2010 Information Risk Management Maturity Survey (Extract)

Introduction

This report has been produced as a result of a survey conducted jointly by CA, Comsec and ExecIA, using the ExecIA Controls Assessment (ECA) tool. The survey asked respondents to select their current and target capability maturity in 31 areas of information assurance risk control. The control areas were selected from international standards and best practices such as ISO27001, COBIT and ITIL. The capability maturity levels are designated as follows:
  • 0. Processes not present or required.
  • 1. Ad-hoc, undocumented processes used.
  • 2. Documented processes in place, but not always fully communicated.
  • 3. Processes fully documented, communicated and deployed appropriately.
  • 4. Fully documented processes, with regular training, enforcement and monitoring.
  • 5. Processes documented and automated; with full training, enforcement, monitoring and audit.
About 20 UK respondents took part in the survey. These were all from large or very large organisations in a range of sectors, including banking and finance, retail, transport, IT services and government. The analysis below is an extract of some of the most interesting findings from the survey.

Most Mature Control Areas

As expected, the most mature controls are either operational (O) or tactical (T). Malicious code protection is probably the best-understood technical control area, and it is therefore no surprise to find it the most mature. The fact that mobile and remote security is in second place reflects the emphasis that has been placed on this area in recent years, following high-profile information breaches related to it. It is interesting that policy management is the only strategic control (S) that appears in the top 10, reflecting the fact that most organisations begin to tackle information assurance by putting appropriate policies in place.
Figure 1: Most mature control areas

Least Mature Control Areas

On the other hand, of the 10 least mature control areas, 7 are in the strategic group. The single tactical control area (access) not only presents many technical challenges, but also involves strategic issues related to human resources and the requirement for coordination throughout the organisation. Similarly, the two related operational controls (incident handling; monitoring and response) are complex issues with strategic ramifications in terms both of coordination and human resources.

As organisations move towards utilising “the cloud” for the delivery of IT as a service, many of the controls will increase in importance. Specifically:

  • Access controls
  • Metrics and audit
  • Business alignment and governance
  • Architecture and planning
  • Compliance management
Figure 2: Least mature control areas

Largest Control Area Gaps

Table 1 shows the ten control areas that have the largest gaps between the average current and target maturity scores. Here strategic control areas comprise 4 of the top 5. In general the list reflects those issues highlighted previously.

Analysis of the top 10 gaps for each of the organisations which took part in the survey has revealed a surprising degree of consistency. For every organisation, at least 30% of its top 10 control gaps appeared in the list below, and one organisation's top 10 control gaps matched the table below entirely (100%). On average, the organisations responding to the survey shared 58% of their top 10 control gaps with the average list shown below. The implication of this is that most organisations have similar information assurance issues in common. Information sharing on this subject is therefore likely to prove productive.

Table 1: Largest Control Area Gaps
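The consistency analysis above (ranking each organisation's gaps, ranking the survey-wide average gaps, and measuring how much the two top lists overlap) can be reproduced from current/target ratings on the 0-5 scale. The following is an added example written for this extract, not the ECA tool or the survey's data; the organisations, control-area names and ratings are constructed, and it ranks the top 3 of 8 areas rather than the report's top 10 of 31 so that the overlap is easy to follow.

```python
"""Gap analysis in the style of the survey's Table 1. Added example: not the
ExecIA Controls Assessment tool and not survey data; ratings are constructed."""
from fractions import Fraction

# Constructed ratings: area -> (current, target) on the report's 0-5 scale.
# The real survey covered 31 control areas and ranked the ten largest gaps;
# this sample uses 8 areas and ranks the top 3 so the overlap is visible.
SURVEY = {
    "org_a": {"malicious_code": (4, 4), "mobile_remote": (3, 4), "policy": (3, 4),
              "access": (1, 4), "metrics_audit": (2, 3), "governance": (1, 3),
              "architecture": (1, 2), "compliance": (1, 3)},
    "org_b": {"malicious_code": (3, 4), "mobile_remote": (3, 4), "policy": (2, 3),
              "access": (2, 4), "metrics_audit": (0, 3), "governance": (1, 4),
              "architecture": (0, 2), "compliance": (2, 3)},
    "org_c": {"malicious_code": (4, 5), "mobile_remote": (4, 4), "policy": (3, 3),
              "access": (2, 3), "metrics_audit": (1, 2), "governance": (2, 4),
              "architecture": (1, 3), "compliance": (1, 4)},
}
TOP_N = 3

def ranked_gaps(scores, n=TOP_N):
    """Areas with the n largest (target - current) gaps, largest first.
    Ties are broken alphabetically so the ranking is deterministic."""
    gaps = {area: tgt - cur for area, (cur, tgt) in scores.items()}
    return [a for a, _ in sorted(gaps.items(), key=lambda kv: (-kv[1], kv[0]))][:n]

def average_scores(survey):
    """Per-area average current and target maturity across organisations.
    Fractions keep the averages exact, so equal average gaps really tie."""
    orgs = list(survey.values())
    areas = sorted({a for s in orgs for a in s})
    return {a: (Fraction(sum(s[a][0] for s in orgs), len(orgs)),
                Fraction(sum(s[a][1] for s in orgs), len(orgs))) for a in areas}

def overlap_counts(survey, n=TOP_N):
    """How many of each organisation's top-n gaps also sit in the survey-wide top-n."""
    avg_top = set(ranked_gaps(average_scores(survey), n))
    return {org: len(set(ranked_gaps(s, n)) & avg_top) for org, s in survey.items()}

def shared_top_gaps(survey, n=TOP_N):
    """Per-organisation overlap as a percentage, and the mean across organisations
    (the figure the report quotes as 58% for its top-10 lists)."""
    counts = overlap_counts(survey, n)
    per_org = {org: round(100 * c / n, 1) for org, c in counts.items()}
    overall = round(100 * sum(counts.values()) / (n * len(counts)), 1)
    return per_org, overall
```

With the constructed ratings, `ranked_gaps(average_scores(SURVEY))` gives the survey-wide list and `shared_top_gaps(SURVEY)` shows one organisation matching it fully and two matching two of three entries.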

Download the complete summary report here.

(C) ExecIA LLP 2011