Survey: Corporate IT still vulnerable to attack

From...

By By Brian Fonseca

(IDG) -- According to a survey by Computer Sciences (CSC), many corporate information systems remain open to cyberattack.

And many IS managers don't consider security practices and policies to be a top priority in their organizations.

Geared specifically toward information security, the study's findings are a new addendum to CSC's 14th Annual Critical Issues of Information Systems Study released in August. The survey questioned more than 1,000 IT executives around the world.

IDG.net INFOCENTER InfoWorld Main Page InfoWorld Test Center Subscribe to InfoWorld Newsletters Infoworld Opinions and Spotlights Related IDG.net Stories 2001 InfoWorld security solutions research report Security concerns top Comdex agenda IBM creates institute, council on privacy Features PC World.com Product Finder Bluetooth wireless connectivity set to take off DSL in distress Visit an IDG site Choose a site: IDG.net CIO Computerworld Darwin Dummies.com GamePro.com The Industry Standard ITWorld.com InfoWorld.com JavaWorld LinuxWorld Macworld Online Network World Fusion PC World Publish.com UnixInsider IDG.net search

The new data introduced this week examines responses following the September 11 attacks, says Ronald Knode, director of global security service delivery for CSC, which is based in El Segundo, California.

The survey showed that 46 percent of respondents don't have a formal information-security policy in place, 59 percent don't have a formal compliance program to support their information-system efforts, and 68 percent don't conduct regular security-risk analysis or security-status tracking.

Despite the growing number of complex computer assaults, Knode says many organizations still consider information security to be an IT issue and as such don't adequately prepare for its potential impact on general business operations.

"We believe that information risk management ought to be as much a part of a business decision as any other perspective or activity," Knode says. "It needs to be measured frequently to tell if (a company) is getting better or worse. Make security part of the business -- not only as sheriff, but enhancer or business enabler."

According to the CSC survey, the two most pressing issues for global technology executives are extracting the most value out of their existing enterprise systems and optimizing organizational value -- from senior management down -- in a collaborative effort.

Knode says that if a customer has the ability to test and retest the company's threshold of defense, IT managers can then pool the necessary elements to act on a security problem; assets can then be re-allocated and monitored more strictly in vulnerable areas within an infrastructure.

But with very few exceptions, there are no globally accepted information security standards that are easily measured and interpreted, he says.

Knode says that CSC's security customers have expressed interest in predominantly two things since September 11: doing a vulnerability assessment and determining the proper questions to ask internally and of a service provider once the vulnerability answers are clear. CSC operates outsourced security services in a program called CyberCare.

"That's a tremendously encouraging sign -- it says companies are willing to redefine the level of services they want and they never redefine it lower. It is a normal impulse to elevate," Knode says.

CSC recommends that businesses undertake the following steps to bolster their existing information-security policy and procedures.

•  Create a task force accountable for the operation and designation of an information-security policy program.

•  Establish a clear and concise information-security agenda.

•  Carry out regularly scheduled audits and investigate results.

•  Disperse information to teams within an organization, define roles.

Brian Fonseca is an InfoWorld staff writer.