Managing risk is an increasingly important part of the job of CIOs and IT executives. Risk management includes securing corporate systems, networks, and data, ensuring availability of systems and services, planning for disaster recovery and business continuity, complying with government regulations and license agreements, and protecting the organization against an increasing array of threats such as viruses, worms, spyware, and other forms of malware.
The following is a list of recent advisory reports within this section.
Security Incident Management Adoption Trends
Computer Economics research shows that security incident management as a best practice is only moderately mature. Despite the escalation in threat levels over the past few years, many companies are choosing to operate with informal management of security incidents. However, this is a practice that every IT organization should embrace with some level of rigor. In this study, we introduce this best practice and look at adoption trends by organization size and sector. We also introduce some providers of security incident management systems and services. (14 pp., 5 fig.)
Disaster Recovery Outsourcing Trends and Customer Experience
Because information technology plays a significant role in the functioning of nearly all business operations, it is essential for IT organizations to be able to restore services after a disaster. This report analyzes the percentage of organizations outsourcing disaster recovery capabilities (frequency), the scope of work outsourced (level), and the change in the amount of work being outsourced (trend). We also present data on the cost and service experiences of IT organizations that outsource disaster recovery, and we identify the business sectors most likely to outsource their disaster recovery operations. (18 pp., 9 fig.)
Security Compliance Audit Adoption and Best Practices
Periodic audits of IT security policy compliance are a mandate for many organizations, particularly those that process and store personal data such as patient information and customer financial records. This study examines the extent to which IT organizations have made use of IT security policy audits and measures the level of engagement in the practice. We also look at how adoption of this best practice differs by organization size and sector. Finally, we provide recommendations for monitoring the success of security audits. (15 pp., 5 fig.)
IT Security Spending Benchmarks
Although IT security spending as a percentage of the IT budget is flat year over year, the trend has been upward over the past four years. This study establishes benchmarks that enable organizations to assess their spending on IT security software, hardware, and services. The benchmarks include IT security spending as a percentage of the IT budget and IT security spending per user. We examine the four-year trend in these benchmarks as well as variances by organization size and sector. We conclude with recommendations for optimizing IT security costs and ensuring the budget is spent effectively. (19 pp., 10 fig.)
IT Security Outsourcing Trends and Customer Experience
IT security is a critical area for enterprise IT managers, who face a growing number of threats. In light of the new realities, this study is designed to help IT executives compare their outsourcing activity with other IT organizations. We use three metrics to measure IT security outsourcing activity: how many organizations outsource IT security (frequency), how much of the workload is typically outsourced (level), and the change in the amount of work being outsourced (trend). We also measure the cost and service experience of companies that outsource this function. (18 pp., 8 fig.)
IT Security Staffing Ratios
IT security staffing is rising in the wake of a continuing drumbeat of security breaches. For many IT organizations, this means reassessing the adequacy of their IT security budgets and staffing levels. In this study, we present data about the five-year trend in IT security staffing. In light of current trends, we help IT executives assess their security staffing needs by providing four benchmarks: IT security specialists as a percentage of the IT staff, IT security specialists as a percentage of the Network and Communications Group, applications per IT security specialist, and network devices per IT security specialist. We also assess the influence of organization size and sector on staffing requirements. (20 pp., 11 fig.)
Disaster Recovery as a Service May Be in Your Future
The ability to recover from scheduled or unscheduled downtime is becoming more affordable due to an increasing number of disaster-recovery-as-a-service (DRaaS) providers. Over the past 18 months, the number and scope of DRaaS options have grown, and more managed service providers are building out cloud-based disaster recovery service operations with varying costs and capabilities. This report covers the key components of a DRaaS solution, the advantages and disadvantages of cloud-based disaster recovery, and key vendors in this growing market. (11 pp., 4 fig.)
A Practical Framework for Business Continuity Planning
Too often, disaster recovery is simply an information-technology-led exercise. There is a growing recognition, however, that contingency planning needs to go beyond recovery of IT systems to become a business-led process that prepares the organization for many forms of disruption and ensures that the business itself—not just the IT systems—will continue uninterrupted. This report provides practical guidance on best practices for business continuity planning. (11 pp., 2 fig.)
