New Research Outlines Key Steps to Protect Sensitive Data

SOX News


(Dec 05, 2007)-- The IT Policy Compliance Group announced the availability of its latest benchmark research report titled "Core Competencies for Protecting Sensitive Data." The report, which incorporates responses from more than 450 organizations globally, concludes that only one in 10 organizations is in the enviable position of adequately protecting their sensitive data. The report also analyzes the variables between those companies that are leaders and laggards in the area of data protection, providing insight into best practices that can lead to better data protection, improved compliance and sustained competitive advantage.

One of the most striking findings from the research is the correlation between the protection of sensitive data and regulatory compliance results: firms that excel at protecting sensitive data also perform well on regulatory compliance audits. Almost all (96 percent) of the organizations with the least loss of sensitive data are the exact same organizations with the fewest regulatory compliance deficiencies that must be corrected to pass regulatory audits. In contrast, the majority (64 percent) of the organizations with the most loss of sensitive data are the same organizations with the largest number of regulatory compliance deficiencies that must be corrected to pass audit.

The core competencies identified in this report fall into the categories of organizational structure and strategy, customer intimacy and operational excellence. By analyzing the firms with the least sensitive data loss (leaders) and those that experience the most data loss (laggards), one can see the importance of defining fewer policies or control objectives, pursuing more frequent assessments and leveraging IT change management to prevent unauthorized use or change.

Leaders define an average of 30 control objectives and conduct assessments once every 19 days. These firms experience two or fewer data losses and thefts annually, and two or fewer compliance deficiencies annually.

Laggards define an average of 82 control objectives and conduct assessments once every 230 days. Laggards experience 13 or more data losses and thefts annually and 22 or more compliance deficiencies annually.

"Several recent events have demonstrated how damaging the loss of data can be to an organization's reputation and strategic objectives. It is critical to ensure that risk-based controls are in place to deter data loss and theft, and that those controls are regularly tested," said Lynn Lawton, CISA, FCA, FIIA, PIIA, FBCS CITP, international president of ISACA. "Successful organizations focus on selecting the most relevant controls, instead of simply implementing a large number. The survey results clearly demonstrate that selecting, implementing and communicating the key controls, and regularly assessing their effectiveness, is a more practical approach and gets better results than constantly adding to a complex maze of uncoordinated isolated controls."

The research indicates that the quality of controls is not as important as their appropriateness for specific risk and the frequency of controls assessment. Organizations not implementing risk-appropriate controls and not assessing the effectiveness of procedural and technical controls frequently enough are highly predisposed to data loss and theft. Firms with nonexistent controls and infrequent controls assessment are the firms experiencing the highest rates of frequent data loss and theft.

"Protecting customer and employee data as well as intellectual property has never been as important as it is today due to the rapid increase of compliance requirements and reputation risk," said Rocco Grillo, managing director in the Technology Risk practice of Protiviti Inc. "Yet data security breaches and identity thefts continue to occur. Even though controls cannot fully guarantee protection, companies need to conduct the appropriate level of due diligence in information security and risk management. Proven programs to maintain and increase effective security and safeguarding of sensitive data have had enormous payback in protecting valuable information from theft or loss. Gone are the days where management can sit back and wait for a crisis or incident to spur them into action - everyone needs to be proactive."



Copyright © 2007-2008 ComplianceHome.com. A SUPREMUS GROUP venture. All rights reserved.