What Color is Your Infosec and Audit Program?

October 5, 2009 by jhurleyitpcg

Does your organization operate in the red when it comes to information security and audit? Or are you like 7-in-10 others, operating in the yellow? Might you be one of the top 10 operating in the green?

Size and industry do not matter when it comes to better protecting customer data, delivering higher levels of IT service, or passing regulatory audits. Larger organizations with more capabilities, more resources and more talent fare no better at protecting customer data than do small businesses with fewer resources and less capital. And, firms in more highly regulated industries are having, on average, the same level of difficulty passing regulatory audits as organizations in less regulated industries.

Neither size nor industry plays an important role in driving better service levels for IT.

What matters?
Simply put: practices for infosec and audit!

It’s the practices that are implemented, or not, that are most responsible for driving better results. Which of the following practices has your organization implemented?

- Distribution of IT policies for adoption and exceptions
- Managing information security outside of IT operations
- Delivering training to employees and contractors
- Continuously monitoring critical IT assets
- Conducting ongoing assessments of business conditions and risks

All of the best-in-class organizations, operating in the green, experience the lowest rates of data loss or theft, the least business downtime due to IT failures or disruptions, the fewest problems with regulatory audit in IT, and spend the least on information security and audit.

Find out how the color – and the details – of your practices compare with the experience of more than 3,000 organizations in Guidance for Best Practices for Information Security and IT Audit, at the IT Policy Compliance Group (see link below).

Additional information:

IT Policy Compliance Group report:

www.itpolicycompliance.com/research_reports

ISACA: www.isaca.org

PCI: www.pcisecuritystandards.org

ISO: www.iso.org

NIST: www.nist.gov

ITIL: www.itil-officialsite.com

Proven Recipes for Better Security Outcomes

September 21, 2009 by jhurleyitpcg

If experience is the best teacher, then the votes are in: organizations using CobiT and COSO to guide information security and IT audit practices are the winners.
Based on results from the latest benchmark, what’s being used for practice guidance strongly influences outcomes. The results include:

- Managing the integrity of information: CobiT and COSO by 30x
- Information security practices: CobiT and COSO by 23x
- Managing compliance with audit: CobiT and COSO by 16x
- Managing information security policies: unacceptable risks by 4x
- Managing business risks from IT: COSO and CobiT by 17x

Practice guidance among the 1 in 10 organizations with the best outcomes – least loss or theft of sensitive data, highest IT service levels, and fewest problems with regulatory audit – is dominated by the use of CobiT and COSO. Thirty times more of these organizations use CobiT and COSO for managing the integrity of information, while 23 times more rely on these two forms of guidance for information security practices and procedures. These organizations also employ PCI (even when not subject to PCI audits), ISO, NIST and internal standards at far higher levels than all other organizations.
In contrast, 7 in 10 organizations rely on legal guidance for security policies and on SCAP and CVE to manage the integrity of information. The worst outcomes are being experienced by organizations with little-to-no guidance for their information security and IT audit practices.

Obtain the freely available benchmark report to compare your practices against the best performers today:

Guidance for Best Practices in Information Security and IT Audit

Additional information sources:
IT Policy Compliance Group report: www.itpolicycompliance.com
CobiT and COSO: www.isaca.org
PCI:  www.pcisecuritystandards.org
ISO: www.iso.org
NIST:  www.nist.gov
ITIL: www.itil-officialsite.com

Are we secure enough?

February 23, 2009 by jhurleyitpcg

Are we secure enough?
This oft-heard question in IT is usually accompanied by: “what happens if we reduce the budget (for information security) by 10 percent this year?”

Quick-thinking managers cite stories about self-insurance, premiums on house insurance policies, and which part of the house the organization can’t rebuild after the organizational house burns down.

But the best practitioners engage senior leadership with an ongoing business and financial risk assessment program, one that manages the budget for information security with a focus on the biggest business and financial risks from the use of IT.

