SA Information Security Thermometer 2011


The SA IST survey is an independent national study of local information security decision-makers conducted by experienced members of Wolfpack’s research team.

Page 1: SA Information Security Thermometer 2011

Foreword

We hope you find this report useful to guide your own information security strategy and planning initiatives. I would like to extend my warmest thanks to all participating companies for taking the time and courage to respond with such honesty. It is through the commitment of a select few to improving security that the community as a whole will benefit.

Secondly I would like to acknowledge the companies that sponsored the 2011 Thermometer report and never once attempted in any way to interfere with its independence. Thanks to your generous advertising sponsorship we were able to release the full version of the report to the information security community at no charge.

Finally to my team for producing an outstanding piece of work. The quality of the report is on par with any international reports I have seen yet still so vibrantly South African. I am proud of what we have achieved and look forward to many more projects in the future.

Craig Rosewarne
Managing Director
Wolfpack Information Risk (Pty) Ltd

Corporate contact details:

Building 1 Prism Office Park
Ruby Close, Fourways
Johannesburg, 2055
Telephone: +27 11 367 0613
Email: [email protected]
www.wolfpackrisk.com

The 2011 SOUTH AFRICAN INFORMATION SECURITY THERMOMETER report is an independent national benchmarking exercise conducted with local companies by Wolfpack’s research team in Q4 of 2011.

Our intention was to measure the maturity of information security management practices across a range of medium to large companies from different industries. Our survey asked IT and information security decision-makers 50 challenging questions across 10 areas:

1 Organisation & Industry Demographics
2 Information Security Governance
3 Information Security Risk
4 Information Security Compliance
5 IT and Information Security Budgets
6 Training & Awareness
7 Social Media & Mobile Security
8 Information Security Programme Management
9 Managed Services
10 Incident Management and Cyber Forensics

Service

If you require deeper insight or analysis:

We will facilitate an interactive workshop with senior members of your IT, information security or privacy teams to compare your organisation to local statistics derived from the benchmarking exercise. More detailed quantitative data will be shared to provide valuable insight into your budgeting and strategic planning processes.

As part of our mentorship offering we can provide independent input to your steering committee or oversight of key projects.

For these and other services contact us at [email protected] for more information.

Table of Contents

Foreword 1

The Information Security Group of Africa (ISG Africa) 3

South African Chamber of Commerce and Industry (SACCI) 4

Research Domains 5

1 Organisation & Industry Demographics 5

2 Information Security Governance 8

3 Information Security Risk 13

4 Information Security Compliance 18

5 IT & Information Security Budgets 25

6 Training & Awareness 30

7 Social Media & Mobile Security 35

8 Information Security Programme Management 38

9 Managed Services 39

10 Incident Management & Cyber Forensics 41

Company Directory 44

The Information Security Group of Africa (ISG Africa)

(Association incorporated in terms of section 21 - 2006/001533/08)

ISG Africa is a non-profit organisation formed in 2005 and was created in response to the increase of information security threats facing companies in Africa. This volunteer Group consists of over 4000 security professionals from Corporate, Government and IT / Legal firms within Africa. ISG Africa’s aim is to provide the mechanism for regular exchange of information security knowledge and to facilitate networking between members and the stakeholder community whilst raising awareness of vulnerabilities and global threats in the context of Africa.

About Us

“The main object of the company as an association not for gain, is to carry on, establish, promote, manage and control, various interest and user groups, for the promotion of education, and awareness of information security.” (Source: ISG Africa Memorandum of Association)

Active chapters: Gauteng, Western Cape, KwaZulu-Natal, Nigeria

Special Interest Groups: Privacy; Payment Card Industry (PCI); Cybercrime; Penetration testing / Vulnerability management; Information Security Management; Disaster Recovery

FOR MORE INFORMATION OR DETAILS ON HOW TO JOIN please visit www.isgafrica.org or contact [email protected]

South African Chamber of Commerce and Industry (SACCI)

www.sacci.org.za

As we enter 2012, the contributions of legitimate entrepreneurship and entrepreneurial activities will take on even greater economic significance. Although businesspersons have resigned themselves to dealing with the numerous challenges associated with a protracted economic recovery, they remain challenged by illegitimate activities and criminal activities. Such activities are not only an impediment to greater levels of international trade, as it fundamentally undermines the trust necessary to conduct business across borders, but it continues to erode both domestic business-to-business relationships and undermine business-consumer relationships.

While South African authorities continue to meet these challenges with a growing spate of first world “protection legislation”, the pace of technological development, criminal ingenuity and lack of enforcement capacity currently contributes to this being a losing battle. As with any problem, the first step towards addressing or resolving the problem is to understand the problem; it is on this basis that the 2011 Information Security Thermometer was developed to provide specific insights into the scope, nature and trends relating to information protection and cybercrime. It is contemplated that the thermometer would inform and form the basis of both corporate strategies as well as national regulation in addressing this impediment to business.

While the formulation of such strategies and regulations take shape, we can each look within our own enterprises and communities and address the ethical and conduct issues that spawn such criminal activity. We can each inculcate a culture premised on Doing No Harm.

