Auditors working on cyber-risk standard

Plans by an industry consortium to develop a checklist to assess cyber-threats could help IT directors justify security spending and help protect companies against hackers, according to IT directors and industry experts.

The consortium, which includes the Big Four accountancy firms and US-based insurance giant AIG International, aims to agree a cyber-risk model that can be used by companies in all industries.

Auditors and insurers could also use the resulting risk-preparedness index to help decide whether a company has adequate IT security arrangements.

Although details of the framework have yet to be finalised - and the companies involved in the consortium have declined to comment further - security experts said it will focus on an organisation's IT security safeguards, such as its firewalls and anti-virus software, and compare this to the security threats it faces.

IT directors welcomed the security initiative.

"IT infrastructure risk management is of critical importance to the industry and Barclays broadly welcomes the principles behind this initiative," said Barclays Group chief technology officer Kevin Lloyd.

"We will continue to monitor the development of this framework with interest," he said.

Nick Leake, director of operations and infrastructure at ITV, said, "I think the real value of this approach is in sorting out the companies with dreadful levels of non-compliance/operation from those with high levels. It will not be much use in distinguishing the better of two already very compliant operations.

"And as with all these things, it will have to be kept up-to date," he said.

Industry experts said a model for measuring security risk would be a breakthrough if it were widely adopted. The model would also help IT departments justify security spending.

"The new security standard looks promising, although a lot of the devil will be in the detail," said Graham Titterington, principal analyst at Ovum.

"It will make it easier for people to justify spending on IT security because the backers of the standard are blue chip companies, which gives it credibility with the board."

Current standards for information security, such as BS7799, do not focus primarily on assessing security risks to a business, Titterington added.

Neil Barrett, technical director of security consultancy Information Risk Management, said the security model would allow IT directors to measure their organisations' security arrangements against a benchmark.
