Holisitc approach to information security urged

[InfoSec News <alerts () infosecnews org>]

http://www.tradearabia.com/tanews/newsdetails_snECO_article117330.html

TradeArabia News Service
January 09, 2007
Dubai

A survey released by the advisory practice of KPMG in the UAE shows that 
73 per cent of UAE companies are either operating or implementing a 
business continuity plan, driven by factors such as customer service, 
compliance and safety issues, with 57 per cent naming regulatory issues 
as a key concern.

However, the survey also shows that only 20 to 24 per cent of companies 
have an enterprise-wide security or continuity plan in place, with up to 
50 per cent of companies confining continuity plans to the IT department 
and limited critical systems.

Too many companies are still assigning responsibility for continuity and 
availability to the IT department, rather than taking a strategic and 
enterprise wide approach to leveraging their investments in these 
programmes.

Only 12 per cent of UAE companies currently have these functions 
reporting directly to the board, which is a common practice in leading 
global companies with robust security and continuity strategies.

"Companies in the UAE need to take a holistic approach when investing in 
their business continuity and information security programmes to ensure 
that all areas of the business are covered, rather than addressing 
issues on a case to case basis," said head of IT advisory practice for 
KPMG in the UAE and Oman Rajeev Lalwani.

Results show that companies in the UAE need to rethink their security 
and continuity policies to keep up with the growing international trend 
to integrate security and continuity functions as part of a company's 
overall risk management policy and strategic framework, through 
implementing standards such as ISO 27001.

At present, 86 per cnet of the companies surveyed had not implemented a 
global standard. Of those that did follow the standards, 21 per cent did 
not cover the whole organisation.

Management has a responsibility to protect information assets and 
preserve brand and shareholder value by ensuring the security of their 
information and the continuity of their business, it said.

"Leading organisations leverage the strength of their information 
security and business continuity programmes as one of the sources of 
strategic and competitive advantage," said principal in the business 
continuity practice of KPMG in the UK Will Brown.

Other noteworthy findings from the survey show a greater understanding 
is required on the need for geographic dispersion of disaster recovery 
sites.

Most companies surveyed have, or plan to have, secondary recovery sites 
within the same city or location in which their business operates.

This leaves businesses vulnerable in the event of a major disaster in 
that city or location. The survey also reveals that organisations 
recognise people as one of their weakest links, it said.

"Processes are left vulnerable due to human error, negligence, lack of 
awareness or even the lack of staff availability during a disruption. 
Investment in business continuity appears to be constrained, with a 
majority of firms spending in the lower end of the investment spectrum," 
it said.


_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn