Information security policies and practices for CIOs

07 Jan 2008 | SearchCIO.com

The right information security policies and practices can keep your company's IT network secure, safe from the seemingly infinite number of threats via the Internet. This Executive Guide offers guidance and support for CIOs on how to most effectively create and implement information security policies and practices.

This Executive Guide is part of the SearchCIO Executive Guide series, which is designed to give IT leaders strategic guidance and advice that addresses the management and decision-making aspects of timely topics. For a complete list of topics covered to date, visit the Executive Guide section.

Table of contents

   Fewer security breaches blamed on human error
   PCI compliance deadlines have retailers scrambling
   Offshore outsourcing: A look at the security risks
   Wikis in the enterprise face security, compliance challenges
   More resources

  Fewer security breaches blamed on human error

[Linda Tucci, Senior News Writer]

A study on information security by the Computing Technology Industry Association (CompTIA) finds that human error continues to be the main reason for security breaches, cited by 42% of the IT professionals polled. The good news is the industry can learn from its mistakes: Two years ago, that number was 59%.

The decrease in human error parallels both an increase in the number of organizations that have instituted written information security policies and a notable decline in major security breaches, suggesting that a greater awareness of IT security risks is paying off. Sixty-two percent of organizations said they had written security policies in 2006, compared with 47% in 2004. Thirty-four percent of respondents said they experienced a major security breach last year, down from 58% in 2004.

"There has been a definitive shift toward greater emphasis on making employees aware of the threats around them and having IT personnel properly trained to not only prevent IT security attacks, but also how to deal with those attacks after they occur," states the fifth annual security study from CompTIA, the industry's largest trade association.

   Learn more in "Fewer security breaches blamed on human error."

  PCI compliance deadlines have retailers scrambling

[Shamus McGillicuddy, News Writer]

With Visa U.S.A. Inc.'s first hard deadline for compliance with the Payment Card Industry's (PCI) Data Security Standard (DSS) just weeks away, merchants are ramping up efforts to get their houses in order. The question remains: Will Visa catch those who fail to get into line?

"There is a scramble going, and people are starting to take it seriously based on the financial repercussions," said Khalid Kark, an analyst at Forrester Research Inc. in Cambridge, Mass. "Over the last six months we've been getting a lot of questions and concerns about what merchants need to do and who they need to talk to. They're just so far behind the curve."

The PCI DSS is a set of policies and procedures established by the credit card industry aimed at securing transactions and cardholders' personal information. The standards were set by the industry in 2004, but experts say the extent of compliance by merchants has been spotty due to a lack of hard consequences for noncompliance. Previously, credit card companies assessed only fines for data breaches.

   Learn more in "PCI compliance deadlines have retailers scrambling."

  Offshore outsourcing: A look at the security risks

[Philip Alexander, Contributor]

Offshore outsourcing can often help companies realize substantial cost savings by sending certain functions overseas, where labor costs are a fraction of those here in the United States. However, there is more to consider than just the lower labor costs of employees in India versus their domestic counterparts. In this day and age of heightened information security sensitivity, it's important to make sure that in addition to going after cheap labor, you're not buying yourself a slew of security exposures as well.

The decision on whether or not to outsource should not rest solely with the CFO. The chief security and compliance officers should also be involved because of the many security- and regulatory-related issues involved with offshore outsourcing.

   Learn more in "Offshore outsourcing: A look at the security risks." Also:

  • Mitigate mobile security threats (SearchCIO.com)
    Mobile security threats aren't just a nuisance, they're also expensive. Find out how to reduce your risk with these steps.
  • VoIP: Security Fear Factor (CIO Decisions)
    The time is ripe for midmarket firms to jump on the Voice over IP bandwagon. But security remains a giant hurdle.

  Wikis in the enterprise face security challenges

[Herman Mehling, Contributor]

While wikis are popping up everywhere in the consumer space, they're struggling to win acceptance in the enterprise due to concerns over management, security and compliance. A mere 37% of enterprises are using wikis, according to a recent study by The Nemertes Research Group Inc. in Mokena, Ill.

Still, CIOs who are adopting wikis into their organizations are seeing numerous benefits, including improved productivity, less email, fewer meetings and better knowledge-sharing.

"Our wiki has proved invaluable," said Ted Turner, CIO at Ives Group Inc., a Sutton, Mass.-based provider of market intelligence, due diligence and risk assessment information. "We are a small but growing shop, and half of us work remotely. Intelligent collaboration is a must."

   Learn more in "Wikis in the enterprise face security, compliance challenges." Also:

  • Facebook, MySpace tolerated by businesses, survey says
    Despite known threats to security, bandwidth and employee productivity, nearly half of CIOs recently polled say they don't ban popular social networking sites such as MySpace and Facebook.
  • IBM gets into Web security with Watchfire buy (SearchCIO.com)
    IBM has become the first major player to buy into the Web application security testing space with its offer to buy Watchfire. The deal, which is expected to close later this quarter, would bring in tooling that performs ethical hacking of Web apps based on a database of known vulnerability signatures.

  More resources