By allocating spend for information security and audit on practices that drive better results, these organizations are experiencing returns of 200 percent and more, each year. The benefits of managing the budget to manage the risks include:

- the lowest rates of data loss or theft

- the least business downtime from IT failures and disruptions

- the fewest problems with regulatory audits

In addition, these organizations spend less than half of what others are spending on audit fees and expenses each year.

If you are being requested, or told, to do more with less this year, then it pays to find out what’s actually working to reduce risks, reduce costs and improve results. See the latest research, Managing Spend on Information Security and Audit for Better Results, from the IT Policy Compliance Group.

Links:
www.itpolicycompliance.com

www.itpolicycompliance.com/research_reports/spend_management/read.asp?ID=14

New interactive benchmark tools: legal data hold

October 1, 2008 by jhurleyitpcg

New interactive benchmarking tools have been added to the IT Policy Compliance Group site. The new benchmark tools include:

- Finding the maturity of your legal data custody practices
- Determining how much money can be saved by improving practices
- Determining how much time can be saved by improving practices

The new interactive tools make it easier to see the financial implications of current practices. By themselves, the tools do not provide the ability to diagnose how current practices compare with others. However, the full research report, Improving Results for the Legal Custody of Information, contains this information.

A few highlights from the report:

A few of the best practices implemented by organizations with the lowest exposure to legal settlements and fees, and expenses in IT, include:

- Notifying affected employees of legal holds on information within one hour
- Maintaining evidence about the handling of information
- Inventorying and indexing information for rapid search

Find out more:

Find out about the other best practices, including information categories that should be targeted for automation. Interactive tools and the full benchmark research report, Improving Results for the Legal Custody of Information, provide insight into the financial impact of practices along with the practices and capabilities that are driving down expenses for best-in-class firms.

Check out some blogs with great background material, including:

Blog managed by Bon Krantz and Jeffery Fehrman

http://eddblogonline.blogspot.com

Blog managed by Rick Wolf

http://wolfs2cents.wordpress.com

Legal discovery: Beyond the lawyer jokes

September 9, 2008 by jhurleyitpcg

Jokes about lawyers are funny because there is a ring of truth to them.

A few sites worth visiting for some reality laughs include:

http://www.ahajokes.com/lawyer_jokes.html

http://www.stus.com

If you have sites with funnier content: share them.

But seriously, lawyers contribute an invaluable and multi-faceted approach to discovery that is hard to find in other professions. Legal discovery could be sanctioned for a class action injury case, a product liability inquiry, lack of adequate controls for guarding personally identifiable information, or medical malpractice among other purposes.

When it comes to legal discovery, information is king, and in this age of electronic information the courts have ruled that organizations have specific obligations to preserve, protect, find and produce information that could be subject to a discovery request.

No joking when it comes to legal discovery

What do lawyers say are the best practices for avoiding problems and reducing costs when it comes to legal requests governing information?

A few of the top recommendations include:

- Establishing ground rules for reasonable anticipation of litigation
- Indexing as much information as possible to drive down costs
- Implementing standard procedures for information formerly on hold

Find out …

- About other recommendations from legal counsels
- About the intimate relationship between IT and legal functions
- What the best practices are among firms with the lowest expenses
- How much you can save by improving current practices

Interactive tools (below) and the full benchmark research report, Improving Results for the Legal Custody of Information (below), provide insight into the financial impact of practices along with the practices and capabilities that are driving down expenses among best-in-class firms.

www.itpolicycompliance.com/interactive-tools/

www.itpolicycompliance.com/research_reports/

Another great resource is the Electronic Discovery blog

www.electronicdiscoveryblog.com

Jim Hurley

Spending on Legal Data Holds and Custody too High for Most

September 5, 2008 by jhurleyitpcg

Like a majority of organizations, your firm probably overspends on legal settlements, legal services and expenses in IT to find, produce, protect and preserve information in response to legal requests and holds on information.

Recent news about events at Oracle Corporation — see the Forbes and Wall Street Journal articles (links below) — confirms that legal requests for information are not confined to any one industry or size of organization. Nor is the problem confined to the U.S., as the recent Bloomberg article about information the European Union is seeking from BHP Billiton (link below) shows.

How much is too much?
Based on the benchmarks conducted by the IT Policy Compliance Group (IT PCG), about two-in-ten firms are spending 16-to-18 times more on legal services, settlements and internal expenses to find, produce, protect and preserve information than the organizations with the most mature practices.

While this is the extreme case, a majority of organizations — seven-in-ten — are spending 5-to-6 times more on legal settlements, legal fees, and internal expenses to find, produce, protect and preserve information in response to legal requests for information.

Find out what works to improve results and reduce expenses
Visit the IT Policy Compliance Group (www.itpolicycompliance.com), play with the interactive benchmarking tools (link below) and download your own copy of the benchmark research report, Improving Results for the Legal Custody of Information (link below).

The interactive tools and benchmark research provide fact-based insight that will enable you to assess:

- The maturity of your firm’s practices
- What your peers are spending on legal settlements, fees and IT expenses
- How much you can save by improving practices
- Which practices your organization can target to improve results and spend less

Interactive tools at IT PCG:
www.itpolicycompliance.com/interactive-tools 
Research Report at IT PCG:
www.itpolicycompliance.com/research_reports/it_governance/read.asp?ID=13
Forbes:
www.forbes.com/markets/2008/09/04/oracle-software-update-markets-equity-cx_ra_0904markets37.html
Wall Street Journal: 
http://blogs.wsj.com/law/2008/09/03/softwar-smackdown-discovery-flap-ends-badly-for-oracles-ellison/
Bloomberg:
www.bloomberg.com/apps/news?pic=20601081&sid=afc0XEbY5.kM&refer=australia

Jim Hurley

New Research from ISACA

August 8, 2008 by jhurleyitpcg

ISACA Research: Top Business/Technology Challenges and Opportunities

New research from ISACA, conducted with 3,173 professionals from around the world, highlights the top business and technology challenges and opportunities facing organizations today.

The top, rank-ordered, business issues facing organizations include:

  1. Regulatory compliance
  2. Enterprise-based IT management and IT governance
  3. Information security management
  4. Disaster recovery and business continuity
  5. IT value management
  6. Managing IT risk
  7. Compliance with financial reporting
  8. Continuous process improvement and business agility
  9. Vulnerability management
  10. Collaborative value chain management
  11. Modernization and consolidation of IT systems, assets and applications

This freely available report provides insight into the challenges facing many organizations, and the opportunities awaiting firms that solve the challenges. Among the interesting findings contained in this report are the divergent priorities across IT auditors, IT management and IT security functions within organizations.

This report is definitely worth the read.

Insight on What’s Working to Improve Results

The results of the ISACA survey are similar to those from the ongoing IT Policy Compliance Group (IT PCG) benchmarks, where regulatory compliance, IT governance, risk management, and information security top the list of challenges and opportunities for improvement among organizations.

For a comprehensive view of what’s working to improve results, download the recent IT PCG 2008 Annual Report. This research report provides a wealth of insight into the practices that are resulting in improvements to revenue, profits, customer retention, regulatory compliance, business continuity, the protection of sensitive data, and the management of IT value.

In addition, the Interactive Tools at the IT PCG site quantify how business outcomes are changing, in multiple regions and currencies around the world, from improvements made in IT for the same challenges and opportunities cited by the ISACA research findings.

Jim Hurley

Reducing the cost of audit

July 3, 2008 by jhurleyitpcg

Reducing your spend on regulatory audit costs

Is spending on audit too high, and projected to climb further in the coming years? Are more audits required this year than two years ago? If you answer yes to these questions, you aren’t alone.

While many firms continue to spend more on audit, others are actually spending less. The benchmarks conducted by the IT Policy Compliance Group (IT PCG) confirm this: firms with the most mature practices consistently spend less on audit fees.

Lower annual spending on audit fees is just one area of savings being realized by these organizations. In addition, they significantly drive down internal costs, including in IT, to support and sustain regulatory audit.

What are the potential savings?

The benchmarks show that among firms with the most mature practices, the level of spend on overall regulatory compliance is 50 percent lower, each year, than all other organizations of the same size, and in the same industry. Wouldn’t that be a nice bit of change to put to better use?

These 50 percent annual reductions in overall spend on regulatory audit include: legal services; professional service audit fees; other external services related to audit, and internal expenses to support and sustain audit results.

What’s realistic for savings?

Interviews with members indicate that 50 to 55 percent reductions are on the very high-side of what’s possible. More typical reductions, specifically for regulatory audit fees among the mature firms, are in the range of 30 percent: still significant and worth looking into.

Do the savings apply to all audits?

There is less opportunity in some situations than others to reduce audit fees. For example, some IT PCG members in government and utilities say that sole-sourced mandatory audits don’t leave much wiggle room for negotiating lower fees. But for audits where there are multiple sources of professional services, there is greater leeway to “talk turkey”, as it were.

The caveat: savings by negotiating multiple bids, without improving the maturity of practices internally, are only going to cost more down the road. Once the replacement firm determines it can no longer profitably service your business, you are stuck with the same inefficient practices that are going to cost more with the next firm. Anyone can negotiate incremental year-over-year reductions. Based on the benchmarks, the sustainable savings are coming from automating the procedures and practices, year in and year out.

What can you do?

- Talk with your peers about their experience
- Identify multiple – often overlapping – audits and service sources. You might be surprised by what you find.
- Separate the influence of competitive bidding from practice maturity to determine sustainable savings
- Use the Interactive Tools at the IT Policy Compliance Group site to identify the upside
- Establish realistic targets for what you’d like to achieve over the next three years
- Implement the practice maturities that are shown to improve results

For more information

For more information on who is spending less, and what they do to improve internal procedures and practices, see the results from the benchmarks:

- 2008 Annual Report: IT GRC – Improving Business Results and Mitigating Financial Risks
- Interactive Tools

These can all be accessed from the IT PCG home page:

www.itpolicycompliance.com

Try our new IT GRC Interactive Tools

June 3, 2008 by itpcg

The IT Policy Compliance Group has introduced several interactive tools on our web site to help you assess the maturity of your IT governance, risk and compliance practices. The tools demonstrate the impacts of various IT GRC maturity levels on your financial and business risks and results, as well as listing the practices and capabilities proven to improve the effectiveness of IT. All the tools utilize the research results from our 2008 Annual Report on IT Governance, Risk and Compliance.

Start exploring these tools by going to the Interactive Tools page on our web site. The first thing you need to do is assess your current IT Governance, Risk and Compliance Maturity Level. Then, if you’ve registered as a member of the site, you can access the other tools, which include:

  • Business results for varying IT GRC maturity levels as they impact revenues, profits, customers
  • Financial risks related to customer data loss or theft for varying IT GRC maturity levels
  • Financial risks of IT failures and disruptions for varying IT GRC maturity levels
  • Cost savings of overall regulatory compliance spending for varying IT GRC maturity levels
  • Cost savings in terms of time spent on demonstrating IT compliance for varying IT GRC maturity levels
  • Best practices for improving IT GRC maturity levels presented in pdf format.

As a member, be sure to download the Quick Guide for Interpreting Your IT-GRC Interactive Tool Results to help you get the most value from the information provided by the tools.

IT GRC maturity FAQ

May 16, 2008 by jhurleyitpcg

Q: How do you define IT GRC?

Other than the three broad definitions contained in the research report (2008 Annual Report: IT Governance, Risk and Compliance), all revolving around IT governance, risk management and compliance, we aren’t defining it. Rather, we’re letting the findings from the primary benchmark research, going back almost two years, define what IT GRC is.

Q: How do you define maturity?

We really aren’t defining maturity either, other than to map business results against an existing, well-accepted and widely employed maturity scale. In this sense, we’re simply standing on the shoulders of giants, especially ISACA, the IT Governance Institute, The IIA, and our other supporting members, CSI, Protiviti and Symantec. The only thing we did was to map business reward and risk results from the benchmarks against a capability maturity scale that is already widely accepted and used.

Q: What motivated you to do this report?

About a year ago we were being tasked by our supporting members, who are our board of directors, to identify the business impact of the improvements that organizations are making in audit, regulatory compliance, IT assurance and security. In addition, members and advisors of the Group were asking for more insight into the practices that were working to improve results at other organizations.

At about the same time, we noticed that the firms experiencing poor results for regulatory compliance were the exact same firms with the highest loss or theft of customer data and the largest financial loss from these events. The benchmark data also revealed the converse was true: firms with the best regulatory compliance results were the same firms with the least loss of sensitive data and the lowest financial losses from these events. Similarly, we found the majority of organizations operating at the norm for regulatory compliance were the same ones with moderate levels of customer data loss and financial loss from these events.

We were a little surprised at the time because the benchmarks were not designed to uncover this. It simply resulted from asking the question: is there a relationship between the two sets of outcomes, and which organizations are experiencing these results?

To find the relationship we first employed logical tests on the raw data, which resulted in very high levels of correlation. For example, we simply added up all the firms with the poorest results for one set of business outcomes (high levels of regulatory audit problems) and tested to find out if these were the same firms experiencing the poorest results for other outcomes (high levels of customer data loss or theft). The data showed they are the same firms. We also found the opposite to be true: the firms with the best results were almost identical across all of the business metrics measured by the benchmarks. We also conducted statistical variance testing to make sure we weren’t missing anything.

We expanded the effort to business disruptions and their financial impact, as well as revenue, profit, and customer-related metrics for the improvements being made to compliance and data protection. We went back through nearly two years of identical questions and came up with nearly identical population distributions for all these results, even though different firms participated in the research.

Q: Do highly regulated industries do better?
We originally thought that industry segment might influence results and that highly regulated industries would be doing better. But we were wrong: industry segment and high levels of regulation do not influence results. The best example I can give is the banking industry, where there is more of a disposition – and population distribution – toward lower maturity and poorer results than the overall industry results. And, if you’ve been in IT shops in banking, you know it’s highly regulated with lots of audits.

What’s responsible for better results then?
The inescapable conclusion we came to — especially after seeing the results for the actions being taken by firms to respond to audits, regulations, losses and theft of customer data, and the differences in the practices being implemented to respond to these pressures — is that it is the practices, and the capabilities firms have to take action, that are driving better, and worse, results.

We continued testing different business outcomes and purposely used seed questions to try to disprove the connection between practices and business outcomes. The additional tests confirmed the earlier results. As they say, and as we’ve documented from the research, the correct practices do make perfect.

Q: So, how did you come up with the practices?

We didn’t. The practices and capabilities shown in the report are a direct result of the research. After mapping the business results to the well-accepted maturity scale, we simply let the practices fall out at each level of business results. Each of the practices cited in the report, and especially in the tables in Appendix A, is directly related to the business outcomes at each level. The practices are a direct reflection of the business outcomes. The key finding is: if you implement the practices, the organization is going to retain customers better, increase revenue, be more profitable, and be much less likely to experience downside business risk and loss – as these relate to things that can – and do – go wrong from the use of IT.

Q: What advice would you have for someone looking to improve their results?

Take a look at the report (2008 Annual Report on IT Governance, Risk and Compliance). Or, if you don’t want to wade through an entire 80-page report, and who can blame you, take a quick drive by the site (www.itpolicycompliance.com) and check out the Interactive Tools.

These provide, in a quick five minutes, the essence of what the report is about. After that, I’d recommend downloading the GRC CMM tables. Once you have the information from the tools and the tables, you can quickly identify the gaps and shortfalls and what needs to be done to improve results.

Jim Hurley