
Archive for the 'Disaster Recovery' Category

Worries Regarding Corporate Reputation Making Information Security Top Priority Worldwide

Wednesday, April 30th, 2008

April 28, 2008 - http://www.contingencyplanning.com/articles/61452/ 

Avoiding reputation damage to the organization was viewed as a top priority for security programs by three-quarters of information security professionals surveyed in a worldwide study launched recently by (ISC)².

The 2008 Global Information Security Workforce Study (“GISWS”) was conducted by analyst firm Frost & Sullivan on behalf of (ISC)². It surveyed 7,548 information security professionals, including more than 1,500 ‘C-suite’ executives and security managers, as well as IT and other professionals with responsibility for information security, from companies and public sector organizations in more than 100 countries.

Respondents came from the three major regions of the world: Americas (41 percent); Asia-Pacific (34 percent); and Europe, Middle East and Africa (25 percent). Web-based surveys were distributed to targeted information security respondents worldwide in the third quarter of 2007.

“This fourth edition of the study demonstrates more than ever before that information security has become a business imperative for organizations of all sizes, with far-reaching concerns such as corporate reputation, the privacy of customer data, identity theft, and breach of laws and regulations driving information security governance,” said Rob Ayoub, Frost & Sullivan industry manager, network security.

Pressure over data loss and compliance has driven accountability for information security to the executive level, with 49 percent of information security professionals reporting to executive management or boards of directors. Other study highlights include:

  • Smaller organizations (up to 500 employees) accounted for nearly 60 percent of respondents, signifying a move from security as a priority for mostly larger organizations to organizations of all sizes due to business requirements and compliance, including the impact of the payment card industry’s PCI-DSS.
  • A third of respondents said their primary functional responsibilities are mostly managerial. An additional 48 percent also reported that their functional responsibilities will be mostly managerial in the next two to three years, suggesting a changing focus in their roles.
  • Approximately 20 percent of respondents were at the executive (Chief Information Officer, Chief Information Security Officer, Chief Security Officer, Chief Risk Officer) or manager level.
  • Communications skills were seen by 81 percent of respondents as “very important” or “important” to being a successful professional. Business skills were also seen as very important or important by 69 percent of respondents.
  • Information security is moving beyond the perimeter and becoming more data-focused, protecting data both at rest and in transit, with wireless security solutions, cryptography, storage security and biometrics represented in the top five technologies being deployed in most regions.
  • Information security awareness is appreciated as a significant factor in effective information security management: Users following information security policy was identified as the most important factor in a security professional’s ability to protect the organization. In addition, 51 percent of respondents identified internal employees as the biggest threat to their organizations.
  • Globally, average annual salaries for professionals with at least five years of experience are reported at $94,500 for respondents identifying themselves as members of (ISC)² and $73,856 for all other participants. The majority of (ISC)² members (70 percent) considered themselves to be information security professionals; the majority of non-members (66 percent) considered themselves to be information technology professionals.
  • The profession is maturing, with average experience levels reported at 9.5 years in the Americas, 7.1 years in Asia-Pacific, and 8.3 years in EMEA. Professionals across all regions also reported high levels of post-secondary education.

“This year’s study acknowledges that effective information security programs enable businesses to grow and prosper,” said Eddie Zeitler, CISSP, executive director of (ISC)². “Consequently, professionals are being tasked more with the business of security, managing and consulting on its broad contribution to the business, while the administration of technical solutions is being integrated into the IT department.

“Opportunities in the information security field will continue to grow despite slower economic growth worldwide due to the increased pressure on professionals to ensure responsible and secure business interactions coming from consumers, B2B customers, strategic partners and regulatory bodies.”

Frost & Sullivan estimates the number of information security professionals worldwide to be approximately 1.66 million. This figure is expected to increase to almost 2.7 million professionals by 2012, displaying a compound annual growth rate (CAGR) of 10 percent. A strong outlook is also depicted for professional development in the sector, with the great majority of respondents expecting either stability or an increase in training budgets. Other highlights include:

  • Respondents reported that information security spending on personnel remained stable in the Americas and EMEA in 2007 compared to 2006. In contrast, Asia-Pacific respondents anticipated an increase in information security spending across the board.
  • Almost 60 percent of respondents with less than 10 years of experience reported an expected increase in training budgets over the next year, often to get up to speed on emerging technologies and threats. More than half of respondents in operational roles expected an increase.
  • Top training topics included security administration, application and systems security, business continuity and disaster recovery planning, privacy, and information risk management.
  • Seventy-eight percent of hiring managers cited certifications as either “very important” or “somewhat important.” While “quality of work” and “company policy” were the top reasons given for certification’s importance, a new reason — “customer requirement” — was identified by 33 percent of respondents requiring certifications.

