Results of BSA/ISSA Information Security Survey

1
Results of BSA/ISSA Information Security Survey

• January 31, 2005

2
Methodology

• Penn, Schoen and Berland Associates conducted 850
  interviews of members of the Information Systems
  Security Association (ISSA)
• Research was conducted online and took place
  between December 8, 2004 and January 24, 2005
• Margin of error for the entire sample is 3.4,
  and larger for subgroups

3
Key Findings Major Trends

• Since October 2003
• Awareness of cyber security issues has increased
• The amount of security professionals taking
  precautions has increased
• Organizations are increasing cyber security
  budgets to fund these precautions
• Larger organizations and North American
  organizations are more likely to be taking more
  precautions to deal with potential cyber security
  attacks
• Similarly, security professionals with six or
  more years of experience are more likely to be
  taking precautions than those with less
  experience
• Larger organizations are more likely to have
  increased their information security budgets in
  last 12 months

4
Key Findings Risk of Attack

• A majority of respondents (59) say the risk a
  major cyber attack on their organization is
  likely during the next 12 months.
• This is a slight decrease from 2003 (65).
• Respondents from larger companies think an attack
  is more likely 65 with 1000 or more employees
  say an attack is likely 52 of those with fewer
  than 1000 employees.
• Respondents in North America and other regions
  are equally likely to think an attack might
  happen.

5
Key Findings Preparedness

• As in 2003, nearly 8 in 10 (78) of respondents
  say their organization is prepared to defend
  against an attack.
• Respondents at companies with more than 1000
  employees and more than 500 million in revenue
  are more likely to say their companies are
  prepared
• North American respondents more likely to say
  their companies are prepared
• Respondents with more than 5 years of experience
  more likely to say their companies are prepared
• However, only 19 say employees at their
  organization are adequately in their information
  security duties and responsibilities.

6
Key Findings Practices

• 78 say their organizations have formal
  Information Security Programs
• Larger companies much more likely to say this
• Since 2003, certain practices have become near
  universal
• 93 have written information security policies
  (was 72)
• 91 have access controls (was 73)
• 91 now have a designated person responsible for
  information security (was 78)
• Of the nine practices we asked if were part of
  respondents information security programs, every
  one was up at least 15 from 2003
• Again, larger and North American organizations
  are more likely to have adopted most practices
• This also true of respondents with more than 5
  years of experience

7
Key Findings Practices

• There was a significant increase in the
  deployment of the following personnel security
  safeguards
• Employee security handbook (from 43 in 2003 to
  51)
• Sanction policy for noncompliance (from 39 to
  48)
• Employee transfer checklist (from 34 to 42)
• There was a significant increase in the
  deployment of the following security
  technologies
• Email filtering (from 74 in 2003 to 88)
• Personal firewalls on laptops (from 44 to 51)
• Companies are more likely to monitor employee
  activity
• 70 monitor web activity (was 63)
• 49 monitor internal emails (was 40)
• 36 monitor instant messaging (was 30)
• 50 monitor Internet emails (was 47)
• Large organizations are more likely to be taking
  these steps.

8
Key Findings Challenges

• The top challenges organizations face in
  implementing information security systems remain
• Availability of budget, employee awareness, and
  security staffing
• However, fewer respondents are now naming budget
  and employee awareness than in 2003, consistent
  with other data showing that both awareness and
  budgets are up.
• Budget is a bit more of a concern in North
  America than elsewhere.

9
Key Findings New Laws

• Respondents believe Sarbanes-Oxley is helping
• 60 say Section 302 is improving security
  (requiring CEO and CFO to assess and report
  effectiveness of internal controls around
  financial reporting)
• 62 say Section 404 is improving security
  (requiring corporations to assess effectiveness
  of internal controls and report annually to the
  SEC)
• Respondents from large organizations more
  positive about SOX requirements
• 46 say current cyber laws have made their
  organization more secure, up from 33 in 2003.
• 53 think more cyber laws will help even more
  only 30 think new laws will not help.

