Archive for the ‘Latest Research’ Category

How High Performance Organizations Manage IT

April 28, 2011

Your highest performing competitors are using IT to:

• Gain your customers
• Retain more customers
• Post revenue that is 5 percent higher than your industry average
• Record profit that is 5 percent higher than average
• Significantly reduce business risk related to the use of IT

What do these High Performance Organizations (HPOs) share in common?

It’s not industry and it’s not size:
although larger companies and certain industries do exhibit tendencies toward better outcomes when compared with others.

It’s not just profit and revenue:
some of the highest revenue generators and profit-makers are achieving results from short-term financial shuffling, not from operations.

Spend on IT, information security and audit matter
One defining characteristic of HPOs is the outsized spend allocated to IT, information security and audit by these winner-take-all competitors:

• Spending on IT that is 70 percent higher than industry average

• Spending on information security that is 100 percent higher than industry average

• Spending on audit that is 50 percent higher than industry average

Top-line spending on IT by HPOs is allocated to:

• Attracting customers
• Retaining customers
• Financial opportunity
• Market advantage
• Competitive advantage

Spend to manage business risk by HPOs is allocated to:

• Information security
• Audit
• Frequent assessments of change in the environment
• Controls to manage risk-reward
• Contextual scorecards for operating responses
• Contextual scorecards about IT for stakeholders

The newest ITPCG research report, How High Performance Organizations Manage IT, is a wake-up call about how IT is being used and managed by the highest performers in your industry to gain your customers, for their financial and market advantage.

Chock full of fact-based findings, the report focuses on the competitive advantage of IT among the highest performing companies, top-line outcomes, adverse risk outcomes, how and why IT matters, how business risk related to the use of IT is being managed by these organizations, the simple risk-reward cycle implemented by these organizations, the four simple questions asked by decision-makers at these firms, information gathering, automation, contextual scorecards, indicators, composites and benchmarks.

Obtain your own free copy of How High Performance Organizations Manage IT today.


The IT Rorschach Test

March 3, 2011

The traditional management disciplines involve the use of directing, organizing, planning, staffing and controls to manage outcomes for organizations.

Of these, the most important is directing: it is through the tone and direction established and reinforced daily by senior managers that organizations become either industry leaders or laggards. The same disciplines are as important to managing IT as they are to managing the organization.

Beyond the five management disciplines are some telltale characteristics of how well — or poorly — organizations are doing in managing the IT portfolio to support peer-beating growth results, including revenue and profit; while avoiding industrial espionage, the loss of intellectual-property, the theft of customer data, and headline-grabbing events that result in damage to reputations and brands.

Take the IT Rorschach Test

Which of the following are true at your organization?

• The business value of IT is visible to senior management

• Business risks from the use of IT are visible to senior management

• The business value of IT assets is prioritized

• Unacceptable business risks related to the use of IT are documented

• Acceptable risks and control exceptions for IT are documented

• Business risks for IT assets are prioritized

• IT controls for legal and regulatory compliance are prioritized

Count the number of times you answered “yes” to the seven questions, then find out what the result means.

0 to 2 “Yes”: Least value delivered and highest risk

3 to 5 “Yes”: Middle of the pack for value delivered and risk

6 to 7 “Yes”: Most value delivered and least risk

This simple IT Rorschach Test is based on research conducted with more than 1,600 other organizations. More compelling are the two-minute self-assessments that enable comparison with your industry, peers and those that are answering “7’s” to the IT Rorschach Test.

Assess Yourself against Your Peers and the Best Performers — Today
The Assessments@ITPolicyCompliance deliver a confidential and quick two-minute way to assess the posture of your organization against your industry and peers.

Benchmarked against more than 4,000 other organizations, these quick two-minute assessments cover organizational structure and strategy, the use of frameworks and standards, management of policy, management of procedural controls, management of information controls, management of technical controls, vulnerability and threat management, risk management and reporting, and financial implications.

Who should be interested: CIOs, CISOs, CAOs, CROs, and principal managers of IT and audit

Time to value: minutes

Visit: www.ITPolicyCompliance.com/Assessments to find out more

Additional resources

How the Masters of IT Deliver More Value and Less Risk
http://www.itpolicycompliance.com/research_reports/latest_report/read.asp?ID=20

What Color Is Your Information Risk – Today?
http://www.itpolicycompliance.com/research_reports/latest_report/read.asp?ID=19

Revenue, Profit and Spend on IT Security

February 14, 2011

In his 2003 Harvard Business Review article IT Doesn’t Matter, Nicholas Carr recommended that organizations:

1) Spend less on IT
2) Follow, don’t lead, and
3) Focus on vulnerabilities, not opportunities when it comes to IT.

IT Does Matter
Recent research – How the Masters of IT Deliver More Value and Less Risk – supports Carr’s recommendation that organizations focus on vulnerabilities. However, the same research shows there are some areas where firms should clearly lead.

It is also clear that spending less on IT, especially on information security and audit, is actually detrimental to business results including revenue, profit and customer retention. In fact, the research clearly shows about 2-in-10 organizations that spend the least on IT, information security and audit deliver the worst business results including the lowest revenue, profit and customer retention when compared with peers. Unfortunately, these same organizations are exposed to the highest business risks from higher-than-average data loss or theft rates, more business downtime and greater difficulty with audits.

In sharp contrast are the 1-in-10 organizations spending the most, that also post the best business results, including the highest revenue, profit and customer retention rates compared to peers. These same organizations are least exposed to business-jarring risks from data loss or theft, downtime or audits.

In between is the majority of organizations (7 in 10) that are under- or over-spending compared with peers. These organizations post business results slightly on the negative or positive side of their peers, and experience risks from data loss or theft, downtime and audit that are similar to peers.

What it means for you

If you spend too little: it’s time to increase spend upwards

If you spend at average: it’s time to increase and reallocate spend

If you’re not reaping the benefits of high spend: it’s time to reallocate spend

Assess for Yourself, Today
The Assessments@ITPolicyCompliance deliver a confidential and quick two-minute way to assess the posture of your organization against your industry and peers.

Benchmarked against more than 4,000 other organizations, these quick two-minute assessments cover organizational structure and strategy, the use of frameworks and standards, management of policy, management of procedural controls, management of information controls, management of technical controls, vulnerability and threat management, risk management and reporting, and financial implications.

Who should be interested: CIOs, CFOs, CEOs, CISOs, CAOs, CROs, and principal managers of IT and audit

Time to value: minutes

Visit: www.ITPolicyCompliance.com/Assessments to find out more

HBR Article
IT Doesn’t Matter

Research

How the Masters of IT Deliver More Value and Less Risk

What Color Is Your Information Risk – Today?

Why Automating Vulnerability Management Pays

Automation, Practice and Policy in Information Security for Better Outcomes

Assessments

www.itpolicycompliance.com/assessments/

Blog

NASDAQ Cyber Attack: Is More at Risk?

Cloud Computing: Information anywhere anytime

IT Value

Who’s Got Your Information — Today?

Managing IT Configuration Drift, Controls and Risk

January 27, 2011

Within a week, many of the configuration controls, permissions and entitlements that IT spent time testing no longer match what was tested. They are changed by normal use, whether the changes are collateral effects of other changes, accidental, or intentional.

Known as configuration drift, the problem affects every layer of technology organizations use, from outsourced Cloud-computing applications to web applications and databases, the underlying systems and networks, and laptops, PCs and mobile devices.

Unseen and unknown changes to technical controls are the foundation of the next business disruption, and of unauthorized access to applications, information and interconnected IT assets.

Patching: One possible solution?
There are many workarounds that can provide a temporary fix until patches are available. Then there is the ubiquitous Microsoft Patch Tuesday, plus patches from other suppliers, all of which must be scheduled, applied and tested. In other cases there is no temporary fix and hard tradeoffs have to be made between convenience, exceptions and an increased risk profile. The sad fact is that most organizations sit on patches for months before applying even those deemed most critical. Patching also does nothing about drift in settings, permissions and entitlements, which is not a defect in a supplier’s code.

Detect and prevent: the other solution?
Detection and prevention are only possible when IT assets are instrumented so that logs and events are collected, IT assets are inventoried, continuous assessments are routine, and the resulting problems and risks can be quantified. The reality is that only one-in-ten organizations are proactively using these kinds of IT GRC tools.

