Who Manages Information Security?

February 9, 2010 by jhurleyitpcg

Does it matter who manages the information security function in your organization?

Apparently it does!

Benchmark results from 2008 through 2009 show the following:

Organizations experiencing the worst outcomes
Impacting 2 out of every 10 organizations, the dominant profile of organizations experiencing the worst outcomes (most loss or theft of customer data, most downtime from IT failures, largest problems with IT audit findings) has either a systems or network administrator or a manager or director in IT operations in charge of information security.

Those experiencing normal industry outcomes
Affecting 7 out of every 10 organizations, those with normal industry profiles (for data loss or theft, business downtime from IT failures and regulatory audit snafus in IT) manage the information security function through the senior leader of IT operations or a chief security officer (CSO).

Organizations with the best outcomes
Those with the least loss or theft of customer data, the lowest rates of business downtime from IT failures and the fewest problems with IT audit are managing information security through a senior manager of IT assurance or a chief information security officer (CISO).

While there are always exceptions, the findings so evidently link outcomes with organizational structure that it may pay to look at the impact management structure is having on how well you are able to protect customer data, how productively IT assets are being managed and how costly it is to pass audit with few problems to fix.

Find out more in the latest research report, Best Practices for Managing Information Security, at: www.itpolicycompliance.com.

We’re interested in hearing from you: do you have a unique management structure that is working, or not working?

jhurley@itpolicycompliance.com

As always, you can find out more from one of our charter members: www.itgi.org, www.isaca.org, www.theiia.org, www.gocsi.com, www.protiviti.com, www.symantec.com

Apparently Uncommon Security Practices

December 29, 2009 by jhurleyitpcg

Firewalls are so common that all organizations implement and maintain firewalls, right?

If you think this is the case, think again!
The 2009 Data Breach Investigations Report issued by the Verizon Business Risk Team finds that 7-in-10 organizations experiencing data breaches are not deploying or maintaining firewalls.
More stunning findings from the investigations include: 9-in-10 organizations do not implement controls to protect cardholder data, 19-in-20 do not implement or maintain secure systems and applications, 6-in-7 organizations fail to regularly test technical and procedural information security controls, and the same number of firms either have no policies or do not maintain policies for information security.

What are the risks?
If your information security practices are like the firms from the Verizon study and you are with a small business, the risk of a data breach is 1-in-10 each year and the likely financial impact is 4 percent of revenue. For midsize organizations with similar practices, the risk of a data breach is 1-in-4 each year and the likely financial impact is 5 percent of revenue. Larger enterprises with similar practices for information security are most at risk, with a 1-in-1.4 chance of experiencing a data breach each year and a likely financial impact of 7 percent of revenue.

What can you do to improve your odds?
See the latest research report highlighting the practices making a difference for organizations with the best track-records for protecting sensitive customer information.

Additional sources:
2009 Data Breach Investigations Report
http://securityblog.verizonbusiness.com/
Guidance for Best Practices in Information Security and IT Audit
http://www.itpolicycompliance.com/research_reports/latest_report/read.asp?ID=15
Jim Hurley

What Color is Your Infosec and Audit Program?

October 5, 2009 by jhurleyitpcg

Does your organization operate in the red when it comes to information security and audit? Or are you like 7-in-10 others, operating in the yellow? Might you be one of the top 10 operating in the green?

Size and industry do not matter when it comes to better protecting customer data, delivering higher levels of IT service, or passing regulatory audits. Larger organizations with more capabilities, more resources and more talent fare no better at protecting customer data than do small businesses with fewer resources and less capital. And, firms in more highly regulated industries are having, on average, the same level of difficulty passing regulatory audits as organizations in less regulated industries.

Neither size nor industry plays an important role in driving better service levels for IT.

What matters?
Simply put: practices for infosec and audit!

It’s the practices that are implemented, or not, that are most responsible for driving better results. Which of the following practices are implemented by your organization?

- Distribution of IT policies for adoption and exceptions
- Managing information security outside of IT operations
- Delivering training to employees and contractors
- Continuously monitoring critical IT assets
- Conducting ongoing assessments of business conditions and risks

All of the best-in-class organizations, operating in the green, experience the lowest rates of data loss or theft, the least amount of business downtime due to IT failures or disruptions, the fewest problems with regulatory audit in IT, and spend the least on information security and audit.

Find out how the color – and the details – of your practices compare with the experience of more than 3,000 organizations in Guidance for Best Practices in Information Security and IT Audit, at the IT Policy Compliance Group (see link below).

Additional information:

IT Policy Compliance Group report:

www.itpolicycompliance.com/research_reports

ISACA: www.isaca.org

PCI: www.pcisecuritystandards.org

ISO: www.iso.org

NIST: www.nist.gov

ITIL: www.itil-officialsite.com

Proven Recipes for Better Security Outcomes

September 21, 2009 by jhurleyitpcg

If experience is the best teacher, then the votes are in: organizations using CobiT and COSO to guide information security and IT audit practices are the winners.
Based on results from the latest benchmark, what’s being used for practice guidance strongly influences outcomes. The results include:

- Managing the integrity of information: CobiT and COSO by 30x
- Information security practices: CobiT and COSO by 23x
- Managing compliance with audit: CobiT and COSO by 16x
- Managing information security policies: unacceptable risks by 4x
- Managing business risks from IT: COSO and CobiT by 17x

Practice guidance among the 1 in 10 organizations with the best outcomes – least loss or theft of sensitive data, highest IT service levels, and fewest problems with regulatory audit – is dominated by the use of CobiT and COSO. Thirty times more of these organizations use CobiT and COSO for managing the integrity of information, while 23 times more rely on these two forms of guidance for information security practices and procedures. These organizations also employ PCI (even when not subject to PCI audits), ISO, NIST and internal standards at far higher levels than all other organizations.
In contrast, 7 in 10 organizations rely on legal guidance for security policies and on SCAP and CVE to manage the integrity of information. The worst outcomes are being experienced by organizations with little-to-no guidance for their information security and IT audit practices.

Obtain the freely available benchmark report to compare your practices against the best performers today:

Guidance for Best Practices in Information Security and IT Audit

Additional information sources:
IT Policy Compliance Group report: www.itpolicycompliance.com
CobiT and COSO: www.isaca.org
PCI: www.pcisecuritystandards.org
ISO: www.iso.org
NIST: www.nist.gov
ITIL: www.itil-officialsite.com

Are we secure enough?

February 23, 2009 by jhurleyitpcg

Are we secure enough?
This oft-heard question in IT is usually accompanied by: “what happens if we reduce the budget (for information security) by 10 percent this year?”

Quick-thinking managers cite stories about self-insurance, premiums on house insurance policies, and which part of the house the organization can’t rebuild after the organizational house burns down.

But the best practitioners engage senior leadership with an ongoing business and financial risk assessment program, one that manages the budget for information security so that it is focused on the biggest business and financial risks from the use of IT.

By allocating spend for information security and audit on practices that drive better results, these organizations are experiencing returns exceeding 200 percent each year. The benefits of managing the budget to manage the risks include:

- the lowest rates of data loss or theft
- the least business downtime from IT failures and disruptions
- the fewest problems with regulatory audits

In addition, these organizations spend less than half of what others are spending on audit fees and expenses each year.


If you are being requested, or told, to do more with less this year, then it pays to find out what’s actually working to reduce risks, reduce costs and improve results. See the latest research, Managing Spend on Information Security and Audit for Better Results, from the IT Policy Compliance Group.

Links:
www.itpolicycompliance.com

www.itpolicycompliance.com/research_reports/spend_management/read.asp?ID=14

New interactive benchmark tools: legal data hold

October 1, 2008 by jhurleyitpcg

New interactive benchmarking tools have been added to the IT Policy Compliance Group site. The new benchmark tools include:

- Finding the maturity of your legal data custody practices
- Determining how much money can be saved by improving practices
- Determining how much time can be saved by improving practices

The new interactive tools make it easier to see the financial implications of current practices. By themselves, the tools do not provide the ability to diagnose how current practices compare with others. However, the full research report, Improving Results for the Legal Custody of Information, contains this information.

A few highlights from the report:

A few of the best practices implemented by organizations with the lowest exposure to legal settlements and fees, and expenses in IT, include:

- Notifying affected employees of legal holds on information within one hour
- Maintaining evidence about the handling of information
- Inventorying and indexing information for rapid search

Find out more:

Find out about the other best practices, including information categories that should be targeted for automation. Interactive tools and the full benchmark research report, Improving Results for the Legal Custody of Information, provide insight into the financial impact of practices along with the practices and capabilities that are driving down expenses for best-in-class firms.

