Report From IT Policy Compliance Group on Information Security & IT Audit
Posted on Thu, Sep 24, 2009 @ 09:21 AM
IT Policy Compliance Group (IT-PCG) has issued a new report entitled "Guidance for Best Practices in Information Security and IT Audit." Covering more than 100 of the most common practices for information security and IT audit, the report also identifies guidance for the practices that are responsible for better outcomes, including managing:
- The integrity of information
- Compliance with regulatory audit
- Business risks related to the use of IT
- Information security practices and procedures
- Information security policies
To view the report, click here:
http://cmpgnr.com/r.html?c=1528530&r=1527189&t=1418553616&l=1&d=91229392&u=http%3a%2f%2fwww%2eitpolicycompliance%2ecom%2fresearch%5freports%2f&g=0&f=-1
This is some of the best benchmark research that we have seen regarding IT governance practices, including how well organizations are rating against access policy and control best practices.
Some interesting findings from the report include:
Only one-in-ten experience the best operating outcomes
- About 1 in 10 organizations (12 percent) experience the best outcomes for information security and IT audit, with the lowest levels of data loss or theft, the least business disruption and the fewest problems with audit
- A majority of organizations, nearly 7 in 10 (69 percent), are experiencing higher rates of data loss or theft, higher levels of business disruption from IT failures, and more difficulty passing regulatory audits in IT
- Almost 2 in 10 organizations (19 percent) experience the worst outcomes, with the highest rates of data loss or theft, the highest levels of business downtime, and the most difficulty passing audits in IT
Significant Gaps for Individual Practices
In addition to comparing implementation levels across practice domains, the report finds significant gaps between most organizations and the best performers in the level of implementation of specific practices. For example, the practices with the most consistent and significant gaps include:
- The frequency of controls assessments
- Employing common controls between IT audit and information security
- Conducting self-assessments of procedural and technical controls
- Automating procedural and technical controls
- Protecting IT security data
For almost 9 of every 10 organizations, these five practices show the largest gaps in implementation level when compared with the best performers. The rank-ordered list of the top "must improve" practices with the largest gaps relative to the best performing organizations changes as organizations approach "nearly best-in-class."
Baseline Practices for Better Outcomes
Another baseline practice among the best performing organizations is the use of automation to detect and prevent unauthorized changes to critical IT assets. By preventing changes to assets and information that violate policy, the best performing organizations eliminate the problems, and the cost of recovering from them, that are more prevalent among organizations with less well-developed practices.
Practice Improvements Pay Off
- Top-line results, including customer retention, revenue and profitability
- Annual audit expenses
- Time (labor) spent in IT on audit
- IT resiliency and business service levels
- Financial risk from data loss or theft
This supports the recommendations that Aveksa makes to its customers. Implementing a role-based access governance control framework not only enables organizations to manage access requests and changes more effectively, it also pays dividends by lowering the inherent business risk related to access control failures, improving IT security operational efficiency, and reducing internal audit costs as well as external audit fees.