Archive for April, 2012

SANS: Your Mileage will Vary

Monday, April 30th, 2012

The top 20 security controls carried by SANS and the Center for Strategic and International Studies are sometimes mentioned to me by practitioners and managers of information security as the be-all and end-all of information security, as in “this is all we have to do to be safe and sound.”

The list is incomplete and inaccurate

I wish it were that simple, but it’s not. And anyone who’s convinced it is, is fooling themselves and those around them.

The list of the top 20 controls contains the following:

  • Inventory of Authorized and Unauthorized Devices
  • Inventory of Authorized and Unauthorized Software
  • Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  • Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  • Boundary Defense
  • Maintenance, Monitoring, and Analysis of Security Audit Logs
  • Application Software Security
  • Controlled Use of Administrative Privileges
  • Controlled Access Based on Need to Know
  • Continuous Vulnerability Assessment and Remediation
  • Account Monitoring and Control
  • Malware Defenses
  • Limitation and Control of Network Ports, Protocols, and Services
  • Wireless Device Control
  • Data Loss Prevention
  • Secure Network Engineering
  • Penetration Tests and Red Team Exercises
  • Incident Response Capability
  • Data Recovery Capability
  • Security Skills Assessment and Appropriate Training to Fill Gaps

You can find more about these controls at both SANS and the Center for Strategic and International Studies at the following locations:

SANS: 20 Critical Security Controls

CSIS: Twenty Important Controls for Effective Cyber Defense and FISMA Compliance

Don’t get me wrong.

I think SANS and the Center for Strategic and International Studies have done everyone a favor by focusing on these controls. And, I actually think the list is a good one: with many of the controls on it being among those that are most automated by the best performing organizations among the 6,000 plus that have participated in benchmarks with the IT Policy Compliance Group.

But, the problems with the list are these:

1) it’s an incomplete list that’s primarily focused on “technical controls”

2) there’s no assessment that one control may be better suited than another

3) the concept of managing risk is missing from the list

4) the focus and claims are somewhat over the top for one of the lists

Incomplete

The list happens to call attention to what are also known as technical controls: those things you can place in the IT environment to manage risks directly related to technical procedures involving computer networks, systems, applications, data and software. What the list completely ignores is the people aspect of controls, or procedural controls, and the policies that drive what the organization is trying to accomplish, direct behavior, and provide the ground rules defining what’s acceptable and what’s not.

A more complete listing of policies, procedures and controls can be found in the IT Policy Compliance benchmark research report entitled: Automation, Practice and Policy for Information Security.

Your mileage will vary

In addition to being incomplete, you’ll find the benefits of implementing any of these controls will vary: some controls will deliver far larger gains in reducing risks, while others provide less benefit in reducing risk. An example is the implementation of malware defenses versus account monitoring and control. Both are shown to reduce risk, but of the two, the use of malware controls is more important.

Differences in effectiveness for a wide range of controls, procedures and policies can be found in the same IT Policy Compliance report: Automation, Practice and Policy for Information Security.

Risk is missing

The entire concept of risk is completely missing from the lexicon. Why are controls implemented for IT? Ultimately it’s to manage the risks involved in using automated information systems and modern-day networking to fulfill your mission as an organization. But, the authors of this list present a list of primarily technical controls as universal and applicable to all organizations from small businesses to the largest of global multinationals, and from small town governments to the largest of nation-state agencies.

Focus and Claims

The focus and claims also differ considerably between the two lists.

The report issued by the Center for Strategic and International Studies is focused on cyber-defense and Homeland Security among Federal agencies, while the one from SANS is focused on any business of any size in any industry. The proposed focus and claims (FISMA compliance) from this policy think-tank are very clear.

But, the SANS prologue for its version of the report does not limit it to Federal agencies. Rather, the language makes the list appear to be something for all organizations in every industry and of every size. In fact, the prologue for the SANS list states the automation of the Top 20 Controls will radically lower the cost of security while improving its effectiveness. I have no doubt implementing more of these controls will increase effectiveness if effectiveness is measured by such things as reductions in severity-level 1 incidents, the loss or theft of data, downtime due to IT failures, or audit deficiencies found in IT.

But, the claim about radically lowering the cost of security is ludicrous. In fact you will spend more, not less, to implement and manage more controls. The benchmark results across more than 6,000 organizations prove you will spend more. And, the benchmark results also prove that your effectiveness will indeed “radically” increase through sharp reductions in risk measures.

So, how do the two proponents’ claims score on the old truth-o-meter?

To some extent they both score as true, but what is missing from the reports issued by both organizations tends to obfuscate some rather critical controls – as well as totally ignore the concept of risk in its entirety. So I would rate the truth-o-meter for these aspects as somewhat true – due in large part to what is not covered or is missing. But the casual “it’s for everybody at all times in all circumstances” approach – along with the unjustifiable claim of saving money – from SANS rates this portion of the claims as mostly untrue. In summary, if you assume the SANS approach is gospel, you are likely to experience a letdown.

