2012 DTTL Global Financial Services Industry Security Study Breaking Barriers


2 Table of contents
Executive Summary
- Preface
- Participating organizations profile
- Summary of study findings
- Sector highlights
- Survey results snapshot by region
- Security threats snapshot by region
- Study design and methodology
- Contact information
Appendix
- Detailed study findings

3 Preface With increasing business demands and evolving regulatory frameworks, information security is a top priority for financial services industry (FSI) organizations. This year's security survey study finds that many FSI organizations have become more proactive in implementing innovative security measures and creating greater awareness of information security within their businesses. However, most organizations in the survey are challenged with balancing the cost of information security initiatives with the perceived risks of sophisticated threats and emerging technologies.

4 Participating organizations profile
This year's participants represent:
- Chief Security Officers/Chief Information Security Officers (CISOs) or designate, or security management team
- Over 250 financial services organizations from 39 countries
- 11 of the leading* 100 global banks by revenue
- 24 of the leading* 100 global insurance organizations by revenue
[Charts: Participating organizations by sector; Participating organizations by headcount]
Participating organizations by region and revenue
Region | % of participants' responses | % of aggregate revenue
APAC (excl. Japan) | 9% | 9%
Japan | 9% | 4%
EMEA (excl. UK) | 35% | 31%
Latin America & Caribbean (LACRO) | 31% | 6%
UK | 4% | 16%
US | 7% | 20%
Canada | 5% | 14%
* Ranking is based on Dow Jones Companies & Executives

5 Summary of study findings
1. Stronger together: silos and barriers retreat
- Almost two-thirds of respondents believed that their information security function and business are engaged.
- Over 50% of respondents indicated that they have a strong working relationship with operational risk management. Close to half of respondents indicated that they have strong relationships and coordinated activities with enterprise risk management.
- Information security governance; identity and access management; and information security strategy and roadmap are cited to be the top security initiatives for this year.
- Consistent with prior years, respondents cited a lack of sufficient budget (44%) and the increasing sophistication of threats (28%) as the primary barriers to implementing an effective information security program.
2. Adapting to new technologies: security innovation
- As the use of social media increases, 37% of respondents are revising organizational policies; 33% are educating users on social networking to address the security risks.
- Many surveyed organizations have explored cloud computing options. However, 40% of the respondents indicated they still do not use cloud computing. The reasons cited include technology prematurity, security risks, and adoption capabilities of the organization.
- As a part of their mobility program, many organizations have already deployed, or plan to deploy, mobile VPN, central device management, and mobile device management software. However, more than 50% of respondents have not yet planned for deployment of anti-phishing software, employee and customer-facing applications, and data loss prevention for mobile devices.
3. Policing cyber threats: safeguarding data assets
- Financial fraud involving information systems; employee errors and omissions; and breaches of information were perceived to be the top three threats in 2011.
- Three out of four respondents have dedicated privacy resources; organizations are increasingly focusing on protecting their sensitive information and formalizing the privacy function.
- 49% of surveyed organizations claim to actively manage vulnerabilities, 82% of which are also actively researching new threats to proactively protect their environment from emerging threats.
- Most surveyed organizations use the Security Operation Center (SOC) to monitor traffic and data and actively respond to incidents and breaches.
- More than half of the respondents indicated that their organizations manage the SOC internally to get a better understanding of information security issues and gain more control over their operations.

6 Sector highlights: Banking
Survey Findings
Maturity paradox: how to keep the Information Security (IS) program effective
- With increasing regulatory pressure, banking respondents continue to enhance their security programs. Close to 80% of respondents believe that their information security programs have reached a Level 3 (a set of defined and documented standard processes with a degree of improvement over time) maturity or higher.
- Even as security practices mature and advance, nearly 25% of the banking respondents indicated they experienced security breaches in the past 12 months.
- Excessive access rights, security policies and standards that have not been operationalized, and lack of sufficient segregation of duties are cited as the top three external audit findings by banking respondents.
Balancing act: security and cost containment
- Even though more than 70% of banking respondents dedicate at least 1-3% of their IT budget to information security, lack of sufficient budget and/or resources is cited as the top barrier for an effective information security program.
- Nearly half of banking respondents have already implemented or purchased cloud computing services. Of those who have not implemented cloud computing services, close to 90% of the respondents believe the benefits outweigh the security risks.
- Vulnerability scanning and penetration testing (72%) is the top information security function that is outsourced to a third party. This is followed by threat management and monitoring services, at 24%.
Security innovation: new technologies and their risks have arrived
- Nearly 75% of the banking respondents are making use of social media; 20% of the banking respondents have deployed technical controls to block or limit organizational usage.
- When it comes to adoption of mobile devices, banking respondents indicated that the top three security controls are enhancing the consumer acceptable use policy, integrating consumer device security into awareness campaigns and enforcing complex passwords.
A total of 158 banking organizations participated in this year's survey, making up 62% of respondents.
As banks adapt to increased financial regulatory pressure and adopt new technologies to stay competitive, they are challenged with managing myriad vulnerabilities and business expectations.

7 Sector highlights: Insurance
Survey Findings
Challenges remain: executive sponsorship and limited IS budget
- In response to breaches of customer data, nearly 70% of respondents' information security programs have achieved Level 3 maturity or higher.
- Despite increased focus on protecting data from security breaches, approximately 40% of the 46 major insurance organizations have experienced one or more breaches in the past 12 months.
- According to a majority of insurance respondents, lack of sufficient budget and/or resources is the top barrier for an effective information security program for insurance organizations. The next most common barrier is lack of visibility and influence within the organization.
In the spotlight: data protection and mobile security
- Employees in the insurance sector demand more virtual and mobile products or services. It is no surprise that over 80% of insurance respondents support employee-owned or corporate-owned mobile devices.
- With increased use of mobile devices, over 45% of insurance respondents indicate they experienced one or more breaches in the past 12 months.
- Due to increased focus on data protection, close to 80% of respondents have one or more dedicated resources for managing privacy in addition to an IS program.
- Data Protection and IS Governance are the top two security initiatives this year for insurance organizations; 57% of insurance respondents believe they are adequately equipped, including technical and nontechnical measures, for protecting customer sensitive data.
A total of 46 major insurance organizations participated in this year's survey, making up 18% of respondents.
Insurance organizations are bracing for the impact of more stringent consumer financial laws and the risks associated with newer technologies to meet the growing demand for virtual operations.

8 Survey results snapshot by region
Survey Highlights | 2010 Global | 2011 Global | APAC (excl. Japan) | Japan* | EMEA (excl. UK) | LACRO | United Kingdom | United States | Canada
1. Respondents believe there is an increase in their information security budget | 56% | 57% | 73% | 14% | 55% | 62% | 56% | 94% | 46%
2. Respondents believe their information security expenditure is on or above plan | 45% | 48% | 50% | 27% | 50% | 50% | 44% | 50% | 31%
3a. Top security initiatives: respondents who believe identity access management being the top security initiative | 44% | 27% | 18% | 9% | 38% | 18% | 44% | 33% | 46%
3b. Top security initiatives: respondents who believe IS governance as the top security initiative | N/A | 28% | 36% | 36% | 31% | 29% | 11% | 1111% | 8%
4. Respondents that implemented or purchased cloud computing services | N/A | 48% | 50% | 41% | 54% | 30% | 89% | 89% | 62%
5. Respondents who experienced privacy-related breaches in the past year | N/A | 27% | 32% | 23% | 26% | 21% | 67% | 50% | 23%
* For the purpose of this document, we have separated Japan from the rest of Asia Pacific
- With the exception of Canada and Japan, more than 50% of respondents in each region report an increase in the information security budget.
- Despite the economic downturn and corporate budget cuts, the majority of regions believe that their information security expenditure is on or above plan.
- Identity and access management is the top security initiative in Canada and United Kingdom. IS governance is the top security initiative for Japan and APAC region.
- When it comes to the adoption of new technology, United States and United Kingdom respondents have the highest number of organizations that implemented cloud computing services.
- United Kingdom and United States respondents have experienced more privacy-related breaches in the past year than other regions.

