Welcome to this, the seventh edition of The ISO27000 Newsletter, designed to keep you abreast of updates and developments with respect to the ISO 17799 information security standard.
The information contained in this newsletter is free to our subscribers and provides guidance on practical issues, plus commentary on recent Information Security incidents.
Included in this issue are the following topics:
THE DTI SURVEY
A recent British Government Department of Trade and Industry (DTI) survey found that only around one quarter of businesses have taken security seriously enough to develop a documented and comprehensive security policy. It also found that only 15% of people responsible for IT security were aware of the contents of the international information security standard ISO 17799.
Another noteworthy statistic was that 44% of the businesses covered suffered at least one malicious security breach in the previous year and the average cost of a serious incident was estimated at US$ 50,000.
Despite this, Board Directors and Executives are slow to take firm action in meeting their legal obligations to protect their organizations from losses caused by inadequate information security measures. Directors and management are reported to recognize that poor security controls expose them to risk, but they are still not committing sufficient funds to introduce improved systems and corrective measures.
There is also a strong trend towards outsourcing of IT and business processes and this trend is expected to continue. Very often, the driver for this change is the shortage of in-house expertise.
Tellingly, a very high proportion of organizations expect information security to be an increasingly worrying area in the future and feel that their own systems need significant improvements. People are recognized as the weakest link in the information security chain, but little work is being done on effective policy distribution and enforcement. This is unfortunate, as there are now policy delivery systems available which simplify policy distribution and give everyone easy access to the organisation's requirements.
All in all, a mixed picture, but at least there seems to be a genuine realization of the importance of information security, and of the need for significant implementation improvements in the short term.
Policy distribution: Security Policies Support
Outsourcing: Information and guidance at Outsourcing
Security policy content: DTI