Global Financial Services Industry,2004 Global,Security Survey,Contents,Introduction,Page,Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1 Objective of the survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2 How we designed, implemented and evaluated the survey . . . . . .3 Areas covered by the survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5 Who responded . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6 Regional observations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8 Key findings of the survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11 Body of the survey Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16 Investment in security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20 Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21 Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22 Use of security technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . .24 Quality of operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25 Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27 Conclusion Summing up and challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . .29,2004 Global Security Survey,Foreword,It is particularly gratifying for me to write this foreword to the second annual Deloitte Global Security Survey. When we began the first Global Security Survey last year, we could not have anticipated the,excellent response we received from financial institutions around the globe and from the media. This response has supported our desire to have this survey become an annual occurrence and not just a “one off” publication. We intend to continue this tradition on an annual basis. It seems that every year, the importance of information security particularly for financial institutions grows more crucial and the challenges on all fronts continue to mount. Chief among these challenges is meeting the various regulatory initiatives and preparing for potential security threats that have not previously materialized. How does an organization keep information secure while, at the same time, allowing customers access to the information to which they are entitled? How does a company keep shareholders happy by returning good value when cutting costs may mean offshoring, a practice that invites consumer concerns? How does an organization protect its information while opening itself up to customers and partners for revenue growth? And how does an organization balance its stakeholder demands while managing the cost of security solutions to prevent IT attacks? While there are no easy answers to these questions, each one of them is tackled in this Security Survey, some with surprising results. This is a report to which your counterparts, in financial institutions all over the world, have had direct input. Its purpose is to “tell it like it is” the extent to which it does this directly affects its value as a benchmark. We hope that you will find this information useful and that it helps establish organizational direction for a very complex issue. We are deeply indebted to the participants, without whom this survey could not exist. To the Chief Security Officers, their designates, and the security management teams from financial services industry organizations around the world, my heartfelt thank you for the time that you invested in this undertaking. Adel Melek, Partner, Global Leader IT Risk Management & Security Services Global Financial Services Industry Deloitte Touche Tohmatsu 1,Objective of the survey,2,Response to Deloitte Touche Tohmatsus inaugural 2003 Global Security Survey was overwhelming. We have come to the realization that, as financial institutions continue to face an unprecedented number of evolving threats, there will always be a need for the type of information contained in these surveys. We are, therefore, very pleased to present our 2004 Global Security Survey for financial institutions. Deloittes purpose in publishing the results of this survey is to contribute to the protection of the financial services marketplace by sharing current practices and identifying future trends in security and privacy management. The goal of the 2004 Global Security Survey is to help participants assess the state of information security within their organization relative to other comparable financial institutions around the world, and against themselves year over year, to the extent they respond to the survey annually. Overall, the survey attempts to answer the question: How does the information security of my organization compare to that of my counterparts? By comparing the data collected,for the 2004 survey, we can begin to determi