Presentation made to Atlanta Society for Information Managers in November 2008

2. Information security and risk management remains a
top concern for information managers. What are the
current and emerging issues in information security?
How are leading organizations dealing with these
issues? What best practices are being utilized to meet
ongoing security risks?
This presentation will attempt to answer these
questions by reviewing global trends in information
security and discussing real-life examples of how
organizations are meeting the ongoing security
challenges.

3. Evolution of information security
Current state
Current and Emerging issues

5. High
Productivity Improvement
Mobile
Reliance on IT
Increased Risk
Impact of Failure
Internet
Client/
Server
MF
Low 1970s 1980s 1990s 2000s
Low High
IT Usage
Probability of Failure

6. Information Security Organizations
•ASIS •ISACA
•ACSE •ISSA
• CSIS •IACSS
•CSI •ISC2
•CompTIA •ITGI
•HTCIA •SANS Institute
Founded in 1989, (ISC)² has certified over
60,000 information security professionals
in over 135 countries
ISACA has 55,000 certified information
system auditors

7. Critical infrastructure includes…
• agriculture, food
• healthcare
• water
• energy
• banking and finance
• national monuments and icons
• defense industrial base

10. Featuring selected results of the 2008 Ernst & Young Global Information
Security Survey

11. The survey:
Conducted in June-August 2008
Nearly 1,400 organizations participated
50 countries and all major industries represented
Areas covered:
Governance and measurement
Drivers
Organization
Standards
Activities
Survey report available at: www.ey.com

12. Documented information security strategy for next 1-3 years?
18%
33%
Yes, as an integrated part of the
organization's IT strategy
No
20%
Yes, specifically for information security
Yes, as an integrated part of the
organization's business strategy
29%
“The challenge for many organizations…is not how to make
security work better with the business but to make it part of the
business”

13. Information security is considered a key dimension of
business risk
Common framework and process for decision accountability
and issue identification
Metrics captured and shared with all levels of management
(including the Board of Directors)
Business initiatives include budget to address security issues
Information ownership and accountability a foundation for
the prioritization and development of security policies
Cross organizational custodians implement security controls defined
by information owners
Most critical information assets have been identified using some
risk/value method

14. Significant or Very Significant Consequence if Organization’s Information is Lost,
Compromised or Unavailable
“The need to protect reputation and brand has moved many companies
beyond the requirements of regulatory compliance”

15. Technology assets identified, ownership and custodial
responsibilities assigned
Data identified and linked to business processes,
applications and data stores
Owners have authority and accountability for information
assets (including protection requirements)
Custodians implement confidentiality, integrity, availability
and privacy controls
Repository of information assets maintained
Formal risk assessment process to allocate security
resources, linked to business continuity

16. Security Activities Outsourced or Considered for Outsourcing
Under evaluation /
No plans to Currently outsourced planned for
outsource (full or partial) outsourcing
Security Assessments/Audits 35% 50% 15%
Attack and Penetration testing 23% 59% 18%
Application Testing 56% 30% 14%
Security Training & Awareness 62% 21% 17%
Vulnerability/Patch management 67% 24% 9%
Disaster Recovery/Business Continuity Management 65% 22% 13%
eDiscovery, Forensics / Fraud Support 66% 19% 15%
Incident Response 77% 15% 8%
7%
Help Desk (password reset/access issues) 66% 27% 6%
“So much emphasis is often placed on technology that the “people”
component of information security is frequently overlooked”

17. Outsourcing of certain security functions
Security policy and compliance functions report
outside of IT, typically to a risk function
Roles and responsibilities are defined using a model
such as “RACI” (Responsible, Accountable,
Informed, Consulted)
Training, development and certification of
personnel with security responsibilities
Security awareness /education program
implemented for various audiences

19. Managing to many different standards
Managing security in the extended enterprise
Determining the “right” investment in information
security
Integrating security into the enterprise architecture
and planning process
Data-centric vs. perimeter protection security
Managing identities and access
Dealing with changing threat/technology
environment

21. How involved is your information security team with
enterprise risk assessment?
What management reports are provided on
information security? To whom?
How are information security needs identified?
How sustainable are information security compliance
efforts?
Have you identified all your vendor relationships and
data interchanges?
How are you managing vendor security-related risks?
What type of controls have you implemented to
protect personal information?
How integrated are privacy and security efforts?
How do you evaluate information security?
How complete is your business continuity program?

22. Stoddard Manikin
Graeme Payne
Stoddard.Manikin@ey.com
payney@bellsouth.net
404 817 5349
770 619 4278