DTIIUA Digital Risk Survey

1
DTI/IUA Digital Risk Survey

• Survey Results
• March 2005

2
DTI/IUA Digital Risk Survey

• Underwriting questions Completed by
  Underwriters
• IT Questions
• Completed by IT Managers

3
DTI/IUA Digital Risk SurveyWho answered the
questions?- Underwriters- Position of IT
Managers (below)
4
DTI/IUA Digital Risk SurveyUnderwriting Section

• Q 1 Is your underwriting team involved in
  providing insurance cover for unauthorised
  access?

5
DTI/IUA Digital Risk Survey Underwriting Section

If Yes to Question (1)

• If No to Question (1)

6
DTI/IUA Digital Risk Survey Underwriting Section

• Q 2 Which of the following have influenced
  your decision?

7
DTI/IUA Digital Risk SurveyQ 3 Do you
experience a lack of understanding by clients in
the covers provided for unauthorised access?
8
DTI/IUA Digital Risk Survey Underwriting Section
Q 4 What limits are being requested by clients
for the following covers
Q 5 Do you seek information from proposers in
relation to the measure they take to prevent
unauthorised access to their systems?
9
DTI/IUA Digital Risk Survey Underwriting Section
Q 6 Do you find BS7799 is being used for the
most part?If no, please state the reason (s) why

• REASONS
• We are a reinsurer
• Hard to tell as we are not actively providing
  such cover. We understand that this is a widely
  accepted standard.
• N/A
• We have ticked No to this but it is not
  applicable to us.

10
DTI/IUA Digital Risk Survey Underwriting Section
Q 7 Generally, are you finding that security
procedures are not sufficiently being attended to
by your insured's?
11
DTI/IUA Digital Risk SurveyIT SectionQ 1 How
Many employees within your organisation?Q 2
What is your organisations geographical range?
12
DTI/IUA Digital Risk SurveyIT SectionQ 3 If
you characterised your organisation as either a
regional or global entity, which statement
best describes your information security policy
structure
13
DTI/IUA Digital Risk SurveyIT SectionQ 4 What
is your organisations approximate annual sales
revenue in the most recent financial year? ()
14
DTI/IUA Digital Risk SurveyIT SectionQ 5
Approximately, what is your organisation's
information technology budget for the fiscal year
2004? For the information technology budget, we
mean software, hardware, implementations,
salaries, consultants and other expenses.

• Average Spend is 1.86 of Sales income
• Taking out the highest spend - Average spend
  is 1.31
• Smaller sales income companies spend less
  0.95 on average
• Larger companies excluding the highest spend
  1.6 on average

15
DTI/IUA Digital Risk SurveyIT SectionQ 6 How
well is your organisations information security
spending aligned with its business objectives?
16
DTI/IUA Digital Risk SurveyIT SectionQ 7
What are your organisations top 3 areas of
information security spending?
17
DTI/IUA Digital Risk SurveyIT SectionOverall
top three areas of Security Spending, resulting
from Q 7
18
DTI/IUA Digital Risk SurveyIT SectionQ 8 How
often does your organisation calculate the return
on investment for information security
expenditures?
19
DTI/IUA Digital Risk SurveyIT SectionQ 9 Who
is primarily responsible for your organisations
information security programme?
20
DTI/IUA Digital Risk SurveyIT SectionQ 10 How
often does your organisation provide its board of
directors or equivalent with a report about the
organisations information security status or
security incidents?
21
DTI/IUA Digital Risk SurveyIT SectionQ 11
Please indicate how often your organisations
executive management reviews the following
22
DTI/IUA Digital Risk SurveyIT SectionQ 12 In
your organisation, how often do the individuals
responsible for information security meet with
business unit leaders to understand their
business objectives or information security needs?
23
DTI/IUA Digital Risk SurveyIT SectionQ 13 How
does your organisation make its employees aware
of their information security obligations?
24
DTI/IUA Digital Risk SurveyIT SectionQ 14 To
what extent are government security-driven
regulations impacting your industry and
organisation?
25
DTI/IUA Digital Risk SurveyIT SectionQ 15 Is
your organisation compliant with applicable
security-driven regulations (Eg UK Data
Protection Act and the US Health Insurance
Portability Accountability Act of 1996 (HIPAA))
26
DTI/IUA Digital Risk SurveyIT SectionQ 16
What top 3 factors are the most influential when
your organisation considers adopting new
information security solutions?

• TOP 3
• Legislative or regulatory compliance
• Risk Reduction
• Reputation Trust

