A survey conducted in June 2002 by Computer Economics revealed that 30% of the organizations polled do not have written IT security policies in place, despite the fact that written policies are key to a successful security effort. Those industry sectors that most often reported having written policies in place included healthcare, manufacturing, and financial and insurance institutions. Conversely, professional services, education, and trade services organizations were most often found not to have a written security policy.
The results of our survey also indicate that the majority of organizations are quite vulnerable, with only 49% of those organizations surveyed having written IT security incident response procedures in place.
The full report, IT Security: Perceptions, Awareness, and Practices, is available to clients of Computer Economics.