Let us know what your experience is.

Where’s Your Data – Today?

Thursday, April 26th, 2012

A random collection of recent headlines includes:

April 26th: ICO fines only 2% of self-reported data breaches

See more here: http://www.pcpro.co.uk/news/security/374326/ico-fines-only-2-of-self-reported-breaches

The Information Commissioner’s Office is apparently not levying fines. People in the UK are asking “Without sticks in place, will the laws be ignored?”

Related article from the BBC: UK public sector accounts for bulk of data breach fines

See more here: http://www.bbc.co.uk/news/technology-17843371

Example provided: Midlothian Council fined £140,000 versus a £1,000 fine for a private-sector company.

Find the UK Information Commissioner’s Office here: http://www.ico.gov.uk/

They simply don’t worry about fines in China; instead they arrest you…

April 26th:  1,700 Arrested on Stealing Personal Data

See more here:  http://news.xinhuanet.com/english/china/2012-04/26/c_131551961.htm

Looks like the problems are everywhere.

And now that you’re done filing your taxes …

April 26th:  IRS worker caught snooping on ex, others

See more here: http://www.seattlepi.com/local/article/IRS-worker-caught-snooping-on-ex-others-3498550.php

Related article:

Refund Tax Fraud here: http://www.forbes.com/sites/janetnovack/2012/04/24/refund-tax-fraud-iphone-feed-identity-theft-by-employees/

Related article:

Tax Prep Companies Sharing Client Data here: http://www.cleveland.com/business/index.ssf/2012/04/many_tax_preparation_software.html

CISSP Exam Memories

Tuesday, April 24th, 2012

On a recent dank and cold Spring morning I drove to a local business, as did 15 or more other people, and we stayed there from a little after seven in the morning until after three in the afternoon – with eleven of these people taking the CISSP exam.

The atmosphere of the exam brought back a flood of memories for me and my fellow CISSP members to the time when we each took the exam. Although the setting was considerably different for me (abundant sunshine and milder temperatures), the experience of taking the exam for us was nearly identical: high expectations, worry about forgetting something, remembering to read and re-read each question to make sure you understood the questions, and a zoned focus. Without a doubt, there is little that compares to the rigor, experience and stamina required to take this exam.

For those unfamiliar with it, the CISSP exam is a six-hour-long test of your concentration, endurance and, yes, your background and knowledge. As some have said, it’s not a test of your hands-on experience; rather, it’s a test of your knowledge and ability to sift through several possible correct answers, or through several wrong answers. In this way, it reflects some of the ill-defined problems and shades of grey we have to deal with on a daily basis.

On this recent cold and wet Spring morning, eleven candidates were sitting for the exam, seven men and four women, whom I’m guessing ranged in age from mid-thirties to maybe mid-forties. All of them are employed by the same company. In addition to my fellow proctors, the instructor for these eleven CISSP candidates was there to greet and talk with us. As she said, “I just hope they all pass…I worry that if they don’t it will be a reflection on my teaching.” Beyond her worry, it was easy to sense the worry and tenseness among the eleven candidates taking the test.

The morning got off to a bright and expectant start after the candidates were checked-in, given instructions and told to start the exam. Within about the first hour, five of the eleven had to be escorted to the bathroom and the atmosphere remained one of studied intent as the candidates plowed through each question on the test.

By two hours into the exam, nine of the eleven had been escorted to the bathroom and the studied-intent had given way to some amount of arm-stretching and body-wriggling as people were trying to stave-off the effects of concentrated focus while being confined to a chair with little exercise.

By three hours into the exam, all but one of the candidates had been escorted to the bathroom, and the body-wriggling gave way to more exasperation as people grew weary while still trying to maintain a sole focus on the test questions. For a few, this became more difficult, as their body language in the chairs attested: day-dreaming, several get-up-and-away breaks and other attempts to recharge the mind and body for the task at hand. One of the candidates even had his head down on his desk with his hands folded over the back of his head and a look of resigned exasperation, as in “What was I ever thinking when I signed up for this?”

Many of the others were doing what they could to try and stay alert, including using very different physical tactics to move different parts of their body to stimulate blood-flow. The next few hours went by with nary a whimper or change of pace as the candidates plowed through each and every question on the exam.

But, the afternoon settled in with an obvious steadfastness as the time allotted for the exam started to wane. First two hours to go, then one hour to go. At that point, the supervising proctor told all of the candidates to make sure they had started copying answers onto their scoring sheets.

For many of us, the experience brought back memories of the strategies we employed to take and pass the exam. One person simply whizzed through the exam in less than three hours, never looked back to check anything and checked-out of the exam early. But, his experience was not the norm this morning with these eleven candidates. The earliest to check-out among these candidates was a woman who finished after five-and-a-half hours.

