
What Color is Your Infosec and Audit Program?

October 5, 2009

Does your organization operate in the red when it comes to information security and audit? Or are you like 7-in-10 others, operating in the yellow? Might you be one of the top 10 operating in the green?

Size and industry do not matter when it comes to better protecting customer data, delivering higher levels of IT service, or passing regulatory audits. Larger organizations with more capabilities, more resources and more talent fare no better at protecting customer data than do small businesses with fewer resources and less capital. And, firms in more highly regulated industries are having, on average, the same level of difficulty passing regulatory audits as organizations in less regulated industries.

Neither size nor industry plays an important role in driving better service levels for IT.

What matters?
Simply put: practices for infosec and audit!

It’s the practices that are implemented, or not, that are most responsible for driving better results. Which of the following practices are implemented by your organization?

- Distribution of IT policies for adoption and exceptions
- Managing information security outside of IT operations
- Delivering training to employees and contractors
- Continuously monitoring critical IT assets
- Conducting ongoing assessments of business conditions and risks

All of the best-in-class organizations, operating in the green, experience the lowest rates of data loss or theft, the least business downtime due to IT failures or disruptions, the fewest problems with regulatory audits in IT, and spend the least on information security and audit.

Find out how the color – and the details – of your practices compare with the experience of more than 3,000 organizations in Guidance for Best Practices for Information Security and IT Audit, at the IT Policy Compliance Group (see link below).

Additional information:

IT Policy Compliance Group report:

www.itpolicycompliance.com/research_reports

ISACA: www.isaca.org

PCI: www.pcisecuritystandards.org

ISO: www.iso.org

NIST: www.nist.gov

ITIL: www.itil-officialsite.com

New interactive benchmark tools: legal data hold

October 1, 2008


New interactive benchmarking tools have been added to the IT Policy Compliance Group site. The new benchmark tools include:

- Finding the maturity of your legal data custody practices
- Determining how much money can be saved by improving practices
- Determining how much time can be saved by improving practices

The new interactive tools make it easier to see the financial implications of current practices. By themselves, the tools do not provide the ability to diagnose how current practices compare with others. However, the full research report, Improving Results for the Legal Custody of Information, contains this information.

A few highlights from the report:

A few of the best practices implemented by organizations with the lowest exposure to legal settlements and fees, and expenses in IT, include:

- Notifying affected employees of legal holds on information within one hour
- Maintaining evidence about the handling of information
- Inventorying and indexing information for rapid search

Find out more:

Find out about the other best practices, including information categories that should be targeted for automation. Interactive tools and the full benchmark research report, Improving Results for the Legal Custody of Information, provide insight into the financial impact of practices along with the practices and capabilities that are driving down expenses for best-in-class firms.

Check out some blogs with great background material, including:

Blog managed by Bon Krantz and Jeffery Fehrman

http://eddblogonline.blogspot.com

Blog managed by Rick Wolf

http://wolfs2cents.wordpress.com