
Risk preparedness in Business in the field of Network and Information Security

Survey to Assess Risk Preparedness in European businesses Done for the European Commission and

ENISA (http://www.enisa.eu.int)

European Network and Information Security Agency

Dear Survey Respondent,

Thank you for taking the time to participate in this survey to assess the risk preparedness of enterprises across Europe in the field of IT and network security.

The study on Risk Preparedness in Business in the Field of Network and Information Security has been commissioned by the European Commission to gain insight into the awareness, motivation and attitude towards ICT risk preparedness in the field of networking and information security. This study is of strategic importance to the European Commission, since an expected result of the study is a set of recommendations regarding future European policy that could develop a more secure and favourable environment for European industries, depending on their size and activity. Your participation in this survey is therefore of great importance and provides you with the unique opportunity to express your opinion and have a voice in the creation of future policies.

On receipt of the completed questionnaire, we will send you the Awareness Folder CD, which contains detailed material on risk preparedness, the list of potential vulnerabilities and corresponding possible measures, illustrated by examples, case studies and extracts from existing papers, communications and studies, to help you secure your enterprise against any ICT disaster.

We welcome your feedback and comments and thank you once again for your cooperation.

Best regards,

The Risk Preparedness Study Team

If you are returning this questionnaire by post, please send it to:
Unisys Belgium SA
Attn. The Risk Preparedness Study Team
Business Centre
Av. du Bourget 20
1130 Brussels
Belgium

If you are returning this questionnaire by email, please email it to: Risk-Preparedness@unisys.com

Unisys Belgium SA / RAND Europe, 2005

UNISYS

All data will be treated with the utmost confidentiality


Specific Privacy Statement
Open consultation on Risk Preparedness in the Field of Network and Information Security

1. Processing
The objective of this survey, operated by Unisys during the execution of the contract "Risk Preparedness in Business in the Field of Network and Information Security" for the European Commission's Directorate General for Information Society (DG INFSO), is to collect information about the level of risk preparedness of enterprises in the 25 European Union Member States.

2. What personal information do we collect, for what purpose and through which technical means?
The following personal data are collected through the survey: the role of the respondent within his/her company and the country where the company is registered or has its main location. On a strictly voluntary basis, the respondent is also invited to provide his/her name, his/her organisation details, and his/her postal address. This data is collected with the sole purpose of sending the respondent the awareness folder and the study results, when published. This information will be kept separate from the responses to the questionnaire and no link will be made to the responses to the questionnaire.

Survey information: The survey is disseminated in the following ways:
1. Downloadable PDF that can be printed, filled out and posted to the return address specified on the questionnaire
2. Paper survey that can be filled out and posted to the return address specified on the questionnaire

3. Who has access to your information and to whom is it disclosed?
Any personal information can only be accessed by the Unisys team responsible for the development of the survey and the Unisys team performing the study on Risk Preparedness in Business in the Field of Network and Information Security.

4. How do we protect and safeguard your information?
Immediately after the submission of the form, your replies are recorded in a database hosted by Unisys. The database is password protected and is not accessible from outside Unisys. Inside Unisys the database can be accessed only by the team working on the Risk Preparedness in the Field of Network and Information Security project and the Unisys personnel in charge of setting up the survey.

5. How can you verify, modify or delete your information?
You have no direct access to your personal data stored in the database. If you wish to modify or delete your reply, please send a message to the contact point provided in the form.

6. How long do we keep your data?
Your personal data will remain in the database until the results have been completely analysed, and will be rendered anonymous once they have been usefully exploited. At the latest 3 years after the end of the consultation, the data will be deleted.

7. Contact Information
In case you have questions or requests concerning the information submitted by you with this questionnaire, please contact:
Unisys Belgium SA
Risk Preparedness Study Team
Business Centre
Avenue du Bourget, 20
B-1130 Brussels
Belgium
Email: Risk-Preparedness@unisys.com


Personal Information

a. Company (This field is not mandatory. If you would like to receive the Study materials, you may mention any convenient address in field c. below):

b. Where did you obtain this questionnaire?
    Workshop event in ______
    From the website
    Via direct email

c. Address: If you would like to receive the study framework, awareness folder, presentations and materials, please indicate below the address to which they should be sent.

Privacy Policy: This section is a separate sheet. It will be processed separately and confidentially from the rest of the questionnaire. No link will be established between this section and the questionnaire.


1. General Information

1.1 Your role

1. What is your role within your company (tick one only)?
    Owner / Proprietor / CEO / MD
    Board level Director
    IT Management
    Business Management
    Information Security Management
    Internal Audit
    Office Worker / Administrator
    Accounts / Financial Director / Financial Controller
    Company Secretary
    Operations Manager
    Design Engineer
    HR Manager
    Health and Safety Manager
    Purchasing Manager
    Marketing Manager
    R & D Manager
    Other (please state)

1.2 Country of operation

2. In what European country is your organisation legally registered, or has its headquarters or main location (tick one only)?
    Austria
    Belgium
    Cyprus
    Czech Republic
    Denmark
    Estonia
    Finland
    France
    Germany
    Greece
    Hungary
    Ireland
    Italy
    Latvia
    Lithuania
    Luxembourg
    Malta
    Netherlands
    Poland
    Portugal
    Slovakia
    Slovenia
    Spain
    Sweden
    United Kingdom
    Other (please state)

1.3 Business Activity

3a. In what sector is your main business activity (tick one only)?
    Financial Services
    Manufacturing
    Telecoms
    Retail
    Technology
    Construction
    Travel, Leisure and Entertainment
    Professional services
    Utilities
    Other (please state)

3b. In what sector is your secondary business activity (tick one only)?
    Financial Services
    Manufacturing
    Telecoms
    Retail
    Technology
    Construction
    Travel, Leisure and Entertainment
    Professional services
    Utilities
    Other (please state)

1.4 Size of your company

4. How many staff in total does your company have (tick one only)?
    1-10
    10-25
    25-100
    100-250
    250-1000
    1000 and above
    Don't know

5. How many offices or facilities do you have (tick one only)?
    1
    2-10
    10-20
    20 or above
    Don't know

1.5 Value of company

6. In your last fiscal year, what was your estimated turnover (million Euro) (tick one only)?
    Less than 10
    10-50
    50-125
    More than 125
    Don't know

7. Can you estimate the value of your company's reputation or brand? If so, how much is it worth (million Euro) (tick one only)?
    Less than 10
    10-50
    50-125
    More than 125
    Don't know

2. Technological Environment

2.1 View of ICT

8. Please indicate the importance of ICT to your business (tick one only):
    Very important
    Important
    Neither important nor not important
    Not very important
    Not important

9. Please indicate how long you imagine your business could last without ICT (tick one only):
    Less than 1 day
    1 day
    1-3 days
    3-7 days
    Longer than 7 days

2.2 IT investment

10. What is your operating budget (million Euro) (tick one only)?
    Less than 10
    10-50
    50-125
    More than 125
    Don't know

11. What is your IT budget (million Euro) (tick one only)?
    Less than 10
    10-50
    50-125
    More than 125
    Don't know

2.3 Size of IT operation

12. How many staff work in the IT department (tick one only)?
    1-10
    10-50
    50-250
    Above 250
    Don't know

13. How many computers (including servers, mainframes, desktops, laptops) does your company have (tick one only)?
    1-10
    10-50
    50-250
    Above 250
    Don't know

14. Tick all of the below that your company has or supports:
    Mobile phones
    Personal Digital Assistants (PDAs)
    Wireless network
    File server
    Email server
    Database server
    Other (please state)

2.4 Extent of Outsourcing

15a. Do you outsource any IT functions or services? (Yes / No)

15b. If so, please indicate which ones:
    Frontline IT Support
    Security
    Network and Infrastructure
    IT System Management
    Software and services
    All IT functions
    Other (please state)

16. Are these services or functions covered by formal Service Level Agreements (SLA)? (Yes / No / Don't know)

2.4 IT systems in use

17a. Does your company have an Internet connection? (Yes / No)

17b. If so, please indicate which type:
    Dial-up modem
    Broadband (e.g. ISDN or ADSL)
    Very high speed (e.g. leased line or T1 or better)
    Other (e.g. satellite)

18a. Does your company use email? (Yes / No)

18b. If so, which type:
    Internal to the organisation only (e.g. Exchange or Lotus Notes)
    Internal and external (via the open Internet)
    Only via a website (e.g. Hotmail)

19a. Does your company have a website? (Yes / No)

19b. If so, which type:
    Hosted by my company
    Hosted by an external third party

20. Can your staff access company IT resources (email, files) remotely, e.g. from home, airports or hotels? (Yes / No / Don't know)

3. Organisation and Management

3.1 Perception of IT security

21. Please indicate your level of agreement with the following statements (Strongly Agree / Agree / Neither Agree nor Disagree / Disagree / Strongly Disagree):
    IT security is vital to my company's existence
    The security measures are in place in my company
    My company can easily deal with any security incident
    My company is aware of every security incident

3.2 Leadership on IT security issues

22a. Does your organisation have a single individual responsible for IT security? (Yes / No / Don't know)

22b. If so, please indicate his/her job title:
    Chairman / President / Director
    Chief Executive Officer
    Chief Operating Officer
    Chief Financial Officer
    Senior Vice President
    Security Manager
    Don't know
    Other (please state)

22c. Is this individual also responsible for physical security? (Yes / No / Don't know)

23. Please indicate the extent to which you agree or disagree with the following statements (Strongly Agree / Agree / Neither Agree nor Disagree / Disagree / Strongly Disagree):
    The Head of my company is always aware of security issues
    The Head of my company takes security seriously
    The Head of my company treats IT security in the same way as physical security
    The Head of my company takes an active interest in the regular reviews of the IT security arrangements

24a. Does your organisation have a security strategy or security policy? (Yes / No / Don't know)

24b. If so, how often is this reviewed?
    Every three months
    Every six months
    Every year
    Occasionally
    Never
    Don't know

3.3 Security organisation

25a. Does your organisation review IT security issues at a regular meeting? (Yes / No / Don't know)

25b. If so, please indicate how often this occurs:
    Once a week
    Once a month
    Every three months
    Every six months
    Once a year
    Whenever there is an incident
    Occasionally

3.4 Investment in IT Security

26. Please indicate the extent to which you agree or disagree with the following statements (Strongly Agree / Agree / Neither Agree nor Disagree / Disagree / Strongly Disagree):
    My company spends enough on information security
    It is comparatively easy for my company to justify investment in information security
    Investment in information security has increased in the last three years in my company
    My company has a process for investment in IT security that is clearly part of the overall ICT investment process

27. In your last fiscal year, how much did you spend on IT security (million Euro)?
    Less than 10
    10-50
    50-125
    More than 125

28a. Do you economically measure the benefits of security? (Yes / No / Don't know)

28b. If so, what method do you use?
    Return on Security Investment
    Internal Rate of Return
    Net Present Value
    Proprietary / Consultant method
    Other (please state)

3.5 Risk Awareness

29. Do you maintain a record of incidents? (Yes / No)

30. Please indicate which of the following you know your company has suffered or you believe may have occurred (you may tick more than one). For each item, tick "Recorded or certain" or "Possibly or uncertain":
    Scanning attempts
    Denial of Service attacks
    Unauthorised access by staff
    Infringements of laws / regulations
    Misuse of email
    Misuse of web-browsing
    Received viruses
    Virus infections
    Unauthorised intrusion attempts
    Network penetration by an outsider
    Systems failure
    Financial fraud
    Telecom fraud
    Theft or disclosure of confidential information
    Physical theft of computer hardware
    Other (please state)

31. Please rate each of the following according to its relevance for your company (Highly Relevant / Relevant / Neither relevant nor irrelevant / Irrelevant / Highly Irrelevant):
    Scanning attempts
    Denial of Service attacks
    Unauthorised access by staff
    Infringements of laws / regulations
    Misuse of email
    Misuse of web-browsing
    Received viruses
    Virus infections
    Unauthorised intrusion attempts
    Network penetration by an outsider
    Systems failure
    Financial fraud
    Telecom fraud
    Theft or disclosure of confidential information
    Physical theft of computer hardware
    Other (please state)

32. Which is the basis for your rating?
    Internal record of breaches and intrusions
    Periodic internal assessments
    Unrecorded experience of key staff
    Other (please state)

3.6 Risk Assessment

34a. Has your company undertaken a risk assessment exercise in your last financial year? (Yes / No / Don't know)

34b. If you have, please indicate your motivations for undertaking this process:
    Previous incident
    Contractual requirements
    Legal requirements
    Awareness from competitor
    Result of an audit
    Competitive advantage
    Other (please state)

34c. Please state how often this risk assessment occurs:
    Every six months
    Every year
    Occasionally
    Other (please state)

34d. Is the assessment based on a risk assessment methodology? (Yes / No)

34e. If yes, please indicate which approach was used:
    Common sense
    CRAMM
    EBIOS
    IT BPM
    MEHARI
    Proprietary by a consultant (please detail)
    Other (please state)

34f. What is included in the results of the risk assessment (tick all that apply)?
    A list of impacts
    A list of threats
    A list of vulnerabilities
    A list of risks on ICT resources, ordered by their priority
    A list of risks relating to people and facilities, ordered by priority
    A list of critical business processes

34g. How are the results of the risk assessment exploited?
    No action taken so far
    Results are presented to executives; no further action has been taken so far
    The ICT department took the initiative to cover some risks
    There is a commitment by management to cover the identified risks through security measures; budgets are allocated; a security individual is made responsible for its implementation
    Other (please state)

35. Which sources of information are you using to stay aware of the risks and of the way they can be managed (tick all that apply)?
    Awareness centres, e.g. CERT, Secunia (please state)
    Professional associations, e.g. Chamber of Commerce, Clubs for Information Security Professionals, ISF, IAAC, etc.
    Standard bodies (which ones?)
    Consultants
    Software and hardware vendors
    Service providers, e.g. Managed Security Services
    Courses, seminars (please state)

36. If you did not undertake a risk assessment exercise in your last financial year, please indicate why:
    Not deemed necessary
    Not sufficient resource
    There has been a feasibility study, which showed that it would be too expensive
    Not a priority
    No company-wide co-ordination
    Other (please state)

3.7 Security Measures

37. Please indicate which of the following security measures your company operates. For each measure, tick "Currently Operating" or "Considering Operating":
    Anti-virus software
    Intrusion Detection Systems
    Firewalls
    Content filtering
    Denial of Service defences
    Web proxy
    Vulnerability scanning
    Network security appliances
    Remote management, monitoring and auditing
    Multiple Internet service providers
    Virtual Private Networks
    File encryption
    Digital certificates
    Secure Sockets Layer (HTTPS)
    Wired Equivalent Privacy (WEP)
    Biometrics
    Two-factor authentication (e.g. password-generating token, smart card)
    Penetration testing
    Logging and auditing
    Off-site backup
    Physical security measures
    Other (please state)

38. Please indicate how regularly you do the following (Happens automatically / Once a day / Once a week / Once a month / Never):
    Update anti-virus software
    Patch software (O/S & applications)
    Update IDS / firewall definitions / policy

39. How do you make sure it is done well?
    No check
    ICT people sample sites to check this
    ICT people check all sites for this
    A regular report on the effectiveness of the measures is required by management

4. Legal Issues

4.1 Use of Insurance

40. Does your general business insurance cover information risks? (Yes / No / Don't know)

41a. Do you use specific insurance for information risks? (Yes / No)

41b. If not, please detail why:
    No suitable providers
    Too expensive
    Does not meet requirements
    Too many exclusions
    Other (please state)

42. Please indicate your level of agreement with the following statement (Strongly Agree / Agree / Neither Agree nor Disagree / Disagree / Strongly Disagree):
    My company is adequately insured to cover damage arising from information security risks

4.2 Awareness of legislation

43. Please indicate which of the following you are aware of. Please answer for the country where your company has its registered legal office:
    Data Protection legislation
    Financial transparency legislation
    Computer crime legislation
    Electronic commerce legislation
    Fraud legislation
    Other relevant legislation or regulations (e.g. Sarbanes-Oxley, Basel II)