9 Security threats snapshot by region
Security Threats | 2011 Global | APAC (excl. Japan) | Japan* | EMEA (excl. UK) | LACRO | United Kingdom | United States | Canada
1. State or industrial espionage | 6% | 14% | 0% | 5% | 5% | 0% | 22% | 0%
2. Attacks exploiting mobile network vulnerabilities | 10% | 9% | 9% | 10% | 12% | 11% | 11% | 15%
3. Threats resulting from the convergence of social media and online platforms into the corporate network (e.g., using micro-blogging by a project manager) | 8% | 14% | 9% | 4% | 7% | 11% | 28% | 8%
4. Financial fraud involving information systems | 18% | 14% | 5% | 15% | 16% | 44% | 22% | 54%
5. Security breaches involving third-party organizations (e.g., supply chain or contractors) | 12% | 14% | 5% | 7% | 8% | 33% | 50% | 15%
6. Hacktivism or cyber-activism | 14% | 9% | 0% | 15% | 14% | 33% | 17% | 23%
* For the purpose of this document, we have separated Japan from the rest of Asia Pacific
- The United States reports the highest number of respondents who cite state or industrial espionage as the highest threat.
- Respondents report mobile network vulnerabilities are highest in Canada and lowest in APAC and Japan.
- The United States has the highest number of respondents (28%) that perceive social media as a threat; EMEA, at 4%, has the lowest.
- More than 50% of respondents in Canada report financial fraud involving information systems as a threat.
- More than 50% of United States respondents consider security breaches involving third-party organizations as a high threat; respondents in Japan have the lowest response at 5%.
- The United Kingdom has the highest number of respondents who cite hacktivism or cyber-activism as a key security threat; Japan has the lowest at 0%.

10 Study design and methodology
This DTTL Global Security Study reports on the outcome of focused discussions between Security & Privacy professionals from Deloitte member firms around the world (Deloitte*) and Information Technology executives of top global organizations. Discussions with representatives of these organizations were designed to identify, record, and present the state of the practice of information security in the financial services industry with a particular emphasis on identifying levels of perceived risks, the types of risks with which organizations are concerned, and the resources being used to mitigate these risks. To fulfill this objective, senior Security & Privacy professionals within the Deloitte member firm network designed a questionnaire that probed various aspects of strategic and operational areas of security and privacy. Responses of participants were subsequently analyzed and consolidated and are presented herein in both qualitative and quantitative formats.
Drafting of the questionnaire
The questionnaire comprised questions composed by the global study team made up of senior Deloitte member firm Security & Privacy Services professionals. Questions were selected based on their potential to reflect the most important operating dimensions of a consumer business organization's processes or systems in relation to security and privacy. The questions were each tested against global suitability, timeliness, and degree of value. The purpose of the questions was to identify, record, and present the state of information security and privacy in the industry.
The collection process
Once the questionnaire was finalized and agreed upon by the study team, questionnaires were distributed to the participating regions electronically. Data collection involved gathering both quantitative and qualitative data related to the identified areas. Each participating region assigned responsibility to senior member firm professionals within their firms' Security & Privacy Services practices and those people were held accountable for obtaining answers from the various financial institutions with which they had a relationship. Most of the data collection process took place through face-to-face interviews with the CISO/Chief Security Officer or designate, and in some instances, with the security management team. Deloitte member firm professionals also offered preselected consumer business organizations the ability to submit answers online using an online questionnaire managed by DeloitteDEX of Deloitte & Touche LLP.
Results, analysis, and validation
The DeloitteDEX team is responsible for analyzing the data from the study. DeloitteDEX is a family of proprietary products and processes for diagnostic benchmarking applications. The DeloitteDEX team uses a variety of research tools and information databases to provide benchmarking analyses measuring financial and/or operational performance. Deloitte member firm clients' performance can be measured against that of their peer group(s). The process identifies competitive performance gaps and can help management to understand how to improve the performance of business processes by identifying and adopting leading practices on a company, industry, national, or global basis, as appropriate.
Once the DeloitteDEX team received the data, it was arranged by geographic origin of respondents. Some basic measures of dispersion were calculated from the data sets. Some answers to specific questions were not used in calculations to keep the analysis simple and straightforward. Not all respondents answered all questions, in which case their responses were excluded.
* As used in this communication, Deloitte means Deloitte Touche Tohmatsu Limited and its member firms.

