FFIEC News

New Research Shows How Compliance Controls Can Minimize Data Loss

Research from the IT Policy Compliance Group Indicates 87 Percent of Organizations Not Leveraging Appropriate Compliance and IT Governance Procedures to Mitigate Data Loss

CUPERTINO, Calif. – July 18, 2007 – The IT Policy Compliance Group today announced the availability of its latest benchmark research report titled “Why Compliance Pays:  Reputations and Revenues at Risk.”  According to the report, nine in ten firms are exposed to financial risk from data loss and theft.  These risks, which can cost organizations customers, reduced revenues and even a decline in share price, could be significantly reduced by implementing core procedural and technical controls and monitoring those controls at least once every two weeks. 

Among larger enterprises, the probability of a publicly disclosed data loss is likely once every three years if the firm is currently operating as a laggard.  In contrast, organizations with the best results have delayed the probability of data loss to once in every 42 years.  The benchmarks show that the organizations excelling at compliance are the same firms with the least data losses and the least business disruptions from IT downtime. 

 “The vast majority of businesses and public institutions are still struggling with high rates of annual compliance deficiencies, resulting in business disruption, data loss and theft,” said James Hurley, principal research manager, Symantec Corp. and managing director, IT Policy Compliance Group.  “While the probability of data loss and business disruption occurring in an organization is less a matter of ‘if’ than ‘when,’ there are a number of compliance, risk and governance practices that, if implemented correctly, could significantly reduce the frequency and impact of these events.”  

 The Cost of a Data Breach

According to Attrition.org’s Data Loss Database, the U.S. has averaged almost 280 publicly exposed incidents of data theft or loss annually over the last two years.  This average will likely rise given the increasing focus on data breaches by consumers, regulatory bodies and governments.  According to the latest IT Policy Compliance Group report, these losses can have significant business impact.  Benchmarks show organizations experiencing a publicly reported data loss expect to see an eight percent decline in customers and revenue, an eight percent decline in the price per share for publicly traded firms, and additional expenses averaging US $100 per lost customer record for firms experiencing publicly disclosed data losses and thefts. 

Best Practices from Compliance Leaders

The research shows that successful firms, those with the fewest data losses and thefts, are driving operational excellence in IT by improving compliance results, especially in IT general controls and IT security controls and procedures.  More notable, the benchmarks show the least data loss among firms that are monitoring and measuring controls against objectives consistently, at least once every two weeks.   

 “An effective IT governance process with concise IT control objectives, along with the right mix of built-in IT controls, allow businesses to set policies and measure against those policies in a consistent manner,” said Everett C. Johnson, CPA, International President of ISACA and the IT Governance Institute.  “By creating a measurable and repeatable IT compliance program, businesses are able to adequately produce data and ensure a high level of compliance.” 

Based on what is working among organizations with the fewest data losses, the IT Policy Compliance Group report identifies practices that will assist businesses with improving IT compliance results, reduce business downtime, and reduce data loss and theft.  These steps include:

• Implementing more and appropriate IT controls
• Reducing control objectives, making it easier to communicate, measure and report against
• Establishing higher standards for performance objectives
• Encouraging a culture of operational excellence in IT
• Conducting monitoring, measurement and reporting of controls against objectives at least once every two weeks
• Allocating more spend to controls automation

In addition to spending larger percentages of the IT budget on IT security controls, the firms with the fewest undisclosed latent data losses and least number of compliance deficiencies are reallocating monies away from external contract spend towards additional funding of equipment and software, specifically targeted at automating the monitoring and measurement of controls and procedures. 

“Control advocates have always been pressed to justify allocating resources on additional controls.  This report provides supporting evidence that the appropriate additional controls are not only warranted, but essential to prevent theft and loss,” said Rocco Grillo, a managing director in the Technology Risk practice of Protiviti Inc.  “The report also links system resiliency with compliance.  That is a novel perspective, however, as the paper indicates, there are great linkages between effective controls and resiliency.”

The IT Policy Compliance Group, which was formed to conduct benchmark research and promote best practices that help IT professionals successfully address policy and regulatory compliance challenges, also announced the addition of two new members:  ISACA and the IT Governance Institute. 

For more information and to download the latest research report, titled “Why Compliance Pays:  Reputations and Revenues at Risk,” visit www.ITPolicyCompliance.com.

About ISACA

With more than 65,000 members in more than 140 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance.  Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal, develops international information systems auditing and control standards, and administers the globally respected CISA designation, earned by more than 50,000 professionals since inception, and the CISM designation, a groundbreaking credential earned by 6,500 professionals since it was established in 2002. 

About the IT Governance Institute

The IT Governance Institute (ITGI) (http://www.itgi.org) was established by ISACA in 1998 to advance international thinking and standards in directing and controlling an enterprise’s information technology.  ITGI developed Control Objectives for Information and related Technology (COBIT), now in version 4.1, and Val IT, and offers original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities. 

About IT Policy Compliance Group

The IT Policy Compliance Group is dedicated to promoting the development of research and information that will help IT security professionals meet the policy and regulatory compliance goals of their organizations.  It is made up of members from several leading organizations including:  the Computer Security Institute, The Institute of Internal Auditors, Protiviti, Information Systems Audit and Control Association , IT Governance Institute, and Symantec Corporation (NASDAQ:  SYMC).  The group conducts fact-based benchmark research to determine the best practices that result in improvements to IT compliance results for organizations.  More information is available at www.ITPolicyCompliance.com.

Share or bookmarklet this web page at: