[ISN] Auditors working on cyber-risk standard

From: William Knowles (wk@private)
Date: Tue Apr 13 2004 - 02:20:34 PDT

    http://www.computerweekly.com/articles/article.asp?liArticleID=129851&liArticleTypeID=1&liCategoryID=2&liChannelID=22&liFlavourID=1&sSearch=&nPage=1
    
    by Nick Huber 
    13 April 2004 
    
    Plans by an industry consortium to develop a checklist to assess
    cyber-threats could help IT directors justify security spending and
    help protect companies against hackers, according to IT directors and
    industry experts.
    
    The consortium, which includes the Big Four accountancy firms and
    US-based insurance giant AIG International, aims to agree a cyber-risk
    model that can be used by companies in all industries.
    
    Auditors and insurers could also use the risk preparedness index to
    help decide whether a company has adequate IT security arrangements.
    
    Although details of the framework have yet to be finalised - and the
    companies involved in the consortium have declined to comment further
    - security experts said it will focus on an organisation's IT security
    safeguards, such as its firewalls and anti-virus software, and compare
    this to the security threats it faces.
    
    IT directors welcomed the security initiative.
    
    "IT infrastructure risk management is of critical importance to the
    industry and Barclays broadly welcomes the principles behind this
    initiative," said Barclays Group chief technology officer Kevin Lloyd.
    
    "We will continue to monitor the development of this framework with
    interest," he said.
    
    Nick Leake, director of operations and infrastructure at ITV, said, "I
    think the real value of this approach is in sorting out the companies
    with dreadful levels of non-compliance/operation from those with high
    levels. It will not be much use in distinguishing the better of two
    already very compliant operations.
    
    "And as with all these things, it will have to be kept up to date," he
    said.
    
    Industry experts said a model for measuring security risk would be a
    breakthrough if it was widely adopted. The model would also help IT
    departments justify security spending.
    
    "The new security standard looks promising, although a lot of the
    devil will be in the detail," said Graham Titterington, principal
    analyst at Ovum.
    
    "It will make it easier for people to justify spending on IT security
    because the backers of the standard are blue chip companies, which
    gives it credibility with the board."
    
    Current standards for information security, such as BS7799, do not
    focus primarily on assessing security risks to a business,
    Titterington added.
    
    Neil Barrett, technical director of security consultancy Information
    Risk Management, said the security model would allow IT directors to
    measure their organisations' security arrangements against a
    benchmark.
    
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen. Alfred M. Gray, USMC
    ----------------------------------------------------------------
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ================================================================
    Help C4I.org with a donation: http://www.c4i.org/contribute.html
    *==============================================================*
    This archive was generated by hypermail 2b30 : Tue Apr 13 2004 - 06:14:50 PDT