Research reveals that companies are still not taking security
seriously, reports Bill Goodwin.
Cutting edge research by the Human Firewall Council, a body of
specialists devoted to disseminating best practice in IT security,
shows that even the best prepared companies have a long way to go
before their organisations' systems and information assets are
adequately protected.
The council has pioneered an online assessment tool, the Security
Management Index, which allows IT and security managers to compare
the performance of their companies against their peers and against
the internationally recognised security management standard,
ISO/IEC 17799.
More than 1,000 businesses and public sector organisations around
the world, including 116 in the UK, completed the 30-minute
assessment, supplying illuminating data that reveals just how well
- or rather how badly - different sectors of the economy manage
security.
The index shows that eight out of 10 organisations score 70% or
less. Three out of four organisations do not fully implement their
security policies and only one in five actively reviews them and
keeps them up-to-date.
The results strongly suggest that most organisations still treat
security as a problem that can be solved through technical fixes,
such as installing a new firewall or a better intrusion detection
system, rather than as a management problem for the whole
organisation.
"When you look at security management as a discipline it is not
just a technology issue, it is about people, security policies and
processes. A lot of times people just want one of those things to
save them, and it cannot," said the council's chairman, Steve
Kahan.
Although the results highlight serious shortfalls for all
businesses, some sectors are worse than others. Not surprisingly
companies in the defence industry score highest for security
management. Financial services were next in line, with the
healthcare sector bringing up the rear.
But no sector can afford to relax, said Kahan. The US has
introduced new laws requiring healthcare companies to keep
information secure. If security management is not up to scratch,
they could find themselves legally liable.
Where organisations fall down particularly badly is their failure
to ensure that staff are aware, understand and remember their
corporate security policies. Almost 40% of organisations simply
gave their employees printed manuals containing security policies
on the day they started. Few kept policies up to date or had taken
steps to ensure that their staff had genuinely read and understood
them. Almost 50% of companies had no formal IT security
training.
It is not surprising, said Kahan, that employees simply do not know
how to recognise a security incident or, if they do, know how to
react to it. "If you are a vice-president for information security
you should be able to look the chief executive officer in the eye
and prove to him that everyone has read and understood the company
policy. You should be able to produce a report that proves
it."
Another area where companies fall down is in managing access to
information systems. Only a quarter of the organisations that
completed the Security Management Index have fully implemented
access control. Most do not have formal registration of new
employees or deregistration of former employees, and password
management is woefully inadequate.
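The two shortfalls above, the missing proof that staff have read the current policy and the missing registration and deregistration of employees, are both reconciliation problems: an authoritative HR roster compared against the records that should match it. The block below is an added example, not code from the article or from the Human Firewall Council. It assumes a hypothetical HR roster, directory account list and policy-acknowledgement table (all constructed here), and a 90-day maximum password age; it reports joiners with no account, leavers whose accounts are still enabled, accounts with no HR record, passwords older than the limit, and active employees who have not acknowledged the current policy version.

```python
"""
Joiner/leaver and policy-acknowledgement reconciliation.

Added example, not from the article or the Human Firewall Council.
The HR roster is treated as the authoritative list of who should
have access; it is compared against directory accounts and policy
acknowledgement records. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    user_id: str
    start: date
    end: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    password_set: date  # date the current password was last changed


# Constructed sample data (hypothetical names and dates)
TODAY = date(2003, 4, 1)
CURRENT_POLICY_VERSION = "v3"
MAX_PASSWORD_AGE_DAYS = 90

HR_ROSTER: List[Employee] = [
    Employee("alice", date(2001, 1, 8), None),
    Employee("bob", date(2002, 6, 3), date(2003, 2, 28)),    # left in February
    Employee("carol", date(2003, 3, 24), None),             # started last week
    Employee("dave", date(2000, 5, 15), date(2003, 6, 30)),  # leaving in June
]

DIRECTORY: List[Account] = [
    Account("alice", True, date(2003, 3, 10)),
    Account("bob", True, date(2002, 11, 1)),    # leaver never deregistered
    Account("dave", True, date(2002, 12, 20)),  # password older than 90 days
    Account("eve", True, date(2003, 1, 15)),    # nobody in HR by this name
]

# user_id -> latest policy version that user has acknowledged
ACKNOWLEDGEMENTS: Dict[str, str] = {"alice": "v3", "bob": "v3", "dave": "v2"}


def is_active(emp: Employee, today: date) -> bool:
    """Employed on 'today': has started, and has no end date or one not yet passed."""
    return emp.start <= today and (emp.end is None or emp.end >= today)


def has_left(emp: Employee, today: date) -> bool:
    """End date recorded and already passed."""
    return emp.end is not None and emp.end < today


def reconcile_access(roster: List[Employee], accounts: List[Account], today: date,
                     max_password_age_days: int = MAX_PASSWORD_AGE_DAYS) -> Dict[str, List[str]]:
    """Registration/deregistration and password-age check against the HR roster."""
    by_id = {a.user_id: a for a in accounts}
    hr_ids = {e.user_id for e in roster}
    findings: Dict[str, List[str]] = {
        "joiners_without_account": [],
        "leavers_still_enabled": [],
        "accounts_without_hr_record": [],
        "stale_passwords": [],
    }
    for emp in roster:
        acct = by_id.get(emp.user_id)
        if is_active(emp, today) and acct is None:
            findings["joiners_without_account"].append(emp.user_id)
        elif has_left(emp, today) and acct is not None and acct.enabled:
            findings["leavers_still_enabled"].append(emp.user_id)
    for acct in accounts:
        if acct.user_id not in hr_ids:
            findings["accounts_without_hr_record"].append(acct.user_id)
        if acct.enabled and (today - acct.password_set).days > max_password_age_days:
            findings["stale_passwords"].append(acct.user_id)
    return findings


def unacknowledged_policy(roster: List[Employee], acks: Dict[str, str],
                          version: str, today: date) -> List[str]:
    """Active employees with no record of reading the current policy version."""
    return [e.user_id for e in roster
            if is_active(e, today) and acks.get(e.user_id) != version]


if __name__ == "__main__":
    for name, ids in reconcile_access(HR_ROSTER, DIRECTORY, TODAY).items():
        print(f"{name}: {', '.join(ids) or 'none'}")
    missing = unacknowledged_policy(HR_ROSTER, ACKNOWLEDGEMENTS, CURRENT_POLICY_VERSION, TODAY)
    print(f"not acknowledged {CURRENT_POLICY_VERSION}: {', '.join(missing) or 'none'}")
```

Run on the constructed data, the report lists carol as a joiner with no account, bob as a leaver still enabled, eve as an account with no HR record, bob and dave as stale passwords, and carol and dave as not having acknowledged policy v3. In practice the roster and directory would be exported from the HR system and the directory service rather than typed in, and the report would be run on a schedule so that a leaver's account is caught within days rather than at the next annual audit.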
Overall it is vital for organisations to ensure that each employee
feels a responsibility for security, said Kahan. This might be
through sending pop-up awareness notices to their PCs, formal
training or holding quizzes about security policies.
The key to security management is the integration of policy and
technology. "You must view it in an integrated way, and not try to
solve it with a piece-meal approach," Kahan said.
What does the Security Management Index measure?
The index allows organisations to assess their security
management performance, and to compare it with companies of similar
size in similar business areas. It covers:
- How well security policy is implemented and kept
up-to-date
- Security and classifications of assets and resources
- Personnel security
- Physical security
- Communications and operations, including documentation of
procedures for incident management, back-up and recovery
- Control of access to systems
- Systems development and maintenance
- Business continuity
- Legal compliance.
More details from
www.humanfirewall.org
Lax security is still commonplace
- Eight out of 10 organisations score less than 70% for security
management
- Three out of four have not fully implemented security policies
- Four out of five could be breaking the law because they do not
have adequate compliance programmes
- Eight out of 10 have not fully implemented business continuity
plans
- Only one in four has fully implemented access controls
- Only 16% have fully implemented secure policies for systems
development and systems integration
- Only two out of five have fully implemented personnel security
policies
- Fewer than 20% have proper incident reporting procedures
- More than half do not have a system of asset classification and
control
The average score for organisations that completed the index was
52 out of 100.
The Security Management Index is sponsored by the Infosecurity
Europe show (29 April to 1 May) and Computer Weekly
www.infosecurity.co.uk