Ernst & Young's Global Information Security Survey (GISS) is a survey conducted annually by Ernst & Young worldwide. The first GISS was conducted in 1998. We invited CIOs, CISOs, CFOs, CEOs and other information security executives to participate. The majority of the survey responses were collected during face-to-face interviews. When this was not possible, the questionnaire was conducted online. If you wish to participate in Ernst & Young's 2013 Global Information Security Survey, please contact your local Ernst & Young office, or visit www.ey.com/US/en/Home/Home-ContactUs and complete a simple request form.
Ernst & Young's Global Information Security Survey 2012
[Figure: respondents by region: Japan, Asia Pacific, Americas]
Prior to 2006, information security was seen as an important component of mitigating financial risk and meeting new compliance requirements, such as SOX 404. After 2006, the scope of information security expanded in two directions:
1. Information security needed to protect organisations more broadly, especially in a globalised world.
2. Information security needed to show a clear return on investment, requiring an alignment of risk and performance.
In 2008, information security matured beyond compliance. Protecting brand and reputation became the primary driver in an environment of escalating threats, through managing new risks and leveraging technology. At the same time, the world changed dramatically: a global financial crisis and economic downturn hit many organisations hard, emerging markets gained much more prominence, and the competitive landscape changed. Confronted with these challenges, organisations focused on restructuring and reinventing themselves to keep up with the new requirements and increasing cost pressures.
Key trends and recommended steps

Recommended steps, 2006 to 2009 (the original slide placed these on a year-by-year timeline covering 2006, 2007, 2008 and 2009):
- Take a more business-centric view
- Stay proactively involved in achieving regulatory compliance
- Keep up investments in information security despite economic pressures
- Improve risk management of third-party relationships
- Invest in training and awareness programs to keep people from being the weakest link
- Invest more in privacy and personal data protection
- Co-sourcing to address a lack of resources and tighter budgets
- Assess the potential impact of new technology and the organisation's ability to protect its assets
- Align information security with the business
- Face the challenges of staffing information security functions
- Know the risks posed by increasing external and internal threats

Recommended steps, 2010:
- Address the risks associated with emerging technologies
- Increase investment in data loss prevention tools
- Take an information-centric view of security that better aligns to the business

Recommended steps, 2011:
- Bring information security into the boardroom
- Protect the information that matters most
- Embrace encryption as a fundamental control
- Focus on the fundamentals

