Information Assurance Market Research June 2009

Executive Summary
–Small response rate (n=43)
–General low awareness of information security controls and legislation
–42% of organisations surveyed currently have an information security policy in place
–Only 6% of those who don’t currently have a policy have plans to introduce one
–Training in information security viewed with average or increasing importance amongst respondents
–12% currently interested in training or support with information risk management; 23% would potentially be interested in the future
–Low awareness of potential funding available

Survey Sample
E-survey sent to the following distribution lists:
–Business School contact list (n~270)
–Midlands Excellence contact list (n~300)
–BDO contact list (n~20)
43 responses received; response rate estimated at 9%

Demographics
Size of organisation:
–Micro (<11 employees) - 35%
–Small ( employees) - 19%
–Medium ( employees) - 19%
–Large (250+ employees) - 26%
Over 50% of respondents had ultimate or shared responsibility for information security compliance within their organisation

Industry Sector (n=43)

Is your organisation ISO9001 Compliant? (n=43)

Are you aware of the BS7799 quality standard? (n= 43) A set of information security controls for an organisation's processes derived by the British Standards Institute

Are you aware of the ISO27001 quality standard? (n= 43) Internationalisation of the British standard on information security

Have any supply chain partners or potential partners asked you whether you are ISO27001 certified or working towards certification? (n=43)

Are you aware of the credit card companies’ PCI DSS (Payment Card Industry Data Security Standard) regulations? (n=43)

Are you aware of the recent changes to the Data Protection Act in 2008, which make anything defined therein as "reckless handling" of data to be an offence for which imprisonment is a potential outcome? (n=43)

Information Security Policy and Procedures

42% of respondents currently have an information security policy in place in their organisation (n=43)

Please tell us a little about the process you went through in implementing your information security policy and how you put it into practice.
–Reviewed best practice guidelines and adapted policy of a larger organisation to suit our operation
–Developed by head of knowledge management
–Discussed with Business Link and used their templates.
–We involved an IT Security Consultant and wrote the Information Security Policy based upon the guidelines in BS ISO/IEC: We also developed a shorter document that summarises the security policies and this is signed by all new members of staff using the IT systems.
–Via outside consultancy
–We reviewed guidance from National Government, Cabinet Office, the Information Commission and BS 7799 before creating an IT policy that contained statements covering each of these areas.
–Made people aware of how the internet, networks and PCs can be both tools and security threats. Provided examples of how companies and individuals suffered through lax security. Put in place safeguards against these threats: a single station and telephone line for internet use, unattached to any other computing equipment. Refused to allow any unauthorised software or files from third parties to be loaded on to systems. Made these conditions part of the employment contract, with disciplinary sanctions for transgressors.
–Written taking best practice from and the wider IT sector plus personal experience.

How do you communicate your information security policy to your employees? (n= 18)

How do you detect breaches of the information security policy? (n=18)

Do you keep a record of security policy breaches? (n=18)

What action do you take when information security breaches are identified? Responses included:
–Disciplinary action including dismissal
–Have not identified any as yet
–Investigate, review information and decide how to ameliorate breach and prevent repetition through revisions to security processes

Of the 26% (16) of respondents who currently didn’t have an information security policy in place in their organisation, only 6% (1) had any plans to introduce one in the future

When asked to consider who they would look to for assistance in implementing an information security policy, the most popular response was a specialist information security company (38%, 6), closely followed by an internal IT Department (31%, 5). 6% (1) of respondents would consider a University for this. Respondents were only prepared to invest a very small proportion of their time in implementing such a policy (50%: 1 day or less)

Information Risk Management Training

How important do you consider training in information risk management to be? (n=43)

21% of respondents had participated in risk management training in the past.
–In the majority of cases these were internal courses.
–External courses mentioned were BSI Information Security Best Practice BS 7799 and as part of a Chartered Manager impact submission
42% of respondents had never participated in risk management training

Would you be interested in training concerning risk management? (n=43)

In which of the following areas of information risk management might you be interested in external support? (n=19)

What format of training would you prefer? (n=16)

How much time would you be prepared to invest in information security training? (n=12)

Are you aware of any of the following funding opportunities which may make you eligible to receive financial assistance towards training?

Recommendations
–Generally little awareness of, or interest in, information assurance matters from respondents; this raises concerns regarding product viability in its current conception, and the product would benefit from further research into specific market barriers and leverage points.
–The focus group will thus be ‘held in reserve’ for a suitable event with a relevant target audience with whom future products/packages could be ‘road tested’.
–To progress product scoping, in-depth one-to-one research interviews with interested respondents could be used to:
–reveal insights as to potential recognition strategies towards increasing awareness
–help to ascertain why companies are not more concerned about information security issues
–A subject matter expert should identify niche SME market attributes, prior to future product development, using specialist knowledge of the companies most ‘at risk’ from information security issues. This phase could facilitate the development of a stronger business case behind product design.