Results of BSA/ISSA Information Security Survey

Slides: 45
Provided by: issa72

Transcript and Presenter's Notes
1
Results of BSA/ISSA Information Security Survey
  • January 31, 2005

2
Methodology
  • Penn, Schoen and Berland Associates conducted 850
    online interviews of members of the Information
    Systems Security Association (ISSA)
  • Research took place between December 8, 2004 and
    January 24, 2005
  • Margin of error for the entire sample is ±3.4
    percentage points, and larger for subgroups

3
Key Findings: Major Trends
  • Since October 2003:
    • Awareness of cyber security issues has increased
    • The number of security professionals taking
      precautions has increased
    • Organizations are increasing cyber security
      budgets to fund these precautions
  • Larger organizations and North American
    organizations are more likely to be taking more
    precautions to deal with potential cyber security
    attacks
  • Similarly, security professionals with six or
    more years of experience are more likely to be
    taking precautions than those with less
    experience
  • Larger organizations are more likely to have
    increased their information security budgets in
    the last 12 months

4
Key Findings: Risk of Attack
  • A majority of respondents (59%) say a major cyber
    attack on their organization is likely during the
    next 12 months.
  • This is a slight decrease from 2003 (65%).
  • Respondents from larger companies think an attack
    is more likely: 65% of those with 1,000 or more
    employees say an attack is likely, versus 52% of
    those with fewer than 1,000 employees.
  • Respondents in North America and other regions
    are equally likely to think an attack might
    happen.

5
Key Findings: Preparedness
  • As in 2003, nearly 8 in 10 (78%) of respondents
    say their organization is prepared to defend
    against an attack.
  • Respondents at companies with more than 1,000
    employees and more than $500 million in revenue
    are more likely to say their companies are
    prepared
  • North American respondents are more likely to say
    their companies are prepared
  • Respondents with more than 5 years of experience
    are more likely to say their companies are prepared
  • However, only 19% say employees at their
    organization are adequately trained in their
    information security duties and responsibilities.

6
Key Findings: Practices
  • 78% say their organizations have formal
    Information Security Programs
  • Larger companies are much more likely to say this
  • Since 2003, certain practices have become near
    universal:
    • 93% have written information security policies
      (was 72%)
    • 91% have access controls (was 73%)
    • 91% now have a designated person responsible for
      information security (was 78%)
  • Of the nine practices we asked about as part of
    respondents' information security programs, every
    one was up at least 15 percentage points from 2003
  • Again, larger and North American organizations
    are more likely to have adopted most practices
  • This is also true of respondents with more than 5
    years of experience

7
Key Findings: Practices
  • There was a significant increase in the
    deployment of the following personnel security
    safeguards:
    • Employee security handbook (from 43% in 2003 to
      51%)
    • Sanction policy for noncompliance (from 39% to
      48%)
    • Employee transfer checklist (from 34% to 42%)
  • There was a significant increase in the
    deployment of the following security
    technologies:
    • Email filtering (from 74% in 2003 to 88%)
    • Personal firewalls on laptops (from 44% to 51%)
  • Companies are more likely to monitor employee
    activity:
    • 70% monitor web activity (was 63%)
    • 49% monitor internal emails (was 40%)
    • 36% monitor instant messaging (was 30%)
    • 50% monitor Internet emails (was 47%)
  • Large organizations are more likely to be taking
    these steps.

8
Key Findings: Challenges
  • The top challenges organizations face in
    implementing information security systems remain:
    • Availability of budget, employee awareness, and
      security staffing
  • However, fewer respondents are now naming budget
    and employee awareness than in 2003, consistent
    with other data showing that both awareness and
    budgets are up.
  • Budget is a bit more of a concern in North
    America than elsewhere.

9
Key Findings: New Laws
  • Respondents believe Sarbanes-Oxley is helping:
    • 60% say Section 302 is improving security
      (requiring the CEO and CFO to assess and report on
      the effectiveness of internal controls around
      financial reporting)
    • 62% say Section 404 is improving security
      (requiring corporations to assess the effectiveness
      of internal controls and report annually to the
      SEC)
  • Respondents from large organizations are more
    positive about SOX requirements
  • 46% say current cyber laws have made their
    organization more secure, up from 33% in 2003.
  • 53% think more cyber laws will help even more;
    only 30% think new laws will not help.

