Rapid diffusion of the Internet while bringing numerous benefits, also demonstrated the urgent need to craft effective information security management practices to protect information assets of organizations from security intrusions and attacks. Building and managing such security infrastructure could be potentially very expensive, especially for small and medium size organizations and non-profit organizations such as educational institutions. We use a case study based approach to analyze the issues in managing information security in such an organization. Management Development Institute (MDI), one of the premier teaching and research business schools in India, embarked on implementing a robust security management infrastructure after a spate of virus attacks crippled its messaging infrastructure. The case highlights the challenges in managing information security in a typical open access academic community and describes how MDI went about deploying its information security infrastructure during the different phases of the security system development life cycle. In particular, the process of developing security policy document and challenges in selecting security components that conform to the developed policies are discussed. The case poses interesting challenges to future proof information security infrastructure of academic institutions in an era of ever evolving security threats.

AT&T (2005), ‘Evolving your Messaging Environment: Security, Scalability, and Sourcing’, http://www.webtorials.com, 9 July 2005.

AT&T (2006), ‘Business Continuity Preparedness Handbook’, http://www.webtorials.com, 21 July 2006.

BBC (2006), ‘Criminals Recruit Tech Students’, http://news.bbc.co.uk, 8 December 2006.

Benbasat, I., Goldstein, D. and Mead, M. (1987), “The Case Research Strategy in Studies of Information Systems”, MIS Quarterly, 11(3), 369-386.

Berghel, H. (December, 2003), “The Malware Month”. Communications of the ACM. 46(12), 15-19.

Berghel, H. (April, 2006), “Phishing Mongers and Posers”, Communications of the ACM. 49(4), 21-25.

Bragg, R., Rhodes-Ousley, M., and Strassberg, K. (2004), Network Security: The Complete Reference, Tata McGraw-Hill, New Delhi, India.

Calabrese, T. (2004), Information Security Intelligence: Cryptographic Principles and Applications, Thompson Deemar Learning, Chennai, India.

Chen, P.,Kataria, G., and Krishnan, R. (November 23, 2005), “On Software Diversification, Correlated failures and Risk Management”, Heinz School of Public Policy and Management, Carnegie Mellon University, Pittsburgh, U.S.A., Unpublished monograph.

CNet. (2002), “University Systems, A Haven for Hackers”, news.com.com, 5 April 2002.

Cronan, P., Foltz, B., and Jones, T. Piracy (2006), “Computer Crime and IS Misuse at the University”, Communications of the ACM, 49(6), 85-90.

CSI/FBI. (2006), “Computer Security Institute (CSI)/ federal Bureau of Investigation (FPB) Computer Crime and Security Survey”, http://www.gocsi.com, 8 August 2006.

Dhillon, G. (1997). Managing Information Systems Security. Macmillan Education, Ltd., New York, USA.

Dhillon, G. (2007). Principles of Information Systems Security: Texts and Cases. John Wiley & Sons, Ltd., New York, USA.

Dutta, A., and McCrohan, K. (2002),  “Management’s Role in Information Security in a Cyber Economy”, California Management Review. 45(1), 67-87.

Fadia, A. (2004), The Ethical Hacking Guide to Corporate Security. Macmillan India Ltd.,  New Delhi, India.

Fraser, B. (1997), “RFC 2196: Site Security Handbook”, http://www.faqs.org/rfcs/rfc2196.html, 13 April 13 2002.

Gartner (2002), “Deep Packet Inspection: The Next Phase of Firewall Evolution: Gartner Research Note T-18-0340”, gartner.com, 6 December 2002.

Hoe, N. (2006), “Breaking Barriers: The Potential of Free and Open Source Software for Sustainable Human Development – A Compilation of Case Studies from Around the World”, http://www.undp.apidp.net 17 November 2006.

Krempl, S. (September-October, 2006), “Universities Need Lessons in IT Security”,  Infosecurity Today, 24-26.

Mamaghani, F. (2002), “Evaluation and selection of an antivirus and content filtering software”, Information Management & Computer Security, 10(1), 28-32.

New Scientist (2006), “Spam Choking the Internet Again”, http://www.newscientist.com, 12 December 2006.

Panko, R. (2003), Corporate Computer and Network Security. Pearson Education, New Delhi, India.

Ramim, M., and Levy, Y. (2006), “Securing E-Learning System: A Case of Insider Cyber Attacks and Novice IT Management in a Small University”, Journal of Cases in Information Technology. 8(4), 24-34.

Sadowsky, G., Dempsey, J., Greenberg, A., Mack, B., and Schwartz, A. (2003),  “Information Technology Security Handbook”, infodev.org, 1 June 2006.

Sridhar, V. (2005), “Are you Blo(a)ck Listed?”, Economic Times, 1 December 2005.

Sridhar, V., and Bhasker, B. (2003), “Managing Information Security on a Shoestring Budget”, Annals of Cases on Information Technology, 5, 151-167.

Sridhar, V., and Jain, P. (2004), “The Elusive Last Mile to the Internet”, Annals of Cases on Information Technology, 6, 540-560.

Stallings, W. (2000), Cryptography and Network Security: Principles and Practices. Prentice Hall, Upper Saddle River, New Jersey, USA.

Uchamballi, V., Chakrabarty, S., and Saha, B. (2005), “An Overview of SPAM: Impact and Counter Measures”, cert-in.org.in/knowledgebase/whitepapers/index.html, 12 December, 2006.

von Solms, R. (1998), “Information Security Management (2): Guidelines to the Management of Information Technology Security”, Information Management & Computer Security, 6(5), 221-223.

Whitman, M., and Mattord, H. (2003), Principles of Information Security. Thomson Course Technology, New Delhi.

Wilson, J. (May, 2005), “The Future of the Firewall”, Business Communications Review. 28-32.