Recommended steps, 2012:
- Continue to make information security a board-level priority
- Develop an integrated strategy around corporate objectives, and consider the whole risk landscape
- Use data analytics to test the risk landscape and understand the data you need to protect most
- Use a three- to five-year horizon for budgeting to enable long-term planning
- Innovate, innovate, innovate
- Start working on a fundamental transformation
What is happening
The gap is widening
This year's survey shows that threats are accelerating significantly faster than the enhancements organisations are making.
What is happening
Accelerating threats
In 2012, 77% of respondents noticed an increase in external attacks (state-sponsored espionage, hacktivism, organised crime and terrorism), compared with 72% in 2011 and 41% in 2009. This year, 46% of respondents noticed an increase in internal vulnerabilities (in terms of evolving technologies such as mobile devices, and insufficient IS resources).
37% ranked careless or unaware employees as the threat that increased the most over the last 12 months.
The gap keeps widening because of compounding issues: misalignment of the IS strategy/framework with the business; insufficient resources for information security activities; inadequate IS processes and architecture; and the fastest-ever blooming of new technologies.
What is happening
The information security agenda continues to be IT-led rather than focused on the overall business strategy:
- 46% of respondents almost never or never discuss information security strategy with the top governing structure of their organisation
- Only 42% of respondents say their information security strategy is aligned to their business strategy
- Only 5% have information security reporting to the chief risk officer, the person most responsible for managing the organisation's risk profile
- 63% of organisations have placed responsibility for information security with the IT function
- 70% of respondents indicate that their information security function only partially meets organisational needs and improvements are underway
What is happening
B. Resource constraints
D. A torrent of technology
New technologies bring new threats and risks: virtualisation, cloud computing, social media, BYOD, mobile devices.
- 38% of respondents say they have not taken any measures to mitigate the risks of using cloud computing services
- 38% of respondents say they do not have a coordinated approach to address social media
- Only 40% have adopted encryption techniques to protect data on their mobile computing channel
What is happening
The key issues causing the widening gap
Key issues:
- Misalignment with the business
- Insufficient resources with the appropriate experience, skills and training
- Inadequate processes and architecture
- New and evolving technologies
More specific to Vietnam's context:
- Lack of implementation of a formal IS framework and IS strategy
- Significant lack of resources with the appropriate experience, skills and training
- Informal and changing operational processes and corporate organisational structure
- New and evolving technologies (cloud computing, BYOD, mobile, social media)
- Emerging market with ever-changing governmental regulations
Information security is a strategic business imperative and requires an enterprise response.
2. A fundamental transformation
Link the information security strategy to the business strategy, and the overall desired results for the business.
Start with a blank sheet when considering new technologies and redesigning the architecture, to better define what needs to be done. This presents an opportunity to break down barriers and remove existing biases that may hamper fundamental change.
Select and implement a formal information security architecture framework (ISO 27001, The Open Group Architecture Framework).
Execute the transformation by creating an environment that will enable the organisation to successfully and sustainably change the way information security is delivered.
Make leaders accountable for delivering results and visibility throughout the life of the program. Commit to providing sufficient resources for the IS program organisation-wide over the long term.
When considering new technologies, conduct a deep dive into the opportunities and the risks they present. Social media, big data, cloud and mobile are here to stay, but organisations must prepare for their use. For every new technology implemented, besides all the benefits and opportunities, carefully consider the new threats and risks it presents.
Regularly assess changes in the business environment to identify new risks and threats and act on them immediately.
Conclusion
Changing environment:
- New technology: virtualisation, cloud computing, social media, mobile
Responses so far:
- Redefined strategies
- Installed new information security function components
- Added more people
However, our survey results suggest that companies have NOT improved enough.
Effective information security transformation does NOT require complex technology solutions. It requires leadership and the commitment, capacity and willingness to act.
What has your organisation done to adjust information security to address the changing environment? Has your organisation implemented the necessary information security improvements to keep up with the pace of change?
How does your budget compare to international standards in terms of percentage of annual revenue?
Ernst & Young's Information Security services started very early, in the 1990s.
We're proud to have our IS professionals as the authors of the famous Hacking Exposed series. In 2002, Ernst & Young established our global network of Advanced Security Centers (ASCs), which provide controlled and physically secure environments in which our dedicated team of leading security professionals can conduct assessments focused on clients' infrastructure, applications and people. Our IS professionals comprise former CSOs, CIOs and specialised subject matter professionals from all over the world. Drawing on our in-depth knowledge and extensive experience working with major organisations for nearly 20 years, we work with clients to deliver sustainable, measurable results in:
Compared to the previous year, does your organisation plan to spend more, spend relatively the same amount or spend less over the next year for the following activities?
What threats and vulnerabilities have most increased your risk exposure over the last 12 months?
How does your organisation assess the efficiency and effectiveness of information security?
What formal security architecture frameworks are used (or are you planning to use) within your organisation?
Which of the following controls have you implemented to mitigate the new or increased risks related to the use of cloud computing?
Which of the following controls have you implemented to mitigate the new or increased risks related to the use of social media?
Does your organisation currently permit the use of tablet computers for business use?
Which of the following controls have you implemented to mitigate the new or increased risks related to the use of mobile computing including tablets and smartphones?
Which of the following actions has your organisation taken to control data leakage of sensitive information?
Survey methodology
Ernst & Young's Global Information Security Survey was conducted between May 2012 and July 2012. 1,836 respondents across all major industries and in 64 countries participated.
For our survey, we invited CIOs, CISOs, CFOs, CEOs and other information security executives to participate. We distributed a questionnaire to designated Ernst & Young professionals in each country practice, along with instructions for consistent administration of the survey process.
The majority of the survey responses were collected during face-to-face interviews. When this was not possible, the questionnaire was conducted online. If you wish to participate in Ernst & Young's 2013 Global Information Security Survey, please contact your local Ernst & Young office, or visit www.ey.com/US/en/Home/HomeContactUs and complete a simple request form.
[Figure: respondents by region: Japan, Asia Pacific, EMEIA, Americas]
[Figure: respondents by industry (1,836 respondents from 64 countries)]
[Figure: respondents by total annual company revenue]
[Figure: respondents by position]
Contacts

Global
Norman Lonergan, Advisory Services Leader, +44 20 7980 0596, norman.lonergan@uk.ey.com
Paul van Kessel, IT Risk and Assurance Services Leader, +31 88 40 71271, paul.van.kessel@nl.ey.com

Advisory Services
Robert Patton, Americas Leader, +1 404 817 5579, robert.patton@ey.com
Andrew Embury, Europe, Middle East, India and Africa Leader, +44 20 7951 1802, aembury@uk.ey.com
Doug Simpson, Asia-Pacific Leader, +61 2 9248 4923, doug.simpson@au.ey.com
Shohei Harada, Japan Leader, +81 3 3503 2033, harada-shh@shinnihon.or.jp

Regional leaders
Bernie Wedge, Americas Leader, bernard.wedge@ey.com
Manuel Giralt Herrero, Europe, Middle East, India and Africa Leader, manuel.giraltherrero@es.ey.com
Jenny Chan, Asia-Pacific Leader, jenny.s.chan@cn.ey.com
Haruyoshi Yokokawa, Japan Leader, yokokawa-hrysh@shinnihon.or.jp
Henri Hoang, Vietnam Leader, +84 97 205 4888, henri.hoang@vn.ey.com