It is not the insurance companies underwriting business risk, which include security on their checklist of overall company health as part of a standard process, that are driving the risk assessment business. Their insurance reviews are quick and usually not considered strategic. Instead, it is the heightened awareness of security among business managers that is driving demand for information security risk assessment from the major auditing firms such as KPMG, according to Mark T. Lindig, a KPMG partner.

"There is a distinction between what an insurance company is requiring and what managers are asking us to do," says Lindig.

Lindig is the national partner in charge of KPMG's Information Risk Management practice. He has more than 19 years of experience in providing risk management services to clients in multiple industries.

Another strong driver of information security risk assessment is increasing federal regulation of certain industries, including a looming January 2004 deadline for the security certifications now required by the Federal Energy Regulatory Commission of gas, pipeline and electrical utility providers.

And with a deadline of March 2004, the Sarbanes-Oxley Act requires that the management of public companies listed on the stock exchange and regulated by the SEC certify the quality of their controls over financial reporting, one of which is information security.

"If you have a system that is not well controlled from a security perspective, you really cannot rely on the other controls in that system," Lindig suggests.

Typical vulnerabilities KPMG's auditors find when they perform an information security risk assessment include:

  • Default operating system and other strategic software settings on new hardware delivered by the manufacturer. The manufacturers do not want to impose security protocols on their customers, so boxes are delivered "wide open" from a security perspective. Security configuration of new hardware is a requirement.
  • Lack of holistic monitoring. Most companies have firewalls in place, but few correlate the information received from a firewall device with information from network monitors and other sources in order to detect patterns or anticipate attacks.

    "The customer has to tune the monitoring platform for everything they want to monitor," Lindig advises.
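A minimal illustration of the cross-source correlation the second bullet calls for, added here as an example rather than anything from the article or KPMG: firewall denies alone and a single monitor alert alone are noise, but a source that trips both within a short window is a pattern worth an analyst's attention. The log lines and their formats are constructed for this example.

```python
"""Correlate firewall deny events with network-monitor alerts by source address.

Added example, not the article's or KPMG's code. The log formats below are
constructed assumptions; real firewall and IDS formats differ."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample feeds: a firewall deny log and a network monitor (IDS) alert log.
FIREWALL_LOG = """\
2004-01-12 09:00:01 DENY src=198.51.100.7 dst=203.0.113.10 dport=22
2004-01-12 09:00:03 DENY src=198.51.100.7 dst=203.0.113.10 dport=23
2004-01-12 09:00:05 DENY src=198.51.100.7 dst=203.0.113.10 dport=445
2004-01-12 09:10:00 DENY src=192.0.2.44 dst=203.0.113.10 dport=80
"""
IDS_LOG = """\
2004-01-12 09:00:09 ALERT src=198.51.100.7 sig="portscan detected"
2004-01-12 11:30:00 ALERT src=192.0.2.44 sig="bad http request"
"""

FW_RE = re.compile(r"^(\S+ \S+) DENY src=(\S+) .*dport=(\d+)")
IDS_RE = re.compile(r'^(\S+ \S+) ALERT src=(\S+) sig="([^"]*)"')

def parse(text, pattern):
    """Return (timestamp, source_ip, detail) tuples for lines matching pattern."""
    out = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            out.append((ts, m.group(2), m.group(3)))
    return out

def correlate(fw_text, ids_text, window=timedelta(minutes=5), min_ports=3):
    """Flag a source that has firewall denies on at least min_ports distinct ports
    within `window` of a monitor alert. Either feed alone would not be acted on;
    together they show the kind of pattern the article says few companies look for."""
    denies = defaultdict(list)
    for ts, src, port in parse(fw_text, FW_RE):
        denies[src].append((ts, port))
    findings = {}
    for ts, src, sig in parse(ids_text, IDS_RE):
        recent = [(t, p) for t, p in denies.get(src, []) if abs(t - ts) <= window]
        ports = {p for _, p in recent}
        if len(ports) >= min_ports:
            findings[src] = {"alert": sig, "ports": sorted(ports, key=int)}
    return findings

if __name__ == "__main__":
    for src, info in correlate(FIREWALL_LOG, IDS_LOG).items():
        print(f"{src}: '{info['alert']}' after denies on ports {info['ports']}")
```

The window and port threshold are the tuning knobs Lindig refers to; the second source in the sample (one deny, alert two hours later) is deliberately left unflagged to show the thresholds doing their job.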