Plans by an industry consortium to
develop a corporate checklist for assessing cyber threats could
help IT directors justify security spending and help protect
companies against hackers, according to industry
experts.
The consortium, which includes the Big Four
accounting firms and insurance giant AIG international, aims to
agree a cyber-risk model that can be used by companies in all
industries.
Auditors and insurers could also use the "risk
preparedness index" to help decide whether a company has adequate
IT security arrangements.
Although details of the framework have yet to
be finalised, security experts expect it to focus on an
organisation's IT security safeguards, such as its firewalls and
anti-virus software, and to compare those safeguards against the
security threats it faces.
IT directors welcomed the initiative.
"IT infrastructure risk management is of
critical importance to the industry and Barclays broadly welcomes
the principles behind this initiative," said Barclays group chief
technology officer Kevin Lloyd.
"We will continue to monitor the development
of this framework with interest and potentially inclusion in the
shaping of the framework."
Nick Leake, director of operations and
infrastructure at ITV, said, "I think the real value of this
approach is in sorting out the companies with dreadful levels of
non-compliance/operation from those with high levels - it won't be
much use in distinguishing the better of two already very compliant
operations. And as with all these things, it will have to be kept
up to date."
Industry experts said that an accepted model
for measuring security risk would be a breakthrough if widely
adopted and would also help IT departments justify security
spending.
"The new security standard looks promising,
although a lot of the devil will be in the detail," said Graham
Titterington, principal analyst at Ovum. "It will make it easier
for people to justify spending on IT security because the
backers of the standard are blue chip companies, which gives it
credibility with the board."
Existing standards for information security,
such as BS7799, do not primarily focus on assessing security risks
to a business, Titterington added.
Neil Barrett, technical director of security
consultancy Information Risk Management, said the proposed security
standard would allow IT directors to measure their organisation's
security arrangements against a benchmark.
The Big Four firms contacted by Computer
Weekly declined to comment.