Another of us remembered going through each question on the exam from front to back, and then going through all of the questions a second time, from rear to front just as a sanity check, and checked out of the exam after five-and-a-half hours. Another of us remembered going through the exam answering the easy questions first, answering the tougher questions via a process of wrong-answer elimination, and then spending the last portion of time on the toughest questions that “were a complete guess.” Many of us remember using almost all of the allotted six hours to check and re-check answers.

And, almost all of us remembered a huge let-down feeling after leaving the exam, one that was dominated by the nagging doubt about whether we had passed. Most of us were not sure we had passed: the test was that rough. Almost all of us were on pins-and-needles for five-to-six weeks until we found out the results, and then were overjoyed when we learned we had passed. And I think all of us remembered the exhaustion that came from sitting through a six hour exam that required complete focus for the entire time.

So, to the eleven candidates who sat for the CISSP exam recently, I salute your stamina, resolve, and hopefully your passing the exam. You’ll feel wonderful when you do.

For those unfamiliar with it, the CISSP (Certified Information Systems Security Professional) is an exam administered by the International Information Systems Security Certification Consortium, known as (ISC)2.

The exam focuses on ten (10) domains of knowledge, covering the following:

  • Access controls
  • Telecommunications and network security
  • Security management
  • Application security
  • Cryptography
  • Security architecture and design
  • Operations security
  • Business Continuity and Disaster Recovery
  • Ethics, Legal, Regulatory, Compliance and Investigations
  • Physical and environmental security

See more about the CISSP and the (ISC)2 here.

And, let us know what your experience was like.

Learn from Some of the Best

Thursday, April 19th, 2012

Join the industry’s leading practitioners of IT audit, security, governance and risk management at the ISACA North American CACS (Computer Audit Control and Security) conference from May 7th through the 10th in Orlando, Florida.

The buzz at ISACA conferences is unique because of the depth and breadth of coverage, the experience of attendees, and the learning that comes from old and new contacts alike.

The NA CACS conference has more than 100 speakers in seven tracks and 70 sessions covering a wide range of IT audit, security, governance and risk management topics.

And sessions are allocated to the new COBIT 5 for those looking for an update on ISACA’s latest framework for accelerating more value from and trust in IT.

In addition, pre- and post-conference workshops on May 5th, 6th and 11th include sessions on: controls and security of Web applications, IT risk management, performing IT audits (a practical approach), server virtualization security and audit, cloud computing audit and assurance issues, and data loss prevention.

Prepare for professional exams, earn up to 44 CPE credits, learn from those that have done it, share your knowledge or experience, and make new friends.

For more information, see ISACA at:

http://www.isaca.org/education/upcoming-events/pages/north-america-CACS-2012.aspx

Private Sector Privacy and Government Surveillance

Wednesday, April 18th, 2012

The privacy gaffes of Google, Facebook and other tech titans involving the use of personally identifiable information (PII) have recently been overtaken by hornets and wasps making noises about privacy and surveillance involving governments on both sides of the pond. And the focus is legislative policy and intent that could have longer-term repercussions for private companies, their customers and consumers throughout the world.

In a rather interesting twist, recent coverage points out an intriguing and controversial “do as I say, not as I do” stance that both the EU and US are taking when it comes to data available through the Internet, including personal and company information.

Governments want to have your information cake and eat it too

On the one hand, government legislative bodies are taking a harder line with respect to consumer notification in the event of data breaches and the burden this imposes on private sector businesses.

On the other hand, governments are taking the position that any and all information is usable by law enforcement and intelligence communities, by surveillance or by sharing, without the normal legal protections afforded citizens in place and without notifying consumers — or private businesses — that such information has been acquired directly or indirectly.

Time to pay attention

If you are in charge of your company’s legal department, its information security programs, data retention programs, or regulatory compliance and audit programs, now may be the time to pay attention to, and participate in, the dialogues that are underway on both sides of the pond.

The decisions that are being legislated by governments are going to impact your company as well as you personally. With this in mind, a few recent headlines might serve to whet your appetite, inform your thinking and help you act.

Privacy in the EU

In Europe, proposed modifications to the EU’s 1995 Privacy Directive will, among other changes, require companies to notify consumers if their PII has been lost or stolen in a privacy breach. Similar to existing consumer notification laws in the US, this requirement would be EU-wide. The proposed changes to the 1995 EU Privacy Directive will also impact non-EU businesses that happen to conduct business in the EU.

Some of the recent headlines include the following:

Report: IT directors believe EU data protection changes will raise costs

The New EU Data Protection Proposal: Getting Ready with the Spanish Example

Original 1995 Directive, look here: http://bit.ly/1995Dir or here http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML

Updates to the 1995 EU Privacy Directive, look here: http://bit.ly/2012Reg or here http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf

Surveillance and the EU

Some of the recent headlines about government surveillance programs include:

Anonymous’s new target – the INDECT crime surveillance project

Surveillance plans could breach EU laws, expert claims

Spy tech exports from Europe face tighter scrutiny

Poland Withdraws from EU Surveillance