27
DTI/IUA Digital Risk SurveyIT SectionQ 17 In
your opinion, what are the most significant
obstacles to effective information security
within your organisation?Please indicate
28
DTI/IUA Digital Risk SurveyIT SectionQ 18 (a)
In your opinion, how important is information
security for achieving your organisations overall
objectives?
29
DTI/IUA Digital Risk SurveyIT SectionQ 18 (b)
Indication of overall objectives
30
DTI/IUA Digital Risk SurveyIT SectionQ 19
What business function (s) or services (s) has
your organisation outsourced or will outsource?
31
DTI/IUA Digital Risk SurveyIT SectionQ 20 How
do you discover if your details are being
complied with?
32
DTI/IUA Digital Risk SurveyIT SectionQ 21 How
often do you check your compliance?
33
DTI/IUA Digital Risk SurveyIT SectionQ 22
What statement best describes how your
organisation manages information security
policies with its critical relationships, eg
joint ventures, customers alliances
34
DTI/IUA Digital Risk SurveyIT SectionQ 23
Does your organisation have a process to
understand and monitor its critical
relationships business continuity plans to
ensure an acceptable level of operational
connectivity during an unexpected or unscheduled
outage?
35
DTI/IUA Digital Risk SurveyIT SectionQ 24 In
terms of your organisation over the next 12
months, please indicate the threat intensity of
the following issues
36
DTI/IUA Digital Risk SurveyIT SectionQ 25 In
your opinion, how would you rate your
organisations level of protection of its
critical business information?
37
DTI/IUA Digital Risk SurveyIT SectionQ 26 How
would you characterise your organisations
effectiveness when it comes to identifying
information system vulnerabilities?
38
DTI/IUA Digital Risk SurveyIT SectionQ 27 How
would you rate the ability of the following
entities to determine whether their information
systems were under attack?
39
DTI/IUA Digital Risk SurveyIT SectionQ28
Which of the following entities, if any, would be
contacted if your organisation experiences an
information security incident, eg a major virus
problem, an unauthorised network intrusion or a
disclosure of sensitive information on the
internet?
40
DTI/IUA Digital Risk SurveyIT SectionQ 29 If
your organisation does not report information
security incident(s) to an outside agency, what
were the primary reasons?
41
DTI/IUA Digital Risk SurveyIT SectionQ 30 To
the best of your knowledge, have any of the
following entities experienced unexpected or
unscheduled outage of a critical business system
for more than 2 hours in the past 12 months?
42
DTI/IUA Digital Risk SurveyIT SectionQ 31
What was the cause of your organisation's
unexpected or unscheduled outage of critical
business systems, if any within the last 12
months?
43
DTI/IUA Digital Risk SurveyIT SectionQ 32 In
your opinion, how aware is your organisation
about its dependence on the global information
infrastructure and the possible consequences from
the failure of that infrastructure?
44
DTI/IUA Digital Risk SurveyIT SectionQ 33 How
would you rate the ability of the following
entities to continue business operations in the
event of a malicious attack or disaster?
45
DTI/IUA Digital Risk SurveyIT SectionQ 34
Please rate your organisations sense of urgency
around business continuity/disaster recovery?
46
DTI/IUA Digital Risk SurveyIT SectionQ 35
Does your organisation have insurance coverage
for losses due to damages arising from
information security breaches?
47
DTI/IUA Digital Risk SurveyIT Section BS7799
Q 36 Are you currently employing either
ISO/IEC 17799 or BS7799 Part 2 as your security
approach to manage your information security
risks?
48
DTI/IUA Digital Risk SurveyIT Section BS7799
Q 37 If you answered NO to question 36, do you
have any plans to adopt any of the BS7799
standards in the future?
49
DTI/IUA Digital Risk SurveyIT Section BS7799
Q 38 If you answered no to Q36, can you list
some of the reasons why it is not being
considered?
50
DTI/IUA Digital Risk SurveyIT Section BS7799
Q 39 If you answered Yes to Q36, from where
did the initial drive for adoption of the
standards come?
51
DTI/IUA Digital Risk Survey IT Section BS7799
Q 40 If yes to Q36 to what extent have the
BS7799 standards increased your organisations
awareness of the risks to its information assets
addressed in Q1-36 and the value of information
security to manage these risks?
52
DTI/IUA Digital Risk SurveyIT Section BS7799
Q 41 Comments regarding the areas where
awareness has been of greatest benefit- eg,
incident reporting/response access control
procedures doing a risk assessment involving
management and driven by the business

• The main areas is to make the business aware and
  for us to have a process in identifying risks
  with our partners
• Providing a framework for development of
  Information Security Policies and Information
  Security Infrastructure.
• We implemented BS7799 over five years ago so it's
  hard to comment on where the greatest benefit was
  at that time.
• user awareness
• Risk assessment
• The greatest benefit has been in individual staff
  awareness whereby people are much less likely to
  leave us open to information security breaches
  either because of lack of knowledge or
  carelessness.
• Involving management
• helped to improve controls and procedures and
  documentation
• more ad improved focus on BCP

53
DTI/IUA Digital Risk SurveyIT Section BS7799
Q 42 If yes to Q36, to what do you see as the
greatest benefits of adopting the standards?
54
DTI/IUA Digital Risk SurveyIT Section BS7799
Q 43 BS 7799 is now being seen as part of a
wider Corporate Governance agenda. Does
organisation follow a risk based approach to
corporate governance eg, such as that required by
the LSE combined Code on Corporate Governance?
55
DTI/IUA Digital Risk SurveyIT Section BS7799
Q 44 If yes to Q36, to what extent have recent
events (such as 9/11, global virus attacks, cyber
threats, denial of service attacks, DTI survey)
influenced your organisation regarding adoption
of the BS7799 family of standards?
56
DTI/IUA Digital Risk SurveyIT Section BS7799
Q 45 If yes to Q36, what approach are you
planning to use/have you used for demonstrating
compliance against the BS7799 standards?
57
DTI/IUA Digital Risk Survey

• Survey compiled and results collated by
• The Digital Risk Working Party
• Chairman Mr Paul Skinner FCII
• Assistant Vice President
• Snr ICT Underwriting Specialist
• Chubb Insurance Company of Europe S.A.