In truth, different procedures and controls are more — and less — effective, under different circumstances, and some procedures are clearly more important than others.

The new Assessments@ITPolicyCompliance enable you to determine which procedures for managing technical controls lead to the best outcomes, benchmarked against the real-world practices of more than 4,000 other organizations.

Visit: www.ITPolicyCompliance.com/Assessments/ to find out more

Find the answers to how your practices for managing technical controls compare with others, including:
• Your industry
• Your peers, and
• Best performing organizations

The practices covered by the Management of Technical Controls include:
• Whether IT assets are identified and classified
• If access to IT assets is segmented or otherwise limited
• Whether unauthorized access to IT assets is detected or prevented
• If audit trails and configuration settings are monitored
• Whether IT assets and configuration settings are tested
• If evidence from audit trails and configuration settings is gathered
• Whether gaps in technical controls are remediated and documented
• If IT assets are hardened
• Whether an inventory of IT assets is centrally maintained
• If your procedures are automated sufficiently

Visit: www.ITPolicyCompliance.com/Assessments to find out more

Specific to your industry and size of your organization, the confidential and free assessment delivers immediate feedback on how well, or poorly, your practices for managing technical controls are compared to your industry, your peers and the best performing organizations.

More importantly, the intuitive risk-index of the Assessments@ITPolicyCompliance enables you to quickly identify changes that will:
• Increase the value delivered by IT
• Reduce business downtime
• Reduce data loss or theft
• Reduce the time and money spent to pass and sustain audits

Who should be interested: managers in IT security and operations, audit, risk, and compliance

Time to value: minutes

Regardless of size or industry, most organizations are continuously looking to improve operational effectiveness across all functions, and IT is no exception. Assess yourself and your organization with the Assessments@ITPolicyCompliance today.

Additional reading:

Automation, Practice and Policy in Information Security for Better Outcomes

Business Continuity in the Real World

Don’t Fall for the Old Saw of Patch Management

IT Value

January 11, 2011

In 2003, on the heels of the dotcom bubble, Nicholas Carr argued persuasively in his seminal article, IT Doesn’t Matter, that strategic advantage from the use of IT is becoming increasingly fleeting and short-lived, that IT is becoming commoditized, and that the risks arising from the use of IT are more important than the advantages it delivers.

His recommendations include:
• Spend less on IT
• Follow, don’t lead
• Focus on vulnerabilities, not opportunities

Advice on spend is a bit simplistic
In the latest IT PCG research report, How the Masters of IT Deliver More Value and Less Risk, the dictate to “spend less on IT” is found to be a bit simplistic – if not self-serving.

The best performers actually spend more on IT to drive value and manage risk
Research from 2006 through 2010 shows those organizations with higher revenue, profit and customer retention actually spend more on IT and information security to drive value and manage business risks related to the use of IT.

Where spend on IT delivers more value and less risk
The best performing organizations are using IT Balanced Scorecards, IT Strategy Maps, IT Portfolio Management and COBIT to drive value from the use of IT. The same organizations preserve value and manage risk with ISO-based information security practices, COBIT-defined controls and procedures, CIS-defined benchmarks, IT GRC systems and applications, security information and event management (SIEM) systems, and information security controls.

Highly automated, these organizations are reporting on value and risk daily, weekly and bi-monthly. The findings from the ongoing research show organizations taking these actions post much higher revenue, much higher profits, much less loss or theft of customer data, much less business downtime from IT accidents or disruptions, fewer vulnerabilities and far fewer problems with regulatory audit.

Do not follow the laggards: instead, follow the leaders
The only differentiation found in the research is among those spending less money on these initiatives, management tools and technology systems. Among these organizations, revenue, profit and customer retention are either average or worst-of-breed. The same organizations post the highest business risks from IT-related downtime, lost or stolen customer data, vulnerabilities impacting IT systems, and problems found in audit. Carr’s 2003 advice to follow rather than lead is sage advice, provided it is the leaders, not the laggards, that are followed.

