Policies are guiding principles that are used to shape outcomes and desired end results.
Recently completed benchmark research conducted by the IT Policy Compliance Group shows that policies – and procedures – for information security are responsible for driving outcomes related to the availability, integrity and confidentiality of information.
The benchmarks show huge gaps in some of the information security policies being used by organizations. For example, organizations with the highest levels of customer data loss and theft have very different information security policies than those with the fewest losses or thefts of customer data.
A clear majority – about 8-in-10 – of the organizations with the least loss or theft of customer data are using 10 unique policies for the information security function. A few of these “top-10” policies for information security include:
- Policies describing maximum acceptable risks
- Policies describing minimum acceptable service levels
- Regulatory mandates and legal requirements
- Coverage of third-parties and contractors
In contrast, a slight minority – fewer than 2-in-10 – of the organizations with the highest levels of customer data loss or theft use these same policies.
In addition to information security policies, the recent benchmarks also measure procedures being employed to implement policy.
The research clearly shows that some of the most critical policies – and procedures to implement policy – governing outcomes for the information security function are either being ignored – or are not taken seriously – by almost nine-of-ten organizations.
Look for the upcoming research report for more information at www.itpolicycompliance.com.