Keynote
A CIO's security priorities
Sunil Chandiramani, Partner, Risk Advisory Services,
Ernst & Young, delivered the keynote on the Ernst & Young Global Information
Security Survey 2006.

One of the key findings of an Information Security survey
conducted by E&Y was that all companies were making significant progress
when it came to IT security. About 1,200 organisations, of which 144 were Indian,
were surveyed across 48 countries and 23 industries. Out of the respondents,
82 percent were CIOs, CISOs or other IT executives. It was a questionnaire-based
survey. An ISO 17799-based benchmark that focussed on all domains, allowing CTOs
to benchmark their practices, was used.
Chandiramani pointed out that there is greater board involvement and that regulations
are having a positive impact. He said, "More detailed regulations will
emerge."
Five priorities that emerged out of the survey were:
- Integrating information security into the organisation
- Extending the impact of compliance
- Managing risks of third-party relationships; supply chain entities
- Focussing on privacy and protecting personal data
- Designing and building information security [systems]
Two-thirds of the respondents use meetings, steering groups and frameworks.
43 percent have integrated risk management into their information security set-ups.
This helps at the board level. That's up from 40 percent in 2005. The ISO 17799-based
benchmark suggests that information security is better integrated. An information
security resource shortage is driving corporate level outsourcing. However,
40 percent or more are not reporting routinely on information security.
It emerged that compliance was the top driver or catalyst for information security.
Clause 49 affects the CFO or CEO and BASEL II banks. 80 percent of respondents
said that regulatory compliance had helped improve information security at their
organisations. Only half were proactively involved in compliance. "We don't
have a law regarding data privacy in the country," commented Chandiramani.
Globally, less than 50 percent meet with business leaders about information
security issues. In India, over 60 percent do so annually or more frequently.
Compliance processes have not been fully deployed. Privacy and data protection
are the other key strategic drivers for information security. Three-fourths
of the respondents are proactive when it comes to privacy or personal data protection.
66 percent have formal processes for personal data protection.
Only a third meet with a company's own privacy organisation.
A quarter have a privacy project underway. There is low user awareness about
access controls.
80 percent have identified and prioritised critical processes
in their Business Continuity Plans. For 75 percent of these companies, IT risk
assessment is a part of BCP. 50 percent acknowledge that new technologies pose
a security risk, e.g. removable media, mobile computing (data on PDAs or
smartphones), wireless networks, etc.
A third say that DR timescales have not been decided upon.
Compliance, privacy, certification, benchmarking, risk management: these
will be the drivers in 2007 and beyond. TRAI's "do not call"
registry is an example of this trend.