Neren Rau
Chief Executive Officer
South African Chamber of Commerce & Industry

1 Organisation & Industry Demographics

Total number of companies approached: 120
Total responses received: 88
Valid responses used: 77

1.1 Your company industry sector

Sector | Answer count
Banking / Financial Sector | 14
Insurance / Medical | 9
Technology, Media, Telecommunications (TMT) | 16
Mining & Metals | 5
Manufacturing | 6
Retail | 6
Government / Parastatal / SOE, Hospitality, Pharmaceuticals, Other | 21 combined (extracted as "14214"; the split between these four sectors is not recoverable from the extracted text)
TOTAL | 77

1.1.1 Regional participation (chart)

Gauteng 50%. The remaining responses are shown for Free State, KZN, the Cape provinces and others, with chart values of 14%, 10%, 2% and 1%; the extracted text does not attribute these values to provinces.

1.1.2 Role participation

Role | Answer count
IT Executive / CIO / IT Director | 10
Chief Information Security Officer / GM IS | 16
Information Security Officer | 21
Risk Manager / Information Risk / Compliance | 8
IT Manager / Network Manager | 6
Enterprise Architect / IS Architect | 2
IT Security Officer / IT Risk Officer | 10
Security Admins / Security specialists | 2
IT Audit Manager / Technology Audit Manager | 2

1.2 Organisation size / 1.3 Number of computer users in SA supported by IT (charts)

Both charts use the bands Less than 100, 101-1,000, 1,001-5,000, 5,001-10,000, 10,001-50,000 and More than 50,000. The two series of values extracted, in band order, are 1%, 22%, 32%, 16%, 24%, 6% and 1%, 24%, 42%, 13%, 17%, 5%; the extracted text does not indicate which series belongs to which chart.

1.4 Number of IT staff

1-15 | 17%
26-50 | 9%
51-100 | 15%
101-150 | 20%
151-300 | 14%
301-500 | 7%
More than 500 | 14%
Other | 6%

Opinion: Ratio of IT Staff to Employees

The table below shows that IT staffing levels can vary significantly according to the size of the company. (Source: workforce.com)

Employee size | Ratio of IT staff to total employees
500-1,000 | 1:25
1,000 to <5,000 | 1:23
5,000 to <10,000 | 1:25
10,000 or more | 1:40

www.uniteddecisions.com

1.5 Number of information security staff (who have more than 50% IS responsibility)

1.6 Number of part-time / contractor information security staff

Both charts use the bands None, 1-5, 6-10, 11-20, 21-30, 31-50, 51-100, More than 100 and Other. The chart values extracted are 61%, 32%, 47%, 12%, 9%, 10%, 2%, 3%, 6%, 9% and 3%; the extracted text does not attribute them to bands or to either chart.

Interesting Observation

There was no pattern as to which sector employed the most part-time or contractor IS staff. The top 5 employers were spread across the financial, government, retail, mining and industrial sectors.

2 Information Security Governance

2.1 Do you have a dedicated Information Security Officer (ISO) or equivalent senior role devoted entirely to information security?

Answer | Percentage
Yes | 69.14%
No | 22.22%
In the process of appointing | 8.64%

Opinion

Despite the increase of threats facing companies today, it is difficult to believe that over 30% of medium to large SA companies still do not have a dedicated information security management position. What is even more concerning is the probable ratio in the small to mid-sized sector of the economy.

From a participant –

“The ISO role has been delegated by the CEO to an Executive as an additional function within their portfolio.”

2.2 To whom does the head of information security directly report?

Answer | Percentage
CIO (Chief Information Officer or relevant IT executive) | 67%
CEO (Chief Executive Officer or Managing Director) | 1%
CFO (Chief Financial Officer or Financial Executive) | 5%
COO (Chief Operations Officer) | 6%
Physical security executive | 2%
Risk management executive | 5%
Compliance executive | 6%
Steering committee | 4%
Architecture | 1%
Governance role | 2%

2.3 Do you have an information security charter in place?

Answer | Percentage
Yes and signed by senior management | 41.98%
Yes but not yet signed off | 9.88%
Currently in development | 28.40%
No | 17.28%
No comment | 2.47%

An IS charter is a clear communication of senior management’s expectation that information security and governance objectives are supported and achieved.

2.4 Do you have an established information security steering committee (ISSC)?

Answer | Percentage
Yes and represented by senior management across the business | 26%
Yes but only represented by IT | 26%
Not yet but plan to establish shortly | 23%
No | 22%
No Comment | 3%

An ISSC consists of senior stakeholders that are focused on resolving information security and privacy challenges in the most effective way possible.

Opinion

In my opinion this is one of the most effective ways of bridging the void between information security and the business. The typical committee may include senior representatives from:

• HR / Procurement
• Legal / Compliance
• IT
• Risk / BCM / Internal audit
• Physical security
• Key business areas
• Outside information security specialists

www.netcure.com

2.5 Do you have external expertise represented at the information security steering committee (ISSC)?

Answer | Percentage
Yes – our ISSC is chaired by an outside subject matter expert | 2.47%
Yes - part of the committee only | 11.11%
Not yet but plan to bring in someone shortly | 12.35%
No | 71.60%
No comment | 2.47%

Opinion

It is interesting when one analyses advice from King III regarding the structure of a company’s board:

2.16. The board should elect a chairman who is an independent non-executive director.

Why? The non-executive chairman can play a critical role in representing the different constituencies in the company with an impartial viewpoint. The chairman helps maintain continuity during times of management change; is independent of “company politics”; can play an effective role as mediator and can assist the CEO with difficult public relations issues.