10
Information Security Program
11
Formal Information Security Program

• 78 of respondents say their organization has a
  formal Information Security Program function
• Of those who have a formal Information Security
  Program function, 95 say it is approved by top
  management

Does your organization have a formal Information
Security Program function?
12
Information Security Program Practices

• Organizations show increases in all program
  practices since October 2003

13
Information Security/Privacy Officers

• 91 have an Information Security Officer
  responsible for information security and related
  compliance issues
• 55 have a Privacy Officer responsible for
  privacy compliance
• Of those who have both, 72 say they function
  separately

14
Security Management Practices
15
Implementation Challenges

• Availability of budget remains the top challenge
  organizations face in implementing their
  information security programs

16
Program Budgets

• Nearly 4 in 10 (39) said that their
  organizations information security program
  budget has increased in the past 12 months, while
  38 say it remained the same
• Up from 34 increased in October 2003
• Increases were more likely at bigger companies,
  such as those with over 1,000 employees (45),
  and with more than 500 million in yearly revenue
  (42)
• In the next year, 38 believe their organization
  plans to increase the information security
  programs budget, while 37 believe it will
  remain the same
• 20 did not know
• In regions outside of North America, 45 expected
  to increase their budgets in the next year

17
Management Information Security

• 65 say their organizations top management
  receives periodic updates on the status of
  information security
• Updates are more common in larger firms (69) and
  higher revenue firms (68)
• More so in North America (67) than other regions
  (59)
• Responsibility for information security issues is
  mostly in the hands of Chief Information Officers
  and Chief Security Officers

18
Information Security Auditing

• Audits by outside entities are more common than
  in October 2003
• More so at larger, higher revenue organizations

Does your organization have a periodic review or
audit of its information security function by an
outside entity?
19
Governance

• 44 say their organization treats information as
  a governance issue involving active participation
  from the Board, CEO and/or senior management, up
  from 39 in October 2003
• Of those who treat it as a governance issue
• 89 would be likely (43 very likely) to devote
  the resources and achieve accountability
  necessary for better results
• 76 believe it has put their company at a
  competitive advantage because its security is
  more up-to-date, and it is able to minimize
  company downtime as a result of worms or viruses

20
Personnel Security
21
Training Programs

• 61 have an active information security awareness
  and training program for all employees, including
  management
• 37 have such a program for non-employee users
  such as consultants, contractors or temporary
  employees
• Only 19 believe their employees are adequately
  trained in their information security duties and
  responsibilities, 46 believe they are somewhat
  trained, and 33 say not adequately trained

22
Activity Monitoring

• Monitoring of employee online activities has gone
  up, and is higher at larger and high revenue
  organizations

23
Administrative Safeguards

• Organizations have increased personnel security
  by increasing administrative safeguards
• Biggest increases involve keeping employees
  informed, through orientation sessions and policy
  handbooks, as well as implementing sanction
  policies for non-compliance

24
Security Architecture and Models
25
Security Technologies

• Anti-virus software and firewalls have become
  almost universal, while email filtering for SPAM
  increased to almost 90

26
Security Management

• Most organizations use network groups to manage
  their security safeguards and technologies
• Smaller and low revenue organizations are less
  likely than their larger counterparts to use
  security groups

27
Security Software

• Respondents now believe proprietary source
  software is more secure
• This is particularly true outside of North America

Which type of security software do you consider
more secure?
28
Telecommunications Network Internet Security
29
Preparation for Cyber Attacks

• Respondents are slightly less fearful of a major
  cyber attack on their organization than in 2003
• Those who are more likely to believe that an
  attack is likely are also more likely to say that
  they are prepared to defend against it

