Hackers Shift Attacks to Small Firms

July 21, 2011 by

A front-page story in the Wall Street Journal on 21 July 2011 says it all: small and midsize businesses are now at much greater risk.

Don’t believe it or think it’s just more scare tactics? Read the story for yourself at the WSJ.

If the link only provides you a summary, search for “Hackers Shift Attacks to Small Firms”.

Some of the key findings in the story:

In 2009, of the 141 incidents of cyber-theft from businesses reported by the U.S. Secret Service and Verizon, 27 percent (38 events) involved small businesses with fewer than 50 employees.

One year later, in 2010, the same sources report that 63 percent of the 761 reported cyber-theft events (479 events) involved small businesses with fewer than 50 employees.

The numbers from the Secret Service and Verizon are buttressed by similar findings in Symantec’s Internet Security Threat Report.

Shocking as the shift in the percentages is, the increase in the raw number of reported events shows just how prevalent cyber-theft against small business is becoming: a staggering increase of more than 12-fold from one year to the next, between 2009 and 2010. And these figures do not include the cyber-thefts that go unreported and unknown, a number that is probably more substantial than is realized.

Case in point: the small business featured in the Wall Street Journal article, City News, located in Chicago. The owner of City News, Mr. Angelastri, did not know that for a full year cyber-thieves had placed malware on the invoicing systems he used to process credit card payments. The malware siphoned credit card data to cyber-thieves who had set up shop at a hosting site located in Russia. Who knows where they are really located: no one is saying, if they know. And Mr. Angelastri to this day does not know.

A small merchant, Mr. Angelastri does about $1 million in sales annually according to the article in the Wall Street Journal, and he is still paying off loans totaling $22,000 for forensics examinations and security improvements so that he can continue accepting credit card payments and stay in business.

Staggering numbers!
Data from ongoing benchmarks conducted by the IT Policy Compliance Group reveal a disturbing trend since 2008, including:

In 2008
22 percent of all organizations experiencing the highest rates of security problems with a material financial impact were small businesses and mid-size firms with less than $50 million in annual sales.

In 2009
The share of small businesses among the firms with the most problems jumped to 27 percent.

In 2010
This figure increased to 34 percent.

As of the second quarter of 2011
This figure stands at 40 percent.

In the United States, this translates into 2.3 million firms, which is 44 percent of all firms with less than 500 employees.

The threat is not limited to the U.S., as small merchants and midsize businesses in Frankfurt, Manchester, Paris, Milan, Singapore, Dubai, Sydney, Tokyo, Toronto, Mexico City, Minsk and many other locations around the world will attest.

If anything, the Wall Street Journal article shines a spotlight on a trend that has long been underway: cyber-thieves are now focused on ill-gotten gain by targeting small businesses.

Unfortunately, Cyber-thieves have discovered small firms have some of the weakest controls and practices in place when it comes to information security.

On-site interactive assessments conducted by the IT Policy Compliance Group reveal small business owners and midsize firms routinely self-rate their practices and ability to deflect cyber-threats at a 1 or 2 level, on a 5-point scale. This is the equivalent of an “F” or “D” letter grade: not good enough when it comes to handling finances.

A majority of small businesses do not have staff that understand what is needed for preventive or detective controls, technical and non-technical, to manage the risks of doing business online, despite the fact that many are now using online invoicing, payment processing and banking services.

For instance, an average of 76 percent of small and midsize businesses with less than $50 million in annual sales are not using any information security controls: simply staggering! The averages can be misleading however. For example, 53 percent are not using firewalls and 52 percent are not using anti-virus and anti-malware controls, while 81 percent are not employing anything to test for vulnerabilities.

Small and midsize merchants using credit card processing systems are required to abide by strictures put in place by the PCI DSS standard. This standard, developed over years of common-sense use, is widely credited with helping small, midsize and large firms understand – and hopefully improve – practices needed for adequate information security practices.

Penalties and sticks only go so far
However, the benefits of PCI DSS have been a stick rather than a carrot. For instance, penalties for not complying can include not being able to transact credit card payments at all, as Mr. Angelastri discovered. The primary benefit of the PCI standard continues to be the ability to accept and process credit card transactions. As anyone will attest, incentives work better than sticks to drive behavior, and most people and organizations find easier ways to avoid sticks.

Incentives drive behavior
What would have helped Mr. Angelastri, and will help the millions of other small business owners and midsize firms, is a carrot to complement the existing PCI DSS stick. Such a carrot might involve tax credits for beefing up and implementing best-practice controls for information security, controls that are largely missing among a majority of small businesses. The competitive interests at stake should be obvious to most firms and governments in all nations, not just the United States.

We can hope that small business supporters, such as the Chamber of Commerce among others, can help drive this kind of carrot-based approach in the U.S. and give small business owners a fighting chance against Cyber-thieves.

What about inside the Beltway? Let’s first see which adults in Washington are able to resolve the tax and debt negotiations before August 2nd.

Beyond the U.S., support from the Euro Zone, individual countries and even the IMF or World Bank may be needed. The problem is not going away without adequate incentives, practices and knowledge that can be readily consumed by small and midsize organizations, including government agencies.


Cloud Security Governance Reputation

June 7, 2011 by

White hat/black hat, white-list/black-list, which witch is which?

The old saw about White lists/Black lists is continuing to make the rounds. Which approach your organization uses for governing its Cloud-based outsourcing — assuming IT has anything to say about Cloud-contracts at your organization — is going to make the difference between organizational survivability, or not.

The old White-list/Black-list approach to security is predicated on a simple duality:

(1) White list: nothing is allowed until approved

(2) Black list: anything is allowed until proven to be harmful

In truth, we tend to run a combination of these two approaches for information security in the IT operations on our own premises.

White hat
The first approach assumes that nothing can be trusted. It is accompanied by “white-lists” for known good people, procedures, web-sites, applications, databases, smart-phones, systems, hypervisors, networks, credentials and information. Examples of these include current homeland security screening procedures at airports in the US, email filters and firewall rule-sets among others.

Black hat
The second approach assumes that everything can be trusted. It is accompanied by “blacklists” for known-bad people, procedures, web-sites, applications, databases, smart-phones, systems, hypervisors, networks, credentials and information. Examples of these include most restaurants and retail establishments, email filters, and most contemporary antivirus and malware detection engines except Norton.

Other examples
Operating systems are designed on the principle that users are not competent enough to avoid making a mess of things. Kernel-mode operations in operating systems are reserved for highly privileged procedures and applications, including such things as device drivers, network drivers, storage drivers, memory management and schedulers, to name but a few. Poor old users are subject to the whims of less- and least-privilege by design. The same is true for networking equipment and software, databases, user accounts, directories, web applications and entire swaths of enterprise-class applications.

The white-hat/black-hat discussions are just another indication of split-seams in the age-old approaches to security. And, the debate is going to become more poignant for those organizations that are proceeding to outsource more of their IT to “the cloud.”

While it is possible to lock down your applications, interfaces, management interfaces and input validation, implement squeaky-clean coding and change management practices, and use whatever combination of white-list/black-list you’d like, you cannot control some of the things that happen at your Cloud provider, including:

• Hypervisors from being hi-jacked at your Cloud provider

• Hijacked root privileges of co-tenants from overwriting your database tables

• Pornography from ending up on your web-site

• Your data from being siphoned-off by criminal gangs.

Reputation: the missing component
Although there is much discussion about which approach is better, the debate is flawed: it misses the key issue of reputation from which we then create “known-bad” or “known-good” mental-markers that are the basis for black-lists and white-lists. For example, if you had a reputation-scale for Cloud-providers, as in a simply rated consumer-reports article, would this make it easier to make a more optimal decision?

This does not mean that “white-lists” or “black-lists” are not useful. Indeed, where “bad” is known, black-lists serve a very useful purpose to augment known-good “white-lists.” However, the reality is that a combination of such lists (black- and white-lists) cannot account for 100 percent of interactions, people, software, or Cloud providers. In most circumstances you’ll have both white- and black-lists accounting for about 33 percent of a known universe, especially for large universes with imperfect information, which is what the Internet is. In “best-case” scenarios, you’ll cover 66 percent of a smaller known universe using such lists.

Why reputation
The unknown 67 percent (or 33 percent if you are fortunate) is why “reputational analysis” becomes the default procedure for weeding through the unknown, especially large unknown sets.
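As an added example (not code from the original post), the following Python sketches the three-tier decision the post describes, from the white-list/black-list duality above through the reputation fallback for the unknown remainder: a known-good list answers first, a known-bad list second, and anything on neither list is scored from reputation evidence. The provider names, evidence fields, weights and thresholds are constructed assumptions for illustration only.

```python
"""Allow-list / deny-list decision with a reputation fallback (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    REVIEW = "review"   # unknown entity and reputation evidence is inconclusive


@dataclass
class ReputationEvidence:
    """Constructed evidence fields for a provider or domain (assumed, not real)."""
    age_days: int              # how long the entity has been observed
    independent_audits: int    # third-party attestations on file
    reported_incidents: int    # publicly reported security incidents
    prevalence: int            # how many peers already use or vouch for it


def reputation_score(ev: ReputationEvidence) -> float:
    """Map evidence to a score in [0, 1]; the weights are illustrative assumptions."""
    age = min(ev.age_days, 1825) / 1825            # saturates at five years
    audits = min(ev.independent_audits, 3) / 3     # saturates at three audits
    prevalence = min(ev.prevalence, 100) / 100     # saturates at 100 peers
    penalty = min(ev.reported_incidents * 0.25, 1.0)
    raw = 0.3 * age + 0.3 * audits + 0.4 * prevalence - penalty
    return max(0.0, min(1.0, raw))


@dataclass
class Policy:
    allow: Set[str]                 # known-good "white-list"
    deny: Set[str]                  # known-bad "black-list"
    allow_threshold: float = 0.7    # reputation at or above this: allow
    deny_threshold: float = 0.3     # reputation at or below this: deny

    def decide(self, name: str, ev: Optional[ReputationEvidence] = None) -> Tuple[Decision, str]:
        # Tier 1: known-bad wins over known-good, so a conflict fails closed.
        if name in self.deny:
            return Decision.DENY, "deny-list"
        # Tier 2: known-good list.
        if name in self.allow:
            return Decision.ALLOW, "allow-list"
        # Tier 3: the unknown remainder falls through to reputation analysis.
        if ev is None:
            return Decision.REVIEW, "no-evidence"
        score = reputation_score(ev)
        if score >= self.allow_threshold:
            return Decision.ALLOW, f"reputation={score:.2f}"
        if score <= self.deny_threshold:
            return Decision.DENY, f"reputation={score:.2f}"
        return Decision.REVIEW, f"reputation={score:.2f}"


def list_coverage(policy: Policy, universe: Iterable[str]) -> float:
    """Fraction of the universe the two lists settle without any reputation lookup."""
    names = list(universe)
    known = sum(1 for n in names if n in policy.allow or n in policy.deny)
    return known / len(names) if names else 0.0


def classify_universe(policy: Policy, universe: Iterable[str],
                      evidence: Dict[str, ReputationEvidence]) -> Dict[str, Tuple[Decision, str]]:
    """Run the three-tier decision over every name in the universe."""
    return {n: policy.decide(n, evidence.get(n)) for n in universe}


# Constructed sample universe of six providers; the names are placeholders.
SAMPLE_POLICY = Policy(allow={"provider-a", "provider-b"}, deny={"provider-x"})
SAMPLE_EVIDENCE = {
    "provider-c": ReputationEvidence(age_days=3650, independent_audits=3, reported_incidents=0, prevalence=80),
    "provider-d": ReputationEvidence(age_days=30, independent_audits=0, reported_incidents=2, prevalence=1),
    "provider-e": ReputationEvidence(age_days=1095, independent_audits=1, reported_incidents=0, prevalence=40),
}
SAMPLE_UNIVERSE = ["provider-a", "provider-b", "provider-c", "provider-d", "provider-e", "provider-x"]

if __name__ == "__main__":
    # The lists settle half of this universe; reputation has to handle the rest.
    print(f"list coverage: {list_coverage(SAMPLE_POLICY, SAMPLE_UNIVERSE):.0%}")
    for name, (decision, reason) in classify_universe(SAMPLE_POLICY, SAMPLE_UNIVERSE, SAMPLE_EVIDENCE).items():
        print(f"{name:12} {decision.value:7} via {reason}")
```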

As an example, rudimentary reputation-analysis has been practiced by generations of societies and has proven very useful, and mainly successful. Moreover, reputation has been the default for most of our recorded history. Reputation-based interactions in business, politics, religion, the arts and sciences are the basis for that which we trust: and it is my bet that this is where we are headed for information security.

For example, one of the leading reputation solutions on the market is the Symantec Norton security tools that use reputation-analysis to populate both white- and black- lists based on reputational-evidence. Although this represents a breakthrough for information security tools, there is so much more that can be done with reputational security and governance.

Can you imagine what could be different if reputational analysis were baked into other components, such as:

• Two-factor authentication tokens
• Firewalls
• Cryptography
• Virtual-private networks
• User accounts and directories
• Intrusion detection engines
• URL engines
• DNS services

While waiting for such services to “come-to-market” as it were, do your due-diligence, and then do your own due-care, whichever approaches you decide to settle on, but remember: it’s all about reputation, and your reputation in the Cloud needs to be controlled.

My bet is that “reputation-based” risk management, information security and governance is what makes-the-difference for people, organizations and governments. Hopefully we’ll get beyond the chimera of White-list/Black-list long-enough to understand how the lists were created. After all, it is what goes into making up the lists that has to be trusted, or not.

Related research

Reputation-Based Governance

Testing Security

Application Security: Whitelist Vs. Blacklist

Security of Cloud Providers Study

Schneier on security

Security Due Care – What’s it Worth?

June 1, 2011 by

As of mid-day on Wednesday the 1st of June 2011 (US time), some recent events reported in print and online venues include:

– The trojan affecting Mac users is eluding the fix Apple supplied
– L-3 Communications is the 2nd known SecurID hack of a defense contractor
– More malware has infected Google’s Android marketplace (smartphones)
– Insider theft recently cost BoA $10 million
– Cookie-jacking is a new threat-vector for anyone using IE
– The Playstation breach is estimated to cost Sony $171 million
– More flaws are found in CAPTCHA
– Credit processors are being targeted by spammers
– Lockheed Martin suspends remote access after 1st known SecurID hack
– Hacktivists attack PBS over WikiLeaks disagreements
– Bank in Australia cancels 10,000 credit cards due to an un-named security breach
– Backdoor passwords to networking gear are leaked online
– Pentagon taking stance that cyber warfare is an attack

A good source for updated information can be found at The Register.

And this is just mid-week: hopefully the back half of the week will be slower. Whether events are publicly reported or not, the trajectory of evidence indicates we are in a period of active attacks on targets of opportunity, be these for financial or political reasons. Gone are the days of the script-kiddies pulling a new hack for bragging rights.

What do High Performance Organizations (HPOs) share in common?

1. The least amount of data theft or loss
2. The fewest problems with regulatory audit
3. The highest levels of business uptime in IT
4. The highest customer attraction and retention rates
5. Revenue and profit levels that define and dominate markets

Security is apparently not easy to do.

But, if you’re not spending enough money on it – then it’s easy to do, because you’re ignoring it.

Just don’t tell this to investors, regulators or attorneys: standards for due-care could be jaw-breakers.

Questions to Ask Before Flying into the Cloud

May 24, 2011 by

Think Cloud computing is the cat’s meow? I guess it depends on your role, function, needs and objectives – and whether you are prepared to answer some very hard questions about the business risks you are taking on.

If you are with a small or midsize business attempting to service new customers and new geographies the lure of on-demand metered IT is hard to ignore. And, if you are with a larger organization attempting to better align operating or capital expenses, the opportunity to reduce non-core expenses is also hard to ignore.

The sticky problem that won’t go away: you lose control over the applications, systems, information and intellectual property that may be flowing through the Cloud. Worse, there are reports of some organizations already experiencing applications, business procedures and critically sensitive information being hijacked from the multi-tenant virtual systems that dominate among most Cloud providers.

What is your reputation, customer trust, customer loyalty, intellectual property, customer data, and employee data worth? Is your cloud provider responsible for these or are you?

Do your Cloud providers have deep enough pockets for these exigencies, and can you even ink a contract covering indemnities for what could be a business disaster?

What happens to your data when your Cloud provider outsources his obligations to you to a third or fourth party? Or, what happens to your data if a few bad-apples working at a Cloud provider set up their own data-brokerage business, with your data?

Beyond the obvious business risks from the loss of priceless intangibles, does the provider deliver the necessary physical controls to protect your information, or appropriate disaster recovery controls in case a disaster strikes their operations and puts your business on hold?

And then there’s the problem of information security. If you are not spending enough on it now, is your cloud provider financially incentivized to deliver better information security than you can provide yourself? Can she or he deliver secure-enough identity, information protection and infrastructure protection to guarantee or warranty your risks?

Lastly, what will you do to meet the needs of the auditors and regulators, and how will this be factored into the one-stop shopping menu of a Cloud provider that you might be asked to select from?

Unfortunately there are no easy answers here: only an obvious Cloud-trajectory and a lot of questions that many organizations are wrestling with and attempting to sandbox around.

Whatever you do, factor-in your own accounting and controls to manage the business risks before flying into the Cloud: otherwise you may not emerge.

What’s Your Threat & Vulnerability Quotient?

May 23, 2011 by

Are you really doing everything you need to make sure your sensitive information, systems, applications and databases are NOT in the hands of the bad-guys?

Do you even know where your information and IT assets are, and whether they are being used without your knowledge?

Visit: www.ITPolicyCompliance.com/Assessments to find out more

Find out if you are exercising due care compared to your industry and peers by using the assessments at IT Policy Compliance Group.

Focused on antivirus, vulnerability testing, pen-testing, IT asset patching and configuration management practices, the assessment shows how your practices for managing vulnerabilities and threats rank against others in your industry, your peers and best performing organizations, and the impact your practices have on:

• Delivering more or less value from IT
• Business downtime
• Data loss and theft
• Time spent on regulatory audit
• You relative to your industry
• You relative to your peers
• You relative to best performing organizations

Based on research benchmarks conducted with thousands of organizations, the quick two-minute assessments deliver a rapid diagnostic to determine whether you are ahead or behind your competitors, and how far behind the best performers you may be.

More importantly, the intuitive risk-indexes of the assessments enable you to identify changes that will:

• Increase the value delivered by IT
• Reduce business downtime
• Reduce data loss or theft
• Reduce the time and money spent to pass and sustain audits

Who should be interested: managers in IT security and operations, audit, risk, and compliance

Time to value: minutes

Regardless of size or industry, most organizations are continuously looking to improve operational effectiveness across all functions, and IT is no exception. Assess yourself and your organization today with the Assessments@ITPolicyCompliance.

Related Research:

– Why Vulnerability Management Pays
– Best Practices for Managing Information Security
– What Color Is Your Information Risk – Today?
– How High Performance Organizations Manage IT

See Latest research for more.

How High Performance Organizations Manage IT

April 28, 2011 by

Your highest performing competitors are using IT to:

• Gain your customers
• Retain more customers
• Post revenue that is 5 percent higher than your industry average
• Record profit that is 5 percent higher than average
• Significantly reduce business risk related to the use of IT

What do these High Performance Organizations (HPOs) share in common?

It’s not industry and it’s not size:
although larger-size companies and certain industries do exhibit tendencies toward better outcomes when compared with others.

It’s not just profit and revenue:
some of the highest revenue generators and profit-makers are achieving results from short-term financial shuffling, not from operations.

Spend on IT, information security and audit matter
One defining characteristic of HPOs is the outsize-spend being allocated to IT, information security and audit by these winner-take-all competitors, as follows:

• Spending on IT that is 70 percent higher than industry average

• Spending on information security is 100 percent higher than industry average

• Spending on audit is 50 percent higher than industry average

Top-line spending on IT by HPOs is allocated to:

• Attracting customers
• Retaining customers
• Financial opportunity
• Market advantage
• Competitive advantage

Spend to manage business risk by HPOs is allocated to:

• Information security
• Audit
• Frequent assessments of change in the environment
• Controls to manage risk-reward
• Contextual scorecards for operating responses
• Contextual scorecards about IT for stakeholders

The newest ITPCG research report, How High Performance Organizations Manage IT, is a wake-up call about how IT is being used and managed by the highest performers in your industry to gain your customers, for their financial and market advantage.

Chock full of fact-based findings, the report focuses on the competitive advantage of IT among the highest performing companies, top-line outcomes, adverse risk outcomes, how and why IT matters, how business risk related to the use of IT is being managed by these organizations, the simple risk-reward cycle implemented by these organizations, the four simple questions asked by decision-makers at these firms, information gathering, automation, contextual scorecards, indicators, composites and benchmarks.

Obtain your own free copy of How High Performance Organizations Manage IT today.

Your Choice Adobe: Customers or McAfee

March 14, 2011 by

Sometimes, organizations just don’t get it. The latest edition of organizational tin-ear, who-cares-about-customers behavior comes to us from Adobe, the maker of innovative software packages that include Acrobat, Creative Suite 5, Flash and Photoshop among many others.

In addition to its innovative software, Adobe has always advertised bloatware add-on downloads with its free “reader” downloads, most notably the Google Toolbar. For the longest time, most people simply un-checked the Add Google Toolbar box and went about their business. And most of these people are its existing and prospective customers.

But, in September 2009, Adobe started offering an optional checkbox for a download of a “free” security scan from McAfee as part of the free downloads for its Flash Player. The practice expanded to include the McAfee security scanner with downloads of Adobe’s free Acrobat reader in 2010.

Harmless enough, right? Wrong!
Despite un-checking the box for the McAfee security scanner, the scanner is installed without your permission, and the next time the Adobe product is used, up pops the executable for the scanner to “assess” your computer. No doubt the scanner will find something in its scan of your computer and redirect you to a page at McAfee where you can purchase something that will take care of the discovered problem, even if you take great pains to keep a squeaky-clean PC.

McAfee scanner = blue screen of death
However, before the McAfee security scanner can pop up, be prepared for the blue screen of death on the machines the scanner was installed on and some tender coaxing using known previous good configurations to restart the machines the beast was installed on. This occurred most recently to me on three PCs after trying to update Adobe Reader – supposedly without the McAfee security scanner being downloaded. Despite my expressly un-checking the box for the scanner, the scanner was installed on these systems without my permission and all three had to be recovered. Not good business practices, and not a good track record, Adobe! Bordering on deceptive and liable? I’ll leave this question to lawyers.

Think I’m alone?
No, I’m just one of the many people being afflicted by this latest case of bad business practices, and whichever set of people at Adobe are not listening, with their tin ears, to the reaction customers are having to the latest business practices of this dynamic duo.

See the following buzz:

McAfee Security Scan Plus – Advice That You May Not Want, January 2010

Adobe and McAfee are installing malware: June 2010

Adobe support forum: from 2010

McAfee + adobe + flash installer = No!, February 2011
At Andy Sciro’s blog: http://andysciro.com/2011/02/22/mcaffee-adobe-flash-installer-no/

Google “blog adobe mcafee” and you’ll find a lot more than these few examples. Weed through a few of these and you’ll find some fairly upset people, many wondering how and why Adobe could allow this nonsense to continue, and pleading with Adobe to put a stop to the practice of downloading the McAfee security scanner.

What will you do?
Consider yourself warned if this has not already occurred to you and consider sending an email to your employees about what will and will not be supported if PCs suddenly start coming-up with blue-screens.

Of the two, Adobe always had the better brand for its business practices and its treatment of customers. But its association and willingness to ignore the pleas of customers to stop the practice have fallen on tin-ears.

Adobe, your customers have been telling you for more than a year to stop this business practice and you’ve ignored them. Continuing to ignore your customers will come at much higher expense to find new customers. And, the longer the business arrangement occurs, and with the impact that it is having on users and organizations, the more likely that customers and prospective customers will simply walk-away from both organizations – to the detriment of the shareholders of Adobe and now Intel.

Cyber warfare — A new normal?

March 4, 2011 by

The age of Cyber war is upon us — and you better get ready for it.

If you don’t believe it, here’s a list of sources covering just a few of the events in the past year.

Attacks on South Korea
The latest attacks occurred in the past twenty-four hours, when dozens of South Korean business and government websites came under attack in March 2011. See the following for more information:

Business Week

Stuxnet attacks: 2010
If you somehow missed Stuxnet, check out the following:

Turkish press

New York Times

Google attacks: 2010
If you also missed the attacks on Google and dozens of other commercial and government agencies, check out the following:

Is this more “sky-is-falling” language?

Or is there more to this than semantics?

New York Times Topic feature articles

What does it mean for you?

1. The Stuxnet attacks are the most dangerous demonstration of cyber warfare — to date

2. More events are likely to occur in the future

3. You better get ready

What else does it mean?

For the most at risk
For the 2-in-10 organizations that decided to significantly reduce spending on staffing and tools for information security during 2009 and 2010 in response to slowdowns in receipts, it means ramping up spending for information security just to catch up to peers. Budgets for information security staffing and tools among these organizations are going to have to triple or quadruple simply to catch up.

For most of us
For 7-in-10 of us, it means re-thinking the priorities for business risks in a new normal involving government-sponsored cyber attacks, NGO attacks, culture-warfare attacks, political and economic attacks, and rogue and criminal gang attacks, and how we’re going to detect, defend against and respond to them, implement contingency and recovery procedures, and add more layers of defense than are currently being managed. It also means having simple yet accurate management displays to prioritize responses. Current budgets for information security are going to have to double to achieve parity with the best-in-class organizations.

For the best-in-class
For the 1-in-10 already operating at best-in-class levels, it means re-thinking and re-evaluating current strategy, risk controls, and responses. And it also means slight increases and reallocations to deal with the new threats.

How do you know where you are, and what you’ll have to do?

Find out where you are — today
The Assessments@ITPolicyCompliance deliver a confidential and quick two-minute way to assess the posture of your organization against your industry and peers.

Benchmarked against more than 4,000 other organizations, these quick two-minute assessments cover organizational structure and strategy, the use of frameworks and standards, management of policy, management of procedural controls, management of information controls, management of technical controls, vulnerability and threat management, risk management and reporting, and financial implications.

Who should be interested: CIOs, CISOs, CAOs, CROs, and principal managers of IT and audit

Time to value: minutes

Visit: www.ITPolicyCompliance.com/Assessments to find out more

Additional resources

How the Masters of IT Deliver More Value and Less Risk

What Color Is Your Information Risk – Today?

The IT Rorschach Test

March 3, 2011 by

The traditional management disciplines involve the use of directing, organizing, planning, staffing and controls to manage outcomes for organizations.

Of these, the most important is directing: it is through the tone and direction established and reinforced daily by senior managers that organizations become either industry leaders or laggards. The same disciplines are as important to managing IT as they are to managing the organization.

Beyond the five management disciplines are some telltale characteristics of how well — or poorly — organizations are doing in managing the IT portfolio to support peer-beating growth results, including revenue and profit; while avoiding industrial espionage, the loss of intellectual-property, the theft of customer data, and headline-grabbing events that result in damage to reputations and brands.

Take the IT Rorschach Test

Which of the following are true at your organization?

• The business value of IT is visible to senior management

• Business risks from the use of IT are visible to senior management

• The business value of IT assets is prioritized

• Unacceptable business risks related to the use of IT are documented

• Acceptable risks and control exceptions for IT are documented

• Business risks for IT assets are prioritized

• IT controls for legal and regulatory compliance are prioritized

Add up the number of times you said yes to each of the seven questions, then find out what the results mean.

1 to 2 “Yes”: Least value delivered and highest risk

3 to 6 “Yes”: Middle of the pack for value delivered and risk

6 to 7 “Yes”: Most value delivered and least risk

This simple IT Rorschach Test is based on research conducted with more than 1,600 other organizations. More compelling are the two-minute self-assessments that enable comparison with your industry, peers and those that are answering “7’s” to the IT Rorschach Test.

Assess Yourself against Your Peers and the Best Performers — Today
The Assessments@ITPolicyCompliance deliver a confidential and quick two-minute way to assess the posture of your organization against your industry and peers.

Benchmarked against more than 4,000 other organizations, these quick two-minute assessments cover organizational structure and strategy, the use of frameworks and standards, management of policy, management of procedural controls, management of information controls, management of technical controls, vulnerability and threat management, risk management and reporting, and financial implications.

Who should be interested: CIOs, CISOs, CAOs, CROs, and principal managers of IT and audit

Time to value: minutes

Visit: www.ITPolicyCompliance.com/Assessments to find out more

Additional resources

How the Masters of IT Deliver More Value and Less Risk

What Color Is Your Information Risk – Today?

IT Policies and Controls: Which Matter?

February 16, 2011 by

A discussion with a recently hired CISO for an insurance company revealed the last time policies and controls for IT were reviewed was two years prior to her arrival. When she first attempted to engage managers in a top-down review of policies, everyone ignored her, including IT.

After finding support from the chief legal counsel, the CIO, the chief of internal audit and the audit committee, the company conducted its first formal review of its IT policies in more than five years, despite yearly SOX and GLBA audits.

Sound far-fetched? It’s not, based on the experience of others: this CISO had the support of management, others do not.

Do Your IT Policies Matter?
IT policies span a range from human-readable management policy to business procedures and machine-level policies and controls implemented in IT. Understanding the difference between these and aligning them with the risk and reward culture of the organization, while staying on top of regulatory and legal mandates, is a task not done frequently enough.

The Boundaries of the Playing Field: Management's Voice
Management policies are like the boundary lines for a sporting event (European football, Brazilian football, US soccer, Canadian hockey, US football, Pakistani cricket, Japanese baseball, French tennis: the idea is the same). When the ball goes outside the boundary markers, play is dead. Inside the boundary markers, the players can continue playing, albeit with the addition of other rules and controls that keep the game moving on a level playing field. Examples of these include three strikes and you’re out in baseball or offside passes in the World Cup.

The rules for the size, shape and location of the boundary markers for IT policies are management responsibilities and prerogatives. These are the easy “directive” policies that management sets. The hard ones are the policies and controls for what happens on the playing field inside the boundary markers, which is why management policies and directives are critical.

On the Field of Play
The rules of play on the field should reflect management’s directives. Whether it is business procedures, access to information, protection of customer data, protection of sensitive organizational information, or the availability and protection of critical IT assets, the policies (and controls) set out for business procedures and those implemented in IT should fit hand-in-glove with the value and risk management objectives of the organization.

Commonly referred to as procedural and technical policies (and controls), the primary distinctions between the two include:

– Procedural policies and controls are the human-readable policies governing how people use information systems to execute business objectives

– Technical policies and controls are the hard-coded policies and controls that are implemented in applications and IT assets.

Do management policies for IT matter?
Based on research conducted with thousands of organizations, management policies for IT matter quite a bit, and the findings show very marked differences in terms of outcomes being experienced and what is emphasized — or not — by organizations.

Organizations experiencing the best outcomes (highest revenue, profit, least business downtime, fewest problems with audit and least loss or theft of sensitive information) actually implement management policy for IT very differently than do their peers and most other organizations.

Some notable differences among the worst performing organizations include:

• An utter lack of policies for the business risks related to the use of IT

• Little to no guidance for minimum acceptable service levels

• No monitoring or reporting standards are defined

• Non-existent or few policies and controls for business procedures

The differences starkly illustrate the impact that management direction for IT policies and controls — or lack thereof — has on revenue, profit, customer retention, business downtime, data loss or theft and audit deficiencies.

However, the differences shown in the table are not the only ones found from research conducted with thousands of organizations. Other policies and controls that are consistently not implemented among the worst performing organizations include those governing:

• Acceptable use standards
• Information processing facilities
• Acquisition, use and disposition of IT assets
• Application development, testing and development
• Access to information and IT assets
• Incident response and problem management
• Change management
• Accreditation and acceptance
• Maintaining a history of the changes to policies and controls

Which IT policies are most important?
Management policies are critical. These set the tone and direction from the top, as the practices (and outcomes) of the best performing organizations attest. Those that define the boundaries of play, especially minimum acceptable service levels and maximum acceptable risk, are critical. The tradeoffs made between these two are guided by an organization’s value and risk culture, and by the legal and regulatory mandates in whatever geographies the organization operates.

Which IT policies do you need to improve?
For some organizations, improvements to IT policies and controls may be a tuck here or a slight change there. For a few it may be a start-from-nothing exercise. But for a majority of organizations, some practices for IT policies and controls may be close enough while others will need to be improved.

When should you review IT policies and controls?
If your organization is anything like the insurance company that had not reviewed its IT policies (and controls) in more than five years, it’s probably time to undertake the effort. Even if these were reviewed in the past year, it’s still time to conduct the review: changing business, regulatory and legal conditions in operating geographies dictate more frequent reviews.

And, if it’s any indication, the best performing organizations review policy and controls at least quarterly, supplemented by daily, weekly and monthly updates from assessments and reports to gauge the effectiveness of policy and controls.


Related research

Automation, Practice and Policy in Information Security for Better Outcomes

How the Masters of IT Deliver More Value and Less Risk

What Color Is Your Information Risk – Today?
