The precarious state of security in Asia
Security is defined as the state of being protected against danger or loss. In the Internet era, information has to be as valuable and important as the physical aspects of security.
Security remains one of the leading security company and executives of technology. But how does this benefit the users and their managers?
Business innovation led to a reader survey on the extent to which users are familiar with the tools and processes to determine policy in relation to the safety of the company.
How many people do you have dedicated to security?
Of the 316 survey participants, 60% have engaged a small team of 1-5 persons within their IT organization with the security of their infrastructures. Almost 28 percent claimed a larger team dedicated to safety. Twelve percent did not have staff on IT security in their organization.
“Except for very large organizations that are truly dedicated security team, security experts, most of the so-called IT organizations to effectively perform multiple jobs, safety is one of them,” said Henry Ng, Professional Services be manager, Asia, Verizon Business. “To compare the United States, there are few companies in Asia, where a Chief Information Security or ICOS is used to monitor the safety initiatives of the company. In organizations where such function is present, the CISO reports directly to the Chief Executive often, instead of the IOC.”
Have you always found it difficult to measure the security of your company?
More than 51 percent admit they have no way to adequately measure the safety of the company. In addition, 24.6 percent of respondents are unsure how to measure safety, which gives a population of 75.6 percent of respondents with problems measuring security.
This indicates a lack of awareness of internal tools, policies and procedures to ensure an exact measurement, and also points to the inability to justify further investment in the safety of basic security tools like anti-virus software, intrusion detection and intrusion prevention solutions.
How do you measure security? Some solution providers point to the number of incidents that are monitored and measured or remained at the door.
Ng says his team is often invited to cooperate with customers to solve specific security problems. “When it comes to security, most organizations act in response to certain events. Few have particularly the very large companies in the U.S. or Europe based security policy on the basics,” says Ng.
Can you demonstrate effective risk reduction and an improved security situation?
The easiest way to demonstrate risk reduction is that your antivirus software is updated. Most companies have this process automated for users by IT. When a user connects to the network, client antivirus software scans the server for updates. Surprisingly, only 38.6 percent of respondents claim to be able to demonstrate that posture.
Andrew Walls, head of security, risk and privacy at Gartner, said the only way to demonstrate risk reduction and safety performance is to have an effective Security Information and Event Management (SIEM) program.
Research firm Gartner has found that a well-run SIEM produces benefits in a high level of security and in controlling the cost of security.
Walls warns that action needs to be guided by the priorities of the commodities business metrics (collected from security systems and technical processes), analyzed and translated into business terminology.
Do you need help or support for internal or external audits?
A little more than 41 percent said they needed help in terms of internal or external audits. More than 42 percent say they do not need support, while almost 15 percent remain unsure.
on policies, processes and standards. “Avoid the trend of Asian organizations, which leads to internal security practices of the public body to conflicts where Western organizations, the evaluations carried out risk to the safety and compliance audits. Lack of transparency is often a lack of enforcement of security within the organization can lead to negative controls are interpreted,” he added.
Do you comply with standards like Payment Card Data Security Standard, ISO 27001 or other?
Only 20.5 percent of respondents confirm that they comply with specific safety standards. The standards of most of the entries are ISO 27001 and BS7799.
Nearly 54 percent believe that they are not commissioned to meet all safety standards. More than a quarter of respondents are uncertain whether their organizations should support a standard at all.
It is human nature that we operate in a reactive mode, particularly when it comes to security. It should not surprise us that after 11 September 2001 companies set about evaluating and implementing security policies and processes. Even after the earthquake in Taiwan on Boxing Day, 26 December 2006, which affected the undersea communication lines, people scrambled to see whether their systems were compromised.
Do you have a structured method or methods for the management of safety initiatives in the company?
A structured process for managing security initiatives across the company is a rarity in the Asia-Pacific. It is not surprising that 26.3 percent of respondents say they have a structured methodology to secure the organization. Many more (38.2 percent) believe they do not, and, alarmingly, 35.6 percent were not sure whether such a process exists.
The other two groups total 73.8 percent – a number that is a source of concern for regulators and an opportunity for security experts, their performance should be sought on the supply market.
Are you confident about how to prioritize security efforts and funding?
The ability to set priorities means knowledge. Respondents clearly underestimated the size and complexity of the implementation of security policies and strategies. About 45 percent of respondents say they are confident that they know how to prioritize security initiatives and the allocation of resources.
In fact, based on interviews with experts, this is often not the case. It is possible that this perception is largely based on the belief that security is no more than the use of a combination of anti-virus, intrusion detection and prevention solutions.
Do you think that your existing security controls effectively protect against threats, worms and viruses?
The majority (61.9 percent) of respondents indicated that they believe their current configuration is effective in combating infringements caused by worms and viruses. They say it is the trust that the demise of Napoleon
confirmation or certificate to provide to third parties or to meet compliance requirements?
Respondents' confidence in the effectiveness of their safety initiative will be measured by the inability or active measures to confirm the effectiveness of security in terms of hindering compliance.
Only 35.7 percent of respondents have a third-party validation process in place. Forty-four percent do not use external agencies to the 42.7 percent who are not with an external examiner to their security status and 53.9 percent, to not check may be conducted comply with standards.
do not know if their organization is using third parties to carry out the certification.
Many certifications are on the third market for all types of security procedures. “But they only have value as evidence of compliance, if the certification applies to regular reviews of all relevant safety practices based on the standard. The quality of assessment is entirely dependent on the questions raised above: transparency and maturity,” warns Walls.
According to Walls, if an organization is not fully transparent in a certification evaluation to be certified, but then a compliance audit. Transparency is an absolute necessity if your organization is dedicated to managing a serious security risk.
“If the program is for security, not well documented and consistently applied to policies, procedures and standards, certification on hearsay and personal commitments will be based on the employees. It is not sufficient to produce a compliance audit happen,” says Walls.
The test is simple if you have a mature, transparent security program with effective measures. If you do not, audits will always be a struggle.
Market Analysis
How much are companies spending on security solutions? According to IDC, 0.9 billion was spent on IT security solutions in Asia-Pacific (excluding Japan) in 2006. This figure should nearly double to 0.9 billion in 2011.
An IDC Asia / Pacific Communications 2006 study has shown that “the virus” was the top threat by a large margin. This suggests that, despite the aging of secure content management (SCM) technology (including antivirus, web filtering and messaging security), the virus remains a great threat to the company’s IT infrastructure.
/ Es by “bribery or replication of data follows” and “external hackers. It is also interesting that sabotage “employee” also traditionally marked on the list of companies in APEJ on perimeter defense, or what is commonly known as the strategy of focusing “bad attitude things out.”
This result shows that many companies now recognize that it is necessary to set the controls to “keep the good stuff” too.
Willie Low, senior market analyst at IDC Asia / Pacific Infrastructure Software Research, said viruses, worms, Trojans and other malicious software continue to be high on the topics for the consumer. “However, feeds the growing use of RSS, mashups, blogs, web 2.0 and other interactive technologies in the workplace present new security challenges for many IT Manager and many organizations are not prepared for them,” he warns.
“It is no coincidence that we see a lot of information protection and control solutions (systems, to prevent data loss, is be a kind of solution IBC started), for market recently. We can expect to see more in the coming months,” says Holland.
According to Gartner, the three most important security issues or initiatives for the year 2008 in Asia:
New approaches to the provision of IT market explodes. Software as a Service, virtualization, demand for infrastructure, managed services, social networks, grid computing and virtual worlds can have enormous benefits in terms of performance and cost, but they also need new approaches to security. To gain the advantages, companies have to act quickly to improve their security.
. can this risk mitigation through a responsive, coordinated program and corporate security are achieved.
IT initiatives continue to take place without adequate, early involvement of safety in the design process. It costs much more to a system to warn about the costs to a system that is used to think about for sure!
Conclusion
Walls warned that it is impossible to generalize the quality of procedures for safety for the whole Asian region. He reminds us that, as in other areas of the economy, various communities have grown faster than others due to various factors.
“In general, the provision of security policies, processes and methods in the major financial centers in Asia, carried out as Hong Kong, Singapore, Kuala Lumpur, Beijing and Shanghai. The need for security work is motivated by risk-taking entrepreneurs in a society. As companies grow in size, they tend to be rather conservative and risk averse. Therefore, they demand higher security guarantee,” says Walls.
It is therefore natural that companies in financial centers have increased security activities compared to other sectors.
In 2006, China Trust Commercial Bank (CCB) carried out a comprehensive review of its security information. The practice culminated in the achievement of the Cybertrust Security Management Program (SMP) Certification.
According to RUU-Tian Chang, Executive Vice President of the China Trust Commercial Bank, CCB was able to adequately strengthen its program management with information that will help security expertise to identify weaknesses in the external IT systems, the history of improvements and investigate the causes of problems.
The result is a clean bill of health that positions the bank as one of the safest financial institutions in Taiwan.
Ng suggests that the safety initiatives have several features that ensure their survival beyond the table, managed to talk (whether in the boardroom or the War Room, where the execution begins). “The approach must be holistic – not piecemeal tactics can long survive. There should be a baseline against which success or failure can be measured. The initiatives should be reviewed regularly against the prevailing (and perhaps even the speculation) conditions,” said Ng.
Walls offers five best practices in the creation and deployment of a safety initiative:
Understand the priorities of the company behind the initiative.
Determine how to measure the success or failure of the initiative and negotiate such measures with stakeholders.
Prioritize suppliers that have facilities to support on-site assistance in planning, deployment and management.
Entrepreneurs to obtain and users in the operational plan for the organizational support.
Call high, broad appeal, call often! Make sure everyone in for the CEO to be its role in the initiative and will be updated regularly on progress.
What ever want to hear you have to restart and this time was yesterday.