Information Security News mailing list archives

Auditors working on cyber-risk standard


From: William Knowles <wk () c4i org>
Date: Tue, 13 Apr 2004 04:20:34 -0500 (CDT)

http://www.computerweekly.com/articles/article.asp?liArticleID=129851&liArticleTypeID=1&liCategoryID=2&liChannelID=22&liFlavourID=1&sSearch=&nPage=1

by Nick Huber 
13 April 2004 

Plans by an industry consortium to develop a checklist to assess
cyber-threats could help IT directors justify security spending and
help protect companies against hackers, according to IT directors and
industry experts.

The consortium, which includes the Big Four accountancy firms and
US-based insurance giant AIG International, aims to agree a cyber-risk
model that can be used by companies in all industries.

Auditors and insurers could also use the risk preparedness index to
help decide whether a company has adequate IT security arrangements.

Although details of the framework have yet to be finalised - and the
companies involved in the consortium have declined to comment further
- security experts said it will focus on an organisation's IT security
safeguards, such as its firewalls and anti-virus software, and compare
this to the security threats it faces.

IT directors welcomed the security initiative.

"IT infrastructure risk management is of critical importance to the
industry and Barclays broadly welcomes the principles behind this
initiative," said Barclays Group chief technology officer Kevin Lloyd.

"We will continue to monitor the development of this framework with
interest," he said.

Nick Leake, director of operations and infrastructure at ITV, said, "I
think the real value of this approach is in sorting out the companies
with dreadful levels of non-compliance/operation from those with high
levels. It will not be much use in distinguishing the better of two
already very compliant operations.

"And as with all these things, it will have to be kept up to date," he
said.

Industry experts said a model for measuring security risk would be a
breakthrough if it was widely adopted. The model would also help IT
departments justify security spending.

"The new security standard looks promising, although a lot of the
devil will be in the detail," said Graham Titterington, principal
analyst at Ovum.

"It will make it easier for people to justify spending on IT security
because the backers of the standard are blue chip companies, which
gives it credibility with the board."

Current standards for information security, such as BS7799, do not
focus primarily on assessing security risks to a business,
Titterington added.

Neil Barrett, technical director of security consultancy Information
Risk Management, said the security model would allow IT directors to
measure their organisations' security arrangements against a
benchmark.
 


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*



_________________________________________
ISN mailing list
Sponsored by: OSVDB.org
