Please provide clear description of each point

Scenario Starting in March, 2011, there is a New Delhi-based custom software solutions provider company. The company specializes in providing outsourced technical and business assistance to its clients, in addition to building and customizing software solutions for them on a project basis. IT consulting, web design and development, mobile app development, software development, robotics, and online marketing are among the company's primary areas of business and service. The company employs fifty individuals and serves a diverse client in fields as varied as aerospace, automotive, consumer products, food, metal fabrication, medicine, pharmaceuticals, and solar power. Information Security Requirement Since Case A is in the industry of creating software, web apps, and mobile applications, any loss of information (such as losing codes, software programs, applications, etc.) is extremely important to the company and its operations. The efficiency of a business will suffer whenever there is a breach in its information security. Serious consequences, including monetary loss, decreased productivity, postponed projects, lost intellectual property, lost customers, and, worst of all, a damaged reputation, may ensue from this. Information security is recognized as being essential to the company's operations by both upper management and software engineers.. If we are unable to complete our tasks on time, we risk losing customers, which is why maintaining productivity is so important. Additionally, if a customer no longer has faith in us, he will not continue doing business with us. The top /management(in Case A) understands the need of protecting sensitive data, but they haven't shown any real commitment to making it a priority. Insufficient funding and reluctance from upper management are primary reasons for this situation. The company does not have a dedicated information security officer or other authoritative figure. The network team oversees all ISM operations for the company. Disorganization and chaos result from this. There is occasional support from upper management, but it falls short of what is needed here. Information Security Policy No formal policy on protecting sensitive data exists. Employees' roles and obligations in maintaining the confidentiality, integrity, and availability of sensitive information are not specified. Organizational responsibility for information security tasks is not clearly delineated. Workers handle information security in their workplace in an ad hoc fashion. Information Security Training Workers (Case A) are not provided with any kind of formal training in information security, either when they first start out with the organization or at any other point in time. There is no system in place to ascertain the information security training needs of individual personnel in light of their individual positions. Workers are expected to make independent judgments about any issue involving information security. Neither a structured procedure (with predetermined procedures) nor a governing body is in place. Employees' needs for consistent information security training and awareness programs became clear throughout interviews. Information Security Awareness Staff in Case A were found to have significantly less familiarity with information security threats and mitigation strategies due to the absence of any information security training programmes. Some workers are aware of the potential threats to the information and information assets they are handling, but they are unsure of what to do because there is no policy or standards to direct them. There is a lack of clarity on who is responsible for what in terms of keeping sensitive data secure. When it comes to sanctions or legal repercussions, there is a common lack of awareness. There is no one to go to for advice on how to handle ISM issues within the company. Information Security Culture Situation A fails to provide the foundation for an ISM culture to flourish in the routine work of its employees. Staff members typically do not consider information security to be part of their duties. Information Security Audit In Case A, there is no check for the integrity of sensitive data. The company does not perform any type of information security audits either internally or externally. If there are any anomalies in the server logs, the network team is responsible for investigating them. The company lacks any credentials in the field of information security. "We are a little company; we do not require any such ISM accreditation," the company's MD said. Maybe as time goes on and the business expands, we'll consider about it. Information Security Management Best Practices There is a lack of planning and preparation in Case A's ISM procedures. Threats to the organization's diverse business operations are not being properly identified or managed. Some of the highlighted gaps include: employees taking key project data files with them when they leave, employees sharing passwords, no blocking of Internet downloads, and no regular upgrades to antivirus programs. Some theories suggest this is due to poor data protection and leadership indifference. Asset Management Case A includes both information technology and non-IT assets in its inventory system. No risk or criticality-based asset categories are in place. Since most desktops and laptops are shared, enforcing responsibility can be challenging. The organization lacks a system for determining which threats pose the most danger to its data and records. There is no system in place for restricting employees' movement to certain regions within the company, and they are free to move about the building as they see fit. There is neither an automated nor a manual identity check (and record keeping) procedure in place at the front or back doors of the building. Personal computing and storage devices are not permitted in the workplace, yet there is no mechanism in place to detect their presence. During the course of the interviews, it became clear that such regulations are not strictly enforced. All systems, including the central server, are accessible by all personnel, albeit the network team has been tasked with restricting access based on roles. The server and other systems are accessible by anybody with a password. Information Security Incident Management It was discovered through interviews that Case A has no formalized procedure for hand ling information security incidents. The repercussions of not adhering to information security rules and practices are not communicated to workers. Organizational data is stored on a single, central server, and the password to this server is known to all employees as part of the company's disaster recovery and business continuity plans. The business relies on free cloud storage services like Dropbox for its data backups. The company takes a reactive stance toward managing information security incidents. One such event, as related by an interviewee, occurred a few days ago when an employee accidentally formatted a partition of the system hard disk. Recovery software and other techniques exist to avoid this kind of situation, but nobody seems to be using them. Much of our data and test applications were deleted. My research and development files for a prototype app lost... Projects are slowed down because of these kinds of accidents... A lot of programmers have come to me recently complaining about their data loss. The R\&D effort suffers when occurrences like these occur. Information Security Regulations Compliance Case A employs licensed software, but its employees are free to and do regularly use freeware they find online. No system is in place to detect when inappropriate applications have been installed on business machines. Organization does not currently hold, nor do they have any plans to obtain, any Information Security Management (ISM) certifications. Regarding data privacy concerns, in principle, distinct groups are only given access to the data and other pertinent information that pertains to their unique work/project, but in practice, all employees have access to all sorts of data. There is no safeguard against software engineers taking sensitive project information and codes home on their own devices. There is a lack of policies and thorough documentation of all processes, both of which are required for certification. In our system, privacy does not exist. As I said, whomever wants to can take the codes wherever they like. Information Security Management Effectiveness Case A's upper management, managers, and staff all agree that information security is extremely important, yet the matter has been given relatively little attention. There are no established procedures or mechanisms for ISM since the company lacks a formal information security policy or principles. Employees lack knowledge of the various threats to information and information assets due to a lack of training or awareness campaigns. During the course of the interview, it became clearly obvious that data loss occurs frequently as a result of carelessness and unwillingness, and that this has a negative impact on the organization's productivity as a whole. Such accidents have occasionally caused delays in project execution, which has had negative result including financial losses, lost revenue, and even lost clients. The organization needs a risk assessment and management plan, but it does not currently have one... Accountabilities need to be established, and not just orally but also in writing... Now you have to create a Information security policy considering the above and following points: - 1. Purpose 2. Audience and Scope 3. Information Security Objectives 4. Authority and access control policy 5. Classify your data by security level or break down your data in hierarchy 6. Data Support and Operation 7. Components to include in security training 8. Responsibilities, rights, and duties of personnel