44. Do you regularly monitor the changes to legislation? (Yes / No / Don't know)

4.3 Conformity to standards

45a. Are you certified against BS7799:2 Specification for an Information Security Management System? (Yes / No / Don't know)

45b. If not, why?
    Too expensive
    No business need
    No providers to put the measures in place to comply
    Certified against another Standard (please state)
    Other (please state)

5. Ethical and Privacy Issues

5.1 Privacy controls

46. Please indicate your agreement with the following statements (Strongly Agree / Agree / Neither Agree nor Disagree / Disagree / Strongly Disagree / Don't know):
    My company has sufficient means in place to ensure the privacy of sensitive or personally identifiable information
    My company receives sufficient assurances that private / personally identifiable information is appropriately secured

47a. Does your company transfer personally sensitive data to third parties? (Yes / No / Don't know)

47b. If so, are any of these third parties located outside your own country? (Yes / No / Don't know)

48a. Does your company have explicit agreements in place regarding safeguarding of private / personally sensitive information with (tick all that apply):
    Customers
    Suppliers
    Trading Partners

48b. How often are they reviewed?
    Every six months
    Yearly
    Never
    Don't know

49a. Does your company have a privacy statement? (Yes / No / Don't know)

49b. If so, who has access to it?
    Management
    Customers
    Suppliers
    Trading Partners
    Everyone (posted on a website)
    Don't know

6. Human Resources and Awareness

6.1 Employee Awareness

50. Please indicate where your organisation obtains its awareness of information security issues (tick all that apply):
    Newspapers
    Trade Press
    Email and general websites
    Industry websites
    Automated services
    Forums
    Topic working groups
    Professional associations
    Industry forums
    Academic lectures
    Specialist consultancies
    None of the above
    Other (please state)

51a. Do you participate in industry / chamber of commerce forums relating to information security risks? (Yes / No)

51b. If yes, please indicate how regularly you attend:
    Once a month
    Once every six months
    Once a year
    Occasionally

51c. Please indicate your level of involvement:
    Heavy involvement (e.g. chair of a working group)
    Moderate involvement (regular attendance at meetings)
    Light involvement (irregular attendance at meetings)
    No involvement

52. If you do not participate in any forums relating to information security risks, please indicate why:
    Not enough time
    Too expensive
    Cannot justify involvement to management
    Other (please state)

6.2 Staff Monitoring

53. Does your company have an IT Acceptable Use Policy (AUP)? (Yes / No / Don't know)

54a. Do you undertake monitoring of staff use of IT resources? (Yes / No)

54b. If so, please indicate how this takes place:
    Automatically
    Manually (on suspicion of an incident)

55. Are staff informed that their activities may be monitored (for example, in the company Policies and Procedures)? (Yes / No)

56. Does your HR department have access to the results of this monitoring? (Yes / No / Don't know)

57. Do you conduct background checks on (tick all that apply):
    Permanent staff
    Part time / Temporary staff
    Contractors / Consultants

58. Please indicate the extent of your agreement with the following statements (Strongly Agree / Agree / Neither Agree nor Disagree / Disagree / Strongly Disagree):
    My company is satisfied with the security procedures for employee use of IT resources
    My company is fully aware of the dangers of malicious insiders

6.3 Education and Awareness

59. Please indicate what measures you use to raise awareness about information security risks in your company:
    Events & Road-shows
    Presentations
    Published security policies and procedures
    Security awareness training
    Security bootcamps
    Security emails or online discussion groups
    Other (please state)

60. Are security concerns part of the responsibility of line management for subordinates? (Yes / No / Don't know)

61. Please indicate what level of specialist security training is present in your company:
    Second degree university level qualifications (e.g. MSc)
    Certified Information Systems Security Practitioner
    Certified Information Security Auditor
    Certified Information Security Manager
    National Computer Society / Association recognised security qualification
    Product vendor specific qualifications (e.g. Microsoft or Cisco)
    Other (please state)

7. Procedural Issues

7.1 Business Continuity Planning

62. How are responsibilities defined for Business Continuity Planning (BCP)?
    Not defined so far
    Ad-hoc development of BCP
    Line Manager has BCP in their job description
    Other (please state)

