Does protecting customer data pay?

May 14, 2008 by itpcg

We all sort of instinctively know that doing the right thing should result in better outcomes. This includes safeguarding and protecting customer data. The problem: unless it happened recently to you, no one could prove that it resulted in better business outcomes.

Well, the evidence is in. Not only is protecting customer data the right thing to do, it pays handsomely, including:

- Much higher revenues

- Larger profits

- Increased customer satisfaction and retention

- Lower financial loss and risk

- Significantly lower spending on regulatory compliance

- Better alignment between business objectives and IT capabilities

Many instinctively assume that improving IT practices to influence business outcomes, manage risks and deal with regulatory audits is the right thing to do, but no one could quantify the results.

Now, the 2008 Annual Report from the IT Policy Compliance Group quantifies just how much the organizations with the most mature practices and capabilities for IT governance, risk and compliance are delivering and how.

Furthermore, new interactive tools at the IT Policy Compliance Group, based on benchmark results from more than 2,600 organizations around the world, provide a quick way to assess your own organization and what you can do to improve results.

To find out more, see:

- 2008 Annual Report, IT Governance, Risk and Compliance improving business results and mitigating financial risk

- the new Interactive Tools

at the IT Policy Compliance Group.

www.itpolicycompliancegroup.com

Jim Hurley

Update on e-discovery rules

April 3, 2008 by itpcg

After more than a year since new federal rules for the discovery of electronic information took effect, it appears awareness among affected companies has grown, though confidence in being able to meet those rules has actually declined. Journalist Christopher Hord reports on the cross-disciplinary efforts of one state organization's IT group and some of its advantages in our cover story this month.

John Ortbal, Editorial Director

Europe behind US in PCI compliance

March 15, 2008 by itpcg

Journalist Mathew Schwartz examines PCI compliance in Europe, noting that security breaches in North America and the UK appear to have spurred more attention on PCI there than in most countries in the European Union. The lack of a "credit card culture" in mainland Europe could explain the minimal interest in and awareness of PCI, according to Schwartz, as could the lack of a unified data breach notification requirement for the EU. Will it take a major credit card breach to increase visibility and compliance requirements in Europe? There's nothing like a major scare to motivate organizations to take action.

John Ortbal, Editorial Director

New research from the ITPCG

January 2, 2008 by itpcg

New research content has been placed on the Site (www.itpolicycompliance.com) since publication of the Core Competencies for Protecting Sensitive Data report.

Simply navigate the Guidance area of the Site for the following:

- Leaders are spending less time on compliance
- Leaders are spending 44 percent less money on compliance
- Benchmarking your spending on compliance
- How much data loss and theft will cost your organization
- How often data loss and theft will occur for your organization
- Profiles of firms with the most, and least, data losses and thefts
- The primary causes of data loss and theft
- Prevent or fix data loss, theft and compliance deficiencies: you decide
- What works: actions that are reducing data loss and theft
- What works: the frequency of controls assessment
- What works: auditing of more business functions
- What works: number of control objectives and controls
- What works: detecting unauthorized use or change
- What works: preventing unauthorized use or change

These short, one-page summaries are focused on core findings from the benchmarks, are easy to navigate through, and provide a quick snapshot of some of the more important findings. As always, we appreciate your feedback.

Jim Hurley

Want to better manage risk?

December 19, 2007 by itpcg

As a former practitioner and manager of internal audit, Dave Richards, the President of The Institute of Internal Auditors (www.theiia.org), brings a great deal of experience and first-hand knowledge to the subject of managing risk. According to Dave, and others I've spoken with recently, the three areas to focus on to reduce risk are:

- Senior management involvement
- Managing fraud
- Managing technology

The gist of the discussions around the importance of management focus and involvement is that if senior managers do not encourage a culture of ethics and compliance within the organization, then risk from all sources increases, with outcomes ranging from minuscule to really big headaches.

Managing fraud is about planning for the inevitable. Despite the best of intentions, management support, controls and assessments, people are always going to figure out how to beat the system. Planning ahead for the really big outcomes, likely scenarios and predictable events needs to be complemented with agility and the ability to respond rapidly. Whether due to internal or external sources, some of the new ways in which fraud is occurring are covered at www.fraudwar.blogspot.com.

Paying careful attention to how fraud is committed through the use, and misuse, of technology is more important today than it was last year, two, five, and ten years ago. But you shouldn't assume that all uses of technology are identically available to fraudsters. When was the last time you used a cell phone, a spreadsheet, a website, a laptop, a telephone, a facsimile machine, a credit report, a bank statement, an electric typewriter, a money order, issued an invoice or reviewed a purchase order? Do you know how these are being used to commit fraud today? Do you know how these, and the different technology-assisted successors to these, are being used to commit fraud today?

What do you think?

- Are other factors more important than these three?

Jim Hurley

Are you feeling “over-controlled?”

December 12, 2007 by itpcg

In the past month I had a conversation with a colleague about his clients' feelings that they were "over-controlled." The discussion identified a few of the reasons the people in these organizations are feeling "over-controlled", including:

- Lots of audits
- Many different audit standards and frameworks
- Going through the motions, and not reducing core business risk

One of the solutions to this miasma is to consolidate audit control statements across many different audit frameworks. This is simply doing it once and making it repeatable: a good practice. However, another thought occurred to me after our conversation: maybe we aren't measuring enough. Are we relying too heavily on static controls to deal with dynamic user error, and subterfuge, to stem loss or theft of sensitive data?

Human beings are always ten steps, or more, ahead of controls. Gaming the system and figuring out how to maximize gain seems to be a well-learned part of the human condition. The ingenuity and creativity of people goes far beyond the limits imposed by static procedural and technical controls. An interesting take on this can be found at realtime-itcompliance (see: http://www.realtime-itcompliance.com/2007/11/show_home_alone_to_raise_socia.htm), where the movie "Home Alone" is recommended for training and education about social engineering.

So, in addition to consolidating control statements to more cost-effectively manage the existing audit load, should we be looking at adding dynamic systems for managing risk, whereby the 5% to 10% of policy violations falling outside the norm are actively managed and the other 90% to 95% of routine violations are collapsed into the "audit log"? This is a practice that has met with great success in most industries, as well as in finance and manufacturing among other business functions. In fact, manufacturing went overboard with Six Sigma. 5% to 10% exception management ought to work for audit, IT general controls and data protection.

What are your thoughts:

- Is your organization feeling over-controlled?
- Have you figured out how to do audit once, and make it repeatable?
- Are you delivering entertaining ways to educate the workforce?
- Is exception-based risk management a reality or a pipe dream?
- Are you managing by exception today?

Jim Hurley

How many control objectives do you have?

December 11, 2007 by itpcg

I just returned from a seminar in Las Vegas where I asked the attendees, "How many control objectives (policies for regulatory compliance) does your organization have?" The answer: "Which, the ones for CobIT? We have more than 300 for CobIT (the de facto audit standard for Sarbanes-Oxley)."

Afterwards, it occurred to me that many of us may be confusing control objectives with control statements, the procedures that implement controls, and the technical controls that implement procedures. Control statements are very specific to each framework and each specific audit. There are the 300-plus control statements associated with CobIT for SOX, the ubiquitous ISO 17799 and 27000 control directives, and specific PCI DSS statements and tests, among many others. If we're confusing control objectives (policies) with controls (procedures that implement policy), we may all be battling an overgrown forest.

When paired with compartmented teams often spun-up to pass different compliance audits (“I just need to pass PCI this quarter”, “we have to pass the OCC audit this month, another team is working on SOX”, etc.), it is probably not surprising that organizations are complaining about spend on regulatory audit.

Aligning business risk with policy and then mapping control objectives (policy) to control statements may be seen as too much of a luxury when you're knee-deep, cutting paths for the auditors through the thickets, brambles, and new-growth trees. Unfortunately, the paths tend to become ensnarled with new growth again when the auditors return the following month, quarter, or year.

The research results (www.itpolicycompliance.com) are overwhelming: the fewer the number of risk-based control objectives, the better the results for protecting sensitive data and sailing through regulatory audit.

The questions I still have are these:

- How many control objectives does your firm have?
- Are you confusing control statements or controls (procedures that implement an objective or policy) with control objectives (policy)?
- Is there an opportunity to reduce costs by consolidating redundant control statements across multiple audits?

Jim Hurley

Do you have a policy about customer data?

December 10, 2007 by itpcg

I recently returned from an IT security-focused conference in Hawaii (first time ever in Hawaii) where I asked the people attending, "How many of your organizations have a policy in place about protecting customer data?"

- Three people out of a hundred in the room raised their hand.

Not being sure whether they heard me or not, I repeated the question, just to be sure.

- Only three hands were visible out of a hundred people.

Other than being dumbstruck by such a small response, the results are scary, especially considering all of the events that have occurred in the past year. I thought that protecting customer data would have become an autonomic "OOMMM ....... we shall not lose customer data ..... OOMMM" mantra that everyone could salute.

Apparently, the protection of customer data has not yet become a major issue, or not enough of one that it registered among the organizations of the attendees at this conference. Funny, but I always thought IT security was ultimately about the integrity, availability, and yes, confidentiality, of data.

The practical experience of firms that have lost customer data, and the documented research findings (see www.itpolicycompliance.com), make it abundantly clear: the loss of customer data costs reputations, customers, and money: lots of money.

So my question remains:

- Does your firm have a policy in place that says, "We will not lose, nor have stolen, customer data"?

Jim Hurley

New ITPCG research report now available

December 5, 2007 by itpcg

Be sure to download the IT Policy Compliance Group's (IT-PCG) latest research report, "Core Competencies for Protecting Sensitive Data." You have to register as a member first if you haven't already. Once you've logged in, you'll see the download button for the report in PDF format.

This current benchmark research reveals an intimate relationship between financial outcomes, sustained competitive advantage, data protection and regulatory compliance. You'll learn about the practices, procedures and organizational strategies being implemented by organizations with the least loss and theft of sensitive data. The report is based on responses from more than 450 organizations globally, and shows that only one in ten organizations is in a position to adequately protect sensitive data.

Welcome to our Blog

December 4, 2007 by itpcg

The IT Policy Compliance Group has officially launched its own blog this week to help facilitate useful conversations about timely topics in IT policy compliance. Our goal is to provide a forum that gives our members and the general public a voice to express what is working—and not working—when it comes to creating and implementing more effective and efficient IT policies. We welcome your comments and suggestions.