Abstract:
Academic institutions have always been hubs of learning and are considered one of the strengths of a country. With the rapid growth of Information Technology, academic institutions now run large infrastructures: research labs, internet and intranet access, databases, management information systems, accounts information, online examinations, online courses and many other services. This growth in IT services has been accompanied by a growth in threats to information assets. In academic institutions the main threats can come from inside the environment, e.g. leakage of examination papers from faculty computers, manipulation of results, and alteration of financial records. Such attacks are made possible by vulnerabilities in the installed systems: operating-system vulnerabilities, application vulnerabilities, and a lack of mechanisms to protect confidentiality, integrity or availability. Attackers exploit these vulnerabilities using hacking techniques. To secure an information system, security mechanisms are applied to it and then tested against specific attacks through penetration testing, in which a penetration tester is assigned to evaluate the security mechanisms, identify the vulnerabilities and assess them in accordance with the organization's security policy. This thesis deals with the classification of information in academic institutions, the assessment of the ISO controls implemented on these assets, and the identification of vulnerabilities in them.