Check out some blogs with great background material, including:

Blog managed by Bon Krantz and Jeffery Fehrman

http://eddblogonline.blogspot.com

Blog managed by Rick Wolf

http://wolfs2cents.wordpress.com

Legal discovery: Beyond the lawyer jokes

September 9, 2008 by jhurleyitpcg


Jokes about lawyers are funny because there is a ring of truth to them.

A few sites worth visiting for some reality laughs include:


http://www.ahajokes.com/lawyer_jokes.html

http://www.stus.com


If you have sites with funnier content: share them.


But seriously, lawyers contribute an invaluable and multi-faceted approach to discovery that is hard to find in other professions. Legal discovery could be sanctioned for a class action injury case, a product liability inquiry, a lack of adequate controls for guarding personally identifiable information, or medical malpractice, among other purposes.

When it comes to legal discovery, information is king, and in this age of electronic information the courts have ruled that organizations have specific obligations to preserve, protect, find and produce information that could be subject to a discovery request.


No joking when it comes to legal discovery

What do lawyers say are the best practices for avoiding problems and reducing costs when it comes to legal requests governing information?


A few of the top recommendations include:

- Establishing ground-rules for reasonable anticipation of litigation
- Indexing as much information as possible to drive down costs
- Implementing standard procedures for information formerly on hold

Find out …

- About other recommendations from legal counsels
- About the intimate relationship between IT and legal functions
- What the best practices are among firms with the lowest expenses
- How much you can save by improving current practices

Interactive tools (below) and the full benchmark research report, Improving Results for the Legal Custody of Information (below), provide insight into the financial impact of practices along with the practices and capabilities that are driving down expenses among best-in-class firms.


www.itpolicycompliance.com/interactive-tools/

www.itpolicycompliance.com/research_reports/


Another great resource is the Electronic Discovery blog

www.electronicdiscoveryblog.com


Jim Hurley

Spending on Legal Data Holds and Custody too High for Most

September 5, 2008 by jhurleyitpcg

Like a majority of organizations, your firm probably overspends on legal settlements, legal services and expenses in IT to find, produce, protect and preserve information in response to legal requests and holds on information.

Recent news about events at Oracle Corporation — see the Forbes and Wall Street Journal articles (links below) — confirms that legal requests for information are not confined to any one industry or size of organization. Nor is the problem confined to the U.S., as the recent Bloomberg article about information the European Union is seeking from BHP Billiton (link below) shows.
How much is too much?
Based on the benchmarks conducted by the IT Policy Compliance Group (IT PCG), about two-in-ten firms are spending 16-to-18 times more on legal services, settlements and internal expenses to find, produce, protect and preserve information than the organizations with the most mature practices.

While this is the extreme case, a majority of organizations — seven-in-ten — are spending 5-to-6 times more on legal settlements, legal fees, and internal expenses to find, produce, protect and preserve information in response to legal requests for information.

Find out what works to improve results and reduce expenses
Visit the IT Policy Compliance Group (www.itpolicycompliance.com), play with the interactive benchmarking tools (link below) and download your own copy of the benchmark research report, Improving Results for the Legal Custody of Information (link below).

The interactive tools and benchmark research provide fact-based insight that will enable you to assess:

- The maturity of your firm’s practices
- What your peers are spending on legal settlements, fees and IT expenses
- How much you can save by improving practices
- Which practices your organization can target to improve results and spend less

Interactive tools at IT PCG:
www.itpolicycompliance.com/interactive-tools
Research Report at IT PCG:
www.itpolicycompliance.com/research_reports/it_governance/read.asp?ID=13
Forbes:
www.forbes.com/markets/2008/09/04/oracle-software-update-markets-equity-cx_ra_0904markets37.html
Wall Street Journal:
http://blogs.wsj.com/law/2008/09/03/softwar-smackdown-discovery-flap-ends-badly-for-oracles-ellison/
Bloomberg:
www.bloomberg.com/apps/news?pic=20601081&sid=afc0XEbY5.kM&refer=australia

Jim Hurley

New Research from ISACA

August 8, 2008 by jhurleyitpcg

ISACA Research: Top Business/Technology Challenges and Opportunities

New research from ISACA, conducted with 3,173 professionals from around the world, highlights the top business and technology challenges and opportunities facing organizations today.

The top, rank-ordered, business issues facing organizations include:

  1. Regulatory compliance
  2. Enterprise-based IT management and IT governance
  3. Information security management
  4. Disaster recovery and business continuity
  5. IT value management
  6. Managing IT risk
  7. Compliance with financial reporting
  8. Continuous process improvement and business agility
  9. Vulnerability management
  10. Collaborative value chain management
  11. Modernization and consolidation of IT systems, assets and applications

This freely available report provides insight into the challenges facing many organizations, and the opportunities awaiting firms that solve the challenges. Among the interesting findings contained in this report are the divergent priorities across IT auditors, IT management and IT security functions within organizations.

This report is definitely worth the read.

Insight on What’s Working to Improve Results

The results of the ISACA survey are similar to those from the ongoing IT Policy Compliance Group (IT PCG) benchmarks, where regulatory compliance, IT governance, risk management, and information security top the list of challenges and opportunities for improvement among organizations.

For a comprehensive view of what’s working to improve results, download the recent IT PCG 2008 Annual Report. This research report provides a wealth of insight into the practices that are resulting in improvements to revenue, profits, customer retention, regulatory compliance, business continuity, the protection of sensitive data, and the management of IT value.

In addition, the Interactive Tools at the IT PCG site quantify how business outcomes are changing, in multiple regions and currencies around the world, from improvements made in IT for the same challenges and opportunities cited by the ISACA research findings.

Jim Hurley

Reducing the cost of audit

July 3, 2008 by jhurleyitpcg

Reducing your spend on regulatory audit costs

Is spending on audit too high, and projected to climb further in the coming years? Are more audits required this year than two years ago? If you answer yes to these questions, you aren’t alone.

While many firms continue to spend more on audit, others are actually spending less. The benchmarks conducted by the IT Policy Compliance Group (IT PCG) confirm this: firms with the most mature practices consistently spend less on audit fees.

Lower annual spending on audit fees is just one area of savings being realized by these organizations. In addition, they significantly drive down internal costs, including in IT, to support and sustain regulatory audit.

What are the potential savings?

The benchmarks show that among firms with the most mature practices, the level of spend on overall regulatory compliance is 50 percent lower, each year, than all other organizations of the same size, and in the same industry. Wouldn’t that be a nice bit of change to put to better use?

These 50 percent annual reductions in overall spend on regulatory audit include legal services, professional service audit fees, other external services related to audit, and internal expenses to support and sustain audit results.

What’s realistic for savings?

Interviews with members indicate that 50 to 55 percent reductions are on the very high-side of what’s possible. More typical reductions, specifically for regulatory audit fees among the mature firms, are in the range of 30 percent: still significant and worth looking into.

Do the savings apply to all audits?

There is less opportunity in some situations than others to reduce audit fees. For example, some IT PCG members in government and utilities say that sole-sourced mandatory audits don’t leave much wiggle-room for negotiating lower fees. But, for audits where there are multiple sources of professional services, there is greater leeway to “talk-turkey” as it were.

The caveat: savings by negotiating multiple bids, without improving the maturity of practices internally, are only going to cost more down the road. Once the replacement firm determines it can no longer profitably service your business, you are stuck with the same inefficient practices that are going to cost more with the next firm. Anyone can negotiate incremental year-over-year reductions. Based on the benchmarks, the sustainable savings are coming from automating the procedures and practices, year in and year out.

What can you do?

- Talk with your peers about their experience
- Identify multiple – often overlapping – audits and service sources. You might be surprised by what you find.
- Separate the influence of competitive bidding from practice maturity to determine sustainable savings
- Use the Interactive Tools at the IT Policy Compliance Group site to identify the upside
- Establish realistic targets for what you’d like to achieve over the next three years
- Implement the practice maturities that are shown to improve results

For more information

For more information on who is spending less, and what they do to improve internal procedures and practices, see the results from the benchmarks:

- 2008 Annual Report: IT GRC – Improving Business Results and Mitigating Financial Risks
- Interactive Tools

These can all be accessed from the IT PCG home page:

www.itpolicycompliance.com