Sunday, July 13, 2008
IT Policy Compliance Group Issues 2008 Report on Best Practices
(Courtesy of ITpolicycompliance.com)
The IT Policy Compliance Group just released their annual report on the state of affairs of what they refer to as IT governance, risk and compliance (IT GRC).
The goal of the group is to promote the development of research and information that help IT and finance professionals meet their organization's policy and regulatory compliance goals. They do this by publishing reports based on primary research that organizations can use to improve their compliance results.
If you take the time to check out their site, they have other items of interest to anyone charged with the ever growing responsibility of protecting systems from those who have the intent to compromise them.
The recently released report suggests that measuring the value delivered by IT has been traditionally associated with applications that have an impact on customer service, sales, expenses and profit. Unfortunately -- as more organizations have their data compromised -- the result of not protecting information can be a loss of revenue, added expenses (legal costs), and a loss of consumer trust.
This is especially true, if the compromise becomes a matter of public record.
Included in the report is an analysis of recent losses incurred by a large retailer ($530 million) and a large financial services firm ($100 million). The analysis takes into account the loss of revenue due to business disruption and the loss of consumer trust, in addition to the harder costs, such as legal expenses. Other analyses include losses suffered by an automotive manufacturer and a rental and leasing company.
IT departments are constantly being challenged to be up and running 100 percent of the time to maximize efficiency. While doing this, they need to protect their data and adhere to legal and regulatory requirements at the same time.
The challenge is to manage business opportunity and risk at the same time. The 2008 report shows that the firms with the most mature practices in compliance and risk management are doing better and spending less to achieve their goals. This translates into more revenue, profit and customer retention.
The report shows that continuous improvement in risk management and compliance with a focus on operational excellence is paying dividends. Organizations with a mature compliance process have evaluated their processes and made them part of the culture within an organization. While this encompasses the involvement of all facets of an organization, two key items are the support of senior management and training employees to embrace a culture of compliance.
The most mature firms have developed formalized training for their employees, supported by senior management, on subjects like ethics and codes of conduct, IT security and data protection policies, and legal compliance, as well as subjects like sexual harassment and discrimination. They have also developed processes and trained their employees in how to deal with emergency situations.
The human factor is always the key to success in any organization. It makes sense that successful organizations focus their efforts through their most valuable resources, which are human beings. Very few exploits are successful without a healthy dose of social engineering.
Also of interest in this informative report is an analysis of results by industry and size. One shoe doesn't necessarily fit all and taking the time to examine all the different types of organizations that use technology to accomplish their goals makes the report a valuable read.
The report, which is located on ITpolicycompliance.com, is only available to members of the site. That said, the site is soliciting new members and the sign-up process is simple.
Besides this report, the site has a lot of other valuable information on it as well. I would recommend the site and its resources to anyone interested in the mysterious world of compliance, because it takes the subject to the level of making sense and of developing best practices that will benefit the overall objectives of any organization.