IT Risk Management Report 2: Myths and Realities
IT Risk - encompassing Security, Availability, Performance, and Compliance elements - has become a critical issue for executives and boards of directors. In this second volume of the IT Risk Management Report, Symantec extends its analysis of IT professionals' insights into the nature of IT Risk and the most effective ways to manage it, with added focus on Availability and Performance Risk.
The Report addresses persistent myths about IT Risk, concluding that:
• IT professionals are adopting a more balanced, less Security-centric view of IT Risk - more of them now see Risk as critical or serious than any other element
• Compliance Risk is more than Security Risk formalized by law: data breaches, outages and disasters may cause irrecoverable losses of customer loyalty, revenue, and company value
• Reactive or annual project-oriented IT Risk Management is better than nothing. But IT professionals’ expectations of monthly incidents in a constantly-changing global and regional business and technology environment call for a continuous, process-oriented approach
• Best-in-class organizations deploy controls balanced across strategic, support, delivery, and security categories, positioning themselves to correct the missing or faulty processes that cause most incidents
• Over the past year, survey participants saw no improvement in Asset Inventory Classification and Management controls, and a decline in Data Lifecycle Management
• IT Risk Management builds on Operational Risk Management and manufacturing quality disciplines, spurred on by Sarbanes-Oxley and other regulations affecting Corporate Governance, and supported by its own emerging frameworks, standards, and best practices.
Symantec recommends a continuous IT Risk Management process starting with risk assessment, paying close attention to cultural and training issues, and addressing long-term structural improvements as well as "early wins." Most implementations will focus on Risk and associated controls in the early stages, but should follow up with Risk and delivery controls, and include Compliance and Performance Risk with strategic controls for an integrated, effective program over the long term.