Survey finds corporate IT still vulnerable

Corporate information systems remain porous against cyberattacks, and many IS managers do not consider security practices and policies to be a top priority in their organization, according to a survey by Computer Sciences Corp. (CSC) this week.

Geared specifically toward information security, the study’s findings are an addendum to CSC’s 14th Annual Critical Issues of Information Systems Study released in August. The survey questioned more than 1,000 IT executives around the world.

The new data introduced this week examines responses following the Sept. 11 terrorist bombings, said Ronald Knode, director of global security service delivery for El Segundo, Calif.-based CSC.

The survey showed that 46 per cent of respondents do not have a formal information security policy in place, 59 per cent do not have a formal compliance program to support there IS efforts, and 68 per cent do not conduct regular security risk analysis or security status tracking.

Despite the growing number of complex computer assaults, Knode said many organizations still consider information security to be an IT issue and as such do not adequately prepare for its potential impact on general business operations.

“We believe that information risk management ought to be as much a part of a business decision as any other perspective or activity,” Knode said. “It needs to be measured frequently to tell if [a company] is getting better or worse. Make security part of the business not only as sheriff, but enhancer or business enabler.”

According to the CSC survey, the two most pressing issues to global technology executives were extracting the most value out of their existing enterprise systems and optimizing organizational value from senior management on down in a collaborative effort.

Knode said that if a customer has the ability to test and re-test the company’s threshold of defense, IT managers can then pool the necessary elements to act on a security problem. In addition, assets can then be re-allocated and monitored more strictly in vulnerable areas within an infrastructure, he said.

But with very few exceptions, there are no globally accepted information security standards that are easily measured and interpreted, he noted.

Knode said CSC’s security customers have expressed interest in predominantly two things since Sept. 11: doing a vulnerability assessment and determining the proper questions to ask internally and of a service provider once the vulnerability answers are clear. CSC operates a host of outsourced security services through its CSC CyberCare initiative.

“That’s a tremendously encouraging sign – it says companies are willing to redefine the level of services they want and they never redefine it lower. It is a normal impulse to elevate,” Knode added.

CSC recommends that businesses undertake the following steps to bolster their existing information security policy and procedures:

– Create a task force accountable for the operation and designation of an information security policy program

– Establish a clear and concise information security agenda

– Carry out regularly scheduled audits and investigate results

– Disperse information to teams within an organization, define roles.