11 How to interpret the survey results
Three different types of charts depict your responses against the 2012 GFSI security study questions:
- Bar chart & Table chart: Your responses will be highlighted in blue color
- Pie chart: Your responses will be highlighted in the sliced pie
Please note that if no responses are highlighted then it indicates that your organization did not provide a response to that question.
[Sample charts: Bar Chart, Table Chart, Pie Chart, each marked "Your response"]

12 Global Contacts
Global Security, Privacy, and Resiliency Contacts
- Global: Ted DeZabala, Global ERS Platform Leader, Security, Privacy & Resiliency, Deloitte & Touche LLP
- Americas Region: Nick Galletto, Canada, Deloitte & Touche
- Americas Region: Edward Powers, U.S., Deloitte & Touche LLP
- Asia Pacific Region: Thio Tse Gan, Singapore, Deloitte & Touche Enterprise Risk Services
- Europe, Middle East, and Africa Region: Mike Maddison, U.K., Deloitte LLP
Financial Services Enterprise Risk Management Contacts
- Global: Scott Baret, Global Financial Services Industry ERS Leader, Deloitte & Touche LLP
- Latin America Region: Elsa Mena, Columbia, Deloitte & Touche Ltda, emenacardona@deloitte.com
- Latin America Region: Andrés Gil, LATCO, Deloitte & Co S.A, angil@deloitte.com
- Latin America Region: Rodrigo Mendes Duarte, Brazil, Deloitte Consulting, rodrigomendes@deloitte.com
- Europe, Middle East and Africa Region: Alfonso Mur, Spain, Deloitte Advisory, S.L, ext 2103, amur@deloitte.es
- Asia Pacific Region: Danny Lau, Hong Kong, Deloitte & Touche Tohmatsu, danlau@deloitte.com.hk
Contributor: Walter Hoogmoed, Principal, Deloitte & Touche LLP, whoogmoed@deloitte.com

13 Appendix: Detailed Study Findings

14 1. Governance and reporting Three out of four organizations have an executive responsible for information security.

15 1. Governance and reporting (cont.) While the reporting structure varies across organizations, the trend is that the information security function most commonly reports to the CRO, COO, CTO and CEO.

16 1. Governance and reporting (cont.) The top areas of focus for information security (IS) executives are IS strategy and planning; IS governance; IS compliance and monitoring; IS risk assessments; incident management; IS communications, awareness and training; data security; IS program measurement and reporting; vulnerability management; and IS budgeting.

17 1. Governance and reporting (cont.) Over half of respondents indicate that Information Security and Operational Risk Management have a strong working relationship with coordinated activities.

18 1. Governance and reporting (cont.) Close to half of respondents indicate that they have strong relationships and coordinated activities between the information security and enterprise risk management function.

19 1. Governance and reporting (cont.) Most organizations have a dedicated information security function; nearly half of respondents indicate that the size of their information security function is between one and five full time equivalent professionals.

20 1. Governance and reporting (cont.) Despite increasing cohesion between the information security and business functions, 36% of respondents indicate there is little or no engagement between them.

21 2. The security strategy Most organizations understand the value and importance of having a documented and approved information security strategy.

22 2. The security strategy (cont.) Most organizations are aligning business requirements and technology strategy to the overall information security strategy.

23 3. Information security maturity Over three quarters of respondents believe that their information security program maturity is a Level 3 or higher.

24 3. Information security maturity (cont.) Most organizations are still evolving their metrics and enhancing them so that they are less technical and more business focused.

25 3. Information security maturity (cont.) The majority of organizations believe that lack of adequate budget/resources is the main barrier to establishing an effective information security program.

26 3. Information security maturity (cont.) Security reporting frequency and audience vary among organizations; a significant number of respondents do not follow a formalized plan for reporting information security to the C-Suite. Approximately one out of three organizations present a monthly report on the security posture of the organization to senior and executive management.

27 3. Information security maturity (cont.) Information security governance, identity and access management, information security strategy and roadmap, information security regulatory and legislative compliance, data protection, information security measurement and reporting and information security training and awareness were the top security initiatives for

28 3. Information security maturity (cont.) Organizations rely mainly on internal self assessments as well as internal and external audit reviews to gauge the effectiveness of their information security practices.

29 3. Information security maturity (cont.) More than 50% of organizations recognize the need to maintain a loss event database to identify trends and continuously improve processes; however, almost one third of organizations still do not maintain a loss event database.

30 4. Investment in information security To keep pace with the increasing sophistication of attacks and the number of breaches, the majority of organizations have dedicated IT budget to information security. Close to one third of organizations have dedicated at least 4-6% of their budgets to information security.

31 4. Investment in information security (cont.) Despite the economic downturn and corporate budget cuts, information security budgets continue to grow; 38% of organizations have increased their information security budgets by 1-5%.

32 4. Investment in information security (cont.) While there is an increase in the annual information security budget, nearly half of organizations are still catching up or falling behind their information security expenditures plan.

33 4. Investment in information security (cont.) Organizations are increasingly making a push for aligning security objectives with business goals. Nearly 90% claim the IS and business initiatives are somewhat or appropriately aligned.

34 5. Security operation center To combat today's sophisticated threats, monitoring traffic and data and actively responding to incidents and breaches are the top SOC capabilities being used by organizations. However, one out of four organizations still does not use a SOC.

35 5. Security operation center (cont.) More than half of organizations feel that the most effective way to provide oversight to a SOC is to manage it internally, thereby giving them more control over operations and awareness of information security issues.

36 5. Security operation center (cont.) SOC serves the purpose of monitoring many types of systems, devices, applications, firewalls, and security breaches. However, only 28% of organizations believe that the SOC is effective in raising the level of security.

37 6. Security value and perception Information security initiatives must be tailored to the organization's specific business goals to be fully effective. Two thirds of organizations believe that their security initiatives are only somewhat effective.

38 7. Threat landscape Roughly three out of four organizations are somewhat or very confident that they can protect against an internal attack or breach, in comparison to nine out of ten organizations that are somewhat or very confident that they can protect against an external attack or breach.

39 7. Threat landscape (cont.) As the use of technology and the internet proliferates, financial fraud involving information systems, information breaches, hacktivism and coordinated attacks are cited as the top four greatest threats.

40 7. Threat landscape (cont.) One third of organizations that are adopting social media are revising organizational policies, educating users on social networking and deploying technical controls to block organizational usage as security controls.

41 7. Threat landscape (cont.) Most organizations have explored the option of cloud computing; however, close to 50% of organizations have not adopted cloud computing due to security risks, technology maturity, and organization size.

42 7. Threat landscape (cont.) In response to risks associated with cloud computing services, organizations should adopt appropriate controls to mitigate those risks. The top controls are including security policy in contracts with cloud computing service providers and specifying the right to audit providers' systems and infrastructure.

43 8. Breach of information security With external breaches becoming more sophisticated, organizations are stepping up their information security measures to protect themselves. More than 75% of organizations have not faced an external breach in the last 12 months.

44 8. Breach of information security (cont.)
Type | One occurrence | Multiple occurrences
Theft of information resulting from state or industrial espionage | 100% | 0%
External financial fraud involving information systems | 36% | 64%
Breach of information originating from an electronic attack outside the organization (e.g., hacker, etc.) | 63% | 37%
Breach of information originating from a physical attack outside the organization (e.g., stolen laptop, etc.) | 55% | 45%
Breach of information originating from a third-party vendor off the organization's premises | 65% | 35%
Mobile network breach originating from outside the organization | 100% | 0%
Malicious software originating from outside the organization | 32% | 68%
Website defacement | 83% | 17%
Other form of external breach | 64% | 36%
While many organizations have not faced external breaches in the last 12 months, the type and occurrence of the external breaches is varied across organizations.

45 8. Breach of information security (cont.) Close to one third of respondents admit to internal information security breaches in the past 12 months.

