Recognizing the sensitivity and vulnerability
of information stored in databases, 86% of respondents
to a recently conducted survey have expressed the
need for an information security policy. The survey
conducted by the Confederation of Indian Industry (CII)
sought to assess the awareness levels prevalent among
organizations regarding information security needs and
the level of implementation. The survey report, titled
"Report on Information Security Baseline 2005",
also revealed that 38% of companies do not have an information
security policy, of which 7% are indifferent to security
policy.
The survey covered about 100 companies. The respondents
were mostly CEOs and top management of both large and
small organizations. 43% of the organizations surveyed
by CII had more than 500 employees and 38% had fewer
than 100. 26% of respondents belonged to the manufacturing
sector, 14% to consumer goods and 42% were IT/ITES companies,
BPOs, ISPs, consultants, education, insurance, construction,
real estate, financial services etc. 100% of the respondents
used computers.
While an information security policy was high on the
agenda of most companies, the CII survey revealed that
only 16% of participating companies had an assigned
CSO or a CISO. 62% of them had no such post or person.
A greater percentage of companies used traditional business
acumen to protect their data. According to the CII survey,
81% of the respondents felt that their application system
access mechanism was in control and about 79% of them
monitored it regularly. Only about 11% of them did not
have user ID/password protection to protect the data.
The CII survey also revealed that 100% of the respondents
used some form of antivirus, anti-spam and anti-worm
software, 85% used firewalls, IDS and IPS for network
protection, 60% had a database administrator, 67% had
a system administrator, 64% had an email server administrator
and 56% had a network administrator.
89% of the respondents took backups regularly, 70% had
a business continuity plan in place and 63% had a disaster
recovery plan in place, according to the CII survey.
73% of those surveyed by CII had invested in electronic
storage for data protection and backups, 87% in protecting
the operating system, 75% in application protection, 68%
in database protection, 67% in communication protection,
and 79% in firewalls, IDS and IPS for network protection.
62% of the respondents considered financial data as
a priority for protection and 40% considered customer
information as being important.
The CII report also defines risks which were revealed
by the survey. According to the report, topping the
list is the absence of a CSO/CISO in a company. Having
no CSO was an indication of the absence of IT security governance
in an enterprise, reads the survey.
The CII report further identifies a great need for an information
security awareness program among companies. 71% of
the respondents to the CII survey had no security process
certification, a high-risk area.