20% of Companies Lack Formal IT Policies, Standards

According to a new study from Cutter Consortium, 19.7% of companies have no formal IT security policy or standard in place. Of this number, 60% plan to implement a formal IT security policy and security standards by the end of 2000, but 13.3% have no plans to implement any policy.

Sheila Green, a Senior Analyst for Cutter Consortium, believes there could be many factors that contribute to these numbers, including Year 2000 issues. Says Green, "Perhaps some companies are putting off work on their security policy until Year 2000 issues have been resolved. I hope not, because security breaches could go undetected amidst abnormal behavior resulting from or attributed to Year 2000 computer problems."

Green continues, "There has been some concern over security problems being introduced through Year 2000 remediation. An organization that does not have a formal security policy and standards has a greater likelihood of encountering problems during and after the Year 2000 rollover."

Green concludes, "In the fast-changing world of the Internet and distributed computing, it becomes increasingly difficult to keep up with security concerns. So you would expect many companies to look outside their own organization for help with IT security issues, but Cutter's research shows that this is not the case. Only 25% of respondents to our study have used outside consultants to develop IT security policies or standards. Because few companies have in-depth expertise in security issues, the reluctance to use outside consultants indicates that companies are unknowingly putting themselves at risk."

For more information, visit www.cutter.com/consortium.