2.18.1 The majority of board members should be non-executive directors.

Why then is this wisdom forgotten when it comes to other important areas of the business – especially the structuring of the information security steering committee (ISSC)? Only a small percentage of SA companies utilise outside subject matter experts. If you are able to locate the correct person/s I can guarantee you that the small outlay to “beef up” your ISSC with hired expertise will help reduce risk and generally improve the maturity of your IS management capability.

www.partnersconsult.net

2.6 Has your board assumed responsibility for the governance of information security as per KING III (Section 5.6 - The board should ensure that information assets are managed effectively)?

Answer | Percentage
Yes – documented evidence | 41.98%
Not yet but plan to shortly | 35.80%
No plans | 8.64%
Don’t know | 11.11%
No comment | 2.47%

2.7 How often is information security an item on the board’s agenda?

Answer | Percentage
It is a standing agenda item | 29.63%
Seldom | 23.46%
Only when you have an incident | 24.69%
Never | 4.94%
Don’t know | 14.81%
No comment | 2.47%

From participants –

“IT is on the agenda - not information security”

“Enterprise Risk management has only recently extracted an Information Security Risk report from IT Risk report.”

“It is incorporated as part of IT, and only discussed if there has been an incident or there is a requirement to implement a security solution.”

“Not yet, getting there.”

2.8 In your opinion how aligned is information security to the business objectives of the organisation?

Answer | Percentage
Fully aligned | 21%
Somewhat aligned | 59%
Not at all aligned | 14%
Don’t know | 4%
No comment | 2%

From participants –

“The group company policies are aligned to company business strategy but has not been reviewed lately for relevance.”

“Information security is not considered specifically in business objectives.”

3 Information Security Risk

Enterprise risk management (ERM) can be described as a risk-based approach to managing an enterprise, integrating concepts of internal control and strategic planning. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organisations to ensure they are appropriately managed.

3.1 In your opinion how mature is your enterprise risk management (ERM) function?

Answer | Percentage
Extremely mature and functions efficiently | 17%
Somewhat mature | 53%
Immature and large room for improvement | 28%
No ERM function | 3%
Don’t know | (no value in the extracted text)

3.2 Do you have an established enterprise risk management (ERM) committee?

Answer | Percentage
Yes and represented by senior management across the business | 55.26%
Yes but not represented by business | 14.47%
Not yet but plan to establish shortly | 10.53%
No | 10.53%
Don’t know | 7.89%
Other | 1.32%

www.mcafee.com

3.3 Does a representative from information security / information risk form part of the enterprise risk management (ERM) committee?

Answer | Percentage
Yes | 48.68%
Not yet but plan to shortly | 11.84%
No | 35.53%
Don’t know | 3.95%

From participants –

“Information Security has been asked not to get involved with ERM”

“An IT Risk Committee (chaired by the CIO) is held every quarter and tracks progress on IT Risks. Enterprise Risk Management team attends and challenges IT feedback.”

3.4 How often do you conduct a formal organisation-wide information security assessment?

Answer | Percentage
Every Six Months or less | 14%
Every Two Years | 5%
More than Two Years | 13%
Other (please comment) | 6%
Don’t know | 4%
(The remaining share of the chart is not present in the extracted text.)

From participants –

“There has never been a review according to my knowledge”

“We do it when we are requested to do it, but there are regular ISSC meetings to discuss progress on various projects and Internal Audit are also very closely involved.”

“Security assessments and audits are done annually, however these are done in pockets and not organisation wide.”

www.citicus.com

3.5 Are all major information security risks reported to enterprise risk management (ERM)?

3.6 Are all major IT risks reported to enterprise risk management (ERM)?

Answer | 3.5 IS risks | 3.6 IT risks
Yes – forms an integral part of ERM (IS risk / IT risk respectively) | 41% | 50%
More ad-hoc reporting for now | 36% | 30%
Not yet but plan to shortly | 9% | 7%
No | 11% | 9%
Don’t know | 4% | 4%

Opinion

Having reviewed the feedback above there certainly appears to be a higher priority to report IT related risks to the Enterprise Risk function than information security risks. Why is this? It is probably due to the fact that the IT function has existed for longer than information security and is therefore more engrained in the business.

www.barnowl.co.za

3.7 Which tool do you currently use to capture & report on risks within the organisation?

Answer | Percentage
Microsoft Office (Excel / Word) | 46.59%
ERM vendor tool (please specify) | 27.27%
Internally developed tool (i.e. using Sharepoint) | 13.64%
A combination of the above | 14.77%
No tool yet but currently investigating | 4.55%
None | 2.27%
Other | 5.68%

Interesting Observation

A list of some of the popular ERM tools used by SA companies in the survey:
• BarnOwl
• Cura
• KnowRisk
• Openpages
• TeamMate

Opinion

Traditional Excel and Word it seems are still the preferred methods of capturing and reporting risk for most SA organisations. I often find companies begin this way and as the risk process matures they migrate to an ERM tool. This I believe is a better approach than rushing out and buying a tool without a working process in place.

