Study: no security standards

Nearly 20 per cent of companies have no formal IT security policy or standard in operation, according to a study conducted by Arlington, Mass.-based Cutter Consortium.

The study, conducted over the Internet, indicates that 19.7 per cent of companies have nothing in place. And while 60 per cent of this figure plan to implement something by the end of the year 2000, 13.3 per cent have no plans to implement anything at all.

Bill Malik, vice-president and research area director with Gartner Group Inc. in Stamford, Conn., said that results of surveys such as this one may not be entirely accurate.

“I’m a little sceptical of these, you know, three-digit precision kind of numbers that are surveys of random folks,” he said.

The majority of businesses, as the survey results indicated, do have some kind of security policy in place, he said.

“When I take a look at the different strata of client, the global 2000 level clients, the majority of them do have some level of security in place,” Malik said. “It may not be ideal, it may not be up-to-date, it may not be entirely legally defensible, but if you’re earning $2 billion or more a year and you’re a publicly traded company, then you probably have something that would pass for an information security policy.”

There could be a number of reasons why some companies haven’t yet implemented a policy, according to Sheila Green, senior analyst with the Cutter Consortium. She said reasons could include that organizations haven’t thought of it yet, or that their attention has been focused on other issues such as “Y2K activities, although that brings its own set of concerns regarding security.”

Malik thinks that people may simply be unaware of the need, and rely too much on hope.

“The reason that people haven’t developed security policies is simply because they’ve been hoping that somehow the good technical work that was done in their centralized legacy environment has had a kind of a halo effect on everything else,” he explained. “And of course computers are self-managing devices. That’s what we learned from the way mainframes were built, and so people are surprised that they need them (security policies).”

Green also said that while some companies seemed unprepared, they would be implementing some sort of security policy soon.

“We did find in our survey that the majority of companies that stated that they did not have a formal IT security policy and security standard were planning on developing such a policy and standard within the next year or so,” she said.

Ideally, Green explained, a formal security policy should include the following elements: