Information Security 2008 Survey

For the purposes of this survey, information security is defined as the set of activities required to protect and secure information from harmful and/or unwanted intrusion by internal and external sources.

1. Over the next 12 months, how does improving information security rank compared to other IT priorities?
Choose one
Number one priority
Among the top priorities, but not number one
Neither at the top nor bottom of the priority list
Low priority

2. How frequently do you evaluate your security vulnerabilities and overall security posture?
Choose one
Quarterly
Semi-annually
Annually
Less than once a year
No set schedule

3. How satisfied are you with your IT organization's current information security capabilities and with the products available to improve those security capabilities?
Choose one in each row (Very satisfied / Somewhat satisfied / Somewhat dissatisfied / Completely dissatisfied)
Current information security capabilities
Products available to improve information security capabilities


4. Are you currently more concerned about external or internal security threats to your information systems? Which has been the source of the greatest number of security breaches in the last 12 months? Which has caused the most damage/expense to your information systems in the last 12 months?
Choose one in each row (External threats/attacks / Internal threats/attacks / Not sure)
Top concern today
Source of most frequent attacks
Most damaging/costly


5. Which access source causes you the most concern for potential information security breaches?
Choose one
Email
Ecommerce
Remote access for mobile workers
Extranet or business partners with privileged access
Other, please specify

6. Which issue causes you the most concern for potential information security breaches?
Choose one
Lack of security products that meet current security needs
Difficulty of installing software security patches/updates in a timely and comprehensive manner
Network operating systems with unknown security flaws
Enterprise application software with unknown security flaws
Insufficient/poorly implemented security processes
Inadequately trained/unconcerned users

7. How important is each of the following security elements to your total security efforts?
Choose one in each row (Very important / Somewhat important / Not so important / Not at all important)
Security infrastructure (firewalls, IDS, etc.)
Identity management capability
Remote access and authentication services
Incident response capability
Data leak prevention (DLP)
Regular security audits and assessments
Regular penetration tests (ethical hacking)
Regular risk analyses
Secure code reviews/application testing
Regulatory compliance
Written security policies
Integrated program of technology and processes
Security Policy/Process/Procedure Framework (e.g., ISMS, ISO 17799)
End-user/client training and awareness programs
Web-site security certification


8. Which of the following are significant barriers to improving your information security capabilities?
Choose all that apply
Unrelenting introduction of new threats
Determining security requirements
Lack of standards
Available products/tools don't meet requirements
Difficulty in implementing products/tools
Cost of products/tools too high
Lack of experienced staff
Staff turnover
Amount of staff training required
Amount of end-user training/education required
Organizational/process issues
Justifying costs/benefits to upper management
Lack of upper management support
Other projects with higher priority

9. In which of the following areas does your enterprise encounter the most risk to achieving its mission? In which area will risk increase the most over the next 2-3 years?
Choose one in each row (Competition / Finances / Operations / Environment / Human capital)
Source of most risk today
Most increase in risk over next 2-3 years


10. How much do you expect each of the following to contribute to increases in risk over the next 2-3 years?
Choose one in each row (Extensively / Moderately / Very little / Not at all)
Growing operational complexity
Expanding communications channels
Government regulations/standards
Push for revenue growth
Geographic expansion


11. Over the next 2-3 years, will your enterprise most likely:
Choose one
Implement risk management tools across all business and functional units
Implement risk management tools within some business and/or functional units
Evaluate risk management tools for future implementation
Not evaluate or implement risk management tools

12. What percentage of your IT organization's budget is spent on security products/services and security management?
Enter number


13. How many employees does your IT organization support?
Choose one
Less than 1,000
1,000-9,999
10,000 or more
Don't know

To be entered into the drawing for a $100 American Express Gift Cheque, please enter your E-mail address below. If you cannot be reached by E-mail, enter your name and daytime telephone number for the drawing only.
Email

Name

Telephone number


Thank you for your participation.




Copyright © 2008 BT INS, Inc. and its licensors. All rights reserved.