4 Information Security Compliance

4.1 Please confirm your organisation’s readiness to comply with the following:

Scale: 1 = Fully compliant, 2 = Somewhat compliant, 3 = About to start, 4 = Not applicable, 5 = Unsure

Regulation | 1 | 2 | 3 | 4 | 5
Regulation of Interception of Communications Act 70 of 2002 (RIC Act) | 36.49% | 20.27% | 13.51% | 12.16% | 17.56%
Payment Card Industry Data Security Standard | 10.81% | 33.78% | 6.76% | 36.49% | 12.16%
KING III Code of Governance for SA 2009 | 17.57% | 50.00% | 13.51% | 5.41% | 13.51%
Electronic Communications and Transactions Act 25 of 2002 (ECT Act) | 28.38% | 48.65% | 5.41% | 5.41% | 12.16%
Protection of Personal Information Bill (PoPI) | 9.46% | 36.49% | 32.43% | 2.70% | 18.92%

Opinion

“It was interesting to note that nearly one third of participating companies are yet about to embark on a project to meet the requirements of the Protection of Personal Information Bill (PoPI). I firmly believe that most local companies are still not aware of the full magnitude of meeting the requirements of PoPI and other privacy-related laws. If they think this is simply another project for IT or information security to handle they are in for a rude awakening. Once enacted PoPI will fundamentally change how a business manages personal information. Expect a major revamp to the following processes within your business as a start - Sales and marketing, IT, HR, Risk and compliance and of course Information security.”

www.exponant.com

4.2 Which standards or best practice guidelines do you currently use in your information security practice?

Scale: 1 = Fully utilised, 2 = Somewhat utilised, 3 = About to start, 4 = Not applicable, 5 = Unsure

Standard | 1 | 2 | 3 | 4 | 5
ISO 27002 (Previously ISO 17799) | 31.08% | 44.59% | 5.41% | 10.81% | 8.10%
Cobit 4.1 | 29.73% | 44.59% | 8.11% | 9.46% | 8.10%
ITIL 3.0 | 25.68% | 51.35% | 8.11% | 5.41% | 9.46%
Information Security Forum (ISF) | 14.86% | 29.73% | 6.76% | 31.08% | 17.56%

www.kpmg.co.za

4.3 What is your position on achieving external ISO 27001 certification for your company?

Answer | Percentage
We have conducted a gap analysis against ISO 27001 and may consider certification | 22%
We are not convinced of the business benefits and are not considering certification | 46%
We are seriously considering obtaining ISO 27001 certification | 8%
We have already achieved certification | 4%
Unsure | 14%

www.jtwo.co.za

Comment

I believe with stricter privacy compliance requirements and mounting third party assurance pressures on South African companies we are going to see an increase in the number of local ISO 27001 certifications. If we compare ourselves to other developing countries such as India (526) and China (492) we still have a long way to go. If we as a continent wish to attract foreign investment this will highlight our good governance in providing independent assurance to our investment partners that we take information security seriously.

Source - http://www.iso27001certificates.com/Register%20Search.htm

Number of Certificates Per Country: table from the register listing certificates per country (total 7346); the per-country figures are not reproduced here.

www.7daystech.com
www.titus.com

www.securingthehuman.org

5 IT & Information Security Budgets

5.1 What was your company’s annual IT Budget for FY2010?

Budget per company employee size | Average amount
101-1,000 | 32,6M
1,001-5,000 | 112M
5,001-10,000 | 138,4M
10,001-50,000 | 443,4M
More than 50,000 | 586,7M

(All figures quoted in Rands ZAR)

5.2 What is your company’s annual IT Budget for FY2011?

Budget per company employee size | Average amount
101-1,000 | 34,7M
1,001-5,000 | 122,9M
5,001-10,000 | 155,2M
10,001-50,000 | 434,1M
More than 50,000 | 650M

(All figures quoted in Rands ZAR)

Comment

The above figures are averages for each of the category sizes. For an analysis of individual budgets per industry sector please contact us to arrange a more detailed report and feedback session.

5.3 How are information security budgets typically determined in your organisation? (select those that apply)

Answer | Percentage
Based on a budget defined by head of information security | 25%
No official budget but defined by business requirements | 19%
Based on incidents | 11%
Other | 6%
A percentage of IT budget / Based on projects approved for the year / A percentage of risk management | chart values 17%, 35% and 6% (the extracted text does not attribute these three values to the three options)

5.4 What was your annual information security budget for FY2010?

Budget per company (employee size) | Operational / Business as Usual (BAU) | Special projects / Consulting fees | Hardware / Software purchase | TOTAL amount
101-1,000 | 1,2M | 1,4M | 1,2M | 3,8M
1,001-5,000 | 4,6M | 5,2M | 938K | 10,7M
5,001-10,000 | 2,4M | 660K | 1,2M | 4,2M
10,001-50,000 | 15,7M | 2,9M | 5,4M | 24,1M
More than 50,000 | 16,5M | 5,5M | 2,7M | 24,7M

(All figures quoted in Rands ZAR)

5.5 What is your annual information security budget for FY2011?

Budget per company (employee size) | Operational / Business as Usual (BAU) | Special projects / Consulting fees | Hardware / Software purchase | Other | TOTAL amount
101-1,000 | 1,6M | 2,2M | 900K | - | 4,8M
1,001-5,000 | 4,9M | 5,6M | 2,5M | - | 13M
5,001-10,000 | 3,7M | 900K | 880K | - | 5,5M
10,001-50,000 | 20M | 17,6M | 4M | - | 41,6M
More than 50,000 | 24,5M | 19,1M | 3M | - | 46,6M

(All figures quoted in Rands ZAR; no values for the Other column are present in the extracted text)

5.6 What change do you envisage to your FY2012 information security budget?

Answer | Percentage
Large increase | 22%
Small increase | 45%
No change | 15%
Small decrease | 2%
Large decrease | 3%
Don’t know | 6%
No answer | 8%

From participants –

“PoPI Compliance is a major driver.”

“We have a requirement for encryption and two factor authentication.”

“Focus areas - ISO 27001 gap analysis / Improve education and awareness / 1 additional resource for e-mail management / Further network vulnerability testing.”

5.7 What is the typical annual salary scale (excluding bonuses) for the following professionals in your organisation - CIO or IT Exec?

Answer | Percentage
More than R1,5M per annum | 29.23%
Between R1M to R1,49M | 26.15%
R750K to R999K | 9.23%
R500k to R749k | 4.62%
Less than R500k | 1.54%
Don’t know | 23.08%
No answer | 6.15%

www.telspace.co.za

5.8 What is the typical annual salary scale (excluding bonuses) for the following professionals in your organisation - CISO or Information Security Exec?

Answer | Percentage
More than R1,5M per annum | 5%
Between R1M to R1,49M | 8%
R750K to R999K | 32%
R500K to R749K | 18%
Less than R500K | 5%
Don’t know | 28%
No answer | 5%

5.9 What is the typical annual salary scale (excluding bonuses) for the following professionals in your organisation – IS Officer or IS Manager?

Answer | Percentage
Between R1M to R1,49M | 7%
R750K to R999K | 22%
R500k to R749k | 31%
Less than R500k | 15%
Don’t know | 22%
No answer | 6%
(No value for More than R1,5M per annum is present in the extracted text.)

6 Training and Awareness

Training

6.1 What is your typical professional training budget per information security staff member per annum? (including classroom / onsite / e-learning / conferences)

Answer | Percentage
More than R50,000 | 13.56%
Between R25,000 to R49,999 | 11.86%
Between R10,000 to R24,999 | 32.20%
Less than R10,000 | 18.64%
No training budget | 8.47%
Don’t know | 15.25%

6.2 What are the current or preferred methods of training used by your information security team?

Scale: 1 - Popular, 2 - Busy investigating, 3 - Seldom use, 4 - Never use, 5 - Unsure

Method | 1 | 2 | 3 | 4 | 5
6.2.1 Classroom based – offsite | 59.32% | 11.86% | 11.86% | 3.39% | 13.56%
6.2.2 Classroom based - onsite | 32.20% | 10.17% | 23.73% | 5.08% | 28.81%
6.2.3 Self study | 54.24% | 16.95% | 6.78% | 3.39% | 18.64%
6.2.4 Virtual classroom / Webinar (With remote human instructor) | 23.73% | 23.73% | 18.64% | 5.08% | 28.81%
6.2.5 e-Learning / Computer based only | 33.90% | 16.95% | 13.56% | 6.78% | 28.81%
6.2.6 Simulations / Serious gaming | 10.17% | 10.17% | 44.07% | 11.86% | 23.73%

Awareness

6.3 What percentage of your information security budget was spent on awareness in FY2010?

Chart (2010) values: 7%, 2%, 12%, 22%, 46%, 12%. The percentage bands these values belong to are not present in the extracted text.

From participants –

“While we do run awareness campaigns, there is little budget dedicated to this. We try to use existing resources and technologies.”

“It is amazing that a company is willing to spend millions on the latest security technologies but not have a formal budget to run an awareness programme. Employees are still getting caught out with planted USB flash drives, are still clicking on dangerous links or attachments and are still giving out sensitive information to social engineers.”

www.mistieurope.com

6.4 What percentage of your information security budget will be spent on awareness in FY2011?

Chart (2011) values: 1%, 2%, 14%, 20%, 41%, 14%. The percentage bands these values belong to are not present in the extracted text.

"What percentage of security budget should be spent on security awareness?" A good question, which deserves more than the obvious answer of “a lot more”. My immediate response was that it depends where you are in terms of process maturity and other factors that might shape your priorities, but in my view it should be 10-20% of security budget, i.e. at least 10% and no more than 20%. This might sound a lot to many organisations but it reflects the importance of the subject, the need to do it properly and the substantial return on investment from reducing the numerous incidents caused by ignorance and bad practices. (CISO.com)

www.securingthehuman.org

6.5 Do you envisage a change to your FY2012 information security awareness budget?

Answer | Percentage
Large increase | 20%
Small increase | 42%
No change | 31%
Small decrease | 0%
Large decrease | 0%
Don’t know | 7%

6.6 Awareness programmes - How effective have the following methods of raising overall awareness been in your organisation?