New ISO Standard For IT Disaster Recovery Released

Thursday, April 17th, 2008

From fires to earthquakes to pandemics, businesses and other organizations may become the victims of disaster at any time. In order to deal with the unexpected and safeguard the interests of their stakeholders, as well as their reputation, brand and value-creating activities, a new ISO/IEC International Standard will help them mitigate risks and be prepared to respond to crises.

ISO/IEC 24762:2008, Information technology – Security techniques – Guidelines for information and communications technology disaster recovery services aims to offer guidance on the information and communications technologies and services necessary for disaster recovery (ICT DR) as part of business continuity management. With this guidance, the standard supports the operation of an information security management system (ISMS) by addressing the information security and availability aspects of business continuity management in time of crisis.

A business continuity plan comprises an organization’s strategies to prepare for future national, regional or local crises that could jeopardize its capacity to continue with its core mission, as well as its long term stability.

According to ISO/IEC 24762:2008, business continuity management is an integral part of any holistic risk management process and involves:

  • Identifying potential threats that may cause adverse impacts on an organization’s business operations, and associated risks.
  • Providing a framework for building resilience for business operations.
  • Providing capabilities, facilities, processes, action task lists, etc., for effective responses to disasters and failures.

With this new standard, organizations will be able to build resilience into their information and communications technology (ICT) infrastructure critical to their key business activities. This will complement their business continuity management initiative (to better manage relevant risks possibly interrupting their business activities) and their information security management initiative (to effectively protect the confidentiality, integrity and availability of information).

“This next generation standard takes into account today’s technological developments to minimize damage in a crisis situation from an information security and communication standpoint,” said Philip Sy, project editor of ISO/IEC 24762:2008. “The fallback arrangements included in the standard will help out both during periods of minor outages and, more importantly, will play an essential role in ensuring information and service availability during a disaster or failure, and for a long-term complete recovery of activities.

“This is particularly important today as organizations around the world are increasingly vulnerable to threats of terrorism, natural disasters, piracy and other crises.”

The standard includes guidelines on the implementation, testing and execution aspects of disaster recovery, and can be applicable to both “in-house” and “outsourced” ICT DR service providers of physical facilities and services. It provides guidance on:

  • Implementing, operating, monitoring and maintaining the facilities and services necessary for disaster recovery (such as the implementation of a public announcement system to alert personnel to leave a building, or the requirement that all electronic doors can be opened manually from the inside).
  • Fallback and recovery support for the organization’s ICT systems.
  • The capabilities which outsourced ICT DR service providers should possess and the practices they should follow, so as to provide basic secure operating environments and facilitate the organizations’ recovery efforts.
  • The selection of a recovery site (e.g. considering factors such as environmental stability, good infrastructure, etc.).
  • Requirements for ICT DR service providers to continuously improve their ICT DR services.

ISO/IEC 24762:2008 is an initiative of ISO and the International Electrotechnical Commission (IEC) developed within the joint technical committee ISO/IEC JTC1, Information technology, subcommittee SC 27, IT Security techniques.

This international standard can be complemented by two other joint ISO/IEC standards providing control objectives for information security aspects of business continuity management to further reduce risk:

  • ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, and
  • ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information security management.

The standard can be found at http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=41532.

NIST seeks comments on information risk management publication

Wednesday, April 16th, 2008

The National Institute of Standards and Technology (NIST) has released the second public draft of NIST Special Publication 800-39, ‘Managing Risk from Information Systems: An Organizational Perspective’, for comment. This is the flagship publication in a series of standards and guidelines developed by NIST that relate to the Federal Information Security Management Act.

Special Publication 800-39 provides a framework for managing the risk arising from the operation and use of information systems and is built upon a common foundation of best security practices. The target audience for this publication includes agency heads, chief information officers, information system designers, developers and administrators, auditors and inspectors general.

The public comment period is from April 7-30, 2008. Comments should be emailed to sec-cert@nist.gov.

Download a copy of the publication here (PDF).