References:

How the Masters of IT Deliver More Value and Less Risk

IT Doesn’t Matter

Related research

What Color Is Your Information Risk – Today?

Why Automating Vulnerability Management Pays

Automation, Practice and Policy in Information Security for Better Outcomes

Assessments@ITPolicyCompliance
Want to simply find out how your organization compares with your industry, your peers or best performing organizations? Try the two-minute Assessments@ITPolicyCompliance

Who’s Got Your Information — Today!

December 29, 2010

The twenty most recent reported data-loss or theft incidents of 2010, based on data reported by the Open Security Foundation* impacted the following organizations:

– Farber Enterprises, 30 Nov 2010
– Houston Independent School District, 2 Dec 2010
– University of Arizona, 2 Dec 2010
– American Check Casher of Oklahoma, 3 Dec 2010
– Mesa County, Colorado, 4 Dec 2010
– University of Wisconsin, Madison, 9 Dec 2010
– University of Alberta, 9 Dec 2010
– Gaelic Athletic Association, 10 Dec 2010
– Walgreens, 10 Dec 2010
– Genesco, Incorporated, 10 Dec 2010
– Mountain View Medical Center, 10 Dec 2010
– McDonalds Corporation, 11 Dec 2010
– NatWest, 11 Dec 2010
– Gawker Media, 12 Dec 2010
– Department of National Defence, Canada, 12 Dec 2010
– Mesa County Sheriff’s Office, 12 Dec 2010
– Mountain Vista Medical Center, 13 Dec 2010
– Ohio State University, 15 Dec 2010
– NY State Office, Temporary/Disability Assistance, 15 Dec 2010
– Dean Health Systems, 20 Dec 2010

* Source: Open Security Foundation, 2010 (see http://datalossdb.org/)

These twenty were preceded by another 351 during 2010, impacting: AMR Corporation, Aon Consulting, British Columbia Lottery Corporation, Citibank, Equifax, Federal Reserve Bank, Jackson Hewitt, Hartford Life Insurance Company, Loma Linda University Medical Center, Navy Federal Credit Union, NBC Universal, Paychex, Starbucks, St. Mary’s Medical Center, the U.S. Army, State Department and Verizon Wireless among many others.

For details of these and others, see the comprehensive database compiled and made available by the Open Security Foundation at http://datalossdb.org/.

What Others Can Find Out about You and Your Employees
Think you’re immune to the problem? Think again! Your employees are leaving trails all-over the Internet for anyone to exploit.

Visit What The Internet Knows About You – Today!
See http://whattheinternetknowsaboutyou.com/ to test it out for yourself
See http://wtikay.com/docs/details.html to read the background details

Lax or non-existent controls make it easy to identify where your employees have been and who they are, and to map routes that can be used to craft attacks, so gathering intelligence about you and your organization is rather easy.

What Others Are Finding Out about You and Your Employees!
The widespread adoption of smart-phones, both inside and outside the organization, is leaving many firms exposed to personally identifiable data-sharing practices that are now being challenged in the courts. The most recent lawsuit targets Apple and the makers of Apps that run on the iPhone. The same Apps, App-makers and Android-based smart-phones could be next.

Read the news at:

Apple sued over iPad and iPhone app ‘data leaks’
See: http://www.bbc.co.uk/news/technology-12089225

Apple, App makers hit with privacy lawsuits
See http://www.washingtonpost.com/wp-dyn/content/article/2010/12/28/AR2010122803648.html

Apple Sued for Allegedly Sending Data to Advertisers
See http://online.wsj.com/article/BT-CO-20101228-706485.html

The lawsuits do focus the issue on appropriate uses of personally identifiable data – even if it’s too early to decipher the outcomes.

Beyond PID: Financial, customer, audit, security and other sensitive information
What’s more important: PID covering your employees and your customers, or sensitive information about your financials, audit profile data, internal fraud investigations, configuration control data for your websites and critical databases, information security controls and procedures governing access to sensitive information, information covering strategic partners, suppliers, mergers or acquisition plans, patient data, new drug-testing results, utility-grid data, minerals-exploration findings, new manufacturing methods, board minutes … or other information?

