
1 Information Assurance Market Research June 2009

2 Executive Summary
–Small response rate (n=43)
–General low awareness of information security controls and legislation
–42% of organisations surveyed currently have an information security policy in place
–Only 6% of those who don’t currently have a policy have plans to introduce one
–Training in information security viewed with average, or increasing, importance amongst respondents
–12% currently interested in training or support with information risk management; 23% would potentially be interested in the future
–Low awareness of potential funding available

3 Survey Sample
E-survey sent to the following distribution lists:
–Business School contact list (n~270)
–Midlands Excellence contact list (n~300)
–BDO contact list (n~20)
43 responses received
Response rate estimated at 9%

4 Demographics
Size of organisation:
–Micro (<11 employees): 35%
–Small (11–49 employees): 19%
–Medium (50–249 employees): 19%
–Large (250+ employees): 26%
Over 50% of respondents had ultimate or shared responsibility for information security compliance within their organisation

5 Industry Sector (n=43)

6 Is your organisation ISO9001 Compliant? (n=43)

7 Are you aware of the BS7799 quality standard? (n= 43) A set of information security controls for an organisation's processes derived by the British Standards Institute

8 Are you aware of the ISO27001 quality standard? (n= 43) Internationalisation of the British standard on information security

9 Have any supply chain partners or potential partners asked you whether you are ISO27001 certified or working towards certification? (n=43)

10 Are you aware of the credit card companies’ PCI DSS (Payment Card Industry Data Security Standard) regulations? (n=43)

11 Are you aware of the recent changes to the Data Protection Act in 2008, which make anything defined therein as "reckless handling" of data to be an offence for which imprisonment is a potential outcome? (n=43)

12 Information Security Policy and Procedures

13 42% of respondents currently have an information security policy in place in their organisation (n=43)

14 Please tell us a little about the process you went through in implementing your information security policy and how you put it into practice.
–Reviewed best practice guidelines and adapted the policy of a larger organisation to suit our operation
–Developed by head of knowledge management
–Discussed with Business Link and used their templates
–We involved an IT Security Consultant and wrote the Information Security Policy based upon the guidelines in BS ISO/IEC 17799. We also developed a shorter document that summarises the security policies, and this is signed by all new members of staff using the IT systems.
–Via outside consultancy
–We reviewed guidance from National Government, Cabinet Office, the Information Commission and BS 7799 before creating an IT policy that contained statements covering each of these areas
–Made people aware of how the internet, networks and PCs can be both tools and security threats. Provided examples of how companies and individuals suffered through lax security. Put in place safeguards against these threats: a single station and telephone line for internet use, unattached to any other computing equipment. Refused to allow any unauthorised software or files from third parties to be loaded on to systems. Made these conditions part of the employment contract, with disciplinary sanctions for transgressors.
–Written taking best practice from 27001 and the wider IT sector plus personal experience

15 How do you communicate your information security policy to your employees? (n= 18)

16 How do you detect breaches of the information security policy? (n=18)

17 Do you keep a record of security policy breaches? (n=18)

18 What action do you take when information security breaches are identified? Responses included:
–Disciplinary action including dismissal
–Have not identified any as yet
–Investigate, review information and decide how to ameliorate the breach and prevent repetition through revisions to security processes

19 Of the 26% (16) of respondents who currently didn’t have an information security policy in place in their organisation, only 6% (1) had any plans to introduce one in the future

20 When asked to consider who they would look to for assistance in implementing an information security policy, the most popular response was a specialist information security company (38%, 6), closely followed by an internal IT Department (31%, 5). 6% (1) of respondents would consider a University for this. Respondents were only prepared to invest a very small proportion of their time in implementing such a policy (50%: 1 day or less)

21 Information Risk Management Training

22 How important do you consider training in information risk management to be? (n=43)

23 21% of respondents had participated in risk management training in the past.
–In the majority of cases these were internal courses.
–External courses mentioned were BSI Information Security Best Practice BS 7799 and as part of a Chartered Manager impact submission.
42% of respondents had never participated in risk management training

24 Would you be interested in training concerning risk management? (n=43)

25 In which of the following areas of information risk management might you be interested in external support? (n=19)

26 What format of training would you prefer? (n=16)

27 How much time would you be prepared to invest in information security training? (n=12)

28 Are you aware of any of the following funding opportunities which may make you eligible to receive financial assistance towards training?

29 Recommendations
Generally little awareness of, or interest in, information assurance matters from respondents; therefore there are concerns regarding product viability in its current conception, and it would benefit from further research into specific market barriers and leverage points. The focus group will thus be ‘held in reserve’ for a suitable event with a relevant target audience with whom future products/packages could be ‘road tested’.
To progress product scoping, in-depth one-to-one research interviews with interested respondents could be utilised to:
–reveal insights as to potential recognition strategies towards increasing awareness
–help to ascertain why companies are not more concerned about information security issues
A subject matter expert could identify niche SME market attributes, prior to future product development, using specialist knowledge of the companies most ‘at risk’ from information security issues. This phase could facilitate the development of a stronger business case behind product design.