63. How is Business Continuity Planning co-ordinated within the organisation?
    No organisation-wide co-ordination
    The ICT responsible co-ordinates the BCP efforts
    The security responsible co-ordinates the BCP efforts
    Someone is appointed as a BCP co-ordinator
    Other (please state)

64. Which BCP development tool is used?
    No development tool
    Proprietary within the enterprise
    Proprietary by consultant
    Standard package (which one: Paragon (SunGard), LDRPS (Strohl), RecoveryPAC (CSCI), other)
    Other (please state)

65. Which BCP strategy has been chosen?
    No strategy
    Advance arrangement with a hardware vendor for quick replacement of damaged machines
    Advance arrangement with a BCP service provider for the availability of a recovery site
    Electronic vaulting
    Fully redundant site
    Other (please state)

66. How was the decision made about a BCP strategy?
    A budget was allocated; the less expensive solution within the available budget was chosen
    A budget was allocated; the most powerful solution within the available budget was chosen
    A Business Impact Analysis (BIA) was carried out and the strategy that best fits with the BIA result was chosen
    Other (please state)

67. How often is the Business Continuity Plan exercised / maintained?
    Never
    Less often than once a year
    Once a year
    More than once a year
    When there is a change in the continuity requirements (e.g. change in technology, new business process)
    Other (please state)

7.2 Security Review and Audit

68a. Do you conduct regular audits of your information security posture? (Yes / No / Don't know)

68b. If so, please detail the motivation for conducting this audit:
    Initiative from senior management
    Legislative requirement
    Contractual requirement
    Plan by IT Department
    Other (please state)

68c. If so, please indicate how regularly this takes place:
    Never
    Less often than once a year
    Once a year
    More than once a year
    When there is a change in the continuity requirements (e.g. change in technology, new business process)

68d. Please indicate what happens with the results of this audit:
    Acted upon within 3 months of the audit
    Acted upon within 6 months of the audit
    Acted upon within 1 year of the audit
    Ignored
    Don't know
    Other (please state)

68e. Please indicate who carried out these audits:
    Part of my company
    External organisation / consultant
    Public agency / regulator
    Other (please state)

7.3 Threat Assessment

69. Does your company undertake threat assessment activities? (Yes / No)

70. If so, please indicate how regularly this takes place:
    Automatically
    Once a week
    Once a month
    Every three months
    Every six months
    Annually
    Occasionally

71. Does your company have a threat model or undertake threat profiling of the likely motivation and intent of potential attackers? (Yes / No / Don't know)

72. Is your company aware of the relevant law enforcement agency for computer crime? (Yes / No / Don't know)

7.4 Vulnerability Assessment

73a. Do you conduct vulnerability assessment? (Yes / No / Don't know)

73b. If so, please indicate the nature of this activity:
    Red team (a team known only to a small group tries to breach security)
    White team (a team tries to breach security with the knowledge of all personnel)
    Green team (a team tries to breach security with the knowledge of all personnel and participates in activities to resolve the source of the vulnerability)
    Other (please state)

7.5 Dependency Assessment

74a. Do you conduct dependency assessment? (Yes / No / Don't know)

74b. If so, please indicate the nature of this activity:
    Working groups to identify dependencies
    Use of automated tools
    Open forums with trading partners and suppliers
    Other (please state)

7.6 Information Sharing

75a. Do you participate in information sharing activities? (Yes / No / Don't know)

75b. Please detail the nature of these activities:
    Small community groups (e.g. WARP)
    Technical bodies (e.g. CERT)
    Industry associations (e.g. ISF)
    Government run groups
    Ad-hoc working groups
    Academic groups
    Online communities
    Other (please state)

7.7 Security Review

76a. Does your company regularly review its security arrangements? (Yes / No / Don't know)

76b. If so, please indicate how frequently this occurs:
    Every 6 months
    Every year
    Every two years
    Occasionally

77. Do you undertake any form of benchmarking of your information security posture against your peers? (Yes / No / Don't know)

78. Does your company collect and review security best practices? (Yes / No / Don't know)

8. Additional Remarks and Comments

79. Please feel free to include below any additional remarks or comments you might have about risk preparedness in general or about this survey.