• Whatever you value, is it worth protecting, do you know where it’s located, who has access to it, and how it should not be used?
If you can answer these questions immediately: count yourself among the lucky 10 percent of the population that can!

Do you know what your information risks are – today?
If you can answer this question in less than a week, count yourself among the prepared 8 percent of the population.
And, make sure the CEO and the board know about this.

Take Action — Today!
For the other 90 percent, it’s time to tell the CEO and the board what needs to be done, before you too become the next headline in the Wall Street Journal, The Washington Post or the BBC, and find yourself listed in the Open Security Foundation’s DataLossDB.

See the recent research, “What Color Is Your Information Risk — Today?” at http://www.itpolicycompliance.com/research_reports/

The two-minute benchmark test
Too busy to read research? Take two-minutes to find out how well prepared you are by benchmarking and comparing your practices against others in your industry, your peers, and the best performing organizations.

The Assessments@ITPolicyCompliance for managing information controls compares your practices to manage information against the real-world choices and practices of more than 3,800 other organizations.

Visit: www.ITPolicyCompliance.com/Assessments/ – Today!

Find the answers to how your practices for managing information controls compare with:
• your industry
• your peers, and
• best performers

Practices covered by this assessment include:
• Segregating different kinds of IT systems
• Classifying information
• Identifying the locations of sensitive information
• Segregating access to sensitive information
• Prevention and detection
• Protecting sensitive information
• Detecting the leakage of sensitive information

Visit: www.ITPolicyCompliance.com/Assessments/ – Today!

Specific to your industry and size of your organization, all of the confidential and free assessments deliver immediate feedback on how well, or poorly, you are managing business value and risk related to the use of IT compared to others in your industry, your peers and the best performing organizations. More importantly, the two-minute assessments quickly identify how you compare with others and practices that will improve outcomes.

Who should be interested: senior managers in IT, audit, risk, and compliance
Time to value: minutes

Regardless of size or industry, most organizations are continuously looking to improve operational effectiveness across all functions: IT is no exception.

Improve your outcomes, visit Assessments@ITPolicyCompliance today.

Who’s Spying on You, and What They Know

December 20, 2010

Reports last week that Microsoft intends to put a “do not track” button in the forthcoming release of its Internet Explorer browser join a long line of add-ons for numerous web browsers that would, in theory, put users in charge of whether they are targets for on-line advertising. See “Add do not track to Firefox, IE, Google Chrome” by Dennis O’Reilly at CNET: http://news.cnet.com/8301-13880_3-20024815-68.html

But, recent research reveals these “do-not-track” efforts may be useless.

Tracking of User Web browsers
A review of the past and present reveals the following practices to track and identify users and their web-browsers:

Old school: Cookies
A tried-and-true method that is still used today. For an introduction to cookies, see: http://en.wikipedia.org/wiki/HTTP_cookie. Its author was trying to solve the “shopping-cart” problem and never intended his invention to be used for tracking. It was only years later, when he found advertising being served to him based on his searches, that he realized his “shopping-cart” solution had been subverted for private gain. Cookies, combined with IP addresses and third-party analytics, are now the most common method employed to serve up advertising based on web-surfing behavior.

“So what” you say? Read on…

Contemporary school: LSO Super-cookies
A more contemporary approach uses Flash-based LSO super-cookies (or their Silverlight equivalent), combined with third-party analytics, to serve up advertising based on web-surfing behavior.
See http://en.wikipedia.org/wiki/Local_Shared_Object

No one ever tells users this is happening, and the practice continues unabated because people are visual creatures, unaware their use of the Internet is leading to more personal data being collected about them. If you want to change what’s done on your PC or laptop with Flash stored objects, you have to visit http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager04.html but doing this does not block LSO cookies and the tracking that occurs as a result.

Users of Firefox can add plug-ins that detect and delete these. Add-ons such as BetterPrivacy, Ghostery, RequestPolicy, Torbutton and NoScript, among others, provide tools for those who do not want to be tracked, and some of the same add-ons can prevent JavaScript from harvesting a lot of personally identifiable data.

“So what” you say? Read on….

