New Research Outlines Key Steps to Protect Sensitive Data
Research from the IT Policy Compliance Group illustrates what works to protect sensitive data
The IT Policy Compliance Group today announced the availability of its latest benchmark research report titled ‘Core Competencies for Protecting Sensitive Data.’ The report, which incorporates responses from more than 450 organisations globally, concludes that only one in 10 organisations is in the enviable position of adequately protecting their sensitive data. The report also analyses the variables between those companies that are leaders and laggards in the area of data protection, providing insight into best practices that can lead to better data protection, improved compliance and sustained competitive advantage.
One of the most striking findings from the research is the correlation between the protection of sensitive data and regulatory compliance results: firms that excel at protecting sensitive data also perform well on regulatory compliance audits. Almost all (96 percent) of the organisations with the least loss of sensitive data are the exact same organisations with the fewest regulatory compliance deficiencies that must be corrected to pass regulatory audits. In contrast, the majority (64 percent) of the organisations with the greatest loss of sensitive data are the same organisations with the largest number of regulatory compliance deficiencies that must be corrected to pass audit.
The core competencies identified in this report fall into the categories of organisational structure and strategy, customer intimacy and operational excellence. By analysing the firms with the least amount of sensitive data loss (leaders) and those that experience the greatest amount of data loss (laggards), one can see the importance of defining fewer policies or control objectives, pursuing more frequent assessments and leveraging IT change management to prevent unauthorised use or change.
- Leaders define an average of 30 control objectives and conduct assessments once every 19 days. These firms experience two or fewer data losses and thefts annually, and two or fewer compliance deficiencies annually.
- Laggards define an average of 82 control objectives and conduct assessments once every 230 days. Laggards experience 13 or more data losses and thefts annually and 22 or more compliance deficiencies annually.
“Several recent events have demonstrated how damaging the loss of data can be to an organisation’s reputation and strategic objectives. It is critical to ensure that risk-based controls are in place to deter data loss and theft, and that those controls are regularly tested,” said Lynn Lawton, CISA, FCA, FIIA, PIIA, FBCS CITP, international president of ISACA. “Successful organisations focus on selecting the most relevant controls, instead of simply implementing a large number. The survey results clearly demonstrate that selecting, implementing and communicating the key controls, and regularly assessing their effectiveness, is a more practical approach and gets better results than constantly adding to a complex maze of uncoordinated isolated controls.”
The research indicates that the quality of controls is not as important as their appropriateness for specific risk and the frequency of controls assessment. Organisations not implementing risk-appropriate controls and not assessing the effectiveness of procedural and technical controls frequently enough are highly predisposed to data loss and theft. Firms with nonexistent controls and infrequent controls assessment are the firms experiencing the highest rates of frequent data loss and theft.
“Protecting customer and employee data as well as intellectual property has never been as important as it is today due to the rapid increase of compliance requirements and reputation risk,” said Rocco Grillo, managing director in the Technology Risk practice of Protiviti Inc. “Yet data security breaches and identity thefts continue to occur. Even though controls cannot fully guarantee protection, companies need to conduct the appropriate level of due diligence in information security and risk management. Proven programs to maintain and increase effective security and safeguarding of sensitive data have had enormous payback in protecting valuable information from theft or loss. Gone are the days where management can sit back and wait for a crisis or incident to spur them into action – everyone needs to be proactive.”
Best Practices from Data Protection Leaders
Organisations with the least amount of data loss are the firms with the best regulatory compliance audit results. These firms demonstrate a core set of competencies that not only minimise data loss and improve compliance, but minimise the financial impact of data breaches (see previous report “Why Compliance Pays Reputations and Revenues at Risk”) and enable sustained competitive advantage. The core competencies include:
Organisational structure and strategy
- Implement a world-class compliance program
- Document and maintain policies, standards and procedures
- Reorganise internal controls, IT security and risk management functions to leverage customer intimacy and operational excellence
- Define the roles and responsibilities of policy owners
- Identify and manage business and financial risks
- Deliver employee training and manage exceptions to policy
- Expand the scope of internal audit to most business functions
- Make control objectives risk-relevant
- Reduce the number of control objectives
- Implement controls that are measured
- Conduct self-assessments of procedural controls
- Increase the frequency of technical controls assessment
- Implement a complete IT change management program
- Use IT change management to prevent unauthorised use or change
About the Research
Topics researched by the IT Policy Compliance Group are part of an ongoing research calendar established by input from sponsoring members and general members and from findings compiled from recent research. The most recent benchmarks that are the basis for this report were conducted with 454 organisations between February and May of 2007. The error margin for this research is plus or minus 4.5 percent. The majority of organisations (90 percent) participating in the benchmarks are located in the United States. The other 10 percent come from other countries, including Australia, Canada, France, Germany, Ireland, Japan, Spain and the United Kingdom, among others.
IT Policy Compliance Group Membership
The IT Policy Compliance Group also announced the addition of a new membership category: Advisory Membership. Advisory Membership is being created to formalise advice and direction for future research conducted by the Group, provide access to an upcoming blog, and for the formation, guidance and participation of working groups. General membership in the group is being renamed as Associate Membership. For more information and to download the latest research report, titled ‘Core Competencies for Protecting Sensitive Data,’ visit www.ITPolicyCompliance.com.
About IT Policy Compliance Group
The IT Policy Compliance Group is dedicated to promoting the development of research and information that will help IT professionals meet the policy and regulatory compliance goals of their organisations. It is supported by several leading organisations including: the Computer Security Institute, The Institute of Internal Auditors, Protiviti, ISACA, IT Governance Institute and Symantec Corporation (NASDAQ: SYMC). The group conducts fact-based benchmark research to determine the best practices that result in improvements to IT for organisations. More information is available at www.ITPolicyCompliance.com.
Symantec is a global leader in infrastructure software, enabling businesses and consumers to have confidence in a connected world. The company helps customers protect their infrastructure, information and interactions by delivering software and services that address risks to security, availability, compliance and performance. Headquartered in Cupertino, California, Symantec has operations in more than 40 countries. More information is available at www.symantec.com.