Jim Hurley Has Noted Your Compliance
David Utter Staff Writer
2006-11-13
The former Aberdeen Group VP now works as managing director of the IT Policy Compliance Group founded by Symantec, the Computer Security Institute (CSI), and the Institute of Internal Auditors (IIA); we talked about the group's recent study of factors that motivate companies to ensure better compliance with policies by their staffs.
Regular audits, ongoing monitoring of IT resources, and budgeting for security have a profound impact on how well a firm's employees comply with policies. That compliance becomes more important at publicly traded firms, where provisions of Sarbanes-Oxley provide additional incentive to stay on top of people and potential issues.
Group managing director Jim Hurley said in our call that the top ten percent of the more than 1,000 companies studied on compliance from January to July 2006 showed a bare minimum of problems. On average, those firms had only one significant and material security issue and one compliance issue to handle.
Contrast that with the bottom twenty percent of the study group, which accounted for 35 percent of all the security and compliance issues reported across the entire group. Audits happened infrequently in this portion of the group, about once every nine months.
The top group performed audits much more frequently. Those that had the fewest issues generally assessed compliance issues an average of every 21 days. The middle 70 percent tend to do audits every six months.
Hurley said that for small businesses (less than $50 million in annual revenues) the main issues were access controls, and business continuity and disaster recovery. Poor access controls can put too much information in the hands of those who don't need it.
Since internal employees can cause as much or more mischief than someone outside the firm, companies need to manage access better.
Medium sized businesses ($50 million to $500 million) and large ones ($500 million+) both had documentation as their top challenge, followed by access controls. I asked if pressure from items like SOX or HIPAA would cause these bigger firms to keep a closer eye on access controls, and Hurley said that could be a likely hypothesis.
Database security is an issue at medium and large businesses. So much corporate information, including data on their customers, resides in table after table of databases at countless firms. Hurley said that companies lost an average of 450,000 records per reported incident.
Like many efforts, security benefits from having more money tossed its way. The leaders in regulatory compliance spent at least ten percent of their IT budgets on security, while the laggards spent less than seven percent.
The top performers direct 52 percent of their security spend toward automating compliance monitoring and associated tasks, and they do better than companies that spend 42 percent on automation.
For firms of all sizes, access control will be the issue that persists in requiring continual focus. IT Policy Compliance Group plans to continue benchmarking the organizations participating in its study; those numbered 1,059 for the initial report. Hurley also suggested that other developments from the Group on the compliance issue would be publicized soon.
---
Tag: IT Policy Compliance
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.