11.14.06
Jim Hurley Has Noted Your Compliance
By David Utter
The former Aberdeen Group VP now works as managing director of the IT Policy Compliance Group, founded by Symantec, the Computer Security Institute (CSI), and the Institute of Internal Auditors (IIA). We talked about the group's recent study of the factors that motivate companies to ensure better compliance with policies by their staffs.
Regular audits, ongoing monitoring of IT resources, and budgeting for security have a profound impact on how well a firm's employees comply with policies. That compliance becomes more important at publicly traded firms, where provisions of Sarbanes-Oxley provide additional incentive to stay on top of people and potential issues.
Group managing director Jim Hurley said in our call that the top ten percent of the over 1,000 companies they studied from January to July 2006 on compliance evidenced a bare minimum of problems. On average, those firms only had one significant and material security issue and one compliance issue to handle.
Contrast that with the bottom twenty percent of the study group, which accounted for 35 percent of all the security and compliance issues reported across the entire group. Audits happened infrequently in this portion of the group, about once every nine months.
The top group performed audits much more frequently. Those that had the fewest issues generally assessed compliance issues an average of every 21 days. The middle 70 percent tend to do audits every six months.
Hurley said that for small businesses (less than $50 million in annual revenues) the main issues were access controls, and business continuity and disaster recovery. Poor access controls can put too much information in the hands of those who don't need it.
Since internal employees can cause as much or more mischief than someone outside the firm, companies need to manage access better.
Medium sized businesses ($50 million to $500 million) and large ones ($500 million+) both had documentation as their top challenge, followed by access controls. I asked if pressure from items like SOX or HIPAA would cause these bigger firms to keep a closer eye on access controls, and Hurley said that could be a likely hypothesis.
Database security is also an issue for medium and large businesses. So much corporate information, including data on their customers, resides in table after table of databases at countless firms. Hurley said that companies lost an average of 450,000 records per reported incident.
Like many efforts, security benefits from having more money tossed its way. The leaders in regulatory compliance spent at least ten percent of their IT budgets on security, while the laggards spent less than seven percent.
Where that money goes matters too. The top performers directed 52 percent of their security spend toward automating compliance monitoring and associated tasks, and they fared better than the companies that put only 42 percent into automation.
For firms of all sizes, access control will be the issue that persists in requiring continual focus. The IT Policy Compliance Group plans to continue benchmarking the organizations participating in its study; those numbered 1,059 for the initial report. Hurley also suggested that other developments from the Group on the compliance issue would be publicized soon.
About the Author: David Utter is a business and technology writer for SecurityProNews, WebProNews, and InternetFinancialNews.