Archive for the ‘ITPCG News’ Category

What’s Your Threat & Vulnerability Quotient?

May 23, 2011

Are you really doing everything you need to make sure your sensitive information, systems, applications and databases are NOT in the hands of the bad guys?

Do you even know where your information and IT assets are, and what is happening to them without your knowledge?

Visit: www.ITPolicyCompliance.com/Assessments to find out more

Find out if you are exercising due care compared to your industry and peers by using the assessments at IT Policy Compliance Group.

Focused on antivirus, vulnerability testing, pen-testing, IT asset patching and configuration management practices, the assessment shows how your practices for managing vulnerabilities and threats rank against others in your industry, your peers and best performing organizations, and the impact your practices have on:

• Delivering more or less value from IT
• Business downtime
• Data loss and theft
• Time spent on regulatory audit
• You relative to your industry
• You relative to your peers
• You relative to best performing organizations

Based on research benchmarks conducted with thousands of organizations, the quick two-minute assessments deliver a rapid diagnostic to determine whether you are ahead or behind your competitors, and how far behind the best performers you may be.

Visit: www.ITPolicyCompliance.com/Assessments to find out more

More importantly, the intuitive risk-indexes of the assessments enable you to identify changes that will:

• Increase the value delivered by IT
• Reduce business downtime
• Reduce data loss or theft
• Reduce the time and money spent to pass and sustain audits

Who should be interested: managers in IT security and operations, audit, risk, and compliance

Time to value: minutes

Regardless of size or industry, most organizations are continuously looking to improve operational effectiveness across all functions, and IT is no exception. Assess yourself and your organization today with the Assessments@ITPolicyCompliance.

Related Research:

– Why Vulnerability Management Pays
– Best Practices for Managing Information Security
– What Color Is Your Information Risk – Today?
– How High Performance Organizations Manage IT

See Latest research for more.


How High Performance Organizations Manage IT

April 28, 2011

Your highest performing competitors are using IT to:

• Gain your customers
• Retain more customers
• Post revenue that is 5 percent higher than your industry average
• Record profit that is 5 percent higher than average
• Significantly reduce business risk related to the use of IT

What do these High Performance Organizations (HPOs) share in common?

It’s not industry and it’s not size:
although larger-size companies and certain industries do exhibit tendencies toward better outcomes when compared with others.

It’s not just profit and revenue:
some of the highest revenue generators and profit-makers are achieving results from short-term financial shuffling, not from operations.

Spend on IT, information security and audit matter
One defining characteristic of HPOs is the outsize spend being allocated to IT, information security and audit by these winner-take-all competitors, as follows:

• Spending on IT that is 70 percent higher than industry average
• Spending on information security that is 100 percent higher than industry average
• Spending on audit that is 50 percent higher than industry average

Top-line spending on IT by HPOs is allocated to:

• Attracting customers
• Retaining customers
• Financial opportunity
• Market advantage
• Competitive advantage

Spend to manage business risk by HPOs is allocated to:

• Information security
• Audit
• Frequent assessments of change in the environment
• Controls to manage risk-reward
• Contextual scorecards for operating responses
• Contextual scorecards about IT for stakeholders

The newest ITPCG research report, How High Performance Organizations Manage IT, is a wake-up call about how IT is being used and managed by the highest performers in your industry to gain your customers, for their financial and market advantage.

Chock full of fact-based findings, the report focuses on the competitive advantage of IT among the highest performing companies, top-line outcomes, adverse risk outcomes, how and why IT matters, how business risk related to the use of IT is being managed by these organizations, the simple risk-reward cycle implemented by these organizations, the four simple questions asked by decision-makers at these firms, information gathering, automation, contextual scorecards, indicators, composites and benchmarks.

Obtain your own free copy of How High Performance Organizations Manage IT today.

Cyber warfare — A new normal?

March 4, 2011

The age of Cyber war is upon us — and you better get ready for it.

If you don’t believe it, here’s a list of sources covering just a few of the events in the past year.

Attacks on South Korea
The latest attacks, on business and government websites in March 2011, occurred in the past twenty-four hours, when dozens of South Korean websites came under attack. See the following for more information:

Business Week
http://www.businessweek.com/ap/financialnews/D9LO5ACO1.htm

CNN
http://edition.cnn.com/2011/WORLD/asiapcf/03/04/south.korea.cyber.attack

Stuxnet attacks: 2010
If you somehow missed Stuxnet, check out the following:

Wikipedia
http://en.wikipedia.org/wiki/Stuxnet

Turkish press
http://www.turkishpress.com/news.asp?id=358414

New York Times
http://www.nytimes.com/2011/02/13/science/13stuxnet.html?src=twrhp

Google attacks: 2010
If you also missed the attacks on Google and dozens of other commercial and government agencies, check out the following:

Guardian
http://www.guardian.co.uk/technology/2010/jan/14/google-attacks-traced-china-verisign

Is this more “sky-is-falling” language?

BBC
http://www.bbc.co.uk/news/technology-12473809

Or is there more to this than semantics?

New York Times Topic feature articles
http://topics.nytimes.com/topics/features/timestopics/series/cyberwar/index.html

What does it mean for you?

1. The Stuxnet attacks are the most dangerous demonstration of cyber warfare to date

2. More events are likely to occur in the future

3. You better get ready

What else does it mean?

For the most at risk
For 2-in-10 organizations that decided to significantly reduce spending on staffing and tools for information security during 2009 and 2010 in response to slowdowns in receipts, it means ramping-up spending for information security to just catch-up to peers. Budgets for information security staffing and tools among these organizations are going to have to triple or quadruple to simply catch-up.

For most of us
For 7-in-10 of us, it means re-thinking the priorities for business risks for a new normal involving government sponsored cyber attacks, NGO attacks, culture-warfare attacks, political and economic attacks, rogue and criminal gang attacks, and how we’re going to detect, defend against, respond to, implement contingency and recovery procedures, and add layers of defense beyond those currently being managed. It also means having simple yet accurate management displays to prioritize responses. Current budgets for information security are going to have to double to achieve parity with the best-in-class organizations.

For the best-in-class
For the 1-in-10 already operating at best-in-class levels, it means re-thinking and re-evaluating current strategy, risk controls, and responses. And, it also means slight increases and reallocations to deal with the new threats.

How do you know where you are, and what you’ll have to do?

Find out where you are — today
The Assessments@ITPolicyCompliance deliver a confidential and quick two-minute way to assess the posture of your organization against your industry and peers.

Benchmarked against more than 4,000 other organizations, these quick two-minute assessments cover organizational structure and strategy, the use of frameworks and standards, management of policy, management of procedural controls, management of information controls, management of technical controls, vulnerability and threat management, risk management and reporting, and financial implications.

Who should be interested: CIOs, CISOs, CAOs, CROs, and principal managers of IT and audit

Time to value: minutes

Visit: www.ITPolicyCompliance.com/Assessments to find out more

Additional resources

How the Masters of IT Deliver More Value and Less Risk
http://www.itpolicycompliance.com/research_reports/latest_report/read.asp?ID=20

What Color Is Your Information Risk – Today?
http://www.itpolicycompliance.com/research_reports/latest_report/read.asp?ID=19

IT Policies and Controls: Which Matter?

February 16, 2011

A discussion with a recently hired CISO for an insurance company revealed the last time policies and controls for IT were reviewed was two years prior to her arrival. When she first attempted to engage managers in a top-down review of policies, everyone ignored her, including IT.

After finding support from the chief legal counsel, the CIO, the chief of internal audit and the audit committee, the company conducted its first formal review of its IT policies in more than five years, despite yearly SOX and GLBA audits.

Sound far-fetched? It’s not, based on the experience of others: this CISO had the support of management, others do not.

Do Your IT Policies Matter?
IT policies span a range from human-readable management policy to business procedures and machine-level policies and controls implemented in IT. Understanding the difference between these and aligning them with the risk and reward culture of the organization, while staying on-top of regulatory and legal mandates is a task not done frequently enough.

The Boundaries of the Playing Field: Management’s Voice
Management policies are like the boundary lines for a sporting event (European football, Brazilian football, US soccer, Canadian hockey, US football, Pakistani cricket, Japanese baseball, French tennis; the idea is the same). When the ball goes outside the boundary markers, play is dead. Inside the boundary markers, the players can continue playing, albeit with the addition of other rules and controls that keep the game moving on a level playing field. Examples of these include three strikes and you’re out in baseball or offside passes in the World Cup.

The rules for what constitutes the size, shape and location of the boundary-markers for IT policies are management responsibilities and prerogatives. These are the easy “directive” policies that management sets. The hard ones are the policies and controls for what happens on the playing field inside the boundary markers: which is why management policies and directives are critical.

On the Field of Play
The rules of play on the field should reflect management’s directives. Whether it is business procedures, access to information, protection of customer data, protection of sensitive organizational information, or the availability and protection of critical IT assets, the policies (and controls) set out for business procedures and those implemented in IT should fit hand-in-glove with the value and risk management objectives of the organization.

Commonly referred to as procedural and technical policies (and controls), the primary distinctions between the two include:

– Procedural policies and controls are the human-readable policies governing how people use information systems to execute business objectives

– Technical policies and controls are the hard-coded policies and controls that are implemented in applications and IT assets.

Do management policies for IT matter?
Based on research conducted with thousands of organizations, management policies for IT matter quite a bit, and the findings show very marked differences in terms of outcomes being experienced and what is emphasized — or not — by organizations.

Organizations experiencing the best outcomes (highest revenue, profit, least business downtime, fewest problems with audit and least loss or theft of sensitive information) actually implement management policy for IT very differently than do their peers and most other organizations.

Some notable differences among the worst performing organizations include:

• An utter lack of policies for the business risks related to the use of IT

• Little to no guidance for minimum acceptable service levels

• No monitoring or reporting standards are defined

• Non-existent or few policies and controls for business procedures

The differences starkly illustrate the impact that management direction for IT policies and controls — or lack thereof — has on revenue, profit, customer retention, business downtime, data loss or theft and audit deficiencies.

However, the differences shown in the table are not the only ones found from research conducted with thousands of organizations. Other policies and controls that are consistently not implemented among the worst performing organizations include those governing:

• Acceptable use standards
• Information processing facilities
• Acquisition, use and disposition of IT assets
• Application development, testing and development
• Access to information and IT assets
• Incident response and problem management
• Change management
• Accreditation and acceptance
• Maintaining a history of the changes to policies and controls

Which IT policies are most important?
Management policies are critical. These set the tone and direction from the top, as the practices (and outcomes) of the best performing organizations attest. Those that define the boundaries of play, especially minimum acceptable service levels and maximum acceptable risk, are critical. It is the tradeoffs made between these two that are guided by an organization’s value and risk culture, and the legal and regulatory mandates in whatever geographies the organization operates.

Which IT policies do you need to improve?
For some organizations, improvements to IT policies and controls may be a tuck here or a slight change there. For a few it may be a start-from-nothing exercise. But for a majority of organizations, some practices for IT policies and controls may be close enough while others will need to be improved.

When should you review IT policies and controls?
If your organization is anything like the insurance company that had not reviewed its IT policies (and controls) in more than five years, it’s probably time to undertake the effort. Even if these were reviewed in the past year, it’s still time to conduct the review: changing business, regulatory and legal conditions in operating geographies dictate more frequent reviews.

And, if it’s any indication, the best performing organizations review policy and controls at least quarterly, supplemented by daily, weekly and monthly updates from assessments and reports to gauge the effectiveness of policy and controls.

Assess Your Practices — Today
The Assessments@ITPolicyCompliance deliver a confidential and quick two-minute way to assess the posture of your organization against your industry and peers.

Benchmarked against more than 4,000 other organizations, these quick two-minute assessments cover organizational structure and strategy, the use of frameworks and standards, management of policy, management of procedural controls, management of information controls, management of technical controls, vulnerability and threat management, risk management and reporting, and financial implications.

Who should be interested: CIOs, CISOs, CAOs, CROs, and principal managers of IT and audit

Time to value: minutes

Benchmark universe: more than 4,000 other organizations

Visit: www.ITPolicyCompliance.com/Assessments to find out more

Related research

Automation, Practice and Policy in Information Security for Better Outcomes
http://www.itpolicycompliance.com/research_reports/

How the Masters of IT Deliver More Value and Less Risk
http://www.itpolicycompliance.com/research_reports/

What Color Is Your Information Risk – Today?
http://www.itpolicycompliance.com/research_reports/

Revenue, Profit and Spend on IT Security

February 14, 2011

In his 2003 Harvard Business Review article IT Doesn’t Matter, Nicholas Carr recommended that organizations:

1) Spend less on IT
2) Follow, don’t lead, and
3) Focus on vulnerabilities, not opportunities when it comes to IT.

IT Does Matter
Recent research – How the IT Masters Deliver More Value and Less Risk – proves that Carr was correct in recommending organizations should focus on vulnerabilities. However, the research proves there are some areas where firms should clearly lead.

It is also clear that spending less on IT, especially on information security and audit, is actually detrimental to business results including revenue, profit and customer retention. In fact, the research clearly shows about 2-in-10 organizations that spend the least on IT, information security and audit deliver the worst business results including the lowest revenue, profit and customer retention when compared with peers. Unfortunately, these same organizations are exposed to the highest business risks from higher-than-average data loss or theft rates, more business downtime and greater difficulty with audits.

In sharp contrast are the 1-in-10 organizations spending the most, that also post the best business results, including the highest revenue, profit and customer retention rates compared to peers. These same organizations are least exposed to business-jarring risks from data loss or theft, downtime or audits.

In between are a majority of organizations (7 in 10) that are under- or over- spending compared with peers. These same organizations are posting business results that are slightly on the negative or positive side of their peers, and experiencing risks from data loss or theft, downtime and audit that are similar to peers.

What it means for you

If you spend too little: it’s time to increase spend

If you spend at average: it’s time to increase and reallocate spend

If you’re not reaping the benefits of high spend: it’s time to reallocate spend

Assess for Yourself, Today
The Assessments@ITPolicyCompliance deliver a confidential and quick two-minute way to assess the posture of your organization against your industry and peers.

Benchmarked against more than 4,000 other organizations, these quick two-minute assessments cover organizational structure and strategy, the use of frameworks and standards, management of policy, management of procedural controls, management of information controls, management of technical controls, vulnerability and threat management, risk management and reporting, and financial implications.

Who should be interested: CIOs, CFOs, CEOs, CISOs, CAOs, CROs, and principal managers of IT and audit

Time to value: minutes

Visit: www.ITPolicyCompliance.com/Assessments to find out more

HBR Article
IT Doesn’t Matter

Research

How the Masters of IT Deliver More Value and Less Risk

What Color Is Your Information Risk – Today?

Why Automating Vulnerability Management Pays

Automation, Practice and Policy in Information Security for Better Outcomes

Assessments

www.itpolicycompliance.com/assessments/

Blog

NASDAQ Cyber Attack: Is More at Risk?

Cloud Computing: Information anywhere anytime

IT Value

Who’s Got Your Information — Today?

NASDAQ Cyber Attack: Is More at Risk?

February 10, 2011

NASDAQ revealed it was broken into by hackers on February 5, 2011 and unattributed but reliable sources state the hacks have been going on for more than a year. See the Star-Telegram article for more.

Is more at risk? You be the judge!
In his post on Zdnet in January 2008, Richard Stiennon presciently explained his view of the state of Cyberwarfare as follows:

Threat level 1: Travel warnings

Threat level 2: Nation States probe each other’s networks for vulnerabilities

Threat level 3: Widespread information-theft with intent to mine industrial and military secrets

Threat level 4: Targeted attacks against military and government installations

Threat level 5: Nation-to-Nation attacks with intent to destroy communications and disable business procedures and financial markets

Richard observed that based on events leading up to January 2008, he’d characterize the state of Cyber Warfare to be at Defcon level 4. The Stuxnet attacks of 2010 and most attacks on NASDAQ seem to indicate we might be closing in on level 5, even if the perpetrators may not be Nation States.

In his more recent blog at ThreatChaos Richard argues that strategic industries should go on high-alert with some observations about why State departments, Military, critical infrastructure industries, and computer and technology industries should go on high-alert.

The sky is not falling, yet!
If you’re reading this, the Internet has not been brought down, you are not under attack, and presumably you are not under lock-down or responding to an emergency. Calmer perspectives and more information can be found at CyberDefcon, where the focus is on providing the information needed to make informed decisions. Among these is a great offshoot site called HostExploit, providing insight into historical events, sites, operators, tools and locations of botnets, cyber-criminals and other perpetrators of malfeasance.

Real-time alerts on your desktop
One of the better freebies is available from Symantec: a screensaver, chock-full of information from its around-the-world sensors, delivered right to your desktop. You can download it at Symantec Threat Monitor.

Industrial-strength real-time alerts
If you are looking for customized real-time services for your business on threats that are specific to your organization, check out the more detailed services available from Impact-Alliance or from the Symantec Global Intelligence Network.

Assess Your Posture and Readiness Compared to Your peers
In addition, the Assessments@ITPolicyCompliance provide a rapid way to assess your posture and readiness compared to others. Benchmarked against more than 4,000 other organizations, these quick two-minute assessments help to identify strengths and weaknesses against others in your industry, your peers, and best performing organizations.

Additional resources:

Hackers Attack NASDAQ Network, Probe On; Reports

NASDAQ hack a wake-up call for Exchanges

Hacking fears raised by Nasdaq OMX attack

US Congress Rallying Cybersecurity Bill After NASDAQ Attack

Cyber Defcon 4: 2008 blog post at ZDNet by Richard Stiennon

Why Automating Vulnerability Management Pays

Automation, Practice and Policy in Information Security for Better Outcomes

Scan or Manage: Threats and Vulnerabilities

February 3, 2011

You buy a service from a vulnerability scanning company, check-off the box about managing Internet threats and vulnerabilities, and satisfy demands from auditors to implement a vulnerability management program, right?

Think again: this is exactly what 7-in-10 others are doing – and it’s not working!

It’s not working because:
– Minimum service levels and maximum acceptable risks remain undefined
– Less than half of the procedures to find vulnerabilities and threats are automated
– Less than one-third of the procedures to fix vulnerabilities are fully automated
– Many critical production systems remain uncovered
– Critical fixes and patches are mired by weeks-to-months long delays

When compared with peers and best performers, the impacts include: more difficulty with audits, more business downtime, higher theft and loss of sensitive information, and preventable damage to the brand and reputation of the organization.

The Assessments@ITPolicyCompliance enable you to determine how your practices for managing vulnerabilities and threats in IT compare with your industry, your peers and best performing organizations.

Visit: www.ITPolicyCompliance.com/Assessments/ to find out more

The practices covered by the Vulnerability and Threat Management self-assessment include the percentage of IT assets that:

• Have antivirus updates consistently applied
• Are subject to vulnerability testing
• Are subject to penetration testing
• Are consistently patched and documented
• Have configuration settings and permissions consistently updated

In addition, the assessment is specific to your automation levels, days elapsed between vulnerability tests, revenue or agency budget, industry and locality.

Visit: www.ITPolicyCompliance.com/Assessments to find out more

The intuitive risk-index of the Assessments@ITPolicyCompliance enables you to quickly identify changes to existing practices that will:
• Increase the value delivered by IT
• Reduce business downtime
• Reduce data loss or theft
• Reduce the time and money spent to pass and sustain audits

Who should be interested:
– managers in IT security and operations, audit, risk, and compliance

Time to value:
– minutes

Benchmark universe:
– more than 4,000 other organizations

Additional reading:

Why Automating Vulnerability Management Pays

Automation, Practice and Policy in Information Security for Better Outcomes

Managing IT Configuration Drift, Controls and Risk

January 27, 2011

In less than a week, all the configuration controls, permissions and entitlements that IT spends time testing are useless. The sheer fact is that these are quickly changed by normal use, whether the changes are collateral from other changes being made, accidental or intentional.

Also known as configuration-drift, the problem affects every stack of technology being used by organizations, from outsourced Cloud-computing applications to web-applications and databases, underlying systems and networks, laptops, PCs and mobile devices.

Unfortunately, the unseen and unknown changes to technical controls are the very foundation of the next business disruption, or unauthorized access to applications, information and interconnected IT assets.

Patching: One possible solution?
There are a lot of workarounds that can be used to achieve a temporary solution until patches are available. Then there’s the ubiquitous Microsoft Patch Tuesday as well as patches from other suppliers that must be scheduled, applied and tested. In other cases there are no temporary solutions, and hard tradeoffs have to be made between convenience, exceptions and increased risk profiles. The sad fact is that most organizations sit on patches for months before applying even those deemed most critical.

Detect and prevent: the other solution?
Detect and prevent can only be achieved if IT assets are instrumented to provide information from logs and events, IT assets are inventoried, continuous assessments are routine, and visibility into the problems and risks is quantifiable. The reality is that only one-in-ten organizations are proactively using these kinds of IT GRC tools.

In truth, different procedures and controls are more — and less — effective, under different circumstances, and some procedures are clearly more important than others.
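To make the “detect” half of detect-and-prevent concrete, here is an added example (not ITPCG’s code, and not part of any of its assessments) of the minimum instrumentation the post describes: take a baseline of the technical controls you tested, re-snapshot later, and report what drifted so the change is quantified rather than unseen. The inventory of three configuration files, their contents and the simulated changes are all constructed inside the script; the drift categories, the drift ratio and the “world-readable” check are this example’s own choices, not a standard.

```python
"""
Configuration-drift detection over a file-based set of technical controls.
Added example, not ITPCG's code: it builds a constructed inventory of
config files in a temp directory, records a baseline (mode bits plus a
SHA-256 of content), simulates the kinds of changes the post describes
(collateral, accidental, intentional), and reports what drifted so the
drift is quantifiable rather than unseen.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Record permission bits and a content hash for every regular file under root."""
    snap = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        snap[str(path.relative_to(root))] = {
            "mode": stat.S_IMODE(st.st_mode),
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        }
    return snap


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify drift: files added, removed, content changed, permissions changed."""
    drift = {"added": [], "removed": [], "content": [], "permissions": []}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            drift["added"].append(name)
        elif name not in current:
            drift["removed"].append(name)
        else:
            if baseline[name]["sha256"] != current[name]["sha256"]:
                drift["content"].append(name)
            if baseline[name]["mode"] != current[name]["mode"]:
                drift["permissions"].append(name)
    return drift


def drift_ratio(baseline: dict, drift: dict) -> float:
    """Fraction of baseline-controlled files that no longer match the baseline."""
    if not baseline:
        return 0.0
    drifted = set(drift["removed"]) | set(drift["content"]) | set(drift["permissions"])
    return len(drifted) / len(baseline)


def world_readable(current: dict) -> list:
    """Files whose mode bits grant read access to 'other' (a typical loosening to flag)."""
    return sorted(n for n, v in current.items() if v["mode"] & stat.S_IROTH)


def demo() -> dict:
    """Constructed scenario: baseline three controls, then simulate a week of drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample controls (hypothetical contents, not real host config)
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "sudoers").write_text("%admin ALL=(ALL) ALL\n")
        (root / "db.conf").write_text("require_ssl = true\n")
        for f in root.iterdir():
            os.chmod(f, 0o600)
        baseline = snapshot(root)

        # Simulated drift: content change, permission loosening, new unmanaged file
        (root / "sshd_config").write_text("PermitRootLogin yes\n")
        os.chmod(root / "db.conf", 0o644)
        (root / "debug.conf").write_text("verbose = true\n")
        os.chmod(root / "debug.conf", 0o644)
        current = snapshot(root)

        drift = diff_snapshots(baseline, current)
        return {
            "drift": drift,
            "ratio": drift_ratio(baseline, drift),
            "world_readable": world_readable(current),
        }


if __name__ == "__main__":
    report = demo()
    for kind, names in report["drift"].items():
        print(f"{kind:12s} {names}")
    print(f"drift ratio: {report['ratio']:.2f}")
    print(f"world-readable: {report['world_readable']}")
```

Run as a script it prints one line per drift category, the drift ratio (two of the three baseline files changed, so 0.67) and the files now readable by everyone. In practice the baseline would be written out after each control test and the comparison scheduled daily, which is what turns the post’s “unseen and unknown changes” into a number a scorecard can carry.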

The new Assessments@ITPolicyCompliance enable you to determine which procedures for managing technical controls are leading to the best outcomes against the real-world practices of more than 4,000 other organizations.

Visit: www.ITPolicyCompliance.com/Assessments/ to find out more

Find the answers to how your practices for managing technical controls compare with others, including:
• Your industry
• Your peers, and
• Best performing organizations

The practices covered by the Management of Technical Controls include:
• Whether IT assets are identified and classified
• If access to IT assets is segmented or otherwise limited
• Whether unauthorized access to IT assets is detected or prevented
• If audit trails and configuration settings are monitored
• Whether IT assets and configuration settings are tested
• If evidence from audit trails and configuration settings is gathered
• Whether gaps in technical controls are remediated and documented
• If IT assets are hardened
• Whether an inventory of IT assets is centrally maintained
• If your procedures are automated sufficiently

Visit: www.ITPolicyCompliance.com/Assessments to find out more

Specific to your industry and size of your organization, the confidential and free assessment delivers immediate feedback on how well, or poorly, your practices for managing technical controls are compared to your industry, your peers and the best performing organizations.

More importantly, the intuitive risk-index of the Assessments@ITPolicyCompliance enables you to quickly identify changes that will:
• Increase the value delivered by IT
• Reduce business downtime
• Reduce data loss or theft
• Reduce the time and money spent to pass and sustain audits

Who should be interested: managers in IT security and operations, audit, risk, and compliance

Time to value: minutes

Regardless of size or industry, most organizations are continuously looking to improve operational effectiveness across all functions, and IT is no exception. Assess yourself and your organization today with the Assessments@ITPolicyCompliance.

Additional reading:

Automation, Practice and Policy in Information Security for Better Outcomes

Business Continuity in the Real World

Don’t Fall for the Old Saw of Patch Management

IT Value

January 11, 2011

In 2003, on the heels of the Dotcom bubble, Nicholas Carr argued persuasively in his seminal article, IT Doesn’t Matter, that strategic advantage from the use of IT is becoming increasingly fleeting and short-lived, that IT is becoming commoditized, and that the risks left by the use of IT are more important than the advantages delivered.

His recommendations include:
• Spend less on IT
• Follow, don’t lead
• Focus on vulnerabilities, not opportunities

Advice on spend is a bit simplistic
In the latest IT PCG research report, How the Masters of IT Deliver More Value and Less Risk, the dictate to “spend less on IT” is found to be a bit simplistic – if not self-serving.

The best performers actually spend more on IT to drive value and manage risk
Research from 2006 through 2010 shows those organizations with higher revenue, profit and customer retention actually spend more on IT and information security to drive value and manage business risks related to the use of IT.

Where spend on IT delivers more value and less risk
The best performing organizations are using IT Balanced Scorecards, IT Strategy Maps, IT Portfolio Management and COBIT to drive value from the use of IT. Preserving value and managing risk is accomplished by the same organizations with the use of ISO-based information security practices, COBIT-defined controls and procedures, CIS defined benchmarks, IT GRC systems and applications, security incident and event management systems, and information security controls.

Highly automated, these organizations are reporting on value and risk daily, weekly and bi-monthly. The findings from the ongoing research show organizations taking these actions post much higher revenue, much higher profits, much less loss or theft of customer data, much less business downtime from IT accidents or disruptions, fewer vulnerabilities and far fewer problems with regulatory audit.

Do not follow the laggards: Instead follow-the-leaders
The only differentiation found in the research is among those spending less money for these initiatives, management tools and technology systems. Among these organizations, revenue, profits, customer retention are either average or worst-of-breed. These same organizations post the highest business risks from IT-related downtime, lost or stolen customer data, vulnerabilities impacting IT systems, and problems found from audit. The advice provided by Carr in 2003 to follow the leaders is sage advice.

References:

How the Masters of IT Deliver More Value and Less Risk

IT Doesn’t Matter

Related research

What Color Is Your Information Risk – Today?

Why Automating Vulnerability Management Pays

Automation, Practice and Policy in Information Security for Better Outcomes

Assessments@ITPolicyCompliance
Want to simply find out how your organization compares with your industry, your peers or best performing organizations? Try the two-minute Assessments@ITPolicyCompliance

Internal Controls and Human Behavior: Business Risk and Business Value

December 10, 2010

Are you more at risk because employees are using the Web to download Warez from Internet-sharing sites? What about transferring confidential company data or customer information using Email, thumb-drives and print-outs? Are your financial, sales, customer and partner records accidentally being siphoned because employees don’t know better? Do your employees know what your policies and procedures are, and how do you know?

The new Assessments@ITPolicyCompliance compare your practices for managing internal procedural controls for human behavior against real-world practices at more than 3,600 other organizations.

Visit: www.ITPolicyCompliance.com/Assessments/ to find out more

Find the answers to how your practices for internal procedural controls to manage IT related business risk and value compare with:
• Your industry
• Your peers, and
• Best performing organizations

The assessment – Management of Procedural Controls – compares how well or poorly you use internal procedural controls to manage business risk and value. Practices covered include:

• Change management for policies, procedures, assets and controls
• Information-handling
• Acquisition and use of IT assets
• Background checks
• Training for ethics, compliance and IT policies
• Surveys about ethics and policies
• Social engineering and penetration testing
• Automation of internal control procedures

Visit: www.ITPolicyCompliance.com/Assessments to find out more

Specific to your industry and size of your organization, the confidential and free assessment delivers immediate feedback on how well, or poorly, your practices for managing internal procedural controls are compared to your industry, your peers and the best performing organizations.

The Assessments@ITPolicyCompliance enable you to rapidly identify changes to practices that will:
• Increase the value delivered by IT
• Reduce business downtime
• Reduce data loss or theft
• Reduce the time and money spent to pass and sustain audits.

Who should be interested: senior managers in IT, audit, risk, and compliance
Time to value: minutes

Regardless of size or industry, most organizations are continuously looking to improve operational effectiveness across all functions, and IT is no exception. Assess yourself and your organization today with the Assessments@ITPolicyCompliance.