Study: SA companies not as compliant as they think

18.01.2005
By Nicolas Callegari

A research report commissioned by security specialist Symantec Corp., in conjunction with Deloitte and the local IDC-affiliated research house BMI-T, has revealed that South African companies have some work to do to become compliant with the various pieces of legislation and best practices being enforced worldwide.

According to Symantec regional manager, Patrick Evans, the study was started over two years ago when 50 large companies (with more than a hundred servers) across six vertical sectors were approached to participate.

"We needed local research," states Evans. "Most research reports are all conducted overseas, and, while they are often interesting to read, they do not apply to the local market.

"We also wanted to see how compliant companies really are, because a lot of them just pay lip-service to the fact that they are, but being compliant on paper is very different from actually being compliant," he adds.

Thirty-six of the original 50 companies agreed to participate in the research, which involved Symantec installing its Enterprise Security Manager software and running 250 security tests on each system. Deloitte gathered data from the various systems to be analyzed by BMI-T. The vertical breakdown is as follows: five companies in mining, three in telecoms, eight in banking and financial services, five in commerce, six in government and nine in retail.

According to BMI-T's Lain Machanick, the findings were measured against the ISO-17799 standard, which provides executives with a common reference against which to determine compliance of the enterprise with internationally accepted best practices.

ISO-17799 is the Code of Practice for Information Security, something critical to ensuring that local companies are compliant with the findings of King II and the ECT Act.

Tests were conducted on system elements including user account integrity, login parameters, network integrity, object integrity, OS patches, password strength, registry, start-up files and systems auditing.

According to the report, the most significant findings were that the telecoms vertical was the most compliant; retail fared the worst and faces some very serious challenges; and government was the second-worst vertical, although the report sees promise there within the next 36 months.

Mining and commerce were almost on a par, while banking and financial services was the second most compliant vertical.

When looking at the reasons for noncompliance, a clear pattern emerged: all of the verticals suffered from start-up file vulnerabilities, weak passwords (with the exception of telecoms) and registry entry problems.

BMI-T defines start-up files as the services initiated on start-up of the various systems. It is not that they pose a risk in themselves, but many are not actually used and should be shut down and investigated as a potential security concern, the report says.

Registry entries are predominantly used in operating system-level attacks as they provide an easy access route to critical information on a server or PC.

Some companies may not actually know what most of the entries in their systems' registries are, and these should be closely scrutinized to ensure that entries cannot be used to exploit a potential vulnerability. Password strength is self-explanatory.

"From these findings, it is clear that SA companies are still not aware of the urgent need to embrace security as a business process," Evans says.

However, Evans mentions that security is slowly becoming a focus area in many verticals, especially those where ICT is not the core competency. "We have just signed a record deal with a major mining house in SA with more deals in the pipeline," he adds.

On the whole, however, policy compliance as a key performance indicator is still wrongly practiced as an ad hoc administration function.

"The only way to reach a level where security and policy compliance are embraced as part of the business is firstly to understand the asset value of a specific system, and then create policies around each system," Evans says.

Although it has been pointed out numerous times in the past, compliance remains one of the most important aspects of corporate governance, and is undoubtedly something that local companies need to address.