Disaster Recovery Spending Benchmarks
How much should an IT organization be spending on its disaster recovery efforts? In this study, we look at disaster recovery spending per user, per server, and as a percentage of the IT operational budget. We also examine differences in disaster recovery spending by organizational size and sector. Finally, we assess how many organizations are periodically testing their disaster recovery plans, a best practice that is all too often ignored. The metrics provided in this report can be used to benchmark an organization’s disaster recovery spending and testing practices against industry standards. (15 pp., 10 figs.)
Malicious Insider Threats
This special report, based on our survey of IT security professionals and executives worldwide, analyzes malicious insider threats to businesses. Basic categories of malicious threats include accessing confidential information without authorization, disclosing confidential information, executing fraudulent transactions, and sabotage of the organization’s systems, network, or data. For each of these four categories of threat, we present data concerning the perceived seriousness of the threat and actual incidents and risks of each type. We then analyze the popularity of various methods for preventing, countering, and detecting incidents of malicious insider activity. (47 pp., 27 figs.)
Preparing IT for a Different Kind of Disaster: an Influenza Pandemic
Public health authorities warn that the risks of a pandemic are growing in light of the swine flu outbreak and avian flu cases. Because pandemics are fundamentally different from the disasters commonly envisioned in business continuity plans, most IT organizations are not prepared to face this threat. This updated report outlines the specific ways in which pandemics are different from other types of disasters. It suggests three planning scenarios, and it outlines specific actions that IT risk managers should consider to prepare for a potential flu pandemic. If adequately prepared, the IT group will be able to continue to support critical business functions, and it can provide solutions to help the organization get through a pandemic. (12 pp., 1 fig.)
Insider Misuse of Computing Resources
This special report, based on our survey of IT security professionals and executives worldwide, analyzes the threat of insider misuse of computing resources--that is, any violation of an organization's policies regarding acceptable use. Examples include unauthorized file copying; downloading of software, music, or other media; P2P file-sharing; rogue remote access programs, modems, and wireless access points; misuse of business or personal email; instant messaging; blogging and posting to message boards; and personal web surfing. For each of these types of insider misuse, we present data concerning the perceived seriousness of the threat, typical organizational policies or lack thereof, frequency of violations against company policy, analysis of preventive and detective actions taken by organizations to deter the misuse, and typical levels of enforcement. (77 pp., 75 figs.)
Mitigating Security Threats by Minimizing Software Attack Surfaces
An important method for improving the security of software is to assess and minimize the system's "attack surface." In this report, we provide a conceptual understanding of attack surfaces and explore how to use this concept to improve security of both internally-developed software as well as systems purchased as off-the-shelf software. We conclude by recommending best practices for limiting attack opportunities on IT systems. (4 pp., 2 figs.)
Business Continuity Spending: How Much Is Enough?
How much business continuity spending is appropriate for the level of risk an organization is willing to accept? In this study, we look at average spending on business continuity as a percentage of the IT budget. Because risks and compliance issues can vary widely from sector to sector, we break down spending by industry to provide more targeted metrics. We also analyze spending by organizational size and look at the change in spending levels from 2006 to 2007. Finally, we investigate how organizations rank disaster recovery improvements as a budgetary priority. (4 pp., 5 figs.)
Moving Security Beyond Regulatory Compliance
Organizations today must comply with a greater number of regulations than ever before, many of which deal with information and system security. While the intent of these regulations is good, their proliferation is burdensome. Even more troubling, it is possible to be compliant but not secure. Based on our survey of 100 security, IT, and compliance professionals, this article proposes four principles for establishing a security program that goes beyond regulatory compliance. (5 pp., 6 figs.)
Making Security an Integral Part of Project Management
Vulnerabilities are often introduced into an organization when changes are made to its technology, business processes, or facilities. Therefore, security should be an important element of project management, to ensure that the security implications of these changes are addressed. However, a recent survey by Computer Economics suggests that executives have not adequately integrated their security and project management functions. This article presents the results of our survey on the role of security in project management. Additionally, we review the positive impact that security can have on project management practices. (5 pp., 9 figs.)
Resolving the Data Center Power and Cooling Crisis
This article investigates the current crisis in data center power and cooling and provides recommendations for resolving it. It provides forecasts of computer power usage and energy costs and identifies the sources of demand for power in the data center. Unfortunately, common practices of data center managers often worsen the problem. Finally, we outline new approaches that organizations can take to gain control over power and cooling requirements. (3 pp., 2 figs.)
The Business Case for Keystroke Dynamics in Multi-Factor Authentication
Username and password pairs as authentication factors are as weak as they are ubiquitous. They can be phished, stolen, discovered, and cracked in a number of ways. Use of a single factor of authentication is so weak that the Federal Financial Institutions Examination Council (FFIEC) is requiring that all online banking services adopt multi-factor authentication by the end of 2006. In light of these needs, a technique known as keystroke dynamics (or typing dynamics) is emerging as an effective way to strengthen user authentication. This special report provides scenarios that illustrate the application of keystroke dynamics. We then present a probability model that can be used to analyze the security benefits of multi-factor authentication. Finally, we present an economic analysis of the financial benefits of keystroke dynamics. (8 pp., 5 figs.)
The Relative Effectiveness of Spam-Blocking Solutions
Are we winning the battle against spam? This report, based on a survey of over 100 IT managers, email/security professionals, and end-users, finds that perceptions differ between these groups. Furthermore, experiences differ according to the choice among four types of spam-blocking products: third-party spam-blocking services, server-based anti-spam software, client-based spam filters, and anti-spam appliances. The survey also explored the reasons that executive management approves spam-fighting technology. (8 pp., 9 figs.)
Organizations are at Risk from Lax Wi-Fi Security
According to our research, laptop computers comprise about one-third of all personal computers in U.S. and Canadian businesses, and most of them include wireless communications capabilities. But according to data from our 2006 IT Security Study, many IT organizations fail to grasp many of the easier concepts and configurations that are available to secure wireless networks. This article quantifies the adoption rate for two public wireless security standards (WEP and WPA) and breaks down the analysis by organizational size (based on the number of laptops supported). The article also includes practical recommendations for securing wireless networks and itemizes the reasons that organizations should upgrade to the WPA standard as soon as possible.
Overcoming Obstacles to Data Classification
A formal data classification scheme is fundamental to information security. Yet, many organizations--even those that profess a commitment to protecting company and customer information--fail to implement data classification. This article looks at the reasons that data classification can be difficult to develop and implement in practice and offers several practical guidelines to overcome these obstacles.
Combating Back Door Vulnerabilities in Data Center Procedures
Although IT professionals usually adhere to strict security guidelines when dealing with user systems, they sometimes drop their guard when they implement systems and procedures in the data center itself. This article highlights the security weaknesses that can be created by such administrative procedures and outlines common-sense management practices that can close such back door vulnerabilities.
Countering the Phishing/Pharming Threat
Phishing attacks are growing in number and in technical sophistication. Furthermore, the impact of these incidents is increasing, with a significant portion in the form of pharming attacks, the newest and most deadly form of phishing. This article explains the evolution of phishing attacks and outlines the countermeasures that organizations need in order to defend effectively against them. (9 pp., 2 figs.)
Disaster Recovery Lessons Learned from Hurricane Katrina
Katrina exposed a weakness in the disaster recovery plans of many organizations. In addition to providing a secondary data center to recover critical IT business systems, companies must also plan to relocate key IT support personnel and key users to administer those systems. This article outlines key considerations in preparing for a Katrina-level disaster and provides updated guidelines for the safe distance and location of the recovery data center. (5 pp., 1 fig.)
Data Center Recovery Site Planning: Geographic Considerations
The U.S. federal government and private industry have developed new guidelines that can be helpful in deciding the optimal distance between the data center and its recovery site. Based on various studies conducted over the past few years, it is clear that the placement of a recovery site too far away from the main data center can be as much of a problem as placing it too close. This research report provides guidelines for the optimal distance.
Organizations Are Not Adopting Measures to Limit Impact of Security Intrusions
The increasing threat of security intrusions has failed to motivate many organizations to take the steps necessary to protect their software, hardware, and data. Clearly, the increase in these incidents shows a growing sophistication on the part of those who launch these attacks. The problem is, however, exacerbated by organizations failing to adopt prudent measures that would either prevent intrusions or mitigate their impact. This article highlights the extent of security intrusions in surveyed companies by point of entry and by type, and it documents the extent to which the same companies are not implementing common security measures to defend against such attacks. (7 pp., 6 figs.)