Organisation.doc
Organisation.doc Presentation Transcript

  • 1. WHITE PAPER – Volume 2 (www.lecercle.biz). Organisation: Le Cercle Européen de la Sécurité. Production: Comprendre et Réussir. Media partner / sponsor: www.cigref.fr. Sponsors: Chambre de Commerce et d’Industrie de Paris.
    Towards IT Security benchmarking ?
    Since 2003, the Cercle Européen de la Sécurité has conducted a survey on IT security functions and organisation. More than a statement, the results focus on major trends in IT risk management and provide new perspectives for professionals. In 2004, over 60 figures were published in the first White Paper of the Assises de la Sécurité, named « For a strategic management of cyber-risks ». This was a first step towards benchmarking IT security practices. In 2005, the survey will focus on indicators, dashboards and management tools. The results will be published in the White Paper – Volume 2, named « Towards IT security benchmarking ? ».
    THE PANEL: Officers, Directors and Managers of Information Systems, IT security or IT risks, from any company based in France, the UK, Germany, Switzerland, Benelux, Spain or Italy.
    IMPORTANT: Participants are kindly invited to attend the Assises de la Sécurité, 20th - 22nd October 2005 in Monaco. Please contact Pierre-Augustin (pierre-a@dgconsultants.fr) to organize your journey. Travel from Paris and hotel expenses are free of charge.
    Organisation : Le Cercle Européen de la Sécurité « IT security jobs and management in Europe » 25/05/2010 Production : Comprendre et Réussir 2005 survey All rights reserved Comprendre et Réussir
  • 2. RESPONDENT
    Last name: / First name: / Phone: / Job title: / Email: / Company: / Number of employees:
    PLEASE READ THIS PORTION BEFORE ANSWERING THE QUESTIONNAIRE
    Only provide answers to the questions related to your activities. No confidential information is requested. You will need about 30 minutes to answer all the questions.
    Return the questionnaire:
        either in electronic form (double click on the answer field, then change « default value » to select an item) and email the document to vp@comprendre-et-reussir.com,
        or in paper form (print and fill in) and fax the document to +33 (0) 145 75 99 97,
    before July 15th.
    Do not forget to email pierre-a@dgconsultants.fr (before June 1st) if you plan to attend the Assises de la Sécurité 2005.
    THANK YOU VERY MUCH FOR YOUR PARTICIPATION!
  • 3. THEME 1 : THE RESPONDENT AND HIS TEAM
    1.1 Are you dedicated to IT security activities? Yes / No
    1.2 What is your position within the organisation? Board or Executive committee member / N-1 / N-2 / N-3 / N-4 and beyond
    1.3 What is the job / function of your manager? IT Managing Director / Finance / Security / Safety / Audit / Risk Management
    1.4 Do you have a formal / legal responsibility in terms of: Security laws, Privacy, … / Budgets
    1.5 For how many years have you been employed … ? In your current job: / In IT security:
    1.6 Does your activity focus on: Strategy (“risk” oriented) / Operations (“tools and organisation” oriented) / Both
    1.7 Are you invited to speak at least once a year in an executive committee? Yes / No
    1.8 Are you involved in international activities / operations? Worldwide / Europe
    1.9 How did you start in your current job? Internal promotion / Personal job search / After being a consultant / Through a recruitment firm
    1.10 What is your global salary in 2005 (including bonus, car)? less than 60 k€ / from 60 to 80 k€ / from 80 to 100 k€ / more than 100 k€
  • 4. THEME 1 : THE RESPONDENT AND HIS TEAM
    1.11 Do you hold a diploma in IT security? Yes / No. If yes, which diploma?
    1.12 Have you completed an individual certification process? Yes / No. If yes, which one?
    1.13 Do you plan to go through an individual certification process? In progress / Certainly / Don’t know / No interest
    1.14 How many dedicated security professionals are in your team (including yourself)? Employees: / Consultants:
    1.15 What improvements are requested for your team? Technical expertise / Standards knowledge / Professional behaviour (risk management, legal aspects, economics, …) / Business risks understanding
    1.16 Should security certifications (organisations or professionals) be mandatory? Yes / No / Don’t know
  • 5. THEME 2 : SCOPE OF ACTIVITIES
    2.1 Are you involved in the following domains?
        computer fraud management
        privacy protection
        intellectual property protection
        prevention of economic espionage
        prevention of economic / financial fraud
        protection against natural hazards and catastrophes
    2.2 Are you involved with your team in the following management domains?
        definition of security policy
        security standards and architecture
        security policy implementation
        security projects management
        definition of roles and responsibilities
        risk analysis of IT projects
        legal compliance
        security audits
        education and awareness
        monitoring / keeping abreast
        business continuity
        security budgets
    2.3 Are you involved with your team in the following operational domains?
        authentication and access controls
        cybersurveillance, security supervision
        network firewalling and intrusion management
        disaster recovery planning
        malicious codes and virus protection
        incident management and investigations
        patch management
        physical access control
        wireless connections protection
        sites physical security
        data encryption
        secure archives
        electronic signature and transactions security
        other :
