[ISN] Top UK companies are failing to develop written security policies

InfoSec News isn at c4i.org
Wed Sep 8 08:47:46 EDT 2004


by Nick Huber 
7 September 2004 

Almost half (47%) of the UK's top 350 companies do not have a fully
documented information security policy, despite the proliferation of
computer viruses and the impact a security breach could have on a
company's share price, according to a survey.

The IT department is left to develop and enforce a security policy in
71% of FTSE 350 companies, according business executives questioned
for the survey.

Simon Owen, partner in the technology assurance practice at
professional services firm Deloitte, said, "The findings are as
alarming as any written security policy. If you fail on security, how
confident can management be that controls are strong throughout the

"It could be symptomatic of wider problems throughout the company."

Owen said a written policy on an organisation's information security
should be no longer than 10 pages and avoid jargon. It should cover
internal and external threats and be backed up by training to raise
awareness of security issues among staff, he added.

UK companies with a casual approach to IT security also risk the anger
of shareholders, according to the survey, which was commissioned by IT
services company LogicaCMG, which questioned senior executives at 20%
of the FTSE 350 companies.

A security breach would have an impact on a company's share price,
according to 83% of investors, and 68% said that a company's policy on
IT security would be a significant factor when deciding whether to buy
or sell its shares.

Getting it right

"UK companies have a misplaced conception that increased spend in IT
security will mitigate information violations. Unfortunately,
devolving responsibility of information governance away from the board
room to the IT department will not safeguard information assets.

"Information security governance needs to be embraced throughout the
organisation. The best technology in the world cannot alone prevent
the implications of negligent human behaviour."

More information about the ISN mailing list