10
Information Security Program
11
Formal Information Security Program
  • 78% of respondents say their organization has a
    formal Information Security Program function
  • Of those who have a formal Information Security
    Program function, 95% say it is approved by top
    management

[Chart] Does your organization have a formal Information
Security Program function?
12
Information Security Program Practices
  • Organizations show increases in all program
    practices since October 2003

13
Information Security/Privacy Officers
  • 91% have an Information Security Officer
    responsible for information security and related
    compliance issues
  • 55% have a Privacy Officer responsible for
    privacy compliance
  • Of those who have both, 72% say they function
    separately

14
Security Management Practices
15
Implementation Challenges
  • Availability of budget remains the top challenge
    organizations face in implementing their
    information security programs

16
Program Budgets
  • Nearly 4 in 10 (39%) said that their
    organization's information security program
    budget has increased in the past 12 months, while
    38% say it remained the same
  • Up from 34% reporting an increase in October 2003
  • Increases were more likely at bigger companies,
    such as those with over 1,000 employees (45%),
    and those with more than $500 million in yearly
    revenue (42%)
  • In the next year, 38% believe their organization
    plans to increase the information security
    program's budget, while 37% believe it will
    remain the same
  • 20% did not know
  • In regions outside of North America, 45% expected
    to increase their budgets in the next year

17
Management and Information Security
  • 65% say their organization's top management
    receives periodic updates on the status of
    information security
  • Updates are more common in larger firms (69%) and
    higher revenue firms (68%)
  • More so in North America (67%) than in other
    regions (59%)
  • Responsibility for information security issues is
    mostly in the hands of Chief Information Officers
    and Chief Security Officers

18
Information Security Auditing
  • Audits by outside entities are more common than
    in October 2003
  • More so at larger, higher revenue organizations

[Chart] Does your organization have a periodic review or
audit of its information security function by an
outside entity?
19
Governance
  • 44% say their organization treats information
    security as a governance issue involving active
    participation from the Board, CEO and/or senior
    management, up from 39% in October 2003
  • Of those who treat it as a governance issue:
    • 89% would be likely (43% very likely) to devote
      the resources and achieve the accountability
      necessary for better results
    • 76% believe it has put their company at a
      competitive advantage because its security is
      more up-to-date and it is able to minimize
      company downtime as a result of worms or viruses

20
Personnel Security
21
Training Programs
  • 61% have an active information security awareness
    and training program for all employees, including
    management
  • 37% have such a program for non-employee users
    such as consultants, contractors or temporary
    employees
  • Only 19% believe their employees are adequately
    trained in their information security duties and
    responsibilities, 46% believe they are somewhat
    trained, and 33% say not adequately trained

22
Activity Monitoring
  • Monitoring of employee online activities has gone
    up, and is higher at larger and high revenue
    organizations

23
Administrative Safeguards
  • Organizations have increased personnel security
    by increasing administrative safeguards
  • Biggest increases involve keeping employees
    informed, through orientation sessions and policy
    handbooks, as well as implementing sanction
    policies for non-compliance

24
Security Architecture and Models
25
Security Technologies
  • Anti-virus software and firewalls have become
    almost universal, while email filtering for spam
    increased to almost 90%

26
Security Management
  • Most organizations use network groups to manage
    their security safeguards and technologies
  • Smaller and low revenue organizations are less
    likely than their larger counterparts to use
    security groups

27
Security Software
  • Respondents now believe proprietary-source
    security software is more secure
  • This is particularly true outside of North America

[Chart] Which type of security software do you consider
more secure?
28
Telecommunications, Network and Internet Security
29
Preparation for Cyber Attacks
  • Respondents are slightly less fearful of a major
    cyber attack on their organization than in 2003
  • Those who are more likely to believe that an
    attack is likely are also more likely to say that
    they are prepared to defend against it

30
Cyber Defense Capabilities
  • Though down from the last survey, respondents are
    optimistic about improvements in their cyber
    defense capabilities and their ability to cope
    with new threats and vulnerabilities
  • More than 7 in 10 (73%) say that in the past year
    their organization's ability to defend itself has
    gotten better
    • 23% say it has gotten much better
    • Slightly down from 78% in October 2003
  • 70% say that recent cyber threats and
    vulnerabilities have caused their organization's
    capabilities to become more secure
    • 18% say much more secure
    • 76% said more secure in October 2003
  • 9 in 10 say their software security patches for
    known vulnerabilities are up-to-date, up from 87%
    in October 2003

31
Effect on Management Awareness
  • Recent cyber threats and vulnerabilities have
    been increasing awareness of security issues
    among senior executives
    • 65% reported this increased awareness, versus 72%
      in October 2003
  • Increased awareness of security issues at the
    senior executive level is leading to more
    increases in financial resources for improving
    security than in October 2003

32
Cyber Liability Insurance
  • Cyber liability insurance remains a little-used
    option for most organizations, though many
    respondents were unsure as to whether or not
    their organization even had it
    • Only 9% say their organization carries cyber
      liability insurance, while 46% don't know
    • Slightly up from 6% in October 2003
  • Very few of the respondents at organizations that
    do not currently carry this insurance believe
    that they will consider getting covered in the
    future
    • 57% said they would not consider carrying cyber
      liability insurance, and 27% said they didn't know

33
Business Continuity Planning
34
Business Continuity Plan
  • 64% of organizations have a documented business
    continuity plan covering personnel and facility
    issues
  • 45% have tested the plan in the past 6 months;
    63% in the last year
  • Only 10% have never tested the plan

35
Disaster Recovery Plan
  • 70% of organizations have a documented disaster
    recovery plan regarding critical business
    applications and supporting technology
  • 45% have tested the plan in the past 6 months;
    66% in the last year
  • Only 9% have never tested the plan

36
Law, Investigations, and Ethics
37
Sarbanes-Oxley
  • Respondents were largely positive about the
    effect the Sarbanes-Oxley requirements were
    having on security
  • Those with larger and higher revenue
    organizations, those with at least 6 years of
    experience, and those in North America were more
    likely to say the measures have led to improved
    security

38
Cyber Incidents and Laws
  • Only 15% say their organization has reported a
    cyber incident or intrusion to law enforcement or
    another government organization during the last 12
    months
    • Down from 19% in October 2003
    • Of those who have reported an incident, 82% say
      their organization has assisted law enforcement
      in the investigation of the reported incident
  • 46% say that current cyber laws have made their
    organization's cyber defense capability more
    secure
    • In October 2003, only 33% shared this view
  • More than half (53%) believe that more cyber laws
    will make their cyber defense capability more
    secure
    • Up from 47% in October 2003

39
Impact of Privacy and Security Laws
  • Respondents were most likely to cite increased
    top management awareness of the importance of
    privacy and security as the top impact of privacy
    and security laws
  • These increases in management's awareness have
    not led to as many increases in security budget
    or security personnel staffing

40
ISSA
41
3rd Party Providers
  • Larger and higher revenue organizations are more
    likely to employ the services of 3rd Party
    Providers, and those that do are more likely to
    conduct security screening and auditing of these
    providers
  • 42% of organizations use 3rd Party Providers that
    store and/or transmit sensitive data about their
    organization
    • Of those who do, 56% require them to undergo
      independent security reviews
    • 34% audit 3rd Party Providers' security policies
      and procedures
      • 64% of those who do conduct the audit before
        using their services; 27% conduct the audit
        while using them
    • 27% include reviews of 3rd Party Providers'
      security procedures as part of their legislative
      compliance requirements

42
ISSA Sponsored Events
  • 43% of respondents have attended at least one
    ISSA sponsored training event in the past 12
    months
    • 17% have been to at least three training events
  • 44% have attended at least one ISSA sponsored
    conference in the past 12 months
    • 14% have been to at least three conferences

43
ISSA Sponsored Events
  • 62% prefer attending conferences, while 30%
    prefer viewing webinars
  • 84% would be more likely to attend regional
    conferences than the ISSA International annual
    conference
  • 54% are familiar with the ISSA sponsored CISO
    Executive Forum

44
Future ISSA Topics