Core Competencies for Protecting Sensitive Data Benchmark Research Report October 2007 IT Policy Compliance Group
Core Competencies for Protecting Sensitive Data

Benchmark Research Report

October 2007

IT Policy Compliance Group


Core Competencies for Protecting Sensitive Data

© 2007 IT Policy Compliance Group

Contents

Executive summary (page 1)
  Key findings (page 1)
  Implications and analysis (page 2)
  Recommendations for action (page 2)
Key findings (page 3)
  Core competencies for protecting sensitive data (page 3)
  Compliance and data protection (page 4)
  Financial outcomes from the loss and theft of sensitive data (page 5)
  Strategic actions to improve results (page 7)
  The importance of control objectives (page 8)
  Assessment and audit of business functions (page 11)
  Frequency of controls assessment, measurement and monitoring (page 12)
Leveraging IT to improve results (page 14)
  Actions taken in IT to improve results (page 15)
  More prevention, less remediation in IT (page 16)
  Assessment and monitoring in IT (page 17)
  The role of IT change management (page 18)
  In IT, an ounce of prevention is better than a pound of cure (page 21)
Leveraging core business value disciplines (page 22)
Appendix (page 25)
  Data loss and regulatory audit results (page 25)
  Data loss and theft results (page 25)
  Regulatory audit results (page 26)
  Multiple regulatory audits: The norm for large enterprises (page 27)
  The correlation between regulatory audit and data protection (page 28)
  Most sensitive data (page 29)
  Sources of data loss (page 30)
  Conduits for data loss (page 31)
  Years to public disclosure (page 32)
  Source of compliance deficiencies (page 33)
  Attrition.org’s data loss database (page 35)
About the benchmarks (page 36)
About IT Policy Compliance Group sponsors (page 38)


Executive summary

Key findings

The most recent benchmark research conducted by the IT Policy Compliance Group (IT PCG) reveals an intimate relationship between financial outcomes, sustained competitive advantage, data protection, and regulatory compliance.

The core competencies for protecting sensitive data are the result of this research and show the practices, procedures, and organizational strategies being implemented by organizations with the least loss and theft of sensitive data. A company’s ability to sustain its competitive advantage is enabled by protecting its sensitive data, resulting in better customer retention while protecting the brand and reputation of the firm. Protecting sensitive data helps a company avoid revenue loss, market capitalization loss, and unnecessary expenses.

The core competencies for protecting sensitive data and sustaining competitive advantage involve several business value disciplines, including the following:

• Organizational structure and strategy

– Implement a world-class compliance program

– Document and maintain policies, standards, and procedures

– Reorganize internal controls, IT security, and risk management functions to leverage customer intimacy and operational excellence

• Customer intimacy

– Define the roles and responsibilities of policy owners

– Identify and manage business and financial risks

– Deliver employee training and manage exceptions to policy

• Operational excellence

– Expand the scope of internal audit to most business functions

– Make control objectives risk-relevant

– Reduce the number of control objectives

– Implement controls that are measured

– Conduct self-assessments of procedural controls

– Increase the frequency of technical controls assessment

– Implement a complete IT change management program

– Use IT change management to prevent unauthorized use or change


Implications and analysis

The organizations with the least data loss are the firms with the best regulatory compliance audit results, and the actions taken by these firms demonstrate a core set of competencies that minimize the loss or theft of sensitive data.

Unfortunately, a majority of organizations—87 percent—are suffering from higher rates of sensitive data loss and theft, and this only accounts for data that is known to have been lost or stolen. Although not all data loss or theft involves sensitive data, the odds of a loss involving sensitive data increase as the overall rate of latent data loss or theft increases. Compounding the likelihood of a data loss event being reported publicly are new laws in more locations mandating notification of affected parties and reporting of sensitive data loss. As the number of these local laws increases, the likelihood of a data loss becoming publicly reported increases, and with it comes an increased likelihood of customer defections, revenue losses, market capitalization losses, and additional expenses.

Recommendations for action

Financial results from the loss of sensitive data are quantified and predictable. The annualized expected loss rates in the IT PCG benchmarks closely match those being experienced by organizations that have experienced the loss or theft of sensitive data.

The core competencies identified in this report are being implemented by the 13 percent of organizations with the lowest rates of latent data loss or theft. While the core competencies for protecting sensitive data identified by the research may not directly contribute to a company’s competitive advantage, if implemented, they will

• Reduce sensitive data loss

• Minimize financial loss associated with data loss and theft events

• Reduce noncompliance with regulatory mandates

• Enable firms to sustain competitive advantage

Eighty-seven percent of firms are having greater difficulty protecting sensitive data, including customer data, and can benefit from taking the actions that are shown to reduce data loss and theft. These firms can now make the decision to implement the core competencies for protecting such data.


Key findings

Core competencies for protecting sensitive data

The phrase core competencies is associated with an organization’s sustainable competitive advantage and is described as the combination of skills, organizational structures, and procedures that, when put together, provide access to a wide variety of markets, contribute to the perceived benefits of products and services, and are difficult for competitors to match.

The core competencies for protecting sensitive data do not lead to competitive advantage, but rather complement an organization’s ability to sustain it. The core competencies for protecting sensitive data are the practices, procedures, and organizational behavior needed to minimize data loss and the accompanying financial loss and damage to the reputation and brand of the enterprise.

These core competencies are the result of primary benchmark research conducted with hundreds of organizations, and are the practices and actions taken by those organizations with the least loss or theft of sensitive data. The implementation of these core competencies will result in lower data loss rates, lower financial risk and loss, and less damage to the reputation of the firm.

The core competencies for protecting sensitive data are relevant to a majority of firms (87 percent), i.e., those experiencing more than three losses or thefts of sensitive data annually (see Appendix).

Although not all of the organizations with the least loss of sensitive data weight all of the core competencies equally, a majority of the firms with the fewest losses of sensitive data implement these practices to an extent exceeding that of other organizations.

The lesson from the benchmarks is clear: To reduce sensitive data loss, follow the leaders and initiate efforts to implement these core competencies to protect your sensitive data.

The core competencies:

• Implement a best-in-class regulatory compliance program.

• Manage business and financial risk.

• Define policy owners.

• Manage policies and standards.

• Reduce control objectives.

• Deliver employee training.

• Expand the scope of internal audit.

• Increase the frequency of controls assessment.

• Conduct self-assessment of controls.

• Use IT change management to prevent unauthorized use or change.

• Expand the scope of technical assessment.

• Reorganize to leverage core business value disciplines.


Compliance and data protection

An organization’s ability to protect and safeguard sensitive data is directly related to how well it performs on regulatory audit. Although not the only core competency for protecting sensitive data, almost all of the firms with the fewest losses of sensitive data are the firms with the best regulatory compliance results.

Only about one in ten organizations are in the enviable position of being able to adequately protect their sensitive data. These are the same firms with the fewest deficiencies that must be corrected to pass regulatory audit (see Appendix).

The most recent benchmarks confirm earlier findings: Ninety-six (96) percent of the organizations with three or fewer compliance deficiencies are the same firms with three or fewer losses or thefts of sensitive data during the past year. In contrast, 64 percent of the organizations with the most compliance deficiencies are the same firms with twelve or more losses or thefts of sensitive data in the past year (Figure 1).

Clearly, whatever the firms with the best regulatory audit results are doing, it is resulting in the fewest losses or thefts of sensitive data. Implementing a world-class regulatory compliance program should be a top priority for the 87 percent of all firms that are not leaders—those with data losses and thefts ranging from 3 to 12 or more annually (see Appendix).

Figure 1. Compliance profiles, data loss, and theft

Source: IT Policy Compliance Group, 2007


[Figure 1 chart: percentage of organizations (0% to 100%) with more than 12 losses/thefts of sensitive data annually versus fewer than 3 losses/thefts annually, shown for compliance leaders (fewer than 3 deficiencies) and compliance laggards (more than 16 deficiencies). N: 943]

Core competency

Implement a best-in-class regulatory compliance program to sharply reduce data loss and theft.


Financial outcomes from the loss and theft of sensitive data

Financial outcomes from the loss or theft of sensitive data include customer defections, revenue declines, declines in stock price for publicly traded firms, and additional expenses (see Why Compliance Pays: Reputations and Revenues at Risk, IT PCG, July 2007). Additional financial risk results from expenses incurred for litigation, litigation settlements, consumer credit counseling, investigations, data restoration, and necessary (and after-the-fact) get-well efforts. Averaging nearly 8 percent of revenue, the expected losses from benchmarks conducted with hundreds of organizations are mirrored by actual experience (Table 1).

Although the benchmark results are valid as averages, these numbers are unlikely to be shared equally by every firm. Some firms may experience dramatic revenue declines while others may not. Other firms will experience revenue increases accompanied by sharp drops in shareholder value and dramatic declines in profits as additional expenses mount after the loss or theft of sensitive data.

Type of loss              Average loss
Customer defections       8.1%
Revenue decline           8.0%
Decline in stock price    8.0%
Additional expenses       $100 per lost record

Table 1. Expected financial losses

Source: IT Policy Compliance Group, 2007

Ongoing multiple data losses and results

A minority of firms are experiencing more than one loss of sensitive data in a short period of time. For example, the Attrition.org data loss database (see Appendix) shows that roughly 10 percent of publicly reported data losses are occurring among organizations with more than one loss of sensitive data in less than two years. Among these organizations, loss events range from two to as many as six over two years. Clearly, some organizations have better procedural and technical controls in place than others.

However, the quality of controls is not as important as their appropriateness for specific risk and the frequency of controls assessment. Organizations not implementing risk-appropriate controls and not assessing the effectiveness of procedural and technical controls frequently enough are highly predisposed to data loss and theft. Moreover, firms with nonexistent controls and infrequent controls assessment are the firms experiencing the highest rates of frequent data loss and theft (see Appendix).


Expected financial losses from the loss or theft of sensitive data are actually higher for firms conducting controls assessment less frequently. Firms conducting controls assessment once every 150 days are more predisposed to data loss and theft than firms conducting controls assessment monthly. Organizations conducting controls assessment once or twice per year are more susceptible to data loss events (see Appendix).

When annualized, the expected financial losses are actually higher for firms with fewer annual control assessments than among the firms conducting monthly assessments of controls (Figure 2).

Although the expected annualized financial losses may seem high, the numbers are quite credible. For example, a recent data loss occurred at the beginning of 2007 at an organization with $17.4 billion in revenue. This data loss did not result in a revenue decline from the first to second calendar quarter for this firm. Although the firm’s revenues increased quarter to quarter, its revenues actually declined by roughly 2 percent when compared with historical year-over-year figures. However, this historical year-over-year decline in revenue could easily be attributed to factors other than the data loss the firm experienced. The firm has been fortunate in being able to retain its customers and not experience a near-term revenue decline.

Figure 2. Expected annualized financial losses

Source: IT Policy Compliance Group, 2007


[Figure 2 chart: expected financial loss, annualized (log scale, $10 thousand to $10 billion), plotted against firm revenue ($1 million to $100 billion), for firms with two assessments of controls per year; labelled points include $683 million, $60 million, $421 thousand, and $43 thousand. N: 708]


Although revenues were not materially impacted by its data loss, the company experienced an aggregate decline of 7.5 percent of its market capital over an extended six-month period immediately after the data loss became publicly known. This extended decline in the share price of the firm’s publicly traded stock amounts to nearly $1 billion in shareholder value that evaporated when the stock price and shares outstanding are taken into account. Furthermore, the company took charges against earnings for additional expenses that are nearly $215 million to date, with additional expenses related to the data loss expected. The firm reported a 75 percent drop in profits in its most recent quarterly financial filing due to expenses related to the data loss event.

The lesson: Although revenues did not account for a majority of the financial loss experienced to date by this firm, its experience is in line with expected annualized financial losses.

Strategic actions to improve results

After implementing a world-class compliance program, the three most important strategic actions being taken by the leaders—the firms with the least data loss and the lowest number of regulatory compliance deficiencies—include:

• Identifying and managing risk

• Documenting and maintaining IT security policies, standards, and procedures

• Increasing the frequency of monitoring, measurements, and assessments

Additional strategic actions being taken by the leaders include establishing objectives; measuring results; and reorganizing internal controls, IT security, and risk management functions (Figure 3).

Firms with the best results are complementing risk and policy management by increasing the frequency with which policies and controls are assessed, measured, and monitored to ensure that risks are appropriately managed. In addition to strategic actions that differentiate the leaders from all others, the leading organizations also have a smaller number of control objectives against which controls are measured, monitored, and assessed to manage risk.

Core competencies

• Identify and manage risks.

• Document and maintain policies, standards, and procedures.

• Increase the frequency of controls assessment.


Figure 3. Strategic actions to improve results

Source: IT Policy Compliance Group, 2007

The importance of control objectives

Control objectives are expressions of policy reflecting the risk an organization considers acceptable or unacceptable. Examples of high-level control objectives that might be relevant to compliance and data protection include:

• We will ensure compliance with Sarbanes-Oxley and PCI audits.

• We will not allow customer data to be compromised, lost, or stolen.

• We will adhere to Basel II operational risk guidelines.

These examples may be relevant for some firms and irrelevant to others. For example, organizations not subject to Sarbanes-Oxley would not have control objectives for it. Likewise, firms conducting business in France, Germany, Ireland, Italy, or the United Kingdom will have control objectives for European data protection and retention laws and would want to evaluate risk related to these, as appropriate. Firms doing business in Japan, Taiwan, or Singapore may be focused on J-SOX and perhaps PCI if substantial portions of their revenue depend upon merchant credit- and debit-card transactions.


[Figure 3 chart: percentage of organizations (0% to 70%) taking each strategic action, leading firms versus all others. N: 943. Actions: 1. Established objectives and measured results; 2. Delivered training and accountability for employees; 3. Identified and managed risks; 4. Increased the frequency of monitoring and assessments; 5. Reduced the impact of Internet security threats; 6. Segmented or limited access to sensitive data; 7. Documented and maintained IT security policies, standards, and procedures; 8. Reorganized internal controls, IT security, and risk management functions]

Core competencies

• Reduce control objectives to about 30 risk-based policies.

• Match objectives with controls that can be measured.


Whatever the primary business and regulatory audit pressures for an organization, firms with the least data loss and theft purposely keep the number of control objectives low and focused on risk. Control objectives among firms with the least data loss and the fewest compliance deficiencies number 30, compared with an average of 43 among firms operating at the norm, and 82 control objectives for organizations with the most data losses and thefts (Table 2).

                                   Lagging      Norm          Leading
Number of control objectives       82           43            30
Compliance deficiencies annually   22 or more   6 on average  2 or less
Data losses and thefts annually    13 or more   5 on average  2 or less

Table 2. Control objectives and results

Source: IT Policy Compliance Group, 2007

The direct benefits of a smaller set of risk-based policies and control objectives include:

• More effective compliance with policies by employees

• Lower costs for training employees

• Lower labor costs to implement regulatory compliance programs

• Lower costs for audit fees

The indirect benefit of eliminating redundant and irrelevant control objectives is that organizations will avoid burdensome procedures that would otherwise dampen customer service, sales, production, distribution, manufacturing, and other important business functions that are implemented to sustain competitive advantage.

Control objectives by size of organization

Unfortunately, larger enterprises have a larger number of control objectives than smaller organizations. In fact, most organizations with more than $1 billion in revenue have—on average—60 control objectives. This is almost twice the number employed by the leaders, those with the fewest data losses and best regulatory compliance records (Figure 4).

Large enterprises are demonstrating compliance with more regulatory mandates and annual audits than are midsize firms and small businesses. Unfortunately, there are more large enterprises performing as laggards and fewer operating at the norm. Large enterprises appear to be treating regulatory compliance as unrelated silos, when in fact there may be opportunity to collapse similar or identical control objectives, practices, and controls across multiple audit requirements (see Appendix).


However, not all large enterprises perform as compliance and data protection laggards. Large enterprises performing as leaders have found a way to consolidate and simplify policies and control objectives to simultaneously address key business risks, multiple regulatory audit requirements, and controls to ensure that the organization’s policies are being implemented. Given much larger financial risk, brand damage, lost customers, and market capitalization losses from the loss or theft of sensitive data, it is probably more important for larger enterprises to realign and consolidate control objectives on risk and across multiple regulatory audit requirements.

Figure 4. Control objectives by size of organization

Source: IT Policy Compliance Group, 2007

In addition to a smaller number of risk-relevant control objectives, objectives must be matched by controls that can be implemented, measured, and documented. Without accompanying controls that are measured, objectives and policy statements aren’t linked to actual procedures and systems that operate the business.


[Figure 4 charts: number of control objectives (0 to 100) by compliance results (lagging, norm, leading) and by revenue (less than $50 million; $50 million to $999 million; $1 billion or more). N: 708]

Key findings

A smaller set of risk-based objectives:

• Improves data protection and regulatory compliance results

• Reduces labor costs for compliance programs

• Reduces expenses for employee training

• Reduces audit fees


Assessment and audit of business functions

In addition to reducing the number of control objectives, another core competency for protecting sensitive data is the extent of the business functions being audited. Among data protection and regulatory compliance leaders, the most important business functions being audited regularly include finance, internal controls, IT, IT security, legal services, and the compliance function itself. Leaders also monitor and audit procurement, logistics, manufacturing, customer service operations, sales, and marketing functions at rates that are much higher than those of other firms (Figure 5).

In comparison, firms not operating as leaders target the human resource function and employees as the primary focus for assessment and audit. Most of these firms do not audit procurement, logistics, product design and development, or manufacturing—all of which are key areas of the business where assets and access to information, business procedures, and IT systems can result in fraud and malfeasance, in addition to data loss, theft, and compliance deficiencies.

Figure 5. Business functions being monitored and assessed

Source: IT Policy Compliance Group, 2007

[Figure 5 chart: percentage of organizations (0% to 100%) monitoring and assessing each business function, leading firms versus all others. N: 454. Functions: 1. IT and IT security; 2. Legal and compliance; 3. Human resources and employees; 4. Product design and development; 5. Finance and internal controls; 6. Customer service operations; 7. Sales and marketing; 8. Manufacturing; 9. Procurement and logistics]

Core competency

Expand the scope of internal audit and assessments across most business functions.


Reducing the loss of sensitive data also means that appropriate rewards and penalties must be instituted after training and education are implemented for employees. Regular training and education, combined with more far-reaching audit procedures that include self-assessments of procedural controls and automated assessments of technical controls, will significantly reduce the loss of sensitive data.

Assessing more business functions without automation may be more difficult to achieve among large enterprises because business functions in larger enterprises are more likely to be spread across different geographies, locations, and offices.

Frequency of controls assessment, measurement and monitoring

After strategic actions, the most important action taken by firms with the fewest data losses and compliance deficiencies is to increase the frequency of monitoring, measurements and assessments.

Leading firms tend to monitor, audit, and assess their procedural and technical controls at least once every month. In fact, the average interval between these assessments among these firms is 19 days.

In comparison, firms performing at the norm are measuring and assessing once every 150 days, and organizations with the most compliance deficiencies and the highest rate of data loss are conducting assessments once every 230 days (Figure 6).

Figure 6. Importance of frequent measurement, assessment, and reporting

Source: IT Policy Compliance Group, 2007


Figure 6 data (chart not reproduced): days between assessments (y-axis 0 to 250) shown by results (Lagging, Norm, Leading) and by revenue (Less than $50 million; $50 million to $999 million; $1 billion or more). N: 943.

Core competency

Increase the frequency of controls assessment and monitoring to at least once every 30 days.


Small business results

Most small businesses are monitoring controls at rates similar to those implemented by laggards. However, the performance profile of small businesses indicates that more of these organizations are among the norm, marginally fewer are operating as laggards, and the number of leaders is close to the industry average. The divergence between performance results and frequency of controls assessment among small businesses includes several primary factors: smaller businesses are subject to one regulatory audit annually, are dealing with far less complex business structures, and have far less complicated operations.

Small businesses tend to have fewer control objectives (an average of 20), mirroring fewer regulatory audits and less complexity. Increasing control objectives and the frequency of controls assessment will likely improve data protection and compliance results among small businesses.

Midsize firm results

Midsize organizations assess and monitor controls, on average, once every 150 days, with performance results matching that of the general population. In short, most midsize businesses are stuck in the middle. Most are subject to two regulatory audits annually, and most are performing at the norm. However, the probability of a data loss occurring for one of these firms is higher than it is for small businesses. The financial and business risk of data loss, data theft, and noncompliance is far higher for midsize firms than it is for small businesses. Unlike small businesses, midsize firms have more control objectives than are needed. Midsize firms should consider reducing the number of control objectives to reflect actual risk and increase the rate of control assessments from current levels to reduce data loss.

Large enterprise results

Large enterprises with complex business structures and more complex operations are subject to three regulatory audits annually, on average. The report card for large enterprises finds that:

• More are operating as laggards than the general population

• Too many control objectives are implemented

• Controls are not assessed frequently enough, relative to much higher risk

The financial risk for large enterprises is much larger: Revenue and market capitalization declines are much more visible and substantial for an organization with $25 billion in revenue than for a small business with $25 million in revenue or a midsize firm with $250 million in revenue.

Larger enterprises have twice as many control objectives—an average of 60—as are needed to adequately and cost-effectively manage risk from the loss of sensitive data or noncompliance with regulatory mandates. Although large enterprises assess and monitor controls once every 106 days, the desired target is every 19 days or at least once per month.


The actions that most large enterprises should consider taking to reduce risk from the loss of sensitive data and noncompliance with regulatory mandates include:

• Consolidate control objectives across multiple regulatory mandates.

• Increase the rate of assessment and monitoring to at least monthly.
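As an added illustration of the two actions just listed, and of the 30-day assessment target stated earlier in this section, the following Python is not from the report or from the IT Policy Compliance Group. It models a hypothetical controls register with constructed control ids, descriptions, mandate names and dates, merges objectives that appear under several mandates into one, and flags every objective not assessed within the 30-day target. The mandate names are used only as labels; nothing here reproduces an actual regulatory requirement.

```python
from dataclasses import dataclass
from datetime import date

# Target cadence named in the report: assess and monitor controls at least once every 30 days.
TARGET_DAYS = 30


@dataclass
class ControlObjective:
    """One entry in a hypothetical controls register (all sample values are constructed)."""
    control_id: str
    description: str
    mandates: set        # regulatory mandates this objective provides evidence for
    last_assessed: date


def consolidate(objectives):
    """Merge objectives with the same description into one objective that serves every
    mandate it appeared under. The first id seen is kept; the most recent assessment
    date counts for the merged objective."""
    merged = {}
    for obj in objectives:
        key = obj.description.strip().lower()
        if key in merged:
            merged[key].mandates |= obj.mandates
            merged[key].last_assessed = max(merged[key].last_assessed, obj.last_assessed)
        else:
            merged[key] = ControlObjective(obj.control_id, obj.description,
                                           set(obj.mandates), obj.last_assessed)
    return list(merged.values())


def overdue(objectives, today, target_days=TARGET_DAYS):
    """(control_id, days since last assessment) for each objective past the target,
    most overdue first."""
    late = []
    for obj in objectives:
        days = (today - obj.last_assessed).days
        if days > target_days:
            late.append((obj.control_id, days))
    return sorted(late, key=lambda item: item[1], reverse=True)


def mean_days_since_assessment(objectives, today):
    """Average age of the newest assessment across the register, the same style of
    'days between assessments' metric the report benchmarks."""
    return sum((today - obj.last_assessed).days for obj in objectives) / len(objectives)


# Constructed sample register: two objectives appear twice under different mandates.
SAMPLE_REGISTER = [
    ControlObjective("SOX-01", "Review privileged account access", {"SOX"}, date(2007, 9, 1)),
    ControlObjective("PCI-01", "Review privileged account access", {"PCI DSS"}, date(2007, 9, 20)),
    ControlObjective("SOX-02", "Approve and test changes before deployment", {"SOX"}, date(2007, 6, 1)),
    ControlObjective("HIPAA-01", "Retain and review security logs", {"HIPAA"}, date(2007, 10, 5)),
    ControlObjective("PCI-02", "Retain and review security logs", {"PCI DSS"}, date(2007, 8, 15)),
]
TODAY = date(2007, 10, 15)   # constructed reference date for the demo


def report(objectives=SAMPLE_REGISTER, today=TODAY):
    """Summarise the register before and after consolidation."""
    merged = consolidate(objectives)
    return {
        "objectives_before": len(objectives),
        "objectives_after": len(merged),
        "overdue_before": overdue(objectives, today),
        "overdue_after": overdue(merged, today),
        "mean_days_after": mean_days_since_assessment(merged, today),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the constructed register, consolidation drops five objectives to three and the overdue list from three entries to one, because the duplicate objectives inherit the most recent assessment performed under any of their mandates. The remaining overdue objective is the one a monthly cadence would have to pick up.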

Leveraging IT to improve results

Organizations with the fewest data losses and regulatory compliance deficiencies identify six critical areas in IT that contribute to better results, at rates far above other organizations. The leading capabilities in IT that are enabling data protection leaders to take action include:

• Consistent measurement of controls and evidence logs

• Consistent employee training and clearly defined accountability

• Controls in IT to prevent business risk

After these three, the next most important capabilities include well defined IT change management procedures, and consistent reporting and reviews complemented by automated controls and procedures (Figure 7).

Figure 7. Importance of IT capabilities

Source: IT Policy Compliance Group, 2007


Figure 7 data (chart not reproduced): percentage of organizations (0% to 70%), All others versus Leading, N: 454. IT capabilities: 1. Well defined IT change management procedures; 2. Consistent measurement of controls and evidence logs; 3. Consistent reporting and reviews; 4. Automated controls and procedures; 5. Consistent training and clearly defined accountability; 6. IT controls to prevent business risks.

Core competencies

• Deliver employee training and manage exceptions to policy.

• Consistently measure IT controls.

• Employ controls in IT to prevent risk.


It’s important to note the capabilities with the most divergence between leaders and all other firms. These include:

• Well defined IT change management procedures

• Consistent measurement of controls and evidence logs

• IT controls to prevent business risk (Figure 8)

Of these three, having well defined IT change management procedures is the most divergent between leading firms and all other organizations.

Actions taken in IT to improve results

In addition to capabilities in IT, the action most taken in IT to reduce data loss and improve compliance results among the leaders is to conduct self-assessments of controls. After this, a wide range of actions taken in IT lead the list, including correcting gaps in IT controls, defining the roles and responsibilities of policy owners, delivering training to users, managing exceptions to policy, gathering evidence about IT controls, automating the monitoring and assessment of controls, and mapping controls to regulatory frameworks (Figure 8).

Figure 8. Actions taken in IT to improve compliance results

Source: IT Policy Compliance Group, 2007

Figure 8 data (chart not reproduced): percentage of organizations (0% to 70%), All others versus Leading, N: 454. Actions taken in IT: 1. Conducted self-assessments of controls; 2. Automated monitoring; 3. Mapped controls to regulatory mandates and framework standards; 4. Gathered evidence about IT controls; 5. Corrected gaps in IT controls; 6. Encapsulated policies in electronic formats; 7. Defined roles and responsibilities of policy owners; 8. Delivered and managed training to users about policies; 9. Mapped policies to control statements; 10. Gathered evidence about compliance with policies; 11. Monitored changes to administrative permissions.

Core competencies

• Conduct self-assessment of controls.

• Define the roles and responsibilities of policy owners.


Of these actions, those most divergent between leaders and all others include:

• Delivering training to users and managing policy exceptions

• Conducting self-assessments of controls

• Gathering evidence about IT controls

• Correcting gaps in IT controls

However, not all of these actions are taken by organizations of different sizes. The three primary actions taken in IT by small businesses include conducting self-assessments of controls; monitoring changes to administrative permissions on files, groups, and directories; and defining the roles and responsibilities of policy owners. The three primary actions taken in IT by midsize organizations include correcting gaps in controls, conducting self-assessment of controls, and defining the roles and responsibilities of policy owners. The three primary actions taken in IT by large enterprises include correcting gaps in controls; defining the roles and responsibilities of policy owners; and monitoring changes to administrative permissions on files, directories, and groups.

Although there are some similarities in the actions taken within IT, most of these actions are taken by less than 40 percent of the populations and do not reflect where the time is being allocated by the IT function within organizations.

More prevention, less remediation in IT

Whether operating at the norm or as laggards, a majority of the market—almost 9 of every 10 firms—is spending more of its time in IT trying to fix IT security vulnerabilities and IT compliance deficiencies than in preventing these problems from occurring (Figure 9).

The benchmarks show that firms with more data loss and larger numbers of regulatory compliance deficiencies are spending much more time in three activities:

1. Fixing IT security vulnerabilities

2. Fixing IT compliance deficiencies

3. Gathering evidence for regulatory compliance

In contrast, data protection and regulatory compliance leaders are spending less than five percent of the time in IT trying to fix problems, and 70 percent of the time trying to protect their information and prevent problems from occurring. Data protection leaders are spending a majority of the time in IT on other preventive measures, including protecting information; maintaining user account access controls; maintaining IT policies, standards, and compliance controls; and maintaining Internet threat controls.


Figure 9. Where IT spends time on compliance

Source: IT Policy Compliance Group, 2007

Assessment and monitoring in IT

Firms with the least data loss and best compliance results consistently assess and measure more controls, more continuously, than all other organizations. Ranked by results, the top five controls measured by leading firms include:

1. Email, Web, and Internet access controls

2. Personnel security procedures

3. User, database, and application access controls

4. IT policies and standards

5. Technical and procedural controls

However, when ranked by most divergence between leading firms and all others, the controls most assessed are technical and procedural controls, followed by Email, Web, and Internet access controls (Figure 10).

Figure 9 data (chart not reproduced): percentage of organizations (0% to 80%), Laggards, Norm and Leaders, N: 454. Where IT spends time: 1. Gathering evidence for regulatory compliance; 2. Gathering evidence about IT security policies; 3. Maintaining IT policies, standards, and compliance controls; 4. Maintaining IT security controls; 5. Maintaining Internet threat controls; 6. Maintaining user accounts and access controls; 7. Protecting information and data; 8. Protecting IT applications, systems, and networks; 9. Monitoring IT security vulnerabilities; 10. Monitoring IT compliance deficiencies; 11. Fixing IT security vulnerabilities; 12. Fixing IT compliance deficiencies.


Figure 10. Controls being assessed, audited, and monitored by IT

Source: IT Policy Compliance Group, 2007

The only controls assessed at nearly the same rate among all firms are those related to data archiving and management, which are among the least prioritized of the controls being measured by firms with the fewest data losses and compliance deficiencies.

The role of IT change management

Arising from the need to modify and retrofit changes to applications, data sets, and systems, organizations implement change management procedures in IT to ensure the completeness, accuracy, and integrity of important business information. Identified as an important capability for effective data protection, IT change management programs are more fully implemented by organizations operating as data protection and regulatory compliance leaders (Figure 11).

Leaders consistently rank the major tasks of IT change management as something their organization almost always completes. Unlike the leaders, the 90 percent of firms performing at the norm or as laggards rank these same actions for IT change management as activities that are only implemented sometimes.


Figure 10 data (chart not reproduced): percentage of organizations (0% to 80%), All others versus Leading, N: 454. Controls being assessed, audited, and monitored by IT: 1. Email, Web, and Internet access controls; 2. Personnel security; 3. User, database, and application access controls; 4. IT policies and standards; 5. Technical IT controls; 6. Procedural (non-technical) controls; 7. IT configuration and change management; 8. Auditing and reporting controls; 9. Data archive and management controls.


Figure 11. Completeness of IT change management procedures

Source: IT Policy Compliance Group, 2007

What is evident from these benchmarks is that change management in IT is also critical for avoiding risk from data loss or theft and for minimizing compliance deficiencies, inadvertent or otherwise.

Although IT change management was originally focused on application changes, the findings show that data protection leaders and regulatory compliance leaders test seven other areas of IT change ahead of application changes (Figure 12). These are:

• IT systems and operating systems

• Network systems and software

• IT security logs and controls

• User accounts, entitlements and permissions

• Administrative groups and system privileges

• Registries and directories

• Databases

Figure 11 data (chart not reproduced): share of organizations reporting each step as Not done, Sometimes, or Always, All others versus Leading, N: 454. Steps: Change requests are recorded; Change requests are assessed; Change requests are tested before deployment; Change requests are tested after deployment; Change requests are closed out.
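The five change management steps charted in Figure 11 (recorded, assessed, tested before deployment, tested after deployment, closed out) form an ordered lifecycle that leaders report almost always completing. As an added example that is not from the report or the IT Policy Compliance Group, the Python below enforces that order on a change request and keeps an append-only evidence trail, so that the "completeness" the figure measures can be computed from the record rather than from a questionnaire. The change ids, names and notes are constructed; the "deployed" marker between the two tests and the rule that the requester may not assess their own change are my assumptions, not statements from the report.

```python
from dataclasses import dataclass, field

# Lifecycle steps from Figure 11 in the order they must occur. "deployed" is an added
# marker (assumption) that separates the before- and after-deployment tests.
STEPS = ("recorded", "assessed", "tested_before_deployment", "deployed",
         "tested_after_deployment", "closed_out")


class ChangeError(Exception):
    """Raised when a step is attempted out of order or by the wrong person."""


@dataclass
class ChangeRequest:
    change_id: str
    target: str                                   # area of IT being changed
    requester: str
    evidence: list = field(default_factory=list)  # (step, actor, note), append-only

    def completed(self):
        return {entry[0] for entry in self.evidence}

    def record_step(self, step, actor, note=""):
        """Append evidence for `step`, refusing to skip any earlier step.
        Segregation of duties (assessor != requester) is an assumption, not from the report."""
        if step not in STEPS:
            raise ChangeError(f"{self.change_id}: unknown step {step!r}")
        missing = [s for s in STEPS[:STEPS.index(step)] if s not in self.completed()]
        if missing:
            raise ChangeError(f"{self.change_id}: cannot mark {step!r} before {missing}")
        if step == "assessed" and actor == self.requester:
            raise ChangeError(f"{self.change_id}: requester may not assess their own change")
        self.evidence.append((step, actor, note))

    def is_closed(self):
        return "closed_out" in self.completed()


def completeness(requests):
    """Share of requests that reached each step: the measure Figure 11 reports as
    Not done / Sometimes / Always per organization."""
    if not requests:
        return {}
    total = len(requests)
    return {step: sum(1 for r in requests if step in r.completed()) / total
            for step in STEPS}


def build_sample():
    """Constructed change requests: one fully executed, one stalled after assessment,
    and one whose attempt to deploy without assessment or testing is rejected."""
    good = ChangeRequest("CHG-1", "administrative groups", "alice")
    good.record_step("recorded", "alice", "add backup service account to DBA group")
    good.record_step("assessed", "bob", "low risk; affects one group")
    good.record_step("tested_before_deployment", "carol", "lab run passed")
    good.record_step("deployed", "carol")
    good.record_step("tested_after_deployment", "carol", "group membership verified")
    good.record_step("closed_out", "bob")

    stalled = ChangeRequest("CHG-2", "databases", "dave")
    stalled.record_step("recorded", "dave")
    stalled.record_step("assessed", "erin")

    rushed = ChangeRequest("CHG-3", "network systems", "frank")
    rushed.record_step("recorded", "frank")
    rejected = None
    try:
        rushed.record_step("deployed", "frank")   # skips assessment and pre-deployment test
    except ChangeError as err:
        rejected = str(err)
    return [good, stalled, rushed], rejected


if __name__ == "__main__":
    requests, rejected = build_sample()
    print("rejected:", rejected)
    for step, share in completeness(requests).items():
        print(f"{step:<26} {share:.0%}")
```

Because every step is an evidence entry, the same record also serves the "gathering evidence about IT controls" action discussed earlier: an auditor can see who assessed and who tested each change without a separate collection exercise.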


What is striking about the findings is that the leaders routinely and more continuously test more facets of IT than all other firms.

Moreover, three of these areas for IT change measurement testing are implemented by 70 percent of the leaders, while another four are implemented by 60 percent or more. In contrast, none of these IT change management testing activities are implemented by more than 45 percent of all other organizations, and for most of these organizations, the activities are engaged in by 40 percent, on average.

Figure 12. Currently tested as part of a change management program

Source: IT Policy Compliance Group, 2007


Figure 12 data (chart not reproduced): percentage of organizations (0% to 80%), All others versus Leading, N: 454. Areas currently tested as part of a change management program: 1. Internet threat controls; 2. IT systems and operating systems; 3. Software applications; 4. Databases; 5. Email, Web, and Internet systems; 6. Network systems and software; 7. IT security logs and controls; 8. User accounts, entitlements, and permissions; 9. Administrative groups and system privileges; 10. Registries and directories; 11. File-level permissions.

Core competency

Expand the scope of technical controls assessment to more aspects of IT.


Obviously, data protection and regulatory compliance leaders are focused on preventing problems before they occur, thus minimizing the amount of time needed to repair or correct problems after the fact. This is verified by the benchmark results for where these organizations are spending time in IT.

In addition to preventing harmful change or unauthorized use, the leaders also implement real-time notification for unauthorized use and change at rates that are far greater than all other firms. The areas where 50 percent or more of compliance and data protection leaders implement real-time notification of unauthorized use or change include Internet threats, IT servers, PCs, laptops, databases, user accounts, entitlements, user permissions, IT security logs and files, and inactive user accounts.
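Real-time notification of unauthorized change, as described above for user accounts, entitlements, permissions and administrative groups, reduces in practice to comparing a fresh snapshot against a baseline and raising an alert for every difference that no approved change request explains. The Python below is an added example, not code from the report or the IT Policy Compliance Group; its group memberships, file modes and approved-change list are constructed, and a deployment would fill the same structures from the directory and file system on a schedule or from audit events.

```python
# Constructed snapshots of administrative group membership and sensitive file modes.
# Nothing here is read from a real system.
BASELINE_GROUPS = {
    "Domain Admins": {"alice", "bob"},
    "DBA": {"carol"},
    "Backup Operators": {"dave"},
}
CURRENT_GROUPS = {
    "Domain Admins": {"alice", "bob", "mallory"},
    "DBA": {"carol", "erin"},
    "Backup Operators": set(),
}
BASELINE_PERMS = {"/etc/shadow": "0640", "/etc/sudoers": "0440"}
CURRENT_PERMS = {"/etc/shadow": "0644", "/etc/sudoers": "0440"}

# Changes covered by a closed change request (constructed): (group, member, action).
APPROVED_GROUP_CHANGES = {("DBA", "erin", "added"), ("Backup Operators", "dave", "removed")}
APPROVED_PERM_CHANGES = set()   # no file mode change was approved


def diff_groups(baseline, current):
    """Every membership change between two snapshots as (group, member, action)."""
    events = []
    for group in sorted(set(baseline) | set(current)):
        before, after = baseline.get(group, set()), current.get(group, set())
        events += [(group, member, "added") for member in sorted(after - before)]
        events += [(group, member, "removed") for member in sorted(before - after)]
    return events


def diff_perms(baseline, current):
    """Every mode change between two snapshots as (path, old_mode, new_mode);
    a path present in only one snapshot shows None on the other side."""
    return [(path, baseline.get(path), current.get(path))
            for path in sorted(set(baseline) | set(current))
            if baseline.get(path) != current.get(path)]


def unauthorized(baseline_groups, current_groups, baseline_perms, current_perms,
                 approved_groups, approved_perms):
    """Changes with no matching approved change request: the events that should
    trigger real-time notification."""
    alerts = [("group",) + event
              for event in diff_groups(baseline_groups, current_groups)
              if event not in approved_groups]
    alerts += [("perm",) + event
               for event in diff_perms(baseline_perms, current_perms)
               if event not in approved_perms]
    return alerts


def run_demo():
    """Run the comparison on the constructed snapshots."""
    return unauthorized(BASELINE_GROUPS, CURRENT_GROUPS, BASELINE_PERMS, CURRENT_PERMS,
                        APPROVED_GROUP_CHANGES, APPROVED_PERM_CHANGES)


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT unauthorized change:", alert)
```

On the constructed data the two approved changes (a DBA addition and a Backup Operators removal) are silent, while the unapproved Domain Admins addition and the loosened mode on /etc/shadow are reported. Feeding the approved set from closed change requests is what ties this detector to the change management lifecycle discussed above.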

Leveraging core business value disciplines

Nearly 6 in 10 organizations derive the most financial value from being operationally excellent where lowest overall cost solutions are consistently delivered for customers. Nearly 3 in 10 organizations realize the greatest financial value from product leadership where breakthrough solutions are consistently delivered for customers. Last, 1 in 10 organizations derive the greatest value from being customer intimate, where the most value is derived from delivering customer-specific solutions consistently (Figure 14).

Figure 14. Core business value disciplines and results

Source: IT Policy Compliance Group, 2007


Figure 14 data (chart not reproduced): overall results, Operational excellence 58%, Product leadership 29%, Customer intimacy 13%; by performance results (Lagging, Norm, Leading; percentage of organizations, 0% to 80%) for improving operational excellence and delivering lowest overall cost solutions, improving product leadership and delivering breakthrough solutions, and improving customer intimacy and delivering customer-specific solutions. N: 454.


However, discrepancies arise when the data loss results are correlated with core business value disciplines. For instance, there are about 30 percent more lagging organizations among firms that are focused on operational excellence than the general population, and almost twice as many firms emphasizing customer intimacy among the leaders than the general population. This would appear to be counterintuitive, because the core value discipline of the organization is operational excellence and many of the identified core competencies are clearly aligned with operational excellence.

There are almost five times more firms emphasizing customer intimacy among the industry laggards than the general population, and almost twice as many firms emphasizing product leadership among the industry laggards. What is also clear is that among the firms emphasizing operational excellence, there are almost five times fewer among the industry leaders, and three times fewer emphasizing product leadership among the leaders.

The findings are a clear indication that an organization’s core business value disciplines are not an advantage. Rather, the results demonstrate that a mix of value disciplines is effective for minimizing data loss, theft, and regulatory compliance deficiencies. For example, operational excellence may be required to continuously assess controls, but customer intimacy is required to manage risk assessments and control objectives with any relevance to changing business conditions.

A mix of core value disciplines specifically for managing the loss or theft of sensitive data and regulatory compliance programs may be difficult for organizations to implement. This may be a reason why half of all firms are reorganizing internal controls, the IT function, and the risk management function.

However, despite these reorganizations, only 13 percent of all firms are able to post the lowest rates of latent data loss and theft and the fewest regulatory compliance deficiencies. Implementing core value disciplines that are not ingrained in the business may be difficult. For example, businesses excelling at customer intimacy by making it their business to meet all the needs of every customer may find it difficult to implement operational excellence and product leadership within IT. Similarly, organizations rewarding behavior based on wringing efficiencies out of all operations to deliver the lowest total overall cost may find it difficult to institute changes crucial to employee training and management of risk as business conditions change. Furthermore, an ingrained pattern of product leadership may prove difficult for instilling operational excellence.

Key findings

Half of the leaders have reorganized internal audit, IT security, and risk management functions to leverage different core business value disciplines, including:

• Operational excellence

• Product leadership

• Customer intimacy


At the same time, it is imperative that organizations recognize that all three core value disciplines are needed to effectively manage the financial risks associated with data loss and regulatory noncompliance. It is in an organization’s interest to appropriately reward multiple value disciplines across internal audit, IT, and risk management functions to implement the core competencies for protecting sensitive data—and to sustain competitive advantage.


Appendix

Data loss and regulatory audit results

The IT PCG benchmarks quantify a number of key performance results from across thousands of organizations, from small businesses to the largest of enterprises. Among the metrics tracked by the benchmarks are the number of losses or thefts of sensitive business data that occurred in the past year, and the number of compliance deficiencies that had to be corrected to pass the most recent audit.

Data loss and theft results

Each benchmark consistently shows almost seven in ten organizations operating at the norm—not the worst record and not the best when it comes to data loss and theft. Along the laggard end of the spectrum, about two in ten organizations are experiencing the most data losses or thefts. Firms with the best results number slightly more than one in ten (Figure 15).

Figure 15. Data loss and theft results

Source: IT Policy Compliance Group, 2007

Compared with the general population, more small businesses are operating at the norm, with between 3 and 12 data losses annually. There are fewer midsize firms operating at the norm than the general population, only slightly more operating as leaders, and about the same proportion operating as laggards as the general population. There are even fewer large enterprises operating at the norm, but this is offset by more large enterprises at the other ends of the spectrum operating as laggards or leaders when it comes to data loss and theft.

Figure 15 data (chart not reproduced): data loss/theft results overall, Lagging (more than 12) 20%, Norm (3 to 12) 67%, Leading (less than 3) 13%; and by size of organization (Less than $50 million; $50 million to $999 million; $1 billion or more), percentage of organizations 0% to 80%. N: 943.


Regulatory audit results

Only one in ten organizations—12 percent—are successfully navigating regulatory audit, with fewer than three compliance deficiencies that must be corrected in order to pass audit. In contrast, almost seven in ten firms—68 percent—must correct between three and fifteen deficiencies to pass audit. Moreover, two in ten—20 percent—of all organizations must correct sixteen or more deficiencies in order to pass audit (Figure 16).

Fewer large enterprises are among the norm than the general population and more of these firms—almost three in every ten—are among the laggards than the general population. Midsize organizations are performing at the norm when compared with the general population. The highest proportion of organizations operating at the norm is among small businesses, and this is offset by far fewer of these firms operating as regulatory audit laggards.

Figure 16. Regulatory audit results

Source: IT Policy Compliance Group, 2007

Similar results are seen when the populations experiencing data loss and theft and audit deficiencies are compared side by side. The one difference among the population distributions is the range of performance results. Regulatory compliance laggards are correcting more than 16 deficiencies to pass audit, while data loss and theft laggards are experiencing 12 or more losses or thefts of data annually. Among the norm, the range is from 3 to 16 compliance deficiencies and between 3 and 10 data losses or thefts (Table 3).


Figure 16 data (chart not reproduced): regulatory audit results overall, Lagging (more than 16 deficiencies) 20%, Norm (3 to 16) 68%, Leading (less than 3) 12%; and by size of organization (Less than $50 million; $50 million to $999 million; $1 billion or more), percentage of organizations 0% to 90%. N: 943.

Key findings

More large enterprises are operating as regulatory compliance laggards.


Table 3: Compliance and data loss results

Performance spectrum   Compliance population                 Data loss population
                       Share   Range         Mean            Share   Range         Mean
Laggards               20%     16 or more    22              20%     12 or more    13
Norm                   67%     3 to 16       8               68%     3 to 10       6
Leaders                13%     Less than 3   2               12%     Less than 3   2

Source: IT Policy Compliance Group, 2007

Multiple regulatory audits: The norm for large enterprises

Nearly six in ten organizations must successfully navigate two or more audits annually and almost four of every ten must produce evidence from IT operations to conform with three or more regulatory audits each year. However, the averages are not shared equally. Most small firms—six of every ten—are typically subject to one audit each year, while the other four in ten face more than one audit annually (Figure 17).

Figure 17. Multiple regulatory audits

Source: IT Policy Compliance Group, 2007

The number of annual audits facing midsize firms is almost equally distributed, with one-third facing one audit, another third subject to two audits, and the remaining firms conforming with three or more regulatory mandates.

Figure 17 data (chart not reproduced): number of annual audits overall, One 44%, Two 19%, Three or more 37%; and by size of organization (Less than $50 million; $50 million to $999 million; $1 billion or more), percentage of organizations 0% to 80%. N: 943.

Key findings

Large enterprises must demonstrate compliance with more regulatory audits.


In contrast, large enterprises are more burdened with multiple regulatory audits involving the IT function. About two in ten large enterprises must produce evidence of conformance with only one mandate annually. Less than four in every ten large enterprises are subject to two regulatory audits, while nearly five in ten, or almost half, must deal with three or more regulatory audits annually.

The correlation between regulatory audit and data protection

Is there a relationship between the firms with the fewest data losses and thefts and how these same firms perform when it comes to regulatory audit? Yes. The benchmarks show that almost all—96 percent—of the firms with the best regulatory compliance results are the firms with two or fewer data losses or thefts in the past year (Figure 18).

Figure 18. Correlation between compliance and data loss

Source: IT Policy Compliance Group, 2007

Although 96 percent of the firms operating as compliance leaders are the same firms with the fewest data losses, there is a small percentage of leading firms (4 percent) experiencing the worst data loss rates. This distribution of the population experiencing data loss accounts for all of the compliance leaders.

A clear majority of the compliance laggards—64 percent—are also the firms with the worst records for data loss and theft. These firms are losing sensitive data thirteen times, or more, annually. A small percentage of these firms (2 percent) are experiencing the fewest data loss rates. However, this distribution of the population experiencing data loss does not account for all of the compliance laggards: The remaining one-third (34 percent) are operating at the norm for data loss, with an average of 6 data losses or thefts annually.


Figure 18 data (chart not reproduced): percentage of organizations (0% to 100%), N: 943, for compliance laggards (more than 16 deficiencies) and compliance leaders (less than 3 deficiencies), each split between firms with more than 12 losses/thefts of sensitive data annually and firms with less than 3 losses/thefts annually.


The results for data loss and theft among the compliance norm and laggards show that 32 percent are losing the most data, 80 percent are losing data between three and ten times annually, and only 2 percent are losing the least data each year. Organizations with the best compliance records are the same firms (96 percent are the same) with the least data loss or theft. Clearly, whatever the firms with the best regulatory audit results are doing, it is resulting in the fewest losses or thefts of sensitive data.

Most sensitive data

The benchmarks show that the organizations with the fewest data losses actually rank IT security data above all other forms of data. After IT security data, the leaders rank customer, corporate, employee, financial, audit and reporting, intellectual property, and partner data as more important than sales data (Figure 19).

Figure 19. Most sensitive data

Source: IT Policy Compliance Group, 2007

[Chart: Percentage of organizations (0% to 100%) rating each type of data as most sensitive, Laggards versus Leaders. Data types: 1. Customer data; 2. Corporate data; 3. Employee data; 4. Partner data; 5. Financial data; 6. Sales data; 7. Design data; 8. Manufacturing data; 9. Sourcing and logistics data; 10. Intellectual property data; 11. Audit and reporting data; 12. IT security data. N: 475]

Key findings

Firms that perform well on regulatory audit have the least data loss and theft.


In contrast, firms with the most data losses rank financial data as most important and, with the exception of IT security data, rank the other forms of data similarly to the leaders, the firms with the fewest data losses. The instructive lesson from this ranking is that, among the firms with the most data losses, the share that ranks IT security data as most important is less than half the share that does so among the leaders.

Improving results to protect sensitive data must involve an assessment of the importance of different forms of data to the organization. Clearly, the leaders understand that protecting the keys to the vault (IT security data) is the first step in protecting the actual contents of the vault (all other forms of data).

Sources of data loss

The leading cause of data loss among all organizations is user error, which accounts for one in every two losses of data. User error can only be corrected with policies, education, training, and monitoring (Figure 20).

Figure 20. Causes of data loss or theft

Source: IT Policy Compliance Group, 2007


[Chart: Percentage of organizations (0% to 60%) reporting each cause of data loss or theft, by annual revenue (Less than $50 million; $50 million to $999 million; $1 billion or more). Causes: 1. Lost or stolen laptops; 2. Improperly disposed computer equipment; 3. User errors; 4. Transferred backup media; 5. Inappropriate access to IT; 6. Insufficient controls, business procedures; 7. Insufficient controls, IT procedures; 8. Internet threats, attacks, and hacks; 9. Employee fraud; 10. Accidental damage to computing equipment; 11. Inappropriate use of IT; 12. Violation of policies; 13. Unauthorized access to IT; 14. Insufficient auditing, monitoring, and reporting; 15. IT vulnerabilities; 16. Insufficient IT controls. N: 475]


After user error, the most common contributions to data loss and theft include violations of policy, Internet threats and attacks, lost and stolen laptops, IT vulnerabilities, and insufficient controls in IT. These sources of data loss and theft can be countered with a combination of policy violation sanctions and procedural and technical controls.

Although any one organization’s experience may differ from the overall results recorded by the benchmarks, the important actions to consider include identifying the source of data loss and theft, and taking actions to stem such loss and theft.

Conduits for data loss

The conduits through which sensitive data is being lost and stolen include data residing on PCs, laptops, and mobile devices; data leaking through email, instant messaging, and other electronic channels; and data that is accessed through applications and databases (Figure 21). Whatever the conduits through which data is being lost or stolen, the appropriate actions to take include identifying those conduits and determining whether procedural and technical controls that can reduce or eliminate such data loss and theft exist and are effective.

Figure 21. Conduits for data loss

Source: IT Policy Compliance Group, 2007

[Chart: Percentage of organizations (0% to 80%) reporting each conduit for data loss, by annual revenue (Less than $50 million; $50 million to $999 million; $1 billion or more). Conduits: 1. Data residing on PCs, laptops and other mobile devices; 2. Data leaking through email, IM and other electronic channels; 3. Data residing in centralized storage facilities and devices; 4. Data transferred to backup and archive sites; 5. Data that has been off-shored or out-sourced; 6. Data in the hands of business partners and suppliers; 7. Data accessible through applications and databases; 8. Data in the hands of sales channel partners. N: 475]

Key findings

Users account for one-half of all data losses, a loss vector that can be staunched with training and procedural and technical controls.


Years to public disclosure

The benchmarks show a consistent correlation between how frequently firms assess and measure their controls and both the resulting loss or theft of data and the number of regulatory compliance deficiencies that have to be corrected. The correlation is consistent for every benchmark and across all of the benchmarks conducted by the IT PCG. The probability of a data loss or theft being disclosed publicly is based on the percentage of latent data losses that are reported publicly and on the number of firms in a given size category. The likelihood that any one small business will experience a publicly reported loss or theft of data is far less than that of the largest enterprises, simply because there are far more small businesses and far fewer of the largest enterprises (Figure 22).

Figure 22. Years to public disclosure

Source: IT Policy Compliance Group, 2007

The major factor driving delays in data loss becoming public is the frequency of controls assessment, assuming other core competencies for protecting data are implemented. Given the strong correlation between organizations that assess controls frequently and much lower incident rates for data loss and regulatory compliance deficiencies, the assumption for other core competencies being implemented is probably reasonable, but not ironclad.

The relationship between years to disclosure, the size of an organization, and the frequency of controls assessment is based on current benchmark results, and is likely to change in the future as additional local, state, and national laws governing the notification of data losses take effect.

[Chart: Years to public disclosure (logarithmic vertical axis, 0.1 to 1000) against organization size ($100 million, $1 billion, $10 billion, $100 billion), with one curve per frequency of controls assessment (Once per year; Twice per year; Quarterly; Monthly), annotated from Annual assessments to Monthly assessments. N: 708]


Source of compliance deficiencies

For 88 percent of all companies—those with more data losses and compliance deficiencies—the primary causes of compliance deficiencies involve five areas directly related to IT security, three other areas that are in the IT function and may involve IT security, and two others that are related directly to procedures that may or may not involve IT. The top five causes of compliance deficiencies for most organizations are:

• User and application access controls

• IT security policies and standards

• IT configuration and change management

• IT auditing and reporting

• Application development and maintenance

After these, the list that rounds out the top ten causes of compliance deficiencies is:

• Application system and server access controls

• Business procedures

• PC and laptop access controls

• Network access controls

• Employee training, education, and certification (Figure 23)

Figure 23. Cause of compliance deficiencies among the norm and laggards

Source: IT Policy Compliance Group, 2007

N: 475. Legend: IT security related; IT related; Procedural.

Rank Norm and lagging firms Percentage

1 User and application access controls 63%

2 IT security policies and standards 63%

3 IT configuration and change management 60%

4 IT auditing and reporting 54%

5 Application development and maintenance 50%

6 Application, system and server access controls 50%

7 Business procedures 48%

8 PC and laptop access controls 48%

9 Network access controls 47%

10 Employee training, education and certification 45%


While this list of the primary causes of compliance deficiencies may not match the experience of every organization, many of its components are likely to be present for a majority of organizations. Many but not all of these causes are technology related and lend themselves to mitigation through the use of technical controls. Business procedures, employee training, and education have—at face value—nothing to do with technology. However, there are likely to be areas where technology can be used to effectively lower the cost of implementing procedural controls involving the effectiveness of how people respond to policy and control objectives.


Attrition.org’s data loss database

The data loss database available at www.attrition.org is an open source listing of data loss and theft. It contains a comprehensive list of organizations that have experienced data loss or theft, the date of loss, the country of origin, the type of data loss, whether the loss was due to a source inside or outside the organization, whether third parties were involved, and the number of people affected by the loss, among other findings. The database is updated weekly, if not daily.


About the benchmarks

Topics researched by the IT PCG are part of an ongoing research calendar established by input from sponsoring members and general members and from findings compiled from recent research. The most recent benchmarks that are the basis for this report were conducted with 454 organizations between February and May of 2007. The error margin for this research is plus or minus 4.5 percent. The majority of the organizations (90 percent) participating in the benchmarks are located in the United States. The other ten percent come from other countries, including Australia, Canada, France, Germany, Ireland, Japan, Spain, and the United Kingdom, among others.

In addition to specific tracking questions common to each benchmark, each benchmark is designed to discover answers to specific topics. The primary topics of the most recent benchmarks included which controls are consistently measured and assessed by organizations, the scope and extent of change management programs, and how change management programs are being implemented to minimize data loss, theft, and regulatory compliance deficiencies.

Research findings from earlier benchmarks as far back as October 2006 were incorporated, along with findings from the most recent benchmarks, but only when the findings for the previous benchmarks were identical to the most recent benchmarks and where the questions and random selection methods were identical. These results can be found in the main body and in the Appendix of this report.


Industries represented

A wide range of industries participated in the benchmark, including advertising, aerospace, agriculture, apparel, automotive, banking, chemicals, computer equipment and peripherals, computer software and services, construction, architecture and engineering services, consumer durable goods, consumer electronics, consumer packaged goods, distribution, education, financial and accounting services, general business and repair services, government (public administration, defense, and intelligence), health, medical and dental services, insurance, law enforcement, legal services, management, scientific and consulting services, manufacturing, medical devices, metals and metal products, mining, oil and gas, paper, timber and lumber, pharmaceuticals, publishing, media and entertainment, real estate, rental and leasing services, retail trade, telecommunication services, transportation and warehousing, travel, accommodation and hospitality services, utilities, and wholesale trade. Manufacturing accounted for 12 percent of the participating organizations. All other industries account for less than 10 percent of the participating organizations.

Revenue of participating organizations

Thirty-two percent of the organizations participating in the benchmark have annual revenues, assets under management, or budgets of less than $50 million. Another 30 percent have annual revenues, assets under management, or budgets of between $50 million and $999 million. The remaining 38 percent have annual revenues, assets under management, or budgets of $1 billion or more.

Number of people employed by participating organizations

Twenty-nine percent of the participating organizations employ less than 250 people. Twenty-eight percent employ between 250 and 2,499 people. The remaining forty-three percent employ 2,500 or more people.

Job titles of participants

Twenty-six percent of the participants in the benchmark are senior managers (CEO, CFO, CIO, etc.), 12 percent are vice presidents, 33 percent are managers or directors, 28 percent are staff, and 1 percent are internal consultants.

Roles of participants

Thirty-one percent of the participants work in IT, another 28 percent work in finance and internal controls, 12 percent work in legal and compliance, 9 percent work in sales and marketing, 7 percent work in product design and development, and the remaining 13 percent are distributed across a wide range of job functions, including customer service, manufacturing, procurement, and logistics.


About IT Policy Compliance Group sponsors

The IT Policy Compliance Group is dedicated to promoting the development of research and information that will help IT security professionals meet the policy and regulatory compliance goals of their organizations. The IT PCG focuses on assisting member organizations to improve compliance results based on fact-based benchmarks.

The IT PCG Web site at www.itpolicycompliance.com features content by leading experts in the world of compliance, and published reports containing primary research. Research and benchmarks sponsored by the Group produce fact-based insight and recommendations about what is working and why.

The results of Group-sponsored research are designed to help security and compliance professionals to:

• Benchmark IT policy compliance efforts against peers and best-in-class performers

• Identify key drivers, challenges, and responses to implementing successful IT policy and security compliance initiatives

• Determine the applicability and use of automation tools to assist, streamline, and improve results

• Identify best practices for IT policy and compliance programs

IT Policy Compliance Group sponsors

Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014, +1 (408) 517 8000, [email protected], www.symantec.com

The Institute of Internal Auditors, 249 Maitland Avenue, Altamonte Springs, FL 32701-4201, +1 (407) 9370.100, [email protected], www.theiia.org

Information Systems Audit and Control Association, 3701 Algonquin Road, Suite #1010, Rolling Meadows, IL 60008, +1 (847) [email protected]

Computer Security Institute, 600 Harrison Street, San Francisco, CA 94107, +1 (415) [email protected]

Protiviti, 1290 Avenue of the Americas, 5th Floor, New York, New York 10104, +1 (212) 603 8300, [email protected], www.protiviti.com

IT Governance Institute, 3701 Algonquin Road, Suite #1010, Rolling Meadows, IL 60008, +1 (847) 660 5600, [email protected], www.itgi.org


IT Policy Compliance Group

Contact: Managing Director Jim Hurley, Telephone: +1 (216) 321 [email protected]

October 2007

The information contained in this publication has been obtained from sources that the IT Policy Compliance Group believes to be reliable, but it is not guaranteed. Research publications reflect current conditions that are subject to change without notice.

Copyright © 2007 IT Policy Compliance Group. All rights reserved. 13520226

Founded in 2005, the IT Policy Compliance Group conducts benchmarks that are focused on delivering fact-based guidance on the steps that can be taken that will improve results. Benchmark results are reported through www.itpolicycompliance.com for the benefit of members.