Posts Tagged ‘IT controls’

IT Policies and Controls: Which Matter?

February 16, 2011

A discussion with a recently hired CISO for an insurance company revealed the last time policies and controls for IT were reviewed was two years prior to her arrival. When she first attempted to engage managers in a top-down review of policies, everyone ignored her, including IT.

After finding support from the chief legal counsel, the CIO, the chief of internal audit and the audit committee, the company conducted its first formal review of its IT policies in more than five years, despite yearly SOX and GLBA audits.

Sound far-fetched? It’s not, based on the experience of others: this CISO had the support of management, others do not.

Do Your IT Policies Matter?
IT policies span a range from human-readable management policy to business procedures and machine-level policies and controls implemented in IT. Understanding the difference between these and aligning them with the risk and reward culture of the organization, while staying on-top of regulatory and legal mandates is a task not done frequently enough.

The Boundaries of the Playing Field: Management's Voice
Management policies are like the boundary lines for a sporting event (European football, Brazilian football, US soccer, Canadian hockey, US football, Pakistani cricket, Japanese baseball, French tennis; the idea is the same). When the ball goes outside the boundary markers, play is dead. Inside the boundary markers, the players can continue playing, albeit with the addition of other rules and controls that keep the game moving on a level playing field. Examples of these include three strikes and you’re out in baseball, or offside passes in the World Cup.

The rules for what constitutes the size, shape and location of the boundary markers for IT policies are management responsibilities and prerogatives. These are the easy “directive” policies that management sets. The hard ones are the policies and controls for what happens on the playing field inside the boundary markers, which is why management policies and directives are critical.

On the Field of Play
The rules of play on the field should reflect management’s directives. Whether it is business procedures, access to information, protection of customer data, protection of sensitive organizational information, or the availability and protection of critical IT assets, the policies (and controls) set out for business procedures and those implemented in IT should fit hand-in-glove with the value and risk management objectives of the organization.

Commonly referred to as procedural and technical policies (and controls), the primary distinctions between the two include:

– Procedural policies and controls are the human-readable policies governing how people use information systems to execute business objectives

– Technical policies and controls are the hard-coded policies and controls that are implemented in applications and IT assets.

Do management policies for IT matter?
Based on research conducted with thousands of organizations, management policies for IT matter quite a bit, and the findings show very marked differences in terms of outcomes being experienced and what is emphasized — or not — by organizations.

Organizations experiencing the best outcomes (highest revenue, profit, least business downtime, fewest problems with audit and least loss or theft of sensitive information) actually implement management policy for IT very differently than do their peers and most other organizations.

Some notable differences among the worst performing organizations include:

• An utter lack of policies for the business risks related to the use of IT

• Little to no guidance for minimum acceptable service levels

• No monitoring or reporting standards are defined

• Non-existent or few policies and controls for business procedures

The differences starkly illustrate the impact that management direction for IT policies and controls — or lack thereof — has on revenue, profit, customer retention, business downtime, data loss or theft and audit deficiencies.

However, the differences shown in the table are not the only ones found from research conducted with thousands of organizations. Other policies and controls that are consistently not implemented among the worst performing organizations include those governing:

• Acceptable use standards
• Information processing facilities
• Acquisition, use and disposition of IT assets
• Application development, testing and development
• Access to information and IT assets
• Incident response and problem management
• Change management
• Accreditation and acceptance
• Maintaining a history of the changes to policies and controls

Which IT policies are most important?
Management policies are critical. These set the tone and direction from the top, as the practices (and outcomes) of the best performing organizations attest. Those that define the boundaries of play, especially minimum acceptable service levels and maximum acceptable risk, are critical. It is the tradeoffs made between these two that are guided by an organization’s value and risk culture, and by the legal and regulatory mandates in whatever geographies the organization operates.

Which IT policies do you need to improve?
For some organizations, improvements to IT policies and controls may be a tuck here or a slight change there. For a few it may be a start-from-nothing exercise. But for a majority of organizations, some practices for IT policies and controls may be close enough while others will need to be improved.

When should you review IT policies and controls?
If your organization is anything like the insurance company that had not reviewed its IT policies (and controls) in more than five years, it’s probably time to undertake the effort. Even if these were reviewed in the past year, it’s still time to conduct the review: changing business, regulatory and legal conditions in operating geographies dictate more frequent reviews.

And, if it’s any indication, the best performing organizations review policy and controls at least quarterly, supplemented by daily, weekly and monthly updates from assessments and reports to gauge the effectiveness of policy and controls.

Assess Your Practices — Today
The Assessments@ITPolicyCompliance deliver a confidential and quick two-minute way to assess the posture of your organization against your industry and peers.

Benchmarked against more than 4,000 other organizations, these quick two-minute assessments cover organizational structure and strategy, the use of frameworks and standards, management of policy, management of procedural controls, management of information controls, management of technical controls, vulnerability and threat management, risk management and reporting, and financial implications.

Who should be interested: CIOs, CISO, CAOs, CROs, and principal managers of IT and audit

Time to value: minutes

Benchmark universe: more than 4,000 other organizations

Visit: to find out more

Related research

Automation, Practice and Policy in Information Security for Better Outcomes

How the Masters of IT Deliver More Value and Less Risk

What Color Is Your Information Risk – Today?


Managing IT Configuration Drift, Controls and Risk

January 27, 2011

In less than a week, all the configuration controls, permissions and entitlements that IT spends time testing are useless. The sheer fact is that these are quickly changed by normal use, whether the changes are collateral from other changes being made, accidental or intentional.

Also known as configuration drift, the problem affects every stack of technology being used by organizations, from outsourced cloud computing applications to web applications and databases, underlying systems and networks, laptops, PCs and mobile devices.

Unfortunately, the unseen and unknown changes to technical controls are the very foundation of the next business disruption, or unauthorized access to applications, information and interconnected IT assets.

Patching: One possible solution?
There are a lot of workarounds that can be used to achieve a temporary solution until patches are available. Then there’s the ubiquitous Microsoft Patch Tuesday as well as patches from other suppliers that must be scheduled, applied and tested. In other cases there are no temporary solutions and hard tradeoffs have to be made between convenience, exceptions and increased risk profiles. The sad fact is that most organizations sit on patches for months before applying even those deemed most critical.

Detect and prevent: the other solution?
Detect and prevent can only be achieved if IT assets are instrumented to provide information from logs and events, IT assets are inventoried, continuous assessments are routine, and visibility into the problems and risks is quantifiable. The reality is that only one in ten organizations are proactively using these kinds of IT GRC tools.
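The detect side of this is, at its core, a comparison of an approved baseline against what an asset looks like now. The script below is an added example (not from the original post or from ITPolicyCompliance) that classifies drift in technical controls: a setting that changed, an entitlement set that widened or narrowed, a control that vanished, and an asset that appears in the snapshot but not in the inventory. The baseline and snapshot are constructed sample data; a real run would collect them from the assets themselves.

```python
from dataclasses import dataclass

# Constructed baseline: asset -> control -> approved value (sets are entitlements).
BASELINE = {
    "web01": {"sshd.PermitRootLogin": "no", "file:/etc/shadow:mode": "0640",
              "group:sudo": {"ops", "alice"}},
    "db01": {"sshd.PermitRootLogin": "no", "file:/etc/shadow:mode": "0640",
             "group:sudo": {"ops"}, "svc.telnet": "disabled"},
}
# Constructed snapshot taken a week later, after normal use has changed things.
SNAPSHOT = {
    "web01": {"sshd.PermitRootLogin": "yes", "file:/etc/shadow:mode": "0644",
              "group:sudo": {"ops", "alice", "bob"}},
    "db01": {"sshd.PermitRootLogin": "no", "file:/etc/shadow:mode": "0640",
             "group:sudo": {"ops"}},
    "cache01": {"sshd.PermitRootLogin": "yes"},   # not in the inventory at all
}

@dataclass
class Finding:
    asset: str
    control: str
    kind: str        # changed | widened | narrowed | missing | unknown_asset
    expected: object
    actual: object

def detect_drift(baseline, snapshot):
    """Return drift findings; an empty list means the snapshot matches the baseline."""
    findings = []
    for asset, controls in baseline.items():
        actual = snapshot.get(asset, {})
        for control, want in controls.items():
            if control not in actual:          # control no longer reported at all
                findings.append(Finding(asset, control, "missing", want, None))
                continue
            got = actual[control]
            if isinstance(want, set):          # entitlements: the direction matters
                if got - want:
                    findings.append(Finding(asset, control, "widened", want, got))
                elif got != want:
                    findings.append(Finding(asset, control, "narrowed", want, got))
            elif got != want:
                findings.append(Finding(asset, control, "changed", want, got))
    for asset in snapshot.keys() - baseline.keys():   # assets outside the inventory
        findings.append(Finding(asset, "*", "unknown_asset", None, snapshot[asset]))
    return findings

def summarize(findings):
    """Count findings by kind so a weekly report can trend drift over time."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts
```

Running `detect_drift(BASELINE, SNAPSHOT)` on the sample data yields five findings: two changed settings and a widened sudo group on web01, a missing telnet control on db01, and an unknown asset cache01.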

In truth, different procedures and controls are more — and less — effective, under different circumstances, and some procedures are clearly more important than others.

The new Assessments@ITPolicyCompliance enable you to determine which procedures for managing technical controls are leading to the best outcomes against the real-world practices of more than 4,000 other organizations.

Visit: to find out more

Find the answers to how your practices for managing technical controls compare with others, including:
• Your industry
• Your peers, and
• Best performing organizations

The practices covered by the Management of Technical Controls include:
• Whether IT assets are identified and classified
• If access to IT assets is segmented or otherwise limited
• Whether unauthorized access to IT assets is detected or prevented
• If audit trails and configuration settings are monitored
• Whether IT assets and configuration settings are tested
• If evidence from audit trails and configuration settings is gathered
• Whether gaps in technical controls are remediated and documented
• If IT assets are hardened
• Whether an inventory of IT assets is centrally maintained
• If your procedures are automated sufficiently

Specific to your industry and size of your organization, the confidential and free assessment delivers immediate feedback on how well, or poorly, your practices for managing technical controls are compared to your industry, your peers and the best performing organizations.

More importantly, the intuitive risk-index of the Assessments@ITPolicyCompliance enables you to quickly identify changes that will:
• Increase the value delivered by IT
• Reduce business downtime
• Reduce data loss or theft
• Reduce the time and money spent to pass and sustain audits

Who should be interested: managers in IT security and operations, audit, risk, and compliance

Time to value: minutes

Regardless of size or industry, most organizations are continuously looking to improve operational effectiveness across all functions, and IT is no exception. Assess yourself and your organization today with the Assessments@ITPolicyCompliance.

Additional reading:

Automation, Practice and Policy in Information Security for Better Outcomes

Business Continuity in the Real World

Don’t Fall for the Old Saw of Patch Management
