Canadian Security Magazine

Corporations waking up to real threat of data loss

By Canadian Security

News Data Security

As stories of large-scale personal data leaks and identity theft continue to monopolize the headlines, it appears that companies are finally waking up. Seventy-five per cent of CIOs and CISOs across 350 global companies ranked privacy and personal data protection as the area in which they are most proactive, according to Ernst & Young's 9th Annual Global Information Security Survey.

Still, while the problem is gaining attention in the boardroom, only one quarter of companies currently have privacy projects underway, and fifty per cent of survey participants cited removable media, mobile computing and wireless networks as significant risks to their organizations. As globalization and e-commerce advance, the amount of personal information that is shared continues to grow exponentially, meaning these risks will only increase. The following are some tips from the report on what all companies should be doing to avoid security leaks:

• Spell it out. Establish formal internal policies for privacy and protection of customers’ personal information.
• Verify your vendors. Enforce standard procedures and requirements for vendors and third parties who handle your company’s customer data.
• Take out the guesswork. Formalize access controls for information and information processes.
• Get on the same page. Make sure every employee receives privacy training.
• Keep a look out. Routinely assess your organization’s privacy risks.

In this report, Ernst & Young has identified five major trends driving information security practices globally. In addition to personal data protection, they are compliance, vendor/third-party risk, business continuity, and the “mainstreaming” of information security.

Facts from E&Y’s Global Information Security Survey 2006:

Priority 1: Integrating Information Security with the Organization

• Two in five organizations (43 per cent) say their information security function is integrated with the organization’s risk management programs and processes, up from 40 per cent a year ago.
• Nearly two thirds (61 per cent) use regular meetings, steering groups and formal frameworks to ensure involvement.
• Compliance is the main driver for information security being brought into the risk process, as well as for proactively identifying and managing other enterprise risk areas.
• Information security policies, roles and responsibilities are reasonably well developed and more clearly and effectively communicated or understood.
• While an overwhelming majority of organizations are emphatic about not wanting to outsource any part of their information security activities, the biggest information security challenge is availability of skilled staff, and nearly two thirds (60 per cent) of those who are outsourcing information security see it as a way to make more of these scarce resources available.
• Areas for continuous improvement:
   o Over half of organizations still need to integrate information security into their overall risk management activities.
   o Many companies need to make further progress in strengthening their information security culture with improved reporting at the top.
   o Companies need to explore outsourcing as a solution to their customer and industry information security requirements.

Priority 2: Extending the Impact of Compliance

• Compliance is the top driver impacting information security. The work on compliance has had a positive impact on overall information security, say four out of five respondents (80 per cent).
• A majority confirm their compliance work is part of an integrated organizational effort and framework, suggesting information security is progressing along a maturity curve.
• Areas for continuous improvement:
   o Only half of companies report that they are actively involved in achieving regulatory compliance, and this needs to grow if compliance is to continue to be an enabler for information security improvements.
   o Information security compliance processes have not been fully and sustainably deployed within many organizations, and fewer than half of information security leaders meet regularly with business unit leaders to identify and address their information security needs.
   o Looking beyond the initial cycles of compliance work, it will be important for companies to be proactive in carrying out security rationalization and optimization, to sustain and embed their information security compliance controls and processes into their normal operations.

Priority 3: Managing the Risks in Third Party Relationships

• Over a third of companies address vendor risk management on a formal basis.
• A third of companies believe their vendor partners can support their own information security policies, procedures and practices. Vendors also recognize the importance of information security in their third party arrangements and expect to spend more time complying with information security certification requirements.
• Areas for continuous improvement:
   o More companies need to adopt formal processes for vendor risk management and have those procedures validated.
   o Only 6 per cent use formal procedures validated by a third party; a third address these issues only on an informal basis; and one in five (21 per cent) do not address them at all.
   o Only 14 per cent have had their partners’ practices reviewed by independent third parties, and only a quarter (23 per cent) say their vendors are aligned with a recognized standard.

Priority 4: Focusing on Privacy and Personal Data Protection

• The pressure to control and protect individuals’ personal information will increase, and government and legislative activism will almost certainly grow in proportion to public concerns over ineffective controls and criminal abuse.
• Nearly three-quarters of survey participants rank privacy and personal data protection as the area in which they are most proactive.
• The question is whether organizations that collect, use and store data are taking a proactive and comprehensive approach to mitigating the risks related to privacy.
• The intensifying pressure to address privacy is slowly resulting in the increased formalization of protocols and practices.
• Areas for continuous improvement:
   o Only a third of organizations meet at least annually with their privacy organizations.
   o Only just over a quarter of organizations have privacy projects underway.
   o Less than 40 per cent of executive management receives training on privacy.

Priority 5: Designing and Building Information Security

• 75 per cent have undertaken an IT risk assessment in developing their business continuity plans, and 80 per cent have identified and prioritized critical business processes.
• Nearly half have plans to formally adopt or become certified against a standard.
• Most strongly support a structured evaluation of their information security posture, with internal audit (71 per cent) and external audit (62 per cent) as the most common evaluation methods, followed by self-assessment.
• Independent third party assessment is cited by 38 per cent.
• Two thirds of companies have agreed on disaster recovery timescales and more than half have tested their recovery plans.
• Over half have agreed on escalation procedures in response to a disaster.
• Areas for continuous improvement:
   o A third of companies have not agreed on recovery timescales, more than two fifths (43 per cent) have not tested their recovery plans, and a similar number have not agreed on escalation procedures to assess the response to a disaster.
   o Only 46 per cent have developed an internal and external communications strategy as part of their disaster recovery planning.

• New technology is one of the areas where information security executives are least proactive.
• Over half of companies recognize that the three most popular new technologies — mobile computing, removable media and web applications — pose the most significant information security risk.

However, addressing new technologies is one of the areas in which information security is least proactive today. Information security has the business mandate to take a proactive lead in tracking new technologies and assessing how they can be securely implemented into the business — having the answers before they are asked.
