Chapter 4. Information Systems Security Policies, Standards, and/or Guidelines

One of the key elements of the internal control environment within any organization is its information systems (IS) security policy (see Exhibit 1.1). An IS security policy provides the high-level framework from which all other IS security-related controls are derived. Many of us assume that nearly all organizations have an IS security policy or something that would qualify as such. Shockingly, this is not the case. According to a 1996 Datapro Information Services Group survey of over 1,300 organizations from the United States, Canada, Central and South America, Europe, and Asia, only 54 percent had an IS security policy. This was down from a high of 82 percent in 1992 and was the lowest figure since Datapro began the survey in 1991. The survey also indicated that only 62 percent of respondent organizations had assigned a specific person to be responsible for computer security, and the majority of respondents reported that less than 5 percent of their organization's information technology (IT) budget is allocated for security.

A separate worldwide survey by Xephon of England confirmed Datapro's findings. Xephon found that fewer than 60 percent of responding organizations had IS security policies. Of those that did, Xephon found that the policies were essentially made in a vacuum, with only one in five based on external standards.

More recently, a July 2000 industry survey conducted by Information ...
