

CBR is proudly produced & published
by Technews
Issue Date: August 2000 (es)

Time to elevate IT security to the boardroom

August 2000

IT security needs to be elevated to board level if companies are to prevent the type of security breaches which are making headlines worldwide. "Security is part of the business and it is imperative to assign responsibility for managing information to board level as it is a valuable and critical corporate asset," says Allen Lewis, Product Management Executive at CCH Enterprise Solutions.

His comments follow the publication of the UK Department of Trade and Industry's Information Security Breaches Survey 2000 (ISBS 2000). The survey reveals that:
* 60% of companies interviewed have suffered a security breach within the past two years.

* 64% of companies with a serious breach maintain 'nothing has changed' since the breach occurred.

* 40% of companies reporting security breaches say they were due to human error.

* Only one company in seven had a formally defined policy describing its information security management system.

* Organisations reported that security breaches cost between £20 000 and well in excess of £100 000.

Lewis says the survey shows that in spite of companies rushing to trade electronically, they are still not adopting best practices in information security management.

"The survey highlights the levels of security breaches in today's business environment and the impact they have on organisations," says Lewis. "It clearly shows that companies need to adopt better security practices if they are to survive in today's Internet-driven society."

The survey shows that organisations appear to rely on technical and product-based fixes.

"Technology cannot provide all the answers to what are effectively problems posed by humans. Information security is not a technical issue but a business and management one. Given the prominence of 'people issues' - ranging from user and operator error through to fraud - as the main causes of security breaches, the need for implementing a framework for an information security management system is stronger than ever before."

Lewis notes that the survey found that organisations where responsibility for information security rests at board level are also those most likely to have formal policies in place.

"The presence of a formal policy is one of the most important issues in reporting and resolving security breaches."

It is critical that planning for the information security infrastructure is aligned with the strategic goals of the company.

"This cooperation and focus can be accomplished when executive officers share a full commitment to strategic planning by their involvement in the process and their assignment of responsibility, authority and resources," Lewis comments.

The survey advocates that an information security management model needs to be created to counter specific threats facing the organisation and to build these into day-to-day business operations instead of bolting it on as an optional extra. Companies are also advised to carry out risk assessments to balance the cost of security controls against the value of the information and other assets at risk and the business implications of these risks.

Good information security management is about organisations understanding the risks and threats they face and the vulnerabilities in their current computer processing facilities. It is about implementing common-sense procedures to minimise the risks and about educating all the employees about their responsibilities.

"Most importantly, it is about ensuring that the policy on information security management has the commitment of senior management. It is only when these procedural and management issues have been addressed that organisations can decide on what security technologies they need," the survey states.

For details, contact Allen Lewis of CCH Enterprise Solutions on tel: (011) 808 3200 or e-mail:
