Corporations waking up to real threat of data loss
Written by Craig Pearson Monday, 11 December 2006 07:18
As stories of large-scale personal data leaks and identity theft continue to monopolize the headlines, it appears that companies are finally waking up. Seventy-five per cent of CIOs and CISOs across 350 global companies ranked privacy and personal data protection as the area in which they are most proactive, according to Ernst & Young's 9th Annual Global Information Security Survey.
Still, while the problem is gaining attention in the boardroom, only one quarter of companies currently have privacy projects underway, and fifty per cent of survey participants cited removable media, mobile computing and wireless networks as a significant risk to their organizations. As globalization and e-commerce advance, the amount of personal information that is shared continues to grow exponentially, meaning these risks will only increase. The following are some tips from the report on what all companies should be doing to avoid security leaks:
• Spell it out. Establish formal internal policies for privacy and protection of customers’ personal information.
• Verify your vendors. Enforce standard procedures and requirements for vendors and third parties who handle your company’s customer data.
• Take out the guesswork. Formalize access controls for information and information processes.
• Get on the same page. Make sure every employee receives privacy training.
• Keep a look out. Routinely assess your organization’s privacy risks.
In this report, Ernst & Young has identified five major trends driving information security practices globally. In addition to personal data protection, they are compliance, vendor/third-party risk, business continuity, and the “mainstreaming” of information security.
Facts from E&Y’s Global Information Security Survey 2006:
Priority 1: Integrating Information Security with the Organization
• Two in five organizations (43 per cent) say their information security function is integrated with the organization’s risk management programs and processes, up from 40 per cent a year ago.
• Nearly two thirds (61 per cent) use regular meetings, steering groups and formal frameworks to ensure involvement.
• Compliance is the main driver for information security being brought into the risk process, as well as proactively identifying and managing other enterprise risk areas.
• Information security policies, roles and responsibilities are reasonably well developed and more clearly and effectively communicated or understood.
• While an overwhelming majority of organizations are emphatic about not wanting to outsource any part of their information security activities, the biggest information security challenge is availability of skilled staff, and nearly two thirds (60 per cent) of those who are outsourcing information security see it as a way to make more of these scarce resources available.
• Areas for continuous improvement:
• Over half of organizations still need to integrate information security into their overall risk management activities.
• Many companies need to make further progress in strengthening their information security culture with improved reporting at the top level.
• Companies need to explore outsourcing as a solution to their customer and industry information security requirements.
Priority 2: Extending the Impact of Compliance
• Compliance is the top driver impacting information security. The work on compliance has had a positive impact on overall information security, say four out of five respondents (80 per cent).
• A majority confirm their compliance work is part of an integrated organizational effort and framework, suggesting information security is progressing along a maturity curve.
• Areas for continuous improvement:
• Only half of companies report that they are actively involved in achieving regulatory compliance, and this needs to grow if compliance is to continue to be an enabler for information security improvements.
• Information security compliance processes have not been fully and sustainably deployed within many organizations, and fewer than half of information security leaders meet regularly with business unit leaders to identify and address their information security needs.
• Looking beyond the initial cycles of compliance work, it will be important for companies to be proactive in carrying out security rationalization and optimization, to sustain and embed their information security compliance controls and processes into their normal operations.
Priority 3: Managing the risks in third party relationships
• Over a third of companies address vendor risk management on a formal basis.
• A third of companies believe their vendor partners can support their own information security policies, procedures and practices. Vendors also recognize the importance of information security in their third party arrangements and expect to spend more time complying with information security certification requirements.
• Areas for continuous improvement:
• More companies need to adopt formal processes for vendor risk management and have those procedures validated.
• But only 6 per cent use formal procedures validated by a third party; a third address these issues only on an informal basis; and one in five (21 per cent) do not address them at all.
• Only 14 per cent have had their partner’s practices reviewed by independent third parties and only a quarter (23 per cent) say their vendors are aligned with a recognized standard.
Priority 4: Focusing on Privacy and Personal Data Protection
• The pressure to control and protect individuals’ personal information will increase, and government and legislative activism will almost certainly grow in proportion to public concerns over ineffective controls and criminal abuse.
• Nearly three-quarters of survey participants rank privacy and personal data protection as the area in which they are most proactive.
• The question is whether organizations that collect, use and store data are taking a proactive and comprehensive approach to mitigating the risks related to privacy.
• The intensifying pressure to address privacy is slowly resulting in the increased formalization of protocols and practices.
• Areas for continuous improvement:
• Only a third of organizations meet at least annually with their privacy organizations.
• Only just over a quarter of organizations have privacy projects underway.
• Less than 40 per cent of executive management receives training on privacy.
Priority 5: Designing and Building Information Security
• 75 per cent have undertaken an IT risk assessment in developing their business continuity plans, and 80 per cent have identified and prioritized critical business processes.
• Nearly half have plans to formally adopt or become certified against a standard.
• Most strongly support a structured evaluation of their information security posture, with internal audit (71 per cent) and external audit (62 per cent) as the most common evaluation methods, followed by self-assessment.
• Independent third party assessment is cited by 38 per cent.
• Two thirds of companies have agreed on disaster recovery timescales and more than half have tested their recovery plans.
• Over half have agreed on escalation procedures in response to a disaster.
• Areas for continuous improvement:
• A third of companies have not agreed on recovery timescales, more than two fifths (43 per cent) have not tested their recovery plans, and a similar number have not agreed escalation procedures to assess the response to a disaster.
• Only 46 per cent have developed an internal and external communications strategy as part of their disaster recovery planning.
• New technology is one of the areas where information security executives are least proactive.
• Over half of companies recognize the three most popular new technologies — mobile computing, removable media and web applications — pose the most significant information security risk.
However, addressing new technologies is one of the areas in which information security is least proactive today. Information security has the business mandate to take a proactive lead in tracking new technologies and assessing how they can be securely implemented into the business — having the answers before they are asked.
Last modified on Monday, 11 December 2006 10:14