Archive for the 'Information Security' Category

Ernst & Young 2008 Global Information Security Survey

The latest release of “Ernst & Young Global Information Security Survey” shows that a growing number of organisations recognise the link between information security and a strong brand / reputation. It covered nearly 1400 senior executives in over 50 countries, and it strongly indicates that a security incident would have a greater impact on reputation and brand than on revenues. Considering the previous results and my experience – it seems that the major drivers of information security spend are shifting from compliance to brand protection.

More importantly, it suggests that the spending is set to increase in Information Security. While, I think there will be major cutbacks in a number of existing areas and the same money will be re-channelled with more robust monitoring of the bottom line.

Survey can be found here


FSA releases report on data security for FS

FSA releases report on protection of consumer data within Financial Services industry. This review was carried out by FCID (Financial Crime and Intelligence Division) of FSA – In summary, it highlights the need for improvement in current practices deployed in the financial services industry for protecting consumer data. It also highlights and acknowledges a few good practices currently in place.

Main findings were around following themes:
– Governance
– Training and Awareness
– Staff recruitment and vetting
– Controls
– Physical Security
– Disposing of customer data
– Managing third-party suppliers; and
– Internal audit and compliance.

Click here for detailed report

2008 Data Breach Investigations Report

Some really exciting statistics reported by Verizon Business RISK team.

It is worth to note the fact that although percentage-wise the insider data breaches are 18% compared to the external 73%, later in the report is is mentioned that impact of an insider breach is relatively a lot higher than of an external breach.  Summary is below:

Who is behind data breaches?
73% resulted from external sources 
18% were caused by insiders
39% implicated business partners
30% involved multiple parties

How do breaches occur?
62% were attributed to a significant error 
59% resulted from hacking and intrusions  
31% incorporated malicious code
22% exploited a vulnerability
15% were due to physical threats

What commonalities exist?
66%  involved data the victim did not know was on the system
75%  of breaches were not discovered by the victim 
83%  of attacks were not highly difficult
85%  of breaches were the result of opportunistic attacks
87%  were considered avoidable through reasonable controls

You can find the report here

$7.5 billion trading scandal – is this the end of it?

Apparently not, FSA is urging banks to improve their controls, while a simple advice but barely followed. SocGen is a prime example. Although, other entity level and manual controls failed as well, but it was the technology that made it possible in the first place (based on the SocGen’s official statement released sometime earlier)

See here for further on this.

10th Global Information Security Survey by Ernst & Young

The 10th Annual Ernst & Young Global Information Security Survey has been released and it reveals that companies are still failing to implement a holistic approach towards Information Security as the security function remains too isolated from executive management and the strategic decision-making process.

Below are highlights of the survey results:

-Meeting business objectives is a growing focus of information security.

-Information security is now more integrated into overall risk management.

-Information security remains isolated from executive management and the strategic decision making process.

-Improving IT and operational efficiency are emerging as important objectives.

-Compliance continues to be primary driver of information security improvements.

-Privacy and data protection have become increasingly important drivers of information security.

-Organisations rely on audits and self-assessments to evaluate the effectiveness of their information security programs.

-Organisations are demanding more from vendors and business partners in managing third-party relationships.

-The greatest challenge to delivering information security projects continues to be the availability of experienced IT and information security resources.

Click here to download the survey.

PwC releases – The global state of information security 2007

PwC has released a publication titled “The global state of information security 2007”, which can be downloaded here and in particular the Financial Services industry specific results can be downloaded here

Key findings for the Financial Services sector results are:

-As the global regulatory environment becomes more complex, gains in protecting data privacy have slowed.
-The “insider threat” may actually be growing.
-Dedicating more resources to protecting data is becoming an increasingly strategic priority.
-Measurement and monitoring: Rules are only effective if they’re followed.
-Outsourcing processes to third parties doesn’t transfer risk — it often increases it.

Security Manager’s Journal: Indian Audit Comes With a Silver Lining

A challenge and market driver shared by many global organisations which is already being successfully pursued by several JV-consulting boutiques and Big4’s in the outsourcing regions (India/China/Russia/Hungary/Ireland/etc) through international referrals, joint reporting, branding, etc. They are bit more expensive though, but it reasonably mitigates the risks relating to lack of skill-set in the market place, engagement / audit and most importantly the risk of having terms and conditions with an individual rather than an established entity. Lucky find for the author, but surely it is not an easily repeatable achievement.


An assessment of a partner in India turns up some problems, but they’re small, and the auditor’s a keeper