Why Compliance Pays: Reputations and Revenues at Risk -- and other Symantec White Papers & Resources - free from ComplianceHome.com  

Symantec White Papers & Resources

Security White Papers

Why Compliance Pays: Reputations and Revenues at Risk - Research Report
A new benchmark research report from the IT Policy Compliance Group highlights the differences between compliance laggards and leaders and shows how the leaders make compliance pay for them. For example:

  • 9 out of 10 firms are not leveraging compliance and IT governance procedures that could help them mitigate financial risk from lost or stolen data
  • Firms with the best IT compliance results have the least business downtime from IT security events
  • The probability of making the front page of the paper for a data theft or loss is once every three years or sooner for compliance laggards, compared to once every 42 years or later for compliance leaders
The amount spent on compliance and data protection is a very small percentage of the financial value at risk. The report puts returns on investment in compliance for larger enterprises at 1,000 percent and upward, improving to as much as 100,000 percent, so good compliance pays for itself.

Table of contents:

Executive Summary

  • Key findings
  • Implications and analysis
  • Recommendations: Follow the leaders

Key Findings

  • Most firms continue to struggle with compliance
  • Compliance deficiencies, business disruptions and data losses
  • Firms that do well on compliance have the fewest business disruptions
  • Firms that do well on compliance have the fewest data losses and thefts
  • Publicly exposed and reported data loss/theft: When, not if
  • Financial losses from publicly exposed data loss and theft
  • Share price declines for publicly traded companies
  • Customer and revenue losses
  • Expenses and costs
  • Financial returns for compliance and data protection
  • Leaders cracked the code: Operational excellence in IT
  • More and appropriate IT controls
  • Fewer control objectives
  • High standards and key performance indicators
  • More frequent monitoring and measurement
  • Automation of spending to automate controls monitoring
  • Why compliance pays
  • Appendix A: Probability of publicly reported data losses
  • Appendix B: Financial losses and IT policy compliance
  • About the benchmarks

List of Figures

  • Figure 1: Business disruptions and compliance profiles
  • Figure 2: Unreported data losses, thefts, and compliance profiles
  • Figure 3: Average time to public exposure of data loss and theft
  • Figure 4: Stock price declines for publicly exposed data loss/theft
  • Figure 5: Customer and revenue losses for publicly exposed data loss/theft
  • Figure 6: Costs per lost customer record
  • Figure 7: Returns on compliance spending: Normative performers
  • Figure 8: Primary causes of compliance deficiencies: IT general controls
  • Figure 9: Appropriate number of IT controls: Laggards to leaders
  • Figure 10: KPI results: Laggards to leaders
  • Figure 11: Frequency of monitoring and measurement

List of Tables

  • Table 1: Compliance deficiencies, business disruptions, data losses and thefts
  • Table 2: Financial risk appetites by size of organizations
  • Table 3: Years to disclosure for publicly exposed data thefts and losses
  • Table 4: Returns on spending for compliance and data protection
  • Table 5: Number of control objectives

To find out how you can turn compliance into a tool that will help you improve the rate of return on your compliance efforts, reduce data loss, financial loss and stock decline, download this white paper today.


Lessons Learned for SOX Compliance and Other Regulatory Challenges
According to most estimates, first-year efforts to comply with the Sarbanes-Oxley Act of 2002, widely known as "SOX," tended to overcompensate by trying to cover too many controls, producing stacks of manual assessments and spreadsheets at very high cost. According to Ernst & Young, first-year SOX filers spent 70 percent of their time resolving deficiencies in IT controls in order to pass SOX audits. In the second year of SOX activity, financial report filers still spent 60 to 65 percent of their time resolving IT deficiencies in order to pass SOX audits, and again saw significant increases in personnel costs as they completed their SOX audits.

Research reveals major success factors for SOX compliance
Recent research conducted among organizations in North America and around the world helps illuminate what appears to be working for SOX compliance. Organizations with the fewest IT control deficiencies:

1. Deliver continuous training to employees while ensuring accountability with policy
2. Restructure the risk management function, internal controls, and IT security
3. Reallocate IT expenditures by shifting spending from consultants and contract labor to automated tools
4. Automate IT measurements, reporting, controls, change management processes, and IT security policies
5. Focus on managing risk to improve IT controls, information collection, and reporting


Managing Access to Critical Data for Protection and Privacy
Protecting intellectual property and confidential personal, financial, and business information is a business priority, and often a legal requirement. To secure their data and ensure that only authorized people have access to it, organizations use a variety of access management disciplines. Access management includes identity management solutions that control permissions for critical data stores by managing Access Control Lists (ACLs). But identity management solutions in isolation risk access inflation, workarounds, and coverage gaps.

Comprehensive access management deploys identity management within a framework that includes disciplines for data protection, integration with hiring and promotion, and especially monitoring. Monitoring augments access management with a second line of defense, protection against unanticipated threats, a source of feedback for the continuous improvement of access management practices, and an audit trail.

The transition to comprehensive access management disciplines starts with an inventory and classification of data and a definition of appropriate IT security controls, along with the creation of a risk model to establish priorities. Typically, this planning process identifies areas of inappropriate access despite restrictive access rules, along with poorly defined controls, inadequate monitoring, and no real metrics for program effectiveness. Once under way, comprehensive access management relies on tight integration with business processes and frequent audits to maintain alignment with policy. And it depends on monitoring to identify, prioritize, and respond to unauthorized access.
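The two checks the passage describes, reconciling ACLs against what each role should have and monitoring access as a second line of defence, can be run as one small review cycle. The following is an added example, not code from the Symantec paper or from ComplianceHome; the data stores, HR roles, role baseline, ACL export and log format are all constructed assumptions chosen to show an access-inflation finding, an orphaned account, and an access the ACL layer never granted.

```python
"""Reconcile data-store ACLs against an HR-derived role baseline, then use
access-log monitoring as a second line of defence.  Added example: every
record below is constructed, and the record formats are assumptions."""
from collections import namedtuple

# Constructed inventory from the planning step: data store -> classification.
STORES = {
    "hr-payroll": "restricted",
    "finance-gl": "confidential",
    "eng-wiki": "internal",
}

# Constructed HR feed: active principal -> job role.  Leavers are simply absent,
# which is how the hiring/termination integration reaches access management.
HR_ROLES = {
    "alice": "payroll-clerk",
    "bob": "controller",
    "carol": "engineer",
}

# Assumed role baseline: the (store, permission) pairs each role should hold.
ROLE_BASELINE = {
    "payroll-clerk": {("hr-payroll", "read"), ("hr-payroll", "write")},
    "controller": {("finance-gl", "read"), ("finance-gl", "write"),
                   ("hr-payroll", "read")},
    "engineer": {("eng-wiki", "read"), ("eng-wiki", "write")},
}

Acl = namedtuple("Acl", "principal store permission")

# Constructed ACL export pulled from the stores themselves.
ACLS = [
    Acl("alice", "hr-payroll", "read"),
    Acl("alice", "hr-payroll", "write"),
    Acl("bob", "finance-gl", "read"),
    Acl("bob", "finance-gl", "write"),
    Acl("bob", "hr-payroll", "read"),
    Acl("carol", "eng-wiki", "read"),
    Acl("carol", "eng-wiki", "write"),
    Acl("carol", "finance-gl", "read"),   # access inflation left over from a project
    Acl("dave", "hr-payroll", "read"),    # orphan: dave is no longer in the HR feed
]

# Constructed access log, assumed format: "<timestamp> <principal> <store> <action>".
SAMPLE_LOG = [
    "2007-06-01T09:00:00Z alice hr-payroll read",
    "2007-06-01T09:05:00Z carol finance-gl read",   # permitted by ACL, but inflated
    "2007-06-01T09:07:00Z erin hr-payroll read",    # no ACL grants this at all
    "2007-06-01T09:09:00Z bob finance-gl delete",   # bob holds read/write, not delete
]

# Risk model: higher number = review first.
SEVERITY = {"restricted": 3, "confidential": 2, "internal": 1}


def reconcile_acls(acls, hr_roles, baseline, stores):
    """Return ACL grants the role baseline does not justify, highest severity
    first.  Each finding is (kind, principal, store, permission, severity)."""
    findings = []
    for a in acls:
        sev = SEVERITY[stores[a.store]]
        role = hr_roles.get(a.principal)
        if role is None:
            # Account exists on the store but not in HR: a coverage gap.
            findings.append(("orphan-account", a.principal, a.store, a.permission, sev))
        elif (a.store, a.permission) not in baseline[role]:
            # Grant exceeds what the role needs: access inflation.
            findings.append(("access-inflation", a.principal, a.store, a.permission, sev))
    return sorted(findings, key=lambda f: -f[4])


def parse_access_log(lines):
    """Parse the assumed whitespace-separated log format into tuples."""
    return [tuple(line.split()) for line in lines]


def monitor_access(events, acls, stores):
    """Second line of defence: flag every logged access that no current ACL
    entry permits, e.g. an admin bypass, shared credential or workaround.
    Returns (timestamp, principal, store, action, severity), highest first."""
    granted = {(a.principal, a.store, a.permission) for a in acls}
    flagged = [(ts, who, store, action, SEVERITY[stores[store]])
               for ts, who, store, action in events
               if (who, store, action) not in granted]
    return sorted(flagged, key=lambda f: -f[4])


if __name__ == "__main__":
    for finding in reconcile_acls(ACLS, HR_ROLES, ROLE_BASELINE, STORES):
        print("ACL review:", finding)
    for event in monitor_access(parse_access_log(SAMPLE_LOG), ACLS, STORES):
        print("Unauthorized access:", event)
```

The reconciliation pass catches what identity management alone hides: carol's stale finance grant and dave's orphaned account both pass the ACL check because the ACL itself is the thing that is wrong. The monitoring pass catches the opposite case, erin's read and bob's delete, which no ACL permits, so they must have happened through some path the access-control layer does not see. Sorting both result sets by data classification is the "risk model to establish priorities" the passage calls for.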


Symantec Network Access Control: Comprehensive Network Access Control
The managed state of an organization's individual endpoints plays a critical role in the overall security and availability of its IT infrastructure and related business operations. The new wave of sophisticated crimeware not only targets specific companies but also uses desktops and laptops as backdoor entryways into those enterprises' business operations and valuable resources.

To safeguard themselves against these targeted threats, organizations must have a means to guarantee that each endpoint continually complies with corporate security and configuration management policies. Failure to guarantee endpoint policy compliance leaves organizations vulnerable to a wide array of threats, including the proliferation of malicious code throughout the enterprise, disruption of business-critical services, increased IT recovery and management costs, exposure of confidential information, damage to corporate brand, and regulatory fines due to non-compliance.

Symantec Network Access Control enables organizations to ensure the proper configuration and security state of user endpoints, including those of onsite employees, remote employees, guests, contractors, and temporary workers, before they are allowed to access resources on the corporate network. It discovers and evaluates endpoint compliance status, provisions the appropriate network access, and provides remediation capabilities to ensure that endpoint security policies and standards are met. Symantec Network Access Control is network OS-neutral and integrates with any network infrastructure, making its implementation more comprehensive, easier, faster, and more cost-effective than competing solutions.


Symantec Endpoint Protection: A unified, proactive approach to endpoint security
Organizations today face a threat landscape that involves stealthy, targeted, and financially motivated attacks that exploit vulnerabilities in endpoint devices. Many of these sophisticated threats can evade traditional security solutions, leaving organizations vulnerable to data theft and manipulation, disruption of business-critical services, and damage to corporate brand and reputation. To stay ahead of this emerging breed of stealthy and resilient security threats, organizations must advance their endpoint protection.

Symantec Endpoint Protection enables organizations to take a more holistic and effective approach to protecting their endpoints: laptops, desktops, and servers. It combines five essential security technologies to proactively deliver the highest level of protection against known and unknown threats, including viruses, worms, Trojan horses, spyware, adware, rootkits, and zero-day attacks. This offering combines industry-leading antivirus, antispyware, and firewall with advanced proactive protection technologies in a single deployable agent that can be administered from a central management console. Administrators can also enable or disable any of these technologies based on their particular needs.


Taking Action to Protect Sensitive Data
Only 12 percent of organizations, about one in ten, experienced fewer than three losses of sensitive data in the past year. For all other institutions, almost 90 percent, data loss rates are higher. The leading organizations, those with the fewest losses of sensitive data, are spending more time, employing multiple IT controls, and monitoring compliance with their policies weekly, and thereby significantly reducing the loss of sensitive data. In fact, leading organizations are uniquely:

  • Employing multiple IT controls to help protect sensitive data
  • Monitoring and measuring controls and procedures to protect data once every four days

    While best-in-class organizations monitor and measure controls and procedures to protect sensitive data once a week, most firms conduct such measurements only once in a blue moon: at best, once every 176 days. Furthermore, all other organizations either ignore the use of IT controls to protect sensitive data or selectively employ only a few. In this day of instantaneous electronic information exchange and 24x7x365 Internet connectivity, infrequent monitoring and underutilized IT controls will likely contribute to more instances of sensitive data loss.


    Compliance Matrix Poster for IT & Compliance Professionals

    This matrix poster outlines IT Controls for security and privacy concerns related to regulatory compliance in the workplace. Topics addressed in this poster include:

    Regulations and Standards:

    • ISO 17799
    • COBIT 4.0
    • Sarbanes Oxley
    • HIPAA
    • Payment Card Industry (PCI)
    • GLBA
    • NERC standards CIP
    • PIPEDA (Canada)

    Issues of Concern:

    • Risk Assessment and Treatment
    • Security Policy
    • Organization of Information Security
    • Asset Management
    • Human Resources Security
    • Physical and Environmental Security
    • Communications and Operations Management
    • Access Control
    • Information Systems Acquisition, Development and Maintenance
    • Information Security Incident Management
    • Business Continuity Management
    • Compliance

    Copyright © 2007-2012 ComplianceHome.com. A SUPREMUS GROUP venture. All rights reserved.