You are Now being Fingerprinted
The new school of tracking fingerprints your web browser, with or without cookies, and without your knowledge or consent. Combined with the ubiquitous ability to geo-locate you and, more importantly, to record your IP address (unless you route your traffic through a proxy, VPN or Tor), the reality is that even without cookies the trackers can continue to harvest data about users for advertisers and their supporting search-engine, device, App and network-service enablers. You don’t believe this?

Test the fingerprint of your browser
To see how unique your own web browser’s fingerprint is, visit Panopticlick at:

http://panopticlick.eff.org/

It doesn’t matter whether you use in-private browsing or not: your browser and your IP address are being uniquely fingerprinted either way. The research paper from the Electronic Frontier Foundation available on the Panopticlick site (http://panopticlick.eff.org/browser-uniqueness.pdf) reveals that browsers are overwhelmingly trackable and that policymakers should consider treating web-browser fingerprints as personally identifiable data.

The Europeans may be inclined to do this, but watch out if you are not a citizen of an EU country.

Some good uses of fingerprinting browsers:
Good uses of the approach include applications in financial services and by goods and service providers as another check against fraud. One of many providers of the technology is 41st Parameter.
See more at http://www.the41st.com/industries.asp

Focused on financial services, the company also delivers products and services for eCommerce, Travel, DRM and Social networking applications.

Beware Traffic Analysis
Although 41st Parameter’s stated applications of its technology are focused on uses that many people will applaud, there is no reason the same technology, from another company with a very different business model or from a hacker, cannot be applied to the last item on that list, social networking applications. That should worry everyone from consumers to the CEOs of the largest companies, because it makes traffic analysis easy: a technique that yields useful information about the searches and sites being used by a targeted group. For an introduction to traffic analysis and a few of its applications, see http://en.wikipedia.org/wiki/Traffic_analysis

Fingerprinting meets social media
See more: http://www.webpronews.com/topnews/2010/12/15/gawker-attack-sends-ripples-throughout-the-web

Personal details stored by users on social media sites such as Facebook, LinkedIn or any number of other sites (see http://en.wikipedia.org/wiki/List_of_social_networking_websites for a more complete list) can easily be linked with old-fashioned cookies, LSO cookies, browser fingerprints, IP addresses and the other information being collected.

Instead of a government overtly conducting spying on its citizens, the primary harvesting-engine of personal preferences and interests in the West is coming from the private-sector.

“So what”, you say? Read on…

Mobile smartphones
The Wall Street Journal reported the findings of its investigation on the personal-information data-collection and data-sharing practices that are employed for Mobile smartphones in its article “Your Apps Are Watching You” printed on December 18, 2010.
See more: http://online.wsj.com/article/SB10001424052748704368004576027751867039730.html?mod=googlenews_wsj

The authors found that personal details are routinely collected and shared, including, among others, age, gender, location and the ID of the smartphone. Of course, this is great practice for financial gain from the sale of advertising, but the data being collected can be used for purposes beyond advertising. And if there is a buck to be made from the sale of personally identifiable data, you can be assured these activities are already underway. An interactive database of the Journal’s results can also be found at www.WSJ.com/WTK

Who’s got your back?
What protections can you take if you are a consumer or a business? What protections can your company employ to limit what your competitors can learn about your strategic plans, customer visits, merger and acquisition plans, or strategic partners through traffic analysis? What about traditionally more secretive national defense or homeland security initiatives?

While the ethics of modern Internet advertising are debatable (service providers who double-dip by charging consumers for a service and then selling data for a profit that is then used to target prospective customers), the real-worry is how the information being collected can be used for traffic analysis and targeting purposes, in the public and private-sector alike. Traffic analysis knows no boundaries!

In retrospect, the “do-not-track” missive of a week or so ago appears sophomoric at best, and misleading at worst!

You tell us: is this too paranoid, or are we already in an era that is beyond privacy-that-can be legislated, where the practices on the Web already outstrip boundaries of national law and regulation, without any possible solution other than more defensive technical traps and arsenals – if there are any?

Policy Shapes Outcomes

March 23, 2010

Policies are guiding principles used to shape outcomes and desired end-results.

Recently completed benchmark research conducted by the IT Policy Compliance Group shows that policies – and procedures – for information security are responsible for driving outcomes related to the availability, integrity and confidentiality of information.