30
Cyber Defense Capabilities

• Though down from the last survey, respondents are
  optimistic about improvements in their cyber
  defense capabilities and their ability to cope
  with new threats and vulnerabilities
• More than 7 in 10 (73) say in the past year
  their organizations ability to defend itself has
  gotten better
• 23 say it has gotten much better
• Slightly down from 78 in October 2003
• 70 say that recent cyber threats and
  vulnerabilities have caused their organizations
  capabilities to become more secure
• 18 say much more secure
• 76 said more secure in October 2003
• 9 in 10 say their software security patches to
  known vulnerabilities are up-to-date, up from 87
  in October 2003

31
Effect on Management Awareness

• Recent cyber threats and vulnerabilities have
  been increasing awareness of security issues
  among senior executives
• 65 reported this increased awareness, 72 in
  October 2003
• Increased awareness of security issues at the
  senior executive level are leading to more
  increases in financial resources for improving
  security than in October 2003

32
Cyber Liability Insurance

• Cyber liability insurance remains a little-used
  option for most organizations, though many
  respondents were unsure as to whether or not
  their organization even had it
• Only 9 say their organization carries cyber
  liability insurance, while 46 dont know
• Slightly up from 6 in October 2003
• Very few of the respondents at organizations that
  do not currently carry this insurance believe
  that they will consider getting covered in the
  future
• 57 said they would not consider carrying cyber
  liability insurance, and 27 said they didnt know

33
Business Continuity Planning
34
Business Continuity Plan

• 64 of organizations have a documented business
  continuity plan covering personnel and facility
  issues
• 45 have tested the plan in the past 6 months,63
  in the last year
• Only 10 have never tested the plan

35
Disaster Recovery Plan

• 70 of organizations have a documented disaster
  recovery plan regarding critical business
  applications and supporting technology
• 45 have tested the plan in the past 6 months,
  66 in the last year
• Only 9 have never tested the plan

36
Law, Investigations, and Ethics
37
Sarbanes Oxley

• Respondents were largely positive about the
  effect the Sarbanes Oxley requirements were
  having on security
• Those with larger and higher revenue
  organizations, those with at least 6 years of
  experience, and those in North America were more
  likely to say the measures have led to improved
  security

38
Cyber Incidents Laws

• Only 15 say their organization has reported a
  cyber incident or intrusion to law enforcement or
  other government organization during the last 12
  months
• Down from 19 in October 2003
• Of those who have reported an incident, 82 say
  their organization has assisted law enforcement
  in the investigation of the reported incident
• 46 say that current cyber laws have made their
  organizations cyber defense capability more
  secure
• In October 2003, only 33 shared this view
• More than half (53) believe these cyber laws
  will make their cyber defense capability more
  secure
• Up from 47 in October 2003

39
Impact of Privacy and Security Laws

• Respondents were most likely to cite increased
  top management awareness of importance of privacy
  and security as the top impact of privacy and
  security laws
• These increases in managements awareness have
  not led to as many increases in security budget
  or security personnel staff

40
ISSA
41
3rd Party Providers

• Larger and higher revenue organizations are more
  likely to employ the services of 3rd Party
  Providers, and those that do are more likely to
  conduct security screening and auditing on these
  providers
• 42 of organizations use 3rd Party Providers that
  store and/or transmit sensitive data about their
  organization
• Of those who do, 56 require them to undergo
  independent security reviews
• 34 audit 3rd Party Providers security policies
  and procedures
• 64 of those who do conduct the audit before
  using their services, 27 conduct the audit while
  using them
• 27 include reviews of 3rd Party Providers
  security procedures as part of their legislative
  compliance requirements

42
ISSA Sponsored Events

• 43 of respondents have attended at least one
  ISSA sponsored training event in the past 12
  months
• 17 have been to at least three training events
• 44 have attended at least one ISSA sponsored
  conference in the past 12 months
• 14 have been to at least three conferences

43
ISSA Sponsored Events

• 62 prefer attending conferences, while 30
  prefer viewing webinars
• 84 would be more likely to attend regional
  conferences than the ISSA International annual
  conference
• 54 are familiar with the ISSA sponsored CISO
  Executive Forum

44
Future ISSA Topics