after the disaster occurred? | NR | 2 | 6 | 2 | 10 |
| | No | 10 | 4 | 11 | 25 |
| | Yes | 3 | 5 | 2 | 10 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.11.4: Respondents for developing the policy after the disaster occurred.

[Chart: "Have you developed this policy after the disaster occurred?" Legend: Yes, No, not applicable.]

Table and Chart 4.3.11.4 show that 10 companies developed the policy after facing a disaster, 25 companies developed the policy beforehand and have not faced a disaster, and the remaining 10 companies are not sure about this. This confirms that 56% of companies had this policy in place before the disaster.


Table 4.3.11.5: Respondents for maintaining the backup * comp_type.

| Parameter | Response | COMP_TYP ITB | COMP_TYP ITH | COMP_TYP ITS | Total |
|---|---|---|---|---|---|
| Do you maintain data backup? | NR | 0 | 3 | 0 | 3 |
| | No | 0 | 0 | 0 | 0 |
| | Yes | 15 | 12 | 15 | 42 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.11.5: Respondents for maintaining the backup.

[Chart: "Do you maintain data backup?" Legend: Yes, No, not applicable.]

Table and Chart 4.3.11.5 confirm that 42 companies maintain a backup of data, while there was no response from 3 companies. Hence, 93% of companies maintain data backup.


Table 4.3.11.6: Respondents for having backup domain controller * comp_type.

| Parameter | Response | COMP_TYP ITB | COMP_TYP ITH | COMP_TYP ITS | Total |
|---|---|---|---|---|---|
| Do you have backup domain controller on your network? | NR | 2 | 1 | 1 | 4 |
| | No | 1 | 5 | 0 | 6 |
| | Yes | 12 | 9 | 14 | 35 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.11.6: Respondents for having backup domain controller.

[Chart: "Do you have backup domain controller on your network?" Legend: Yes, No, not applicable.]

Table and Chart 4.3.11.6 show that 35 companies have a backup domain controller on their network and 6 companies do not, while this is not applicable for 4 companies. Hence, 78% of companies have a backup domain controller on their respective networks.


Table 4.3.11.7: Respondents providing specific training * comp_type.

| Parameter | Response | COMP_TYP ITB | COMP_TYP ITH | COMP_TYP ITS | Total |
|---|---|---|---|---|---|
| Have you given any specific training program for the users to create awareness of this policy? | NR | 0 | 3 | 0 | 3 |
| | No | 0 | 1 | 0 | 1 |
| | Yes | 15 | 11 | 15 | 41 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.11.7: Respondents providing specific training.

[Chart: "Have you given any specific training program for the users to create awareness of this policy?" Legend: Yes, No, not applicable.]

Table and Chart 4.3.11.7 show that 41 companies provide specific training on BCP and DRP to create awareness of this policy. 3 companies do not provide training and there was no response from one company. Hence, 91% of companies provide training for creating awareness of this policy.


Table 4.3.11.8: Respondents for compatibility with existing IT infrastructure * comp_type.

| Parameter | Response | COMP_TYP ITB | COMP_TYP ITH | COMP_TYP ITS | Total |
|---|---|---|---|---|---|
| Whether your existing IT infrastructure is compatible to implement this BCP/DRP? | NR | 0 | 4 | 0 | 4 |
| | Yes | 15 | 11 | 15 | 41 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.11.8: Respondents for compatibility with IT infrastructure.

[Chart: "Whether your existing IT infrastructure is compatible to implement this BCP/DRP?" Legend: Yes, No, not applicable.]

Table and Chart 4.3.11.8 indicate that 91% of companies have IT infrastructure compatible with implementing this BCP/DRP, whereas the remaining 4% of companies do not satisfy this requirement.


Table 4.3.11.9: Respondents for reduction in risk after implementation of the BCP * comp_type.

| Parameter | Response | COMP_TYP ITB | COMP_TYP ITH | COMP_TYP ITS | Total |
|---|---|---|---|---|---|
| Whether there is any risk reduction after implementation of BCP? | NR | 0 | 3 | 0 | 3 |
| | No | 0 | 3 | 1 | 4 |
| | Yes | 15 | 9 | 14 | 38 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.11.9: Risk reduction after BCP implementation.

[Chart: "Whether there is any risk reduction after implementation of BCP?" Legend: Yes, No, not applicable.]

Table and Chart 4.3.11.9 show that 38 companies confirm that there is a reduction in risk after implementation of this policy. 4 companies indicated that there is no risk reduction and 3 companies have not responded. Hence, 84% of companies confirmed that there is no risk after implementation of this policy.


Table 4.3.11.10: Respondents for satisfying requirements of BCP and DRP * comp_type.

| Parameter | Response | COMP_TYP ITB | COMP_TYP ITH | COMP_TYP ITS | Total |
|---|---|---|---|---|---|
| Does this existing policy satisfy your requirements for both BCP and DRP? | NR | 0 | 13 | 0 | 13 |
| | Only DRP | 0 | 1 | 0 | 1 |
| | Only BCP | 1 | 1 | 1 | 3 |
| | Both | 14 | 0 | 14 | 28 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.11.10: Respondents for satisfying requirements of BCP and DRP.

[Chart: "Does this existing policy satisfy your requirements for both BCP and DRP?" Legend: Only BCP, Only DRP, Both, Not applicable.]

Table and Chart 4.3.11.10 show that for 62% of companies the existing policy satisfies the requirements for both BCP and DRP. There was no response from 13 companies, i.e. 29%. Only BCP is applicable for 3% of companies and DRP is applicable for 2% of companies.


4.3.12.: DOMAIN 12: SECURITY ORGANIZATION STRUCTURE

The security organization refers to the roles defined for reporting and addressing security implementation, incident reporting and resolution.

Table 4.3.12.1: Respondents for having security organization structure * comp_type.

| Parameter | Response | COMP_TYP ITB | COMP_TYP ITH | COMP_TYP ITS | Total |
|---|---|---|---|---|---|
| Have you built up a security organization structure? | NR | 0 | 1 | 0 | 1 |
| | No | 0 | 4 | 1 | 5 |
| | Yes | 15 | 10 | 14 | 39 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.12.1: Respondents for having security organization structure.

[Chart: "Have you built up a security organization structure?" Legend: Yes, No, not applicable.]

Table and Chart 4.3.12.1 show that 87% of companies have a security organization structure in their organization.


Table 4.3.12.2: Respondents for having separate policy for security organization structure * comp_type.

| Parameter | Response | COMP_TYP ITB | COMP_TYP ITH | COMP_TYP ITS | Total |
|---|---|---|---|---|---|
| Do you have separate policy for maintaining security organization structure? | NR | 0 | 3 | 1 | 4 |
| | No | 1 | 3 | 0 | 4 |
| | Yes | 14 | 9 | 14 | 37 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.12.2: Respondents for having separate policy for security organization structure.

[Chart: "Do you have separate policy for maintaining security organization structure?" Legend: Yes, No, not applicable.]

Table and Chart 4.3.12.2 show that 37 companies have a separate policy for maintaining the security organization structure. Hence, 87% of companies have a separate policy for maintaining the security organization structure.


Table 4.3.12.3: Respondents for separate security management team * comp_type.

| Parameter | Response | COMP_TYP ITB | COMP_TYP ITH | COMP_TYP ITS | Total |
|---|---|---|---|---|---|
| Do you have separate security management team in your organization? | NR | 0 | 1 | 3 | 4 |
| | No | 1 | 3 | 2 | 6 |
| | Yes | 14 | 11 | 10 | 35 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.12.3: Respondents for separate security management team.

[Chart: "Do you have separate security management team in your organization?" Legend: Yes, No, not applicable.]

Table and Chart 4.3.12.3 show that 35 companies have a separate security management team and 5 companies do not have such a separate team. Hence, 78% of companies have a separate security management team.


Table 4.3.12.4: Respondents for training * comp_type.

| Parameter | Response | COMP_TYP ITB | COMP_TYP ITH | COMP_TYP ITS | Total |
|---|---|---|---|---|---|
| Have you given any specific training for the users to create awareness of this policy? | NR | 0 | 1 | 0 | 1 |
| | No | 0 | 4 | 0 | 4 |
| | Yes | 15 | 10 | 15 | 40 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.12.4: Respondents for training to create awareness.

[Chart: "Have you given any specific training for the users to create awareness of this policy?" Legend: Yes, No, not applicable.]

Table and Chart 4.3.12.4 show that 40 companies provide a specific training program to create awareness and 4 companies do not provide this. Hence, 89% of companies provide training for awareness.


Table 4.3.12.5: Respondents for compatibility of IT infrastructure * comp_type.

| Parameter | Response | COMP_TYP ITB | COMP_TYP ITH | COMP_TYP ITS | Total |
|---|---|---|---|---|---|
| Whether your existing IT infrastructure is compatible to implement this policy? | NR | 0 | 4 | 0 | 4 |
| | No | 0 | 1 | 0 | 1 |
| | Yes | 15 | 10 | 15 | 40 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.12.5: Respondents for compatibility of IT infrastructure.

[Chart: "Whether your existing IT infrastructure is compatible to implement this policy?" Legend: Yes, No, not applicable.]

Table and Chart 4.3.12.5 show that 40 companies have IT infrastructure compatible with their security organization structure policy and one company does not. Hence, 89% of companies have IT infrastructure compatible with the policy.


Table 4.3.12.6: Respondents for risk reduction after adoption of the policy * comp_type.

| Parameter | Response | COMP_TYP ITB | COMP_TYP ITH | COMP_TYP ITS | Total |
|---|---|---|---|---|---|
| Whether it reduces the risk after adoption of policy? | NR | 1 | 2 | 0 | 3 |
| | No | 0 | 1 | 1 | 2 |
| | Yes | 14 | 12 | 14 | 40 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.12.6: Respondents for risk reduction after adoption of the policy.

[Chart: "Whether it reduces the risk after adoption of policy" Legend: Yes, No, not applicable.]

Table and Chart 4.3.12.6 indicate that 40 companies confirm that this policy reduces the risk. Hence, 89% of companies confirm that adoption of the policy reduces risk for the organization.


Table 4.3.12.7: Respondents for auditing of Information system * comp_type.

| Parameter | Response | COMP_TYP ITB | COMP_TYP ITH | COMP_TYP ITS | Total |
|---|---|---|---|---|---|
| Do you conduct auditing of your Information system? | NR | 0 | 2 | 0 | 2 |
| | No | 1 | 1 | 0 | 2 |
| | Yes | 14 | 12 | 15 | 41 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.12.7: Respondents for auditing of Information system.

[Chart: "Do you conduct auditing of your Information system?" Legend: Yes, No, not applicable.]

Table and Chart 4.3.12.7 show that 41 companies conduct auditing of their information systems. 2% of companies do not conduct an information system audit and 2% of companies have not responded. Hence, 91% of companies conduct information systems audits.


Table 4.3.12.8: Respondents for auditing of Information system * comp_type.

| Parameter | Response | COMP_TYP ITB | COMP_TYP ITH | COMP_TYP ITS | Total |
|---|---|---|---|---|---|
| How often you conduct Information Systems auditing? | NR | 3 | 6 | 4 | 13 |
| | Monthly | 2 | 0 | 3 | 5 |
| | Quarterly | 6 | 2 | 8 | 16 |
| | Half yr | 2 | 3 | 0 | 5 |
| | Yearly | 2 | 4 | 0 | 6 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.12.8: Respondents for conducting Information system audit monthly, quarterly.

[Chart: "How often you conduct Information Systems auditing?" Legend: Monthly, Quarterly, Half yearly, Yearly, Not applicable.]

Table and Chart 4.3.12.8 show that only 11% of companies conduct information systems audits monthly and 36% of companies conduct information systems audits quarterly.


Table 4.3.12.9: Respondents for conducting Internal audit regularly * comp_type.

| Parameter | Response | COMP_TYP ITB | COMP_TYP ITH | COMP_TYP ITS | Total |
|---|---|---|---|---|---|
| Do you conduct internal audit regularly? | NR | 0 | 3 | 1 | 4 |
| | Yes | 15 | 12 | 14 | 41 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.12.9: Respondents for conducting Internal audit regularly.

[Chart: "Do you conduct internal audit regularly?" Legend: Yes, No, not applicable.]

Table and Chart 4.3.12.9 show that 41 companies conduct their internal audit regularly and this is not applicable to 4 companies. Hence, 91% of companies conduct internal audits regularly.


Table 4.3.12.10: Respondents for security team having user profile based on authorization * comp_type.

| Parameter | Response | COMP_TYP ITB | COMP_TYP ITH | COMP_TYP ITS | Total |
|---|---|---|---|---|---|
| For the security team whether authorization based on user profile? | NR | 1 | 5 | 0 | 6 |
| | No | 0 | 1 | 0 | 1 |
| | Yes | 14 | 9 | 15 | 38 |
| Total | | 15 | 15 | 15 | 45 |

Chart 4.3.12.10: Respondents for security team having user profile based on authorization.

[Chart: "Whether users authorization is based on user profile?" Legend: Yes, No, not applicable.]

Table and Chart 4.3.12.10 show that in 38 companies user authorization is based on the user profile, and in one company it is not as per the profile. 6 companies have not responded. Hence, in 85% of companies the security team has authorization based on the user profile.


4.4 Hypothesis Testing:

In the context of hypothesis testing, the researcher has used the level of significance in terms of the percentage of parameters applicable for the total number of IT companies. The percentage of parameters is measured to prove the assumption, taking 75% or more as applicable for the number of IT companies. For the sample of 45 companies, if the number of companies that follow more than 75% of the parameters is 33 or more, then the hypothesis is proved, as there is no significant difference between expected and observed frequency.

The following table relates each hypothesis to the associated parameters for hypothesis testing.

Table 4.4: Reference between hypothesis and related parameters.

| Sl. No. | Hypothesis | Parameters (table references) |
|---|---|---|
| 1. | Hypothesis 1: ISP is need of every IT enabled organization with changing environment. | Tables 4.3.1.1, 4.3.1.6, 4.3.2.1, 4.3.2.2, 4.3.3.1, 4.3.3.11, 4.3.3.12, 4.3.4.1, 4.3.4.2, 4.3.5.2, 4.3.5.7, 4.3.6.2, 4.3.7.12, 4.3.8.8, 4.3.11.8, 4.3.12.5 |
| 2. | Hypothesis 2: Most of IT companies are having and implementing ISP. | Tables 4.3.1.4, 4.3.2.10, 4.3.3.2, 4.3.1.1, 4.3.2.1, 4.3.3.1, 4.3.4.10, 4.3.4.11, 4.3.5.1, 4.3.5.2, 4.3.5.3, 4.3.6.1, 4.3.7.10, 4.3.7.11, 4.3.8.7, 4.3.10.10, 4.3.11.7, 4.3.12.4, 4.3.12.2, 4.3.11.1, 4.3.6.13 |
| 3. | Hypothesis 3: Use of this policy (ISP) reduces risk of stealing data and information. | Tables 4.3.1.7, 4.3.2.3, 4.3.3.10, 4.3.4.3, 4.3.5.8, 4.3.8.9, 4.3.11.9, 4.3.12.6 |
| 4. | Hypothesis 4: ISP improves safeguarding assets of IT companies like hardware, software and people. | Tables 4.3.1.3, 4.3.1.9, 4.3.1.12, 4.3.2.4, 4.3.2.6, 4.3.2.7, 4.3.3.2, 4.3.3.12, 4.3.5.1, 4.3.5.5, 4.3.5.10, 4.3.6.3, 4.3.6.5, 4.3.6.9, 4.3.7.4, 4.3.7.7 |
| 5. | Hypothesis 5: Implementation of ISP better protects confidential information. | Tables 4.3.7.9, 4.3.8.5, 4.3.8.10, 4.3.10.6, 4.3.10.8, 4.3.12.7, 4.3.8.6, 4.3.12.9 |
| 6. | Hypothesis 6: ISP improves productivity in terms of conducting Information Systems Audit. | Tables 4.3.1.12, 4.3.2.4, 4.3.2.5, 4.3.2.6, 4.3.2.8, 4.3.2.7, 4.3.3.2, 4.3.3.5, 4.3.5.1, 4.3.5.6, 4.3.5.12, 4.3.6.3, 4.3.6.4, 4.3.7.4, 4.3.7.9, 4.3.8.6, 4.3.8.10, 4.3.8.3, 4.3.10.5, 4.3.11.5, 4.3.12.7, 4.3.12.9 |
| 7. | Hypothesis 7: Policies developed under the domains Physical access, data access, user access, Internet access, Network access and e-mail access are rigorously implemented than rest of the domains. | Tables for master domains: 4.3.1.1, 4.3.1.3, 4.3.1.4, 4.3.2.1, 4.3.2.7, 4.3.3.1, 4.3.3.2, 4.3.3.12, 4.3.4.1, 4.3.4.10, 4.3.4.5, 4.3.5.1, 4.3.5.2, 4.3.5.5, 4.3.5.12, 4.3.10.1, 4.3.10.6. Tables related to the rest of the domains (non-master domains): 4.3.6.1, 4.3.6.3, 4.3.7.10, 4.3.7.11, 4.3.8.1, 4.3.8.7, 4.3.11.1, 4.3.11.2, 4.3.12.1, 4.3.12.2, 4.3.10.1, 4.3.10.6 |

The selected parameters are first analyzed independently with cross tabulation, and then all associated parameters are considered together, as they relate to the assumption of the hypothesis. Frequency tables are then generated for the respective hypothesis, and the Chi-square test is applied to find the difference between expected frequency and observed frequency. For hypothesis 7, as the related parameters of the master domains were compared with those of the rest of the domains, the p value is calculated with the Chi-square test to test the hypothesis.

The analysis of these hypotheses is shown on the subsequent pages.
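The observed-versus-expected comparison described above can be worked through for hypotheses 1 to 6 with the counts reported in sections 4.4.1 to 4.4.6. This is an added example, not the researcher's SPSS procedure: it assumes a two-cell goodness-of-fit form of the Chi-square test (companies above 75% versus the rest, 1 degree of freedom) and a 5% significance level, neither of which the chapter states, and the function names are illustrative.

```python
import math

# Figures taken from sections 4.4 and 4.4.1-4.4.6 of this chapter.
SAMPLE_SIZE = 45          # IT companies surveyed
DECISION_MINIMUM = 33     # "equal or more than 33" companies proves a hypothesis
EXPECTED_ABOVE_75 = 34    # expected count used in each Chi-square comparison
OBSERVED_ABOVE_75 = {     # observed companies in the "> 75%" category
    "H1": 39, "H2": 33, "H3": 33, "H4": 34, "H5": 40, "H6": 36,
}
ALPHA = 0.05              # assumption: the chapter does not state a level


def chi_square_two_cell(observed, expected, n=SAMPLE_SIZE):
    """Goodness-of-fit statistic over two cells: '> 75%' and everything else.

    Assumption: the chapter reports only the '> 75%' cell; the complementary
    cell (n - count) is added here so both distributions sum to n.
    """
    if not 0 < expected < n:
        raise ValueError("expected count must leave both cells non-empty")
    if not 0 <= observed <= n:
        raise ValueError("observed count must lie between 0 and n")
    cells = ((observed, expected), (n - observed, n - expected))
    statistic = sum((o - e) ** 2 / e for o, e in cells)
    # With 1 degree of freedom, P(X > x) = erfc(sqrt(x / 2)).
    p_value = math.erfc(math.sqrt(statistic / 2))
    return statistic, p_value


def evaluate(observed, expected=EXPECTED_ABOVE_75, n=SAMPLE_SIZE):
    """Apply the chapter's count threshold and the Chi-square comparison."""
    statistic, p_value = chi_square_two_cell(observed, expected, n)
    if observed > expected:
        direction = "above"
    elif observed < expected:
        direction = "below"
    else:
        direction = "equal"
    return {
        "observed": observed,
        "meets_decision_rule": observed >= DECISION_MINIMUM,
        "chi_square": round(statistic, 3),
        "p_value": round(p_value, 4),
        "differs_at_alpha": p_value < ALPHA,
        "direction": direction,
    }


def evaluate_all():
    """Evaluate hypotheses 1-6 with the counts reported in this chapter."""
    return {name: evaluate(count) for name, count in OBSERVED_ABOVE_75.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(name, result)
```

The `direction` field separates a surplus over the expected count from a shortfall, which matters here because each hypothesis is supported by counts at or above the threshold.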


4.4.1 Hypothesis 1:

Information Security Policy is the need of every IT enabled organization in a global and changing environment.

Table 4.4.1: Parameters applicable for need of ISP * Number of IT Comp.

| Percentage of Parameters | Number of IT Companies | Percentage of IT companies |
|---|---|---|
| > 25 – 50% | 1 | 2.2% |
| > 50 – 75% | 5 | 11.1% |
| > 75 – 90% | 39 | 86.6% |
| Total | 45 | 100.0% |

Chart 4.4.1: Parameters applicable and percentage of companies.

[Chart: x-axis "Percentage of factors" (> 25 - 50, > 50 - 75, > 75 - 90, > 90%); y-axis "Percentage of Companies".]

The Chi-square test was applied to test the difference between the observed number of 39 and the expected number of 34 in the category > 75%. The result shows that there is no significant difference between observed and expected frequency; hence the hypothesis is proved.


4.4.2 Hypothesis 2:

Most of the IT companies have and implement information security policies.

Table 4.4.2: Parameters for policy implementation * Percentage of IT companies.

| Percentage of Parameters | Number of IT Companies | Percentage of IT companies |
|---|---|---|
| > 25 – 50% | 3 | 6.7% |
| > 50 – 75% | 9 | 20.0% |
| > 75 – 90% | 7 | 15.6% |
| > 90% | 26 | 57.8% |
| Total | 45 | 100.0% |

Chart 4.4.2: Parameters (factors) for policy implementation and percentage of IT companies.

[Chart: x-axis "Percentage of factors" (> 25 - 50, > 50 - 75, > 75 - 90, > 90%); y-axis "Percentage of Companies".]

The Chi-square test was applied to test the difference between the observed number of 33 and the expected number of 34 in the category > 75%. The result shows that there is no significant difference between observed and expected frequency, i.e. the hypothesis is accepted.


4.4.3. Hypothesis 3:

Use of ISP reduces the risk of stealing data and information.

Table 4.4.3: Parameters for risk reduction and percentage of IT companies.

| Percentage of Parameters | Number of IT Companies | Percentage of IT companies |
|---|---|---|
| <= 25% | 1 | 2.2% |
| > 25 – 50% | 1 | 2.2% |
| > 50 – 75% | 10 | 22.2% |
| > 75 – 90% | 11 | 24.4% |
| > 90% | 22 | 48.9% |
| Total | 45 | 100.0% |

Chart 4.4.3: Parameters for risk reduction and percentage of IT companies.

[Chart: x-axis "Percentage of factors" (<= 25 %, > 25 - 50, > 50 - 75, > 75 - 90, > 90%); y-axis "Percentage of Companies".]

The Chi-square test was applied to test the difference between the observed number of 33 and the expected number of 34 in the category > 75%. The result shows that there is no significant difference between observed and expected frequency, i.e. the hypothesis is accepted.


4.4.4. Hypothesis 4:

It improves safeguarding assets of IT companies like hardware, software and skilled people.

Table 4.4.4: Parameters for safeguarding assets * percentage of IT companies.

| Percentage of Parameters | Number of IT Companies | Percentage of IT companies |
|---|---|---|
| > 25 - 50 | 2 | 4.4% |
| > 50 - 75 | 9 | 20.0% |
| > 75 - 90 | 16 | 35.6% |
| > 90% | 18 | 40.0% |
| Total | 45 | 100.0% |

Chart 4.4.4: Parameters for safeguarding assets * percentage of IT companies.

[Chart: x-axis "Percentage of factors" (> 25 - 50, > 50 - 75, > 75 - 90, > 90%); y-axis "Percentage of Companies".]

For testing the hypothesis, table and chart 4.4.4.1 indicate that the Chi-square test is not needed to test the difference between the observed number and the expected number, as both numbers are 34 in the category > 75%. As the observed and expected numbers of companies are the same, the hypothesis is proved.


4.4.5. Hypothesis 5:

Information security policies better protect confidential information.

Table 4.4.5: Parameters for protecting confidential information * percentage of IT companies.

| Percentage of Parameters | Number of IT Companies | Percentage of IT companies |
|---|---|---|
| > 50 – 75% | 5 | 11.1% |
| > 75 – 90% | 12 | 26.7% |
| > 90% | 28 | 62.2% |
| Total | 45 | 100.0 |

Chart 4.4.5: Parameters for protecting confidential information * percentage of IT companies.

[Chart: x-axis "Percentage of factors" (> 50 - 75, > 75 - 90, > 90%); y-axis "Percentage of Companies".]

The Chi-square test was applied to test the difference between the observed number of 40 and the expected number of 34 in the category > 75%. The result shows that there is no significant difference between observed and expected frequency, i.e. the hypothesis is accepted.


4.4.6. Hypothesis 6:

It improves productivity in terms of conducting Information Systems Audit.

Table 4.4.6.1: Parameters for Information systems audit * percentage of IT companies.

| Percentage of Parameters | Number of IT Companies | Percentage of IT companies |
|---|---|---|
| > 25 – 50% | 4 | 8.9% |
| > 50 – 75% | 5 | 11.1% |
| > 75 – 90% | 12 | 26.7% |
| > 90% | 24 | 53.3% |
| Total | 45 | 100.0% |

Chart 4.4.6.1: Parameters for Information systems audit and percentage of IT companies.

[Chart: x-axis "Percentage of factors" (> 25 - 50, > 50 - 75, > 75 - 90, > 90%); y-axis "Percentage of Companies".]

The Chi-square test was applied to test the difference between the observed number of 36 and the expected number of 34 in the category > 75%. The result shows that there is no significant difference between observed and expected frequency, i.e. the hypothesis is accepted.


4.4.7 Hypothesis 7:

Policies developed under the domains such as Physical access, data access, user access, Internet access, Network access and e-mail are more rigorously implemented in the IT companies than the rest of the domains.

Table 4.4.7: Comparison of Master domain with Rest of domains.

| Percentage of Parameters | Master Domain: Number | Master Domain: Percent | Rest of the Domain: Number | Rest of the Domain: Percent |
|---|---|---|---|---|
| <= 25% | 0 | - | 2 | 4.4 |
| > 50 - 75 | 3 | 6.7 | 4 | 8.9 |
| > 75 - 90 | 7 | 15.6 | 7 | 15.6 |
| > 90% | 35 | 77.8 | 15 | 33.3 |
| Total | 45 | 100.0 | 45 | 100.0 |

‘p’ = 0.006. Significant difference.

Chart 4.4.7: Comparison of Master domain with Rest of domains.

[Chart: x-axis "Percentage of Factors" (<= 25 %, > 50 - 75, > 75 - 90, > 90%); y-axis "Percentage of Companies"; legend: Master, Rest.]


The Chi-square test was applied to test the difference between the observed number of 35 and the expected number of 34 in the category > 75%. The result shows that the percentage of policies implemented under the master domain is 77.8%, whereas for the rest of the domains it is 33.3%. Hence the hypothesis is proved.

4.5 Segment wise comparison between IT companies:

Table 4.5.1: Respondents for percentage parameters for need of security policies * software-BPO and Hardware companies.

| Percentage of Parameters for need of security policy | type of company: SW & BPO | type of company: HW | Total |
|---|---|---|---|
| > 25 - 50 | 0 (0.0%) | 1 (6.7%) | 1 (2.2%) |
| > 50 - 75 | 1 (3.3%) | 4 (26.7%) | 5 (11.1%) |
| > 75 - 90 | 5 (16.7%) | 5 (33.3%) | 10 (22.2%) |
| > 90% | 24 (80.0%) | 5 (33.3%) | 29 (64.4%) |
| Total | 30 (100.0%) | 15 (100.0%) | 45 (100.0%) |

Comparison for > 75%: ‘p’ = 0.011. Significant difference between HW (66.6%) and rest of the companies (96.7%).


Chart 4.5.1: Need of security policy percentage parameters and percentage of Software-BPO and Hardware companies.

[Chart: x-axis "Type of Company" (SW & BPO, HW); y-axis "Percentage"; legend: 25 - 50, 50 - 75, 75 - 90, > 90%.]

Table and Chart 4.5.1 show that 96.7% of Software and BPO companies follow more than 75% of the parameters related to the need of security policy, while in the case of hardware only 66.6% of companies follow more than 75% of the parameters, which represents that information security policy is the need of every IT company with a changing environment. Hence the percentage of Software and BPO companies related to the need of information security policies is more than 90%, but for hardware companies the percentage is considerably less.

The percentage parameter for policy implementation among BPO and Hardware is shown on the next page.


Table 4.5.2: Respondents for percentage parameters for policy implementation * percentage of Software-BPO and Hardware companies.

| Percentage parameters for policy implementation | type of company: SW & BPO | type of company: HW | Total |
|---|---|---|---|
| > 25 - 50 | 0 (0.0%) | 3 (20.0%) | 3 (6.7%) |
| > 50 - 75 | 2 (6.7%) | 7 (46.7%) | 9 (20.0%) |
| > 75 - 90 | 6 (20.0%) | 1 (6.7%) | 7 (15.6%) |
| > 90% | 22 (73.3%) | 4 (26.7%) | 26 (57.8%) |
| Total | 30 (100.0%) | 15 (100.0%) | 45 (100.0%) |

Chart 4.5.2: Respondents for percentage parameters for policy implementation.

[Chart: x-axis "Type of Company" (SW & BPO, HW); y-axis "Percentage"; legend: 25 - 50, 50 - 75, 75 - 90, > 90%.]

Table and Chart 4.5.2 show that 93.3% of Software and BPO companies follow more than 75% of the parameters related to security policy implementation, while in the case of hardware only 33.4% of companies follow more than 75% of the parameters, which represents the policy implementation by the companies.

Table 4.5.3: Respondents for percentage parameters for risk reduction * percentage of Software-BPO and Hardware companies.

| Hypo 3 PC cat | type of company: SW & BPO | type of company: HW | Total |
|---|---|---|---|
| <= 25% | 0 (0.0%) | 1 (6.7%) | 1 (2.2%) |
| > 25 - 50 | 0 (0.0%) | 1 (6.7%) | 1 (2.2%) |
| > 50 - 75 | 3 (10.0%) | 7 (46.7%) | 10 (22.2%) |
| > 75 - 90 | 7 (23.3%) | 4 (26.7%) | 11 (24.4%) |
| > 90% | 20 (66.7%) | 2 (13.3%) | 22 (48.9%) |
| Total | 30 (100.0%) | 15 (100.0%) | 45 (100.0%) |

Chart 4.5.3: Respondents for percentage parameters for risk reduction and percentage of Software-BPO and Hardware companies.

[Chart: x-axis "Type of Company" (SW & BPO, HW); y-axis "Percentage"; legend: <=25, 25 - 50, 50 - 75, 75 - 90, > 90%.]

Table and Chart 4.5.3 indicate that 90% of Software and BPO companies follow more than 75% of the parameters related to security policy risk reduction, while in the case of hardware only 40% of companies follow more than 75% of the parameters, which represents the risk reduction by the companies. Hence the percentage of risk reduction with the information security policies for Software and BPO companies is 90%, but for hardware companies the percentage is considerably less than 50%.

Table 4.5.4: Respondents for percentage parameters for safeguarding assets * percentage of Software-BPO and Hardware companies.

| Hypo 4 PC cat | type of company: SW & BPO | type of company: HW | Total |
|---|---|---|---|
| > 25 - 50 | 0 (0.0%) | 2 (13.3%) | 2 (4.4%) |
| > 50 - 75 | 5 (16.7%) | 4 (26.7%) | 9 (20.0%) |
| > 75 - 90 | 8 (26.7%) | 8 (53.3%) | 16 (35.6%) |
| > 90% | 17 (56.7%) | 1 (6.7%) | 18 (40.0%) |
| Total | 30 (100.0%) | 15 (100.0%) | 45 (100.0%) |

Table and Chart 4.5.4 show that 83.4% of Software and BPO companies follow more than 75% of the parameters related to safeguarding assets of IT companies, while in the case of hardware only 60% of companies follow more than 75% of the parameters, which represents the safeguarding of assets through the use of security policies by the companies. Hence the percentage of safeguarding assets of information security policies for Software and BPO companies is 90%, but for hardware companies the percentage is considerably less than 50%.

Chart 4.5.4: Respondents for percentage parameters for safeguarding assets * percentage of Software-BPO and Hardware companies.

[Chart: x-axis "Type of Company" (SW & BPO, HW); y-axis "Percentage"; legend: 25 - 50, 50 - 75, 75 - 90, > 90%.]

Table 4.5.5: Respondents for percentage parameters for protecting confidential information * percentage of Software-BPO and Hardware companies.

| Hypo 5 PC cat | type of company: SW & BPO | type of company: HW | Total |
|---|---|---|---|
| > 50 - 75 | 2 (6.7%) | 3 (20.0%) | 5 (11.1%) |
| > 75 - 90 | 7 (23.3%) | 5 (33.3%) | 12 (26.7%) |
| > 90% | 21 (70.0%) | 7 (46.7%) | 28 (62.2%) |
| Total | 30 (100.0%) | 15 (100.0%) | 45 (100.0%) |


Chart 4.5.5: Respondents for percentage parameters for protecting confidential information * percentage of SW-BPO and Hardware companies.

[Chart: x-axis "Type of Company" (SW & BPO, HW); y-axis "Percentage"; legend: 50 - 75, 75 - 90, > 90%.]

Table and Chart 4.5.5 show that 93.3% of Software and BPO companies follow more than 75% of the parameters related to protecting the confidential information of IT companies, while in the case of hardware only 60% of companies follow more than 75% of the parameters, which represents the safeguarding of assets through the use of security policies by the companies. Hence the percentage of safeguarding assets of information security policies for Software and BPO companies is 83.4, but for hardware companies the percentage is considerably less than 70%.

The percentage parameters for conducting Information system audit among software, BPO and Hardware are shown on the next page.


Table 4.5.6: Respondents for percentage parameters for conducting information system audit among software-BPO and Hardware companies.

| Percentage of Parameters | type of company: SW & BPO | type of company: HW | Total |
|---|---|---|---|
| > 25 - 50 | 0 (0.0%) | 4 (26.7%) | 4 (8.9%) |
| > 50 - 75 | 2 (6.7%) | 3 (20.0%) | 5 (11.1%) |
| > 75 - 90 | 5 (16.7%) | 7 (46.7%) | 12 (26.7%) |
| > 90% | 23 (76.7%) | 1 (6.7%) | 24 (53.3%) |
| Total | 30 (100.0%) | 15 (100.0%) | 45 (100.0%) |

Chart 4.5.6: Respondents for percentage parameters for conducting information system audit among software-BPO and Hardware companies.

[Chart: x-axis "Type of Company" (SW & BPO, HW); y-axis "Percentage"; legend: 25 - 50, 50 - 75, 75 - 90, > 90%.]


Table and Chart 4.5.6 show that 93.4% of Software and BPO companies follow more than 75% of the parameters related to conducting information system audits of IT companies, while in the case of hardware only 53.4% of companies follow more than 75% of the parameters, which represents the safeguarding of assets through the use of security policies by the companies. Hence the percentage of conducting Information systems audit for Software and BPO companies is 93.4%, but for hardware companies the percentage is considerably less than 60%.


4.6 References:

1. Ajai Gaur, Sanjaya Gaur, Statistical Methods for Practice and Research: A Guide to Data Analysis Using SPSS, SAGE Publications [2006].

2. C.R. Kothari, Research Methodology: Methods and Techniques, New Age International (P) Ltd, Second Edition [2004], Pg. 180.

3. Amir D. Aczel, Jayavel Sounderpandian, Complete Business Statistics, McGraw Hill Companies, Sixth Edition [2007].