MACAU INFORMATION SECURITY SURVEY 2010 REPORT

Information security has an important role to play in today's fast-moving business environment. With a high dependency on information systems and an increase in sophisticated security threats, having an efficient strategy to protect information is crucial to the success, reputation and business continuity of any organization.

In order to understand the current implementation status of information security within companies and organizations of different industry sectors of Macau, icentre of Macau New Technologies Incubator Centre (Manetic), in cooperation with SAFP (Direcção dos Serviços de Administração e Função Pública / Public Administration and Civil Service Bureau), conducted an Information Security Survey in January 2010. This annual study will serve as a reference for designing training programs to enhance information security awareness and strategy implementation in Macau. All data collected from this survey will be used as a reference for organizations in:
- Revision or establishment of appropriate information security management and policy;
- Revision of existing corporate information security technologies;
- Preparation of proper information security education and training.

ORGANIZED BY: Manetic icentre
CO-ORGANIZED BY: SAFP

Copyright © 2010 Manetic icentre. All rights reserved.
TABLE OF CONTENTS

Executive Summary ... 3
Findings from the Survey ... 5
Respondent Profile ... 7
Information Security Policy ... 9
  Risk Assessment ... 9
  Establishment of Security Policy ... 10
  IT Security Expenditure ... 11
  Security Awareness and Training ... 12
Information Security Control ... 14
  Administration and Maintenance ... 14
  Access Control and Communication Protection ... 14
  Audit and Accountability ... 16
  Physical Security ... 17
  Media Protection ... 19
  Disaster Recovery ... 20
Information Security Incident ... 22
  Incident Response ... 22
Information Security Level versus Effectiveness of Security Strategy ... 25
Web Server Adoption & Patching ... 26
Survey Methodology ... 28
Limitations ... 28
Acknowledgement ... 29
About Manetic icentre ... 29
EXECUTIVE SUMMARY

From the collected survey responses of the targeted industry sectors of Macau, a measure of the level of information security, as well as a measure of the effectiveness of their security strategy, was recorded. The targeted industry sectors that participated in this survey are broadly classified into two distinct sectors:
1. Governmental Sector, consisting of government departments, and
2. Other Sectors, consisting of Educational Institutes, Gaming, ICT, Public Utilities, Sales & Marketing.

In this survey, sent to invited participants, ten (10) security categories were presented for response so that the level of security of the respondents could be analyzed. The same security categories were also used to map, by category, the effectiveness of the respondents' security strategy in reducing the occurrence and impact of information security incidents. These ten (10) security categories are:
1. Risk Assessment,
2. Establishment of Security Policy,
3. Security Awareness and Training,
4. Administration and Maintenance,
5. Access Control and Communication Protection,
6. Audit and Accountability,
7. Physical Security,
8. Media Protection,
9. Disaster Recovery, and
10. Incident Response.

The results of this survey may be seen in the following radar charts, which present the results for the totality of the respondents, followed by the stratified results for Government Sector and Other Sectors. In all three graphs, the interplay between the level of security and the effectiveness of the applied security strategy may be observed. The graph that uses all of the respondents' results provides a summary of Macau's organizations in their level of implementation of information security, as well as a summary of the effectiveness of implementing a security strategy.
[Radar chart: Comparison of Implemented Information Security Level and Effectiveness Level of Security Strategy (for MACAU). Axes: the ten security categories (Risk Assessment, Establishment of Security Policy, Security Awareness and Training, Administration and Maintenance, Access Control and Communication Protection, Audit and Accountability, Physical Security, Media Protection, Disaster Recovery, Incident Response), scale 1.0 to 5.0. Series: Implemented Information Security Level; Effectiveness of Security Strategy.]
[Radar chart: Comparison of Implemented Information Security Level and Effectiveness Level of Security Strategy (for GOVERNMENT SECTOR). Axes: the same ten security categories, scale 1.0 to 5.0. Series: Implemented Information Security Level; Effectiveness of Security Strategy.]

[Radar chart: Comparison of Implemented Information Security Level and Effectiveness Level of Security Strategy (for OTHER SECTORS). Axes: the same ten security categories, scale 1.0 to 5.0. Series: Implemented Information Security Level; Effectiveness of Security Strategy.]
FINDINGS FROM THE SURVEY

INFORMATION SECURITY POLICY
- 11% have mostly or fully implemented Risk Assessment to support their information security program.
- 22% have a mostly or fully documented information security policy.
- 36% of organizations without security policy documentation considered the lack of IT expertise to be the main obstacle to establishing one.
- 2%~5% of the overall IT budget goes to information security.
- 8% have mostly or fully implemented information security education for all staff in the past 12 months.
- Have mostly or fully implemented a training program to update the skills and competencies of IT staff in the past 12 months.

INFORMATION SECURITY CONTROL
- Have full-time IT staff responsible for maintaining the information security program and ensuring compliance.
- Have mostly or fully implemented their access control measures and communication protection.
- Have mostly or fully implemented periodic review and audit of their information security program.
- Have mostly or fully implemented regular compliance reports sent to top management.
- Have mostly or fully implemented multiple physical measures to restrict unauthorized entry to their sensitive facilities.
- Have mostly or fully implemented protection for their critical hardware against power loss, tampering, failure and environmental threats.
- Have mostly or fully implemented controls on securing the disposal of data or printed materials that contain sensitive information.
- 32% have mostly or fully implemented security mechanisms on information sharing, storing and transmitting their data with external parties.
- 40% do not take any control actions on the usage of removable media devices.
- 31% have mostly or fully implemented disaster recovery planning.
- 20% have mostly or fully implemented simulation of emergency situations and resolution according to their disaster recovery plan.
INFORMATION SECURITY INCIDENT
- 17% have mostly or fully implemented incident management procedures.
- 88% were affected by virus and malicious software infection in the past 12 months.
- 5% of respondents considered virus and malicious software to have caused the most impact in their company in the past 12 months.
- 61% had fewer than 5 incidents in the past 12 months.
- 63% consider developing incident response and reporting procedures highly effective for security incident resolution.
- 57% are not aware of any suitable external parties to which to report the occurrence of an information security incident.
RESPONDENT PROFILE

The survey invitations were sent out separately by Manetic (Macau New Technologies Incubator Centre) and SAFP (Macau Public Administration and Civil Service Bureau) to 133 respondents, and the survey achieved fifty-eight percent (58%) participation. Since information security is a sensitive topic for many organizations, the anonymity of the participants was preserved by not identifying them anywhere in this report.

This survey is a joint study organized by Manetic and co-organized by SAFP, with voluntary participation by invited respondents. Due to the sensitivity of this topic, the response rate may have been affected.

The majority of respondents belong to the Governmental Sector, with seventy-one percent (71%) of total participants, while Other Sectors represent twenty-nine percent (29%). Within this second group, different types of sectors have been included: Public Utilities, Educational Institutes, ICT (Information and Communication Technologies), Gaming, Sales & Marketing and miscellaneous organizations.

[Pie chart: Respondents by Industry Sector. Government Sector 71%, ICT 7%, Public Utilities 7%, Gaming 3%, Educational Institute, Sales & Marketing 1%, Other 6%. Numbers may not add up to 100% due to rounding.]

Regarding the number of employees of the organizations in the study, sixty-six percent (66%) of respondents belong to organizations with more than 50 employees, whilst sixty-five percent (65%) have fewer than ten (10) currently active IT employees.

[Bar chart: Respondents by Total Employee Size. Categories: Less than 10, 11-20, 21-30, 31-40, 41-50, More than 50 (66%).]

[Bar chart: Respondents by IT Employee Size. Categories: Less than 10 (65%), 11-20, 21-30, 31-40, 41-50, More than 50.]
[Bar chart: Respondents by Total Employee Size and Sector (Government Sector vs. Other Sectors). Categories: Less than 10, 11-20, 21-30, 31-40, 41-50, More than 50.]

[Bar chart: Respondents by IT Employee Size and Sector (Government Sector vs. Other Sectors). Categories: Less than 10, 11-20, 21-30, 31-40, 41-50, More than 50.]
INFORMATION SECURITY POLICY

RISK ASSESSMENT

From the collected results it can be seen, from the following charts, that a large section of the companies and organizations, forty-two percent (42%), have Partially Implemented a Security Risk Assessment in their Information Security Program. Adding the six percent (6%) that have Mostly Implemented and the five percent (5%) that have Fully Implemented just crosses the half-mark of respondents that have a Security Risk Assessment process in one form or another. Risk assessment helps an organization to identify, measure and prioritize the potential risks that it is likely to face, and assists in selecting appropriate security controls to mitigate those risks.

[Pie chart: Implementation Status of Risk Assessment for Information Security Program. Fully implemented 5%, Mostly implemented 6%, Partially implemented 42%, Planning stage 25%, Not implemented 22%.]

[Bar chart: Implementation Status of Risk Assessment for Information Security Program (by Sector), Government Sector vs. Other Sectors. Categories: Fully, Mostly, Partially, Planning stage, Not implemented.]

Between the two sectors, Government and Other, the proportion of Government Sector respondents answering that they have no Risk Assessment process, twenty-six percent (26%), was double that of Other Sectors, thirteen percent (13%). Organizations from Other Sectors are more likely, within their sector, to respond that they have fully or mostly implemented a Risk Assessment process within their Information Security Program.
ESTABLISHMENT OF SECURITY POLICY

Macau's organizations may view a documented Information Security Policy as a non-essential overhead for effective real security controls. The response from this survey reinforces this suggestion, with only six percent (6%) responding that they have fully implemented an Information Security Policy. Yet there is recognition that a documented policy may help the effectiveness of controls, as nearly half, forty-eight percent (48%), have partially implemented a policy, leaving eighteen percent (18%) in the planning stage and twelve percent (12%) reporting that no policy is implemented.

[Pie chart: Implementation Status of Documented Information Security Policy. Fully implemented 6%, Mostly implemented 16%, Partially implemented 48%, Planning stage 18%, Not implemented 12%.]

[Bar chart: Implementation Status of Documented Information Security Policy (by Sector), Government Sector vs. Other Sectors. Categories: Fully, Mostly, Partially, Planning stage, Not implemented.]

Comparing the stratified proportions between Government Sector and Other Sectors of Macau, the second will more readily report that they have fully implemented a security policy, with seventeen percent (17%) of their respondents, as compared to only two percent (2%) of Government Sector respondents. On the other hand, Government Sector is more likely to respond that a security policy is Mostly Implemented, with an outstanding twenty percent (20%) as compared to only four percent (4%) of Other Sectors.
As policies may be seen more as a hindrance and overhead than as positively adding to the effectiveness of security controls, a focus has been made on uncovering why an organization in Macau would resist having a security policy in place. Resistance to forming a security policy may be due to the size of the organization or the business type, the security awareness or technological expertise of the organization, or the maturity of its approach to information security. This question was answered in this survey, and it was found that thirty-six percent (36%) of the respondents reported a Lack of IT Expertise as the central reason for not having a documented Information Security Policy.

[Bar chart: Reasons for Not Having Documented Information Security Policy. No IT expertise 36%; Company's size does not justify having such a documented policy 18%; The amount of information systems does not justify having such a documented policy 18%; Unawareness of information security risks by top management 27%.]

IT SECURITY EXPENDITURE

According to the survey findings, there seems to be a predominant proportion of the IT budget assigned to Information Security for respondents of Other Sectors. Forty-three percent (43%) of Other Sectors respondents report a two-to-five percent (2-5%) expenditure of their IT budget on Information Security. The distribution of responses for Government Sector is more evenly spread across the provided response tiers, with a shift toward a larger percentage of their IT budget spent on Information Security. Including the tier of two-to-five percent (2-5%) and the higher tier of six-to-ten percent (6-10%) of budget expenditure on security brings the Government Sector respondents to forty-four percent (44%).

[Bar chart: Percentage of Information Security Expenditure on IT Budget (by Sector), Government Sector vs. Other Sectors. Tiers: Less than 1%, 2%-5%, 6%-10%, 11%-15%, 16%-20%, More than 20%. Other Sectors: 43% at the 2%-5% tier.]
SECURITY AWARENESS AND TRAINING

According to survey results, only three percent (3%) of all respondents have fully implemented an information security education or awareness program for their staff within the last twelve (12) months. Forty-nine percent (49%) of the respondents state that they either do not have an information security education program or that they are planning to implement one.

[Pie chart: Implementation Status of Information Security Education or Awareness Program for All Staff (in the past 12 months). Fully implemented 3%, Mostly implemented, Partially implemented 38%, Planning stage 18%, Not implemented 31%.]

[Bar chart: Implementation Status of Information Security Education or Awareness Program for All Staff (in the past 12 months) by Sector, Government Sector vs. Other Sectors. Categories: Fully, Mostly, Partially, Planning stage, Not implemented.]

The majority of respondents report that they have partially implemented an information security education or awareness program for all their staff in the past twelve (12) months. Respondents from Government Sector are more likely to answer reservedly, with thirty-one percent (31%) reporting partial implementation and thirty-nine percent (39%) reporting no information security education or awareness program in the past twelve (12) months.

Security education and awareness should not be limited to the organization's general staff, but should also extend to IT staff, to constantly update their skills and competencies on information security matters. In this study, nearly half of all respondents, forty-four percent (44%), are either planning or have not implemented an information security training program for their IT staff.

[Pie chart: Implementation Status of Training Program to Update Information Security Skills and Competencies for IT Staff (in the past 12 months). Fully implemented, Mostly implemented, Partially implemented 48%, Planning stage 16%, Not implemented 28%.]
[Bar chart: Implementation Status of Training Program to Update Information Security Skills and Competencies for IT Staff (in the past 12 months) by Sector, Government Sector vs. Other Sectors. Categories: Fully, Mostly, Partially, Planning stage, Not implemented.]

Increasing the level of information security education and awareness among employees of Macau organizations will result in a greater understanding of the information security issues they face on a daily basis. Through proper education and training programs, staff will enhance their confidence and ability to reduce the impact of security incidents on the organization. This helps the organization to come safely through information security issues and, in turn, enhances job security.
INFORMATION SECURITY CONTROL

ADMINISTRATION AND MAINTENANCE

From the chart below, forty-eight percent (48%) of Government Sector respondents answered that they employ full-time IT staff as their main representative with a primary duty in information security, maintenance of information security programs, and ensuring compliance. Forty-three percent (43%) of respondents report that this role is composed of ad-hoc staff.

[Bar chart: Employee Responsible for Information Security Administration and Compliance (by Sector), Government Sector vs. Other Sectors. Categories: Dedicated IT team, Full-time IT staff, Part-time IT staff, Ad-hoc, None.]

ACCESS CONTROL AND COMMUNICATION PROTECTION

Respondents to this study have identified the most widely used access control and communication protection techniques as being:
1. Firewalls,
2. Anti-virus systems,
3. Password controls, and
4. Account controls.
These four (4) controls have an adoption rate of more than ninety percent (90%). Less common controls have also been identified, and are:
1. Encryption of Voice over IP,
2. Biometric technology,
3. Previous login information, and
4. Instant messaging controls.
[Bar chart: Most Used Access Control Measures and Communication Protection. Firewall and Anti-virus system (95%-96%), Password control and Account control (above 90%), Remote access control 65%, Website filtering 65%, Patch management 47%, Configuration control 45%, Biometrics technologies 18%, Encryption of Voice over IP telephony 8%, and also Spam filtering, Intrusion detection and prevention systems, Wireless network encryption, Access trial failure control, Previous login information report, Instant Messaging control.]

By observing the chart below, half of Government Sector respondents consider that they have partially implemented access control and communication protection measures, while Other Sectors respondents are more likely, with forty-three percent (43%), to state that these controls are mostly implemented in their organizations.

[Bar chart: Implementation Status of Access Control Measures and Communication Protection (by Sector), Government Sector vs. Other Sectors. Categories: Fully, Mostly, Partially, Planning stage, Not implemented.]
AUDIT AND ACCOUNTABILITY

This survey highlights that, as a whole, periodic review and audit of information security programs, practices, controls and techniques are not widely implemented. Only eight percent (8%) of Government Sector respondents answered that periodic review and audit of their information security program are fully or mostly implemented. Other Sectors respondents are more likely, with thirty percent (30%), to answer that periodic review and audit of their information security program are fully or mostly implemented.

[Pie chart: Implementation Status of Periodic Review and Audit of Information Security Program. Fully implemented 5%, Mostly implemented, Partially implemented, Planning stage 23%, Not implemented.]

[Bar chart: Periodic Review and Audit of Information Security Program (by Sector), Government Sector vs. Other Sectors. Categories: Fully, Mostly, Partially, Planning stage, Not implemented.]

This survey has similarly identified that the submission of regular compliance reports on the state of information security to top management is also not widely practiced in most organizations in Macau. Grouping the not-implemented and planning-stage responses comprises seventy-one percent (71%) of respondents, overwhelming the complementary proportion of twenty-nine percent (29%) that report some existence of a periodic review and audit on information security.

[Pie chart: Implementation Status of Compliance Report Sent to Top Management. Fully implemented, Mostly implemented, Partially implemented 16%, Planning stage, Not implemented 41%.]
Generally, for both Government Sector and Other Sectors, the response that no compliance report to top management is provided, either because the process is not implemented or because it is still being planned, is the same at around seventy percent (70%).

[Bar chart: Compliance Report Sent to Top Management (by Sector), Government Sector vs. Other Sectors. Categories: Fully, Mostly, Partially, Planning stage, Not implemented.]

PHYSICAL SECURITY

Regarding physical security measures, thirty-four percent (34%) of the survey respondents in this study have either fully or mostly implemented multiple physical measures to restrict unauthorized entry to sensitive facilities.

[Pie chart: Implementation Status of Multiple Physical Protection. Fully implemented, Mostly implemented 21%, Partially implemented 28%, Planning stage 12%, Not implemented.]

[Bar chart: Implementation Status of Multiple Physical Protection (by Sector), Government Sector vs. Other Sectors. Categories: Not implemented, Planning stage, Partially, Mostly, Fully.]
Protection of organizations' critical hardware appears to be given more attention, as fifty-four percent (54%) have either fully or mostly implemented protection measures. Only seventeen percent (17%) of respondents answered that they do not have recognizable security measures, by stating that such measures, for example controls against power loss, tampering, failure and environmental threats, are either not implemented or still in the planning stage.

[Pie chart: Implementation Status of Critical Hardware Protection. Fully implemented, Mostly implemented, Partially implemented, Planning stage 5%, Not implemented 12%.]

[Bar chart: Implementation Status of Critical Hardware Protection (by Sector), Government Sector vs. Other Sectors. Categories: Not implemented, Planning stage, Partially, Mostly, Fully.]
MEDIA PROTECTION

One of the security control categories that this study covers is security control over media protection. Survey participants were asked about their implementation status of security controls on the disposal of media that contains sensitive information, as well as security mechanisms on information sharing, storing and transmitting data with external parties. Around thirty-two percent (32%) of respondents in this survey have either fully or mostly adopted security mechanisms on information sharing, storing and transmitting data with external parties.

[Pie chart: Implementation Status of Security Mechanism on Information Sharing, Storing and Transmitting Data with External Parties. Fully implemented 7%, Mostly implemented 25%, Partially implemented 36%, Planning stage, Not implemented 23%.]

[Bar chart: Implementation Status of Media Protection with Secure Disposal for Sensitive Information (by Sector), Government Sector vs. Other Sectors. Categories: Not implemented, Planning stage, Partially, Mostly, Fully.]
Another aspect of this survey was to assess the concerns of the respondents about the usage of removable media, such as USB flash memory or removable hard drives, that may be a source of information leakage. Based on this survey's results, most respondents, forty percent (40%), did not apply any controls on the usage of such removable devices. At the other extreme, thirty-two percent (32%) of respondents stated that one of their controls is to configure PCs so as to restrict the use of such removable media.

[Bar chart: Controls Applied on Removable Media Devices. Staff is told not to use such devices; Technical configuration of PCs to restrict usage of such devices (32%); Data encryption or password protection on such devices; No actions taken (40%).]

DISASTER RECOVERY PLANNING

It is a continuing worldwide trend for organizations to address disasters by planning the recovery and restoration of IT systems after failure due to a disaster. The results from this survey buck this worldwide trend, with forty-three percent (43%) of respondents stating that they have no such plan, because it is either not implemented or still in the planning stage.

[Pie chart: Implementation Status of Disaster Recovery. Fully implemented 5%, Mostly implemented, Partially implemented, Planning stage 27%, Not implemented 16%.]
[Bar chart: Implementation Status of Disaster Recovery (by Sector), Government Sector vs. Other Sectors. Categories: Fully, Mostly, Partially, Planning stage, Not implemented.]

Although the complementary fifty-seven percent (57%) of respondents have a disaster recovery plan in one form or another, this plan needs to be tested to ensure that it will be effective against the disaster it was designed for. Sixty-three percent (63%) of respondents do test their plan to some degree, as compared to thirty-seven percent (37%) that do not, or are only at the planning stage.

[Pie chart: Implementation Status of Emergency Simulation and Resolution according to Disaster Recovery Plan. Fully implemented 2%, Mostly implemented 18%, Partially implemented 43%, Planning stage, Not implemented 7%.]

[Bar chart: Implementation Status of Emergency Simulation and Resolution according to Disaster Recovery Plan (by Sector), Government Sector vs. Other Sectors. Categories: Fully, Mostly, Partially, Planning stage, Not implemented.]
INFORMATION SECURITY INCIDENT

INCIDENT RESPONSE

Whenever an information security incident occurs, organizations should have methods in place to handle and resolve the incident. According to the results of this survey, most of the respondents, sixty-one percent (61%), do not have an incident management procedure; this is reported as either not implemented or in the planning stage.

[Pie chart: Implementation Status of Incident Management Procedures. Fully implemented 5%, Mostly implemented 12%, Partially implemented 22%, Planning stage, Not implemented 31%.]

Analyzing by sector, Government Sector respondents are less likely to state the existence of a set of incident management procedures than Other Sectors. Indeed, only ten percent (10%) of Government Sector respondents state that such a control exists in either a fully or mostly implemented state, and sixty-five percent (65%) state that these procedures are at the planning stage or simply do not exist. In contrast to the ten percent (10%) of Government Sector respondents, thirty-five percent (35%) of respondents from Other Sectors claim either fully or mostly implemented incident management procedures that will address an information security incident.

[Bar chart: Implementation Status of Incident Management Procedures (by Sector), Government Sector vs. Other Sectors. Categories: Fully, Mostly, Partially, Planning stage, Not implemented.]
By having a set of incident management procedures, organizations are able to handle an incident, through to resolution, much faster and more effectively, should one occur. Of the respondents that have procedures, the three (3) procedures considered most effective are:
1. An incident response and reporting procedure;
2. An incident response policy;
3. A defined incident response team.

[Bar chart: Effectiveness of Incident Management Procedures on Security Incident Resolution (excluding respondents without incident management procedures). Procedures rated: Create an incident response policy; Develop incident response and reporting procedures; Establish guidelines for communicating with external parties; Define incident response team services; Train the incident response team; Establish and maintain accurate notification mechanisms; Develop written guidelines for prioritizing incidents. Scale: 1 (Least Effective) to 5 (Most Effective), plus N/A.]

In the past twelve (12) months, when an information security breach occurred, respondents stated that Infection by Virus and Malicious Software caused the most impact to their organization. This is in contrast to the information security incident of Theft or Fraud Involving Computers, which was the least reported type of security breach.

[Bar chart: Level of Impact by Type of Information Security Incident (in the past 12 months). Incident types: Infection by viruses and malicious software; Staff misuse of information systems; Unauthorized access by outsiders; Theft or fraud involving computers; Systems failure and data corruption. Scale: 1 (Least Impact) to 5 (Most Impact), plus N/A.]
Most of the organizations in this study, sixty-one percent (61%), experienced a security incident occurrence rate of fewer than five (5) times in the past twelve (12) months.

[Bar chart: Number of Information Security Incidents in the past 12 months. Not aware of any; Less than 5 (61%); 6-10 (8%); 11-20 (1%); More than 20 (1%).]

Respondents to this survey state that reporting security incidents to external parties, which may assist in resolving the incident effectively, is the least favored action in handling such incidents. Fifty-seven percent (57%) of the respondents were not aware of any suitable external parties to which to report security incidents.

[Bar chart: Reasons for Not Reporting to External Parties about Occurrence of Information Security Incidents. Not aware of any suitable external parties to report to (57%); Do not think that external entities can help to solve the incident; Too trivial, no need to report; Cannot identify which type of security incident; Damage to company/organization reputation; Legal matters.]
INFORMATION SECURITY LEVEL VERSUS EFFECTIVENESS OF SECURITY STRATEGY

Based on the obtained data, it is possible to conclude, through the constructed charts, that Government Sector and Other Sectors have an average score ranging between 2.0 and 3.4 points for the level of implementation of their information security controls. The scores only represent the perception of how each sector views its own security strategy implementation, and therefore a direct comparison of the actual performance of the two sectors is not possible.

Other Sectors place more effort on information security controls such as Media Protection, Physical Security, and Access Control and Communication Protection, whilst Government Sector is more focused on controls such as Administration and Maintenance, Physical Security and, again, Access Control and Communication Protection. Security Awareness and Training, Audit and Accountability, and Incident Response are the lowest scoring categories for information security in either sector.

[Radar chart: Implemented Information Security Level, Government Sector vs. Other Sectors. Axes: the ten security categories, scale 1.0 to 5.0.]

Regarding the effectiveness of either sector's security strategy, both sectors consider their implementations effective at reducing the impact of information security incidents on their organization, scoring in a range between 3.0 and 4.0 points.

[Radar chart: Effectiveness Level of Security Strategy, Government Sector vs. Other Sectors. Axes: the ten security categories, scale 1.0 to 5.0.]

Based on the data shown in the radar charts, both sectors considered that their applied information security level has achieved, in general, a satisfactory effectiveness level of security strategy.
WEB SERVER ADOPTION & PATCHING

In addition to the survey, a study of the different types of web servers being used by organizations in Macau was conducted for the period as at December 2009. Of the web servers included in this study, fifty-five percent (55%) of websites were of a commercial nature (.com.mo), twenty-nine percent (29%) were organizations (.org.mo), nine percent (9%) educational (.edu.mo), and seven percent (7%) were government sites (.gov.mo).

[Pie chart: Web Site Check by Business Type (Dec. 2009). Commercial 55%, Organisation 29%, Education 9%, Government 7%.]

In general, the most adopted web-server technology used in Macau as at December 2009 was Microsoft IIS 6.0 with a twenty-seven percent (27%) share, followed by Apache 2.2 with sixteen percent (16%), Apache 2.0 at fourteen percent (14%) and Apache 1.3 also at fourteen percent (14%).

Remarks: the latest versions of these web servers as at December 2009 were Apache 2.2 and Microsoft IIS 7.0.

[Pie chart: Web Server Adoption (Dec. 2009). Microsoft-IIS 6.0 27%, Apache 2.2 16%, Apache 2.0 14%, Apache 1.3 14%, Apache (unknown version) 12%, Microsoft-IIS 5.0 11%, Apache-Coyote 1.1 (TomCat) 2%, Microsoft-IIS 7.0 2%, Unknown 2%, Microsoft-IIS 4.0.]
Based on the results from the table and chart below, it can be seen that Education and Organization websites have a preference for open source web servers, whereas Commercial and Government websites mainly adopt Microsoft IIS 6.0.

Web Server versions by Business Type (Dec. 2009)

Web server                     Commercial   Education   Government   Organisation
Apache (unknown version)          10.1%       10.          11.1%        14.6%
Apache 1.3                        14.5%       10.           5.6%        16.5%
Apache 2.0                        11.8%       20.           2.8%        20.3%
Apache 2.2                        11.5%       24.          13.          23.
Apache-Coyote 1.1 (Tomcat)         1.7%        2.           2.8%         0.6%
Microsoft-IIS 4.0                  0.3%        0.           2.8%         0.
Microsoft-IIS 5.0                 12.2%       10.          25.           5.1%
Microsoft-IIS 6.0                 33.1%       16.          33.3%        17.1%
Microsoft-IIS 7.0                  2.          6.           0.           0.6%
Unknown                            2.          2.           2.8%         1.

(Entries shown with a trailing decimal point only, e.g. "10.", lost their final digit and percent sign in the source and are reproduced as found.)

[Bar chart: Web Server versions by Business Type (Dec. 2009), grouped by Commercial, Education, Government and Organisation; same values as the table above]
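The patching concern behind this section is that a large share of sites ran versions behind the then-current releases (Apache 2.2 and Microsoft IIS 7.0). The following is an added example, not code from the report or from Manetic, showing how an organisation can turn the Server header values from its own asset inventory into the same categories the report uses and flag hosts that fall behind a version baseline. The baseline table is built from the report's remark and is an assumption of the example; the inventory entries are constructed sample data.

```python
import re
from collections import Counter

# Baseline taken from the report's remark: the latest web server versions as
# of December 2009 were Apache 2.2 and Microsoft IIS 7.0. Keeping it as a
# table is an assumption of this example so it can be updated for a later date.
LATEST_DEC_2009 = {
    "Apache": (2, 2),
    "Microsoft-IIS": (7, 0),
}

# Matches the products the report categorises. Tomcat's Coyote connector is
# listed before "Apache" so the longer name wins in the alternation.
BANNER_RE = re.compile(
    r"^(?P<product>Apache-Coyote|Apache|Microsoft-IIS)"
    r"(?:/(?P<version>\d+(?:\.\d+)*))?"
)


def classify_banner(banner):
    """Map a Server header value onto the report's categories.

    Returns (product, major_minor) where major_minor is a tuple such as
    (2, 2), or None when the banner names a product without a version.
    Anything that is not Apache, Coyote or IIS is reported as "Unknown".
    """
    if not banner:
        return ("Unknown", None)
    match = BANNER_RE.match(banner.strip())
    if match is None:
        return ("Unknown", None)
    product = match.group("product")
    version = match.group("version")
    if version is None:
        return (product, None)
    parts = tuple(int(p) for p in version.split("."))
    return (product, (parts + (0, 0))[:2])  # pad "Apache/2" to (2, 0)


def patch_status(product, version):
    """Compare one (product, version) pair against the baseline.

    "current"  - at or above the baseline version
    "outdated" - an earlier major.minor than the baseline
    "unknown"  - no version in the banner, or a product without a baseline
    """
    latest = LATEST_DEC_2009.get(product)
    if latest is None or version is None:
        return "unknown"
    return "current" if version >= latest else "outdated"


def label_for(product, version):
    """Category label in the report's style, e.g. "Apache (unknown version)"."""
    if product == "Unknown":
        return "Unknown"
    if version is None:
        return f"{product} (unknown version)"
    return f"{product} {version[0]}.{version[1]}"


def adoption_report(inventory):
    """Count hosts per category (the report's pie chart) and list the hosts
    whose web server predates the baseline.

    inventory: iterable of (host, server_header) pairs from an organisation's
    own asset inventory.
    """
    counts = Counter()
    outdated = []
    for host, banner in inventory:
        product, version = classify_banner(banner)
        counts[label_for(product, version)] += 1
        if patch_status(product, version) == "outdated":
            outdated.append((host, label_for(product, version)))
    return counts, outdated


def share_percent(counts):
    """Convert category counts into percentage shares (one decimal place)."""
    total = sum(counts.values())
    return {label: round(100.0 * n / total, 1) for label, n in counts.items()}


# Constructed sample inventory (not data from the report): Server header
# values as an organisation might record them for its own hosts.
SAMPLE_INVENTORY = [
    ("www", "Microsoft-IIS/6.0"),
    ("intranet", "Microsoft-IIS/7.0"),
    ("portal", "Apache/2.2.14 (Unix)"),
    ("legacy", "Apache/1.3.41 (Unix) PHP/4.4.9"),
    ("apps", "Apache/2.0.63 (Win32)"),
    ("mail", "Apache"),
    ("java", "Apache-Coyote/1.1"),
    ("cdn", "nginx/0.7.65"),
]

if __name__ == "__main__":
    counts, outdated = adoption_report(SAMPLE_INVENTORY)
    for label, pct in sorted(share_percent(counts).items()):
        print(f"{label:30s} {pct:5.1f}%")
    print("hosts behind the Dec-2009 baseline:", outdated)
```

Banners without a version ("Apache") and products with no baseline (Coyote, nginx) are reported as "unknown" rather than "current", which mirrors the report's "unknown version" and "Unknown" slices: a host whose version cannot be read from its banner still needs a manual check before it is counted as patched.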
SURVEY METHODOLOGY

This survey was conducted via an online survey system that allowed respondents to answer between the 20th January and the 5th February 2010. Email invitations were sent to 133 Macau organizations, ranging from governmental departments to small and medium enterprises, that either have dedicated IT departments or IT professionals as support. Invitations to government departments were sent with the assistance of SAFP, while the remaining invitations were sent out via Manetic. Respondents were classified according to their corresponding industries in Macau. Based on the total sample in this survey, with a total of seventy-seven (77) respondents, we are 9 confident that the margin of error for our sampling procedure and its results is no more than +/- 1. Respondents to this survey were required to be IT professionals who have acquired a certain level of IT knowledge to be deemed competent in the specialized field of Information Security.

LIMITATIONS

Information security is a very complex and broad topic that requires profound knowledge to elaborate a comprehensive research study. Due to the constraints of an online survey, this study intends to provide a general perception of how well organizations consider themselves to be doing in the information security field, rather than an in-depth study drilling down into specific areas. This study might not cover all information security categories, but it does cover most of the critical security areas that organizations and enterprises are concerned with. The evaluation method for assessing the information protection level of Macau industry sectors was calculated as the arithmetic average of the answers from the current survey.
The obtained scores permitted the Implemented Information Security Level and the Effectiveness Level of Security Strategy of government departments and organizations to be drawn graphically, but due to differences in the perception of information security, it is inappropriate to compare the performance of their security strategies directly.
ACKNOWLEDGEMENT

We would like to show our gratitude to SAFP (Direcção dos Serviços de Administração e Função Pública / Public Administration and Civil Service Bureau) for their collaboration and support in this project, as well as to all the participants who have spent their time and contributed to this study.

ABOUT MANETIC ICENTRE

Manetic icentre is a platform aiming to expand the Macau information technology industry's market through the development and promotion of IT solutions, services and skills, as well as directing users to the appropriate Macau information technology resources through portal and enquiry services. Manetic icentre promotes collaboration between different parties including government, small and medium enterprises (SMEs), independent software vendors (ISVs), educational institutes, IT & industry associates and so forth.

CONTACT

Manetic icentre
Av. Infante D. Henrique, no.43-53a, 7 andar, Edf. The Macau Square, Macau
http://icentre.manetic.org
icentre@manetic.org
Tel: (853) 2871 0566
Fax: (853) 2871 0565

This full report is available for download at http://icentre.manetic.org