46 8. Breach of information security (cont.)
Type | One occurrence | Multiple occurrences
Internal financial fraud involving information systems | 54% | 46%
Breach of information originating from insider or rogue trading | 63% | 37%
Breach of information originating from inside the organization conducted by an employee (e.g., abuse of privileged access, phishing, etc.) | 56% | 44%
Breach of information originating from inside the organization conducted by a non-employee (e.g., malicious third-party, social engineering, etc.) | 50% | 50%
Accidental breach of information originating from inside the organization (e.g., loss of unencrypted laptop, hard drive, etc.) | 37% | 63%
Breach of information originating from a third-party vendor (e.g., cleaners, consultants, etc.) on the organization's premises | 56% | 4%
Mobile network breach originating from inside the organization (e.g., wireless) | 100% | 0%
Malicious software originating from inside the organization (e.g., viruses/worms/spyware) | 28% | 72%
Other form of internal breach | 50% | 50%
Mobile network breach, malicious software, and accidental breach of information are the leading causes of breaches originating from inside the organization.

47 2. The Security Strategy 9. Security Operations 1. Governance & Reporting 8. Security Technologies 8. Breach of information security (cont.) For the two thirds of organizations who reported a monetary damage, 11% suffered a loss of $250,000 or less. However, 4% of those organizations lost between $1 million and $15 million in monetary damages resulting from breaches. 46

48 Perception 6. Threat Landscape 13. Cyber Crime 5. Security Operation Centre 12. Compliance 4.Investment in Info Sec 11. Privacy 3. Info Sec Maturity 10. Third party mgmt 2. The Security Strategy 9. Security Operations 1. Governance & Reporting 8. Security Technologies 9. Security technologies Many organizations believe that technologies such as firewalls or web security are most useful in protecting their networks, but most are skeptical about data security, mobile and event management when it comes to protecting their organization. 47

49 9. Security technologies (cont.) Security log and event management along with data loss prevention are the top initiatives that are currently being piloted. 48

50 9. Security technologies (cont.) Most organizations are using multiple methods to detect and assess their organizations security vulnerabilities on a periodic basis; however, many respondents indicate that an application security code review is performed on an ad-hoc basis. The Security Strategy 49

51 10. Security operations Most organizations provide corporate devices rather than employee-purchased devices to mitigate security risks. 50

52 10. Security operations (cont.) Majority of the organizations are currently dealing with mobile device related security risks through formal policy measures and awareness campaigns. In addition, organizations are implementing some foundational security measures such as device password pins and remote wipe capabilities, though a few of the surveyed organizations have deployed commercial mobile device management technology solutions for security profile provisioning, device tracking, control and management. 51

53 10. Security operations (cont.) The top three (3) mobility focus areas that organizations have invested in or are looking to invest in the near future are development and adoption of an overarching and centralized mobile security strategy, implementation of a mobile device management technology solution for increased visibility and control of devices in the enterprise, and secure deployment and support of tablet devices. 52

54 11. Outsourcing and third-party security management While many security functions are outsourced, the top five functions are infrastructure security technologies, filtering, distributed denial of service protection, threat management and monitoring services and vulnerability scanning/penetration testing. 53

55 11. Outsourcing and third-party security management (cont.) While close to 50% of organizations have identified third party security capabilities, controls and organizational dependencies, two thirds of organizations do not regularly review and test third party security capabilities. 54

56 11. Outsourcing and third-party security management (cont.) Most organizations address information security in contracts and sign nondisclosure agreements to reduce the risk of outsourcing, but do not perform on-site spot checks of third parties to verify compliance. 55

57 12. Privacy Close to 60% of organizations have 1-20 fulltime equivalents dedicated to privacy while close to 26% of organizations have no resources dedicated to privacy. 56

58 12. Privacy (cont.) In 2011, nearly one third of organizations dedicated 3% or less of the overall organization's budget to privacy. 57

59 12. Privacy (cont.) Most organizations believe that they have adequate measures in place to handle privacy-sensitive data. 58

60 12. Privacy (cont.) Almost half of organizations report privacy-related incidents over the past year. The reluctance of organizations to report privacy-related breaches is slowly decreasing, with many breach notification initiatives undertaken by organizations. 59

61 12. Privacy (cont.) Most organizations have policies in place that require them to report breaches internally and externally. 60

62 13. Compliance The top four internal and external audit findings relate to access management, with excessive access rights being the top audit finding, followed by excessive developers' access to production, removal of access privileges following transfer or termination, and lack of sufficient segregation of duties. 61

63 14. Cyber crime As the threat landscape becomes more sophisticated, organizations are becoming more proactive in identifying and managing risks through a variety of approaches. 62

64 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte's approximately 182,000 professionals are committed to becoming the standard of excellence. This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the "Deloitte Network") is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication. Deloitte Global Services Limited.


Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

Hands on, field experiences with BYOD. BYOD Seminar

Hands on, field experiences with BYOD. BYOD Seminar Hands on, field experiences with BYOD. BYOD Seminar Brussel, 25 september 2012 Agenda Challenges RIsks Strategy Before We Begin Thom Schiltmans Deloitte Risk Services Security & Privacy Amstelveen tschiltmans@deloitte.nl

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

2015 VORMETRIC INSIDER THREAT REPORT

2015 VORMETRIC INSIDER THREAT REPORT Research Conducted by 2015 VORMETRIC INSIDER THREAT REPORT Trends and Future Directions in Data Security RETAIL EDITION #2015InsiderThreat RESEARCH BRIEF RETAIL CUSTOMERS AT RISK ABOUT THIS RESEARCH BRIEF

More information

Audit Capabilities: Beyond the Checklist. Niall Haddow, Business Leader Philip Young, Sr. IT Auditor Professional Strategies - Session S32

Audit Capabilities: Beyond the Checklist. Niall Haddow, Business Leader Philip Young, Sr. IT Auditor Professional Strategies - Session S32 Audit Capabilities: Beyond the Checklist Niall Haddow, Business Leader Philip Young, Sr. IT Auditor Professional Strategies - Session S32 Agenda Beyond the Checklist Visa Overview Visa Internal Audit Overview

More information

Password Management Evaluation Guide for Businesses

Password Management Evaluation Guide for Businesses Password Management Evaluation Guide for Businesses White Paper 2016 Executive Summary Passwords and the need for effective password management are at the heart of the rise in costly data breaches. Various

More information

Securing Industrial Control Systems Secure. Vigilant. Resilient. May 2015

Securing Industrial Control Systems Secure. Vigilant. Resilient. May 2015 Securing Industrial Control Systems Secure. Vigilant. Resilient. May 2015 Cyber Security Securing industrial control systems: Don t be a victim of cyber-attacks Cyber security Just as the workplace is

More information

Wealth Advisory Services Winning with clients

Wealth Advisory Services Winning with clients Wealth Advisory Services Winning with clients About Us Deloitte, with more than 550 professionals operating out of offices in all major cities is one of the largest and fastest-growing professional services

More information

White Paper. Information Security -- Network Assessment

White Paper. Information Security -- Network Assessment Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer

More information

Click to edit Master title style

Click to edit Master title style EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity

More information

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's: Security.01 Penetration Testing.02 Compliance Review.03 Application Security Audit.04 Social Engineering.05 Security Outsourcing.06 Security Consulting.07 Security Policy and Program.08 Training Services

More information

COMBATING CYBER THREATS: A HOW TO FOR THE CISO.

COMBATING CYBER THREATS: A HOW TO FOR THE CISO. www.wipro.com COMBATING CYBER THREATS: A HOW TO FOR THE CISO. Gopinathan. K, Practice Head - Managed Security and Network Services, Global Infrastructure Services (GIS), Wipro Infotech Contents 02 -------------------------------------

More information

Consumer Goods and Services

Consumer Goods and Services Accenture Risk Management Industry Report Consumer Goods and Services 2011 Global Risk Management Point of View Consumer Goods and Services 2011 Global Risk Management Point of View Consumer Goods and

More information

The Impact of Cybercrime on Business

The Impact of Cybercrime on Business The Impact of Cybercrime on Business Studies of IT practitioners in the United States, United Kingdom, Germany, Hong Kong and Brazil Sponsored by Check Point Software Technologies Independently conducted

More information