The benchmarks show huge gaps in some of the information security policies being used by organizations. For example, organizations with the highest levels of customer data loss and theft have very different information security policies than those with the fewest losses or thefts of customer data.

A clear majority – about 8-in-10 – of the organizations with the least loss or theft of customer data are using 10 unique policies for the information security function. A few of these “top-10” policies for information security, include:

  • Policies describing maximum acceptable risks
  • Policies describing minimum acceptable service levels
  • Regulatory mandates and legal requirements
  • Coverage of third-parties and contractors

In contrast, a slight minority – fewer than 2-in-10 – of the organizations with the highest levels of customer data loss or theft use these same policies.

In addition to information security policies, the recent benchmarks also measure procedures being employed to implement policy.

The research clearly shows that some of the most critical policies – and the procedures to implement them – governing outcomes for the information security function are either being ignored, or not taken seriously, by almost nine in ten organizations.

Look for the upcoming research report for more information at www.itpolicycompliance.com.

Who sets objectives: Legal, Business lines or IT?

February 19, 2010

Middle of the road: legal counsel
A majority of organizations are relying on legal counsel to establish objectives for the integrity, availability and confidentiality of information.


However, for the 7-in-10 organizations using legal counsel to drive and manage these objectives, the track-record is mixed, with data-loss and theft rates ranging from 3 events per year to as many as 15 such events.

Worst-outcomes
In contrast, organizations where business divisions establish and maintain these objectives are much more prone to data loss and theft, at rates of 16 or more customer data loss events each year. In some cases, firms are suffering from many tens of such events.

Best performers
Organizations with the fewest loss or theft of sensitive customer data, at less than 3 such events each year, are relying on IT to establish and maintain objectives for information integrity, availability and confidentiality.

Stakeholders, Owners and Policy Managers
Truth be told, objectives for information integrity, availability and confidentiality differ depending on the information, the business processes involved, risk factors, the IT systems and applications involved, the controls that are in place to manage risk, and legal and regulatory demands, among others. Complications such as country and regional laws, cultures, third-party providers and reporting requirements only add to the complexity of managing sensitive business information.

While many organizations employ an “ownership” concept for IT assets and information based on budgets in business lines, this is not the same as, and should not be confused with, managing the policies and controls that govern risks related to the use of information and IT assets.

The evidence is clear: IT should be in charge of establishing and managing objectives for information integrity, availability and confidentiality, with input from all relevant stakeholders.

More information from latest research is available at:
www.itpolicycompliance.com

Jim Hurley
jhurley@itpolicycompliance.com

Who Manages Information Security?

February 9, 2010

Does it matter who manages the information security function in your organization?

Apparently it does!

Benchmark results from 2008 through 2009 show the following:

Organizations experiencing the worst outcomes
Impacting 2 out of every 10 organizations, the dominant profile of organizations experiencing the worst outcomes (most loss or theft of customer data, most downtime from IT failures, largest problems with IT audit findings) has either a systems or network administrator or a manager or director in IT operations in charge of information security.

Those experiencing normal industry outcomes
Affecting 7 out of every 10 organizations, those with normal industry profiles (for data loss or theft, business downtime from IT failures and regulatory audit snafus in IT) manage the information security function through the senior leader of IT operations or a chief security officer (CSO).

Organizations with the best outcomes
Those with the least loss or theft of customer data, the lowest rates of business downtime from IT failures and the fewest problems with IT audit are managing information security through a senior manager of IT assurance or a chief information security officer (CISO).

While there are always exceptions, the findings so evidently link outcomes with organizational structure that it may pay to look at the impact management structure is having on how well you are able to protect customer data, how productively IT assets are being managed, and how costly it is to get through audits with few problems to fix.

Find out more in the latest research report, Best Practices for Managing Information Security, at: www.itpolicycompliance.com.

We’re interested in hearing from you: do you have a unique management structure that is working, or not working?

jhurley@itpolicycompliance.com

As always, you can find out more from one of our charter members: www.itgi.org, www.isaca.org, www.theiia.org, www.gocsi.com, www.protiviti.com, www.symantec.com