Method | Very effective | Somewhat effective | Not very effective | Investigating this option | Unsure
6.6.1 Formal security induction training | 22.03% | 37.29% | 20.34% | 10.17% | 10.17%
6.6.2 Compulsory e-learning / CBT sessions | 11.86% | 20.34% | 25.42% | 30.51% | 11.86%
6.6.3 Designated formal briefing sessions at staff gatherings | 18.64% | 27.12% | 16.95% | 22.03% | 15.25%
6.6.4 Ambush theatre (i.e. actors play out a “live” scenario in canteen) | 3.39% | 3.39% | 23.73% | 57.63% | 11.86%
6.6.5 Messages in company newsletters | 15.25% | 28.81% | 13.56% | 16.95% | 25.42%
6.6.6 Distributing small gifts with security reminders | 11.86% | 18.64% | 18.64% | 33.90% | 16.95%
6.6.7 Awareness linked to staff performance measures (KPIs) | 20.34% | 10.17% | 23.73% | 30.51% | 15.25%
6.6.8 Using social media tools | 11.86% | 13.56% | 28.81% | 33.90% | 11.86%

There are many reasons why security awareness initiatives fail to make an impact. Often the material is dull, people have difficulty relating to it, it’s poorly designed and presented, and the consequences of following (or not) the advice are not sufficiently personal, immediate or certain. Security managers and in-house communications staff are not the best designers of educational material. It normally pays to get external professional assistance.

From participants –

“We are not allowed to be "in your face" with our users around awareness, so there is no budget for this.”

7 Social Media & Mobile Security

7.1 Please indicate the current status of the following social media platforms in your company

Status | 7.1 Facebook | 7.2 LinkedIn | 7.3 Twitter
Blocked – no corporate access allowed | 8.47% | 22% | 29%
Certain staff allowed access based on role or during certain hours | 40.68% | 61% | 46%
No restrictions – full access | 49.15% | 17% | 22%
Don’t know | 1.69% | 0.00% | 3%

www.sevendaystech.com

7.4 You Tube

Status | Percentage
Blocked – no corporate access allowed | 47.46%
Certain staff allowed access based on role or during certain hours | 45.76%
No restrictions – full access | 3.39%
Don’t know | 3.39%

From participants –

“The marketing and communication department have access to all social media sites as part of their role.”

“We allow limited time on social media sites that don’t have an adverse effect on bandwidth to all users. We limit bandwidth intensive sites to authorised users only where there is a specific business need.”

www.sevendaystech.com

7.5 Please indicate which mobile devices your staff are allowed to use to access their corporate emails and calendar functionality (select all that apply)

Options: Blackberry / RIM platform; IOS platform (Apple iPhone / iPad); Android platform; Windows platform; Symbian (Nokia) platform; All platform access allowed - No centralised mobile management solution currently in place; All blocked – no corporate calendar / email access allowed on mobile devices.

Chart values (%), in the order extracted: 1.14, 22.73, 29.55, 45.45, 32.95, 42.05, 60.23. The extracted text does not confirm which value belongs to which option.

Page 38: SA Information Security Thermometer 2011

8 Information Security Programme Management

Which parts of managing your information security programme do you find challenging?

Response options: Major frustration; Very challenging; Room for improvement; Working well; Unsure

Chart values as extracted, five per item (each row adds up to 100%; the first value of each row is the "Major frustration" share, the series topped by items 8.5 and 8.14 that the commentary below singles out; the remaining four series are not labelled in the extracted chart data):

8.1 Overall lack of commitment from senior management to information security: 26.79% / 32.14% / 23.21% / 1.79% / 16.07%
8.2 Enforcing policy / standard requirements across all users: 32.14% / 33.93% / 17.86% / 1.79% / 14.29%
8.3 Information security compliance management: 17.86% / 48.21% / 10.71% / 3.57% / 19.64%
8.4 Running an original and effective awareness campaign: 21.43% / 41.07% / 14.29% / 7.14% / 16.07%
8.5 Insufficient budgets to do a thorough job: 44.64% / 21.43% / 14.29% / 1.79% / 17.86%
8.6 Constantly evolving threat universe to manage effectively: 23.21% / 37.50% / 12.50% / 3.57% / 23.21%
8.7 Complex security programme management: 14.29% / 35.71% / 17.86% / 5.36% / 26.79%
8.8 Attracting & retaining suitably qualified staff: 30.36% / 26.79% / 23.21% / 7.14% / 12.50%
8.9 Complexity of technologies to manage: 10.71% / 51.79% / 12.50% / 1.79% / 23.21%
8.10 Managing risk introduced through social media: 10.71% / 35.71% / 16.07% / 10.71% / 26.79%
8.11 Managing data expansion – knowing where my data resides / classification: 25.00% / 50.00% / 8.93% / 3.57% / 12.50%
8.12 Policy and standards lifecycle management – ensuring documents are updated, signed, communicated: 19.64% / 30.36% / 19.64% / 1.79% / 28.57%
8.13 Endpoint & mobile protection: 26.79% / 37.50% / 16.07% / 1.79% / 17.86%
8.14 Preventing data leakage: 44.64% / 32.14% / 7.14% / 1.79% / 14.29%
8.15 No national SA information security incident response centre (CIRT) to assist in case of crisis: 25.00% / 28.57% / 7.14% / 14.29% / 25.00%
8.16 Identity and Access management: 32.14% / 23.21% / 19.64% / 3.57% / 21.43%

“Whilst many companies are finding it difficult to run an effective information security programme in the current climate, things are only going to get tougher. There is a global increase in threats and compliance requirements facing companies. The two biggest headaches for local information security decision-makers are insufficient budgets and data leakage management. The challenge - trying to safeguard expanding information assets with fewer resources. I like to use the analogy of a farmer attempting to protect his fields from 360 degree attacks – from birds above, from bugs below and other neighbourhood threats. Information security “farmers” have the same challenges but on a far larger scale – every single “bird”, “bug”, “thief”, “crop disease” and so forth on the entire planet has the potential to become a major threat.”

Page 39: SA Information Security Thermometer 2011

“Apart from firewall and email management, it appears South African information security decision-makers are not all that comfortable yet with outsourcing. Policy and compliance management are on the opposite side of the spectrum as those least likely to be outsourced. What does this spell out to local managed security service providers? Maybe their value proposition does not provide a sufficient enough return on investment (ROI) to justify a move or perhaps corporates still believe they can do the job better themselves?”

9 Managed services

How do you currently manage the following information security components?

Response options: Already outsourced; Investigating outsourcing; Shared responsibility; Managed in-house; Unsure

Chart values as extracted, five per component (each row adds up to 100%; consistent with the commentary above, the first value of each row is the "Already outsourced" share, highest for email and firewall management, and the third is the "Managed in-house" share, highest for policy and compliance management; the other three series are not labelled in the extracted chart data):

9.1 Entire Information security function: 3.57% / 3.57% / 57.14% / 3.57% / 32.14%
9.2 Vulnerability management: 12.50% / 5.36% / 37.50% / 1.79% / 42.86%
9.3 Identity and access management: 5.36% / 0.00% / 62.50% / 7.14% / 25.00%
9.4 Email hygiene & content filtering: 26.79% / 1.79% / 39.29% / 1.79% / 30.36%
9.5 Web application security: 19.64% / 1.79% / 37.50% / 7.14% / 33.93%
9.6 Network firewall management: 23.21% / 0.00% / 48.21% / 0.00% / 28.57%
9.7 Endpoint security: 12.50% / 0.00% / 51.79% / 5.36% / 30.36%
9.8 Compliance monitoring: 7.14% / 1.79% / 64.29% / 10.71% / 16.07%
9.9 IDS / IPS management: 19.64% / 0.00% / 44.64% / 7.14% / 28.57%
9.10 Log monitoring: 10.71% / 8.93% / 44.64% / 10.71% / 25.00%
9.11 Data leakage protection: 5.36% / 5.36% / 48.21% / 16.07% / 25.00%
9.12 Policy management: 0.00% / 3.57% / 80.36% / 5.36% / 10.71%


Page 41: SA Information Security Thermometer 2011

10 Incident Management & Cyber Forensics

A formal privacy and information security incident management capability is essential. Aspects to include involve funding and cost models; analysis, containment and recovery responsibilities; decision-making authority for notifications; legal and/or law enforcement involvement; forensic investigations; responsibility for after-incident debriefing; communication process; testing and process improvements.

10.1 We have an information security & privacy incident management plan

Yes – defined, approved by top management and tested regularly: 30%
Yes – defined, approved by top management but not tested: 14%
Yes – defined, but not approved by top management & not tested: 21%
Informal / Ad hoc: 21%
No defined information security & privacy incident management plan: 13%

“Talk to any security or privacy professional who has experienced a major incident and they will highlight the importance of having a tried and tested incident management capability in place. Over one third of local companies analysed have no incident management plan (or at minimum an informal one) implemented which puts their company at risk. Forewarned is forearmed I say.”

Page 42: SA Information Security Thermometer 2011

10.2 We have a defined cyber forensics / computer forensics first responders team

Yes – defined and efficient: 13%
Yes – somewhat established but not yet put to the test: 18%
Ad hoc / informal: 25%
No – we outsource this capability: 7%
Nothing yet in place: 36%
Unsure: 2%

10.3 Incidents: Rate the occurrence of the following incidents in your company over the last 12 months

Response options: On the increase; No change; On the decrease; No reports of this; Unsure

Chart values as extracted, five per incident type (each row adds up to 100%; the extracted chart data does not label which series belongs to which response option):

10.3 Online fraud: 21.43% / 10.71% / 50.00% / 12.50% / 5.36%
10.4 Identity theft: 12.50% / 12.50% / 53.57% / 12.50% / 8.93%
10.5 Intellectual Property theft: 10.71% / 19.64% / 48.21% / 12.50% / 8.93%
10.6 Laptop / computer theft: 26.79% / 42.86% / 5.36% / 10.71% / 14.29%
10.7 Industrial espionage: 5.36% / 17.86% / 51.79% / 23.21% / 1.79%
10.8 Customer records / data loss: 12.50% / 19.64% / 46.43% / 10.71% / 10.71%
10.9 Third party lost our customer information: 5.36% / 14.29% / 66.07% / 12.50% / 1.79%
10.10 Extortion from syndicates: 12.50% / 12.50% / 57.14% / 14.29% / 3.57%

From participants

“We have no computer forensic capability as yet. This is being investigated.”

“Our Forensics unit claim to be responsible for investigating and responding to cyber threats, but our Information Security policy states otherwise.”

“What is the cost of cybercrime to the South African economy? Whilst cybercrime is still a crime and needs to be reported as such to the South African Police Service there is no specific indication of the true cost of cybercrime to our country. Upcoming legislation (the Protection of Personal Information Act) will go some way towards forcing companies to disclose breaches of personal information but for now most companies are tight-lipped on the full extent and cost of these types of incidents.

A recent 2011 UK Cabinet Office report “The Cost of Cybercrime”, produced by Detica in partnership with the Office of Cyber Security and Information Assurance, estimates the cost of cybercrime to the UK economy at £27 billion a year, and growing.”

We plan to undertake a South African Cybercrime Barometer study in 2012 to analyse the true extent of cybercrime activity in the South African environment. Hopefully this will better equip all relevant stakeholders to ensure the correct measures are in place to deal with this scourge threatening our country.


Page 44: SA Information Security Thermometer 2011

www.TheInternetPassport.com: Single Sign-on solution with 100% Non-repudiation.
www.barnowl.co.za: Integrated Enterprise Risk Management, Internal Audit & Compliance Software.
www.citicus.com: Risk and compliance management software. In-house or SaaS implementation.
www.drs.co.za: IT security, security solutions, data protection, managed security services, forensics.
www.tscm-za.com: TSCM, technical surveillance countermeasures, sweeping & debugging, countersurveillance, technical security, information security, risk management.
www.netcure.com: Security Health Checks, Education, Awareness, Information Security Management, Consulting, Dashboards, Data Assurance Services.
www.exponant.com: Specialist Solutions for SIEM, Log Management, Security Monitoring and Control.
www.focalcommunications.co.za: Telephone voice recording equipment, call monitoring software, trunk radio loggers.
www.gtsp.co.za: Penetration Testing, Vulnerability and Risk Assessment, CEH & CHFI Training.
www.ifacts.co.za: Employee screening, Credit checks, Educational Qualifications, ID Verification, CCMA Cases, Criminal Checks.
www.isolvtech.com: Public key infrastructure, biometrics, identity management, secure communications, lawful interception.
www.itcompliance.co.za: PCI DSS & ISO 27001 Compliance Framework (SaaS), Technical & Operational Due Diligence.

Page 45: SA Information Security Thermometer 2011

www.jtwo.co.za: Policy enforcement, Unified email management, Security Audits.
www.kpmg.co.za: Focuses on the risks specifically pertaining to the technology systems used to support clients’ business objectives through providing advice and solutions that assist in releasing value from information technology.
www.lawtrust.co.za: PKI Solutions, SSL Certificates, Biometric Solutions, Signature Solutions, Symantec CCS, Strong Authentication, Consulting Services, Training, Non-Repudiation Solutions.
www.maxtec.co.za: Network Solutions, Security Solutions, Storage Solutions, Repairs & Support.
www.mcafee.com: Information protection, software & hardware products to protect infrastructure, information, systems, databases, identity management.
www.michalsons.co.za: ICT Legal Specialists.
www.mimecast.co.za: Mimecast delivers email security, continuity, archiving to simplify email management.
www.mistieurope.com: The Global Leader in Audit, Risk, Fraud and Security Training.
www.netsecurity.co.za: Secure network design and systems implementation.
www.outpost24.com: Proactive security solutions in Vulnerability Management - Security Made Easy.
www.pandasecurity.co.za: Antivirus, security, enterprise solutions, perimeter security, spam protection, network security.
www.partnersconsult.net: Information Security Management Systems, Governance, Architecture and Technology Leadership, Advisement Services.
www.remoteq.com: Antivirus, Firewalls, WAN Optimization.
www.reportstar.net: Unified Threat Management, Data Loss Prevention, SIEM, Compliance, Internet/Email Analysis, Managed Security Services, SOC services, Security Systems Monitoring.

Page 46: SA Information Security Thermometer 2011

www.sacci.org.za: South African Chamber of Commerce and Industry.
www.sensepost.com: Security Assessments, Managed Vulnerability Scanning, Security Training and Consulting Services.
www.sevendaystech.com: Data Classification, Data Leakage Prevention, Data Encryption, Social Media Security & Compliance, Unified Communications Security & Compliance, SharePoint Security and classification, Mobile Device Security, Endpoint Risk Assessments, Data Risk Assessments, PCI & PPI Risk Assessments and Solutions.
www.symantec.com: Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world.
www.technoblegy.co.za: IT Training, Security Awareness, Networking, Support.
www.telspace.co.za: Attack and Penetration testing, Web Application Assessments, Security Consulting and Service Level Agreements.
www.sans.org: The most trusted and by far the largest source for information security training in the world.
www.thinksmart.co.za: Application (software) security: assessments; design; training. Pentests. PCI/SAS70. Security policies.
www.uniteddecisions.com: SIR10T is aimed at business leaders with a desire to gain better control over projects in their drive to achieve returns on their strategic investment.
www.wolfpackrisk.com: Awareness, online & classroom training, simulations, mentorship, research, toolkits & programme management.
www.zenithsystems.co.za: QRadar SIEM: Log, Threat and Compliance Management.
www.ziliant.com: Consulting (PKI, Authentication, Cryptography). InfoSec Product Development.
