Research Objectives
In order to explore cyber supply chain security practices and challenges further, ESG surveyed 303 IT and information security professionals representing large midmarket (500 to 999 employees) organizations and enterprise-class (1,000 employees or more) organizations in the United States within vertical industries designated as critical infrastructure by the U.S. Department of Homeland Security (DHS). All respondents were familiar with/responsible for their organization’s information security policies and procedures, especially with respect to the procurement of IT products and services. Respondents also had to be familiar with cyber supply chain security as defined previously.
The survey was designed to answer the following questions:
1. Risk management
Has the organization experienced any security breaches? If so, what was the impact?
How would respondents rate the security threat landscape now compared with two years ago? Do respondents expect the threat landscape to get worse over the next two years?
How well prepared is the organization for the current threat landscape?
Is executive management supporting and investing in cybersecurity?
2. Procurement
How important are IT vendors’ security processes in customers’ procurement decisions?
Do critical infrastructure organizations audit the development processes of vendors before purchasing IT products? If so, is there a common model for these audits? Are these standard activities and processes across the enterprise?
Are vendor cybersecurity audits a critical component of IT procurement, or do purchasing managers have the discretion to purchase from IT vendors with sub-par product and process security?
3. Software development
Do critical infrastructure organizations include security considerations as part of their standard software development processes?
Have organizations experienced any security breaches related to internally developed software vulnerabilities?
Do critical infrastructure organizations require their internal developers to be trained in secure software development?
When organizations outsource their software development, are secure development processes a requirement for external outsourcers and contractors?
4. External IT security
To what extent do critical infrastructure organizations currently open their IT systems to external parties such as customers, suppliers, and business partners?
To what extent do critical infrastructure organizations currently consume IT services and applications provided by external parties such as customers, suppliers, and business partners?
How are these relationships secured? Are there formal processes and safeguards in place?
5. The role of the U.S. Federal Government
Do cybersecurity professionals working at critical infrastructure organizations understand the U.S. government’s cybersecurity strategy?
Do critical infrastructure organizations believe that the Federal Government should do more or less in terms of cybersecurity defenses and strategies?
What, if any, specific actions should the Federal Government take?
Survey participants represented industries designated as critical infrastructure by the U.S. Department of Homeland Security (DHS). These industries include agriculture and food, banking and finance, communications, defense industrial base, energy (utilities, oil, and gas), transportation systems, water supply, health care, etc. For more details, please see the Research Methodology and Respondent Demographics sections of this report.