Security Survey Executive Summary October 2008

Transcription

1 A government technology Executive Survey Summary: HP Security Survey Executive Summary October 2008 Produced by: In Partnership With:

2 Introduction Information is paramount to the survival of government s business, and the push towards more electronic data sharing and citizen transactions is growing rapidly as a means to provide enhanced services and reduce expense. Yet a dynamic, transparent government can come at a cost as it only takes one weak link to disable an entire network or critical IT infrastructure. To avoid embarrassing headlines, costly recovery and diminished public trust, the burden weighs heavily on leaders to enact proactive security management to preserve the growing volumes of data it must now collect, protect against security gaps and facilitate authorized access. Facing this challenge is the top agenda item for Government Technology s state and local readers who rank Information Security as their priority focus going into This mounting steady pressure on the public sector landscape prompted Government Technology to survey its readers on various areas of security management including if their agencies have undergone IT operational risk assessments, and at what levels data protection has been implemented. With more than 300 completed surveys over the course of two weeks, courageous government professionals continue to seek the best approach and strategy to execute a secure environment for better citizen engagement and governance. Survey Methodology & Participants This online survey was completed by a random sampling of Government Technology s readership including IT executives, policy makers and agency management across state and local government. The targeted population was given approximately two weeks to respond, and received two communications directing them to the online questionnaire. All aspects of the survey including questionnaire development, deployment and report preparation have been completed by Government Technology. All reported responses have been included in this summary. Total Numbers of s Sent... 19,188 Surveys Completed July 2008 Government Technology Reader Survey 2

3 Respondent Demographics Level of Government 46.9% State 39.8% Local 3.7% Higher Education 3.7% K-12 Education 5.8% Federal Primary Segment 27.9% General Administration 22% Law Enforcement/Public Safety/ Fire/Emergency Services 4.8% Other 3.9% Justice/Courts/ Corrections 4.4% Elected Official/ Legislative/Policy 7.8% Education 13.1% Transportation/ Public Works 16.1% Health and Welfare/ Social Services 3

4 Executive Summary 1. Has your agency or organization conducted a risk assessment of security risks to your IT operations? 57.7% 28% The majority, 58%, have undergone a risk assessment of security risks to their agency s IT operations. 14.3% 2. At what stage is your agency or organization currently at in its efforts to reduce or eliminate security risks? 59.2% 55.7% 47.6% 41.1% Implementing in-depth defenses such as firewalls and host intrusion protection is cited by nearly 60% as their agency s primary effort to reduce security risk. A positive 56% of respondent agencies have an established comprehensive security policy. 27.1% 26.2% 22.6% 14.3% Established comprehensive security policy Implemented comprehensive security in-depth defenses such as firewalls, host intrusion protection Conducted a thorough risk assessment Established a Virtual Private Network (VPN) Complete encryption of all sensitive data Established and tested a comprehensive continuity of operations plan ne of the above Implemented a comprehensive Identity Management solution

5 3. Has your agency or organization utilized the new, standards-based Information Security Service Management (ISSM) Reference Model to guide its security efforts? Information Security Service Management (ISSM) is a Reference Model to guide an organization toward managing and mitigating operational risk across the enterprise by deploying highly operationalized security controls. This approach reduces compliance costs helps ensure that security controls address all enterprise risks and helps achieve a best-in-class information security program. 58% of those surveyed are not aware if the Information Security Service Management (ISSM) Reference Model is considered as a guide in their agency s security strategy. 28.2% 58.3% 13.5% 3 4. Has your agency or organization provided training and updates on its security policy to its employees? 30.8% 59% of respondents reported that training and updates of their agency s security policy have been provided to employees. 58.9% 10.3% 4

6 5. Has comprehensive data protection been implemented at the following levels in your agency or organization? 74.5% 72.8% 61.3% 58.9% 52% 50.3% Desktop Computers (75%) and Data Servers (73%) are the top two levels where comprehensive data protection has been implemented. 25.5% Desktop Computers Data Servers Wired Networks Storage Devices Mobile Computers Wireless Networks Printers and Fax Machines 6. Has your agency implemented a comprehensive and robust Identity Management Solution to protect assets from unauthorized access and use? 38.7% 33.4% 39% of respondents confirm that their agency has implemented an Identity Management solution to protect assets from unauthorized access and use. 27.8%

7 7. Does your agency or organization have an ongoing security testing and continual improvement process to keep up with new security threats? 57.2% 22.7% 57% of those surveyed validate that their agency employs an ongoing security testing and continual improvement process to stay ahead of security threats. 20.1% 8. Who in your agency or organization bears the primary responsibility for implementing IT security solutions? 27.5% Chief Information Officer (28%) was labeled to be primarily responsible for implementing IT solutions followed by MIS Manager (21%) and Chief Information Security Officer (20%). 20.6% 20.4% 9.7% 9.4% 6.4% 6% MIS Manager Chief Information Officer (CIO) Chief Information Security Officer (CISO) Chief Security Officer (CSO) Other Chief Technology Officer (CTO) Outsourced to Vendor (For those that cited other, responses included: City Manager, Deputy Director and shared responsibility across teams.)

8 9. How do you expect security funding for your organization to change over the next 12 months? 33.1% It will probably stay the same 24.4% 1/3 of respondents foresee their agency s security funding to stay the same over the next 12 months. 22.1% It will probably increase 20.4% It will probably decrease Government Technology, a division of e.republic, Inc. 100 Blue Ravine Road I Folsom, CA I Phone: I Fax: I 8