New Developments

In New Developments, internal auditors will find information about the most recent IT and audit research reports and survey results; new IT, security, and privacy legislation; and other news items of importance to auditors.

More Security and Privacy Spending Is Needed

Many IT organizations are overconfident and under-prepared to handle a security breach, according to Deloitte's recently published 2007 Technology, Media, and Telecommunications Security Survey (PDF, 1.29 MB). This year's report builds on the results from its 2006 study and sheds light on the current security and privacy trends as reported by chief information security officers and chief security officers in more than 100 technology, media, and telecommunications (TMT) companies around the world. In addition, the report discusses what other organizations are doing to address their security and privacy problems to provide readers with information that can in turn help them reduce their vulnerabilities to attack.

More specifically, the survey found that 46 percent of TMT companies surveyed do not have a formal information security strategy in place. Furthermore, only 7 percent of participants believe their companies are prepared for a future security threat; 5 percent of companies increased their security investments by 15 percent or more; half allocated less than 3 percent of their IT budget to security; and fewer than 40 percent of companies believe their organization has all the skills and capabilities it needs to respond effectively and efficiently to a security challenge.

Despite this lack of a formal security strategy and security resources, 69 percent report that they are confident in the way their organization is tackling external security threats and 62 percent of respondents believe security is a key imperative at the board or executive level. In addition, the number of security breaches remained unchanged from last year.

Other key survey findings center on the performance of audits and independent reviews. When asked to identify their organization's top internal and external audit findings over the past 12 months, respondents cited excessive access rights (38 percent), lack of documentation and controls (33 percent), lack of review of audit trails (31 percent), access control compliance with procedures (29 percent), and insufficient segregation of duties (also 29 percent) as the top security problems. Other audit-related survey findings include lack of audit trails, sharing of user IDs with a commonly known password, and lack of security awareness programs.

On the compliance side, the Deloitte study found that companies in the TMT sector are facing a growing number of rules and regulations designed to improve information security and reduce risk. According to survey results, 29 percent of participants stated that current rules and regulations are effective in this regard, while a combined 71 percent find them somewhat or not effective. In terms of future regulatory compliance, 12 percent are considering the adoption of international standards, such as the International Organization for Standardization's 27001:2005 Standard, or plan to undergo certification within the next 12 months.

To download a full copy of the report, visit Deloitte's Web site.