In Brief

How Does Your Company Stack Up?

First results from the CSO/CERT Security Capability Model survey

By CSO Contributor

January 01, 2005, CSO

Managing Risks

Respondents indicate a widespread lack of sophistication in addressing security at the level of risk management. Any organization that regularly reviews processes for vulnerability assessments and threat assessments is well ahead of the pack.

Percentage of respondents reporting each attribute for the process:

In place  Owner identified  Repeatable  Documented  Regularly updated  Process
60%       49%               42%         30%         22%                Do regular vulnerability assessments
55%       39%               32%         22%         16%                Act on assessment results in a timely way
61%       35%               34%         26%         18%                Identify critical information assets
56%       31%               27%         18%         16%                Identify threats to critical information assets
30%       19%               16%         12%         9%                 Determine potential impacts of attack on critical information assets
41%       29%               23%         17%         13%                Manage risks to information assets similarly to other key business risks

Setting Policies

In the absence of a true risk management approach, the next best step is to at least address security on a policy level. Respondents show decent involvement by senior management in setting security policies. However, few succeed in making security a regular part of staff or management meetings.

Percentage of respondents reporting each attribute for the process:

In place  Owner identified  Repeatable  Documented  Regularly updated  Process
73%       52%               45%         48%         36%                Have senior managers establish security policy (both IT and physical)
37%       26%               22%         18%         14%                Link policies to specific business objectives and risk areas
47%       29%               26%         23%         18%                Inform all managers of responsibilities regarding security
34%       22%               19%         13%         12%                Make security a regular agenda topic at management and staff meetings
49%       33%               30%         28%         20%                Train end users on security policy prior to receiving system accounts
43%       28%               27%         20%         17%                Conduct periodic independent audit of compliance with company policies

Securing Systems and Networks

Survey results show that most organizations approach information security at a technical level. While some technology-oriented processes are more prevalent than others, CERT notes that without attention to risk management and security policies, money spent on technical solutions may be misdirected.

Percentage of respondents reporting each attribute for the process:

In place  Owner identified  Repeatable  Documented  Regularly updated  Process
80%       57%               57%         44%         33%                Assign, manage and update user identities and access permissions
76%       53%               50%         36%         29%                Manage system/network changes and configuration, including patches
82%       58%               60%         40%         35%                Regularly scan for viruses and other malware on all systems
81%       53%               51%         31%         25%                Monitor for, detect, report and act on suspicious files/behaviors/events
57%       40%               37%         22%         19%                Actively work to contain the damage caused by viruses and malware
74%       48%               46%         30%         23%                Recover/restore compromised files, systems, networks in a timely manner

Handling Corporate Security

Respondents display a variety of capability levels with regard to basic physical and corporate security processes. Access control is widespread; employee training is not.
