Security Blog: Compliance and Risk Report Released
July 22, 2007

Compliance and Risk Report Released

According to a new report from the IT Policy Compliance Group entitled "Why Compliance Pays: Reputations and Revenues at Risk," 9 out of 10 firms are exposed to financial risk from data loss and theft.

Among larger enterprises, a publicly disclosed data loss is likely about once every three years if the firm ignores security and risk management. In contrast, the organizations with the best results have reduced the expected frequency of a data loss to about once every 42 years, the group says.

"The vast majority of businesses and public institutions are still struggling with high rates of annual compliance deficiencies, resulting in business disruption, data loss and theft," said James Hurley, senior research manager, Symantec and managing director, IT Policy Compliance Group. "While the probability of data loss and business disruption occurring in an organization is less a matter of 'if' than 'when,' there are a number of compliance, risk and governance practices that, if implemented correctly, could significantly reduce the frequency and impact of these events."

According to the report, organizations with the fewest data losses and thefts focus on improving compliance results, especially in IT general controls and in IT security controls and procedures. Most notably, the benchmarks show the least data loss among firms that consistently monitor and measure their controls against objectives, at least once every two weeks.

Based on what is working among organizations with the fewest data losses, the IT Policy Compliance Group identifies the following practices as helping businesses reduce data loss and theft:

  • Implementing more and appropriate IT controls
  • Reducing control objectives, making it easier to communicate, measure and report against
  • Establishing higher standards for performance objectives
  • Encouraging a culture of operational excellence in IT
  • Conducting monitoring, measurement and reporting of controls against objectives at least once every two weeks
  • Allocating more spend to controls automation

"Control advocates have always been pressed to justify allocating resources on additional controls. This report provides supporting evidence that the appropriate additional controls are not only warranted, but essential to prevent theft and loss," said Rocco Grillo, a managing director in the Technology Risk practice of Protiviti. "The report also links system resiliency with compliance. That is a novel perspective, however, as the paper indicates, there are great linkages between effective controls and resiliency."

Posted by Jon Erickson at 11:01 AM