  • 6. THEME 2 : SCOPE OF ACTIVITIES
    2.4 What are the 4 roles which describe you best in 2005?
        Regulator (security policy manager)
        Administrator (of security tools and processes)
        Educator
        Controller (dashboard provider)
        Monitor (keeping abreast, expertise)
        Auditor
        Architect
        Emergency expert (i.e. « fireman »)
        Analyst (of risks)
        Investigator (evidence provider)
    2.5 If you are involved in monitoring and keeping abreast activities, you analyse and provide information on: threats / vulnerabilities / tools, techniques / legal aspects
    2.6 If you are involved in investigations, you work on: evidence provision / economic impacts
    2.7 What is the scope of your collaboration with IT teams?
        security policy definition
        security policy implementation
        security processes implementation
        security tools implementation and administration
        implementation of security within IT projects
        design of technical solutions
        other
    2.8 If relevant, what is the scope of your collaboration with a “personal data protection” manager? Privacy administration relationships / Data protection implementation / Data protection audit
    2.9 If relevant, what is the scope of your collaboration with the legal department? Security Policy / Contracts / Lawsuits
  • 7. THEME 2 : SCOPE OF ACTIVITIES
    2.10 Are you involved in the annual audit plan with the internal audit department? never / once a year / more than once a year
    2.11 If relevant, what is the scope of your collaboration with the internal audit department? Accounts certification / Fraud management / Compliance
    2.12 Your collaboration with the physical security department is: frequent / weak / none
    2.13 If relevant, what is the scope of your collaboration with the physical security department? Computer sites protection / Physical access / Disaster recovery and crisis management / Investigations
  • 8. THEME 3 : INDICATORS AND DASHBOARDS
    3.1 Have you implemented IT security indicators in your company / organisation? Yes / In progress / scheduled / No
    3.2 They are related to: Finance / Operations / Risks / Organisation
    3.3 They are used to: anticipate management evolutions / Measure non compliance vs objectives / Understand non compliance / Make decisions
    3.4 Financial indicators concern:
        evaluation / assessment of potential risks
        insurances
        impacts of incidents, attacks, disasters
        ROI
        security expenses
        part of IT budget dedicated to security
    3.5 Risk (threat) indicators concern:
        natural hazards / catastrophes and business continuity
        economic fraud
        logical attacks (virus, intrusion, sabotage, …) focused on IT activities
        loss of reputation, image
        economic espionage, information theft
        piracy (technologies, content, …)
  • 9. THEME 3 : INDICATORS AND DASHBOARDS
    3.6 Organisation indicators concern:
        people dedicated to IT security
        security awareness sessions for employees
        certified security professionals
        presentations to board of directors
        security coordinators in business units
        formal security and incident procedures
        security training sessions
        security committee meetings
    3.7 Operational indicators concern:
        patch management
        network access management
        anti-virus management
        incident management
        identity management
        infrastructure performance
        password management
        test of back up and recovery procedures
        authorisation management
        other:
    3.8 Are they based upon: ISO 17799 / CoBIT / ITIL / other (Bâle committee, …)
    3.9 While implementing security indicators, Sarbanes Oxley regulation impact is: High / Low / None
    3.10 While implementing security indicators, European or domestic Privacy regulation impact is: High / Low / None
    3.11 Your company position within BS 7799 certification is: done / in progress / scheduled / not planned
    3.12 Dashboards are produced for: CIO / Board of Directors / Audit Committee
  • 10. THEME 3 : INDICATORS AND DASHBOARDS
    3.13 According to you, these dashboards are useful to: Expenses justification / Security culture development / Owners’ trust
    3.14 Are these indicators presented in the Company annual report? Yes / No
    3.15 According to you, which are the items that could benchmark companies / organisations in the field of IT security?
        proportion of security professionals (vs number of employees)
        Implementation of key management items: dedicated manager, policy, audit plan
        proportion of IT security budget (vs IT budget)
        Quality of security professionals (training, certification, graduation, …)
        economic impacts of incidents (vs revenues)
        Implementation of key security technologies
        ISO 17799 / BS 7799 compliance
        Corporate Chief Executive in the security committee
        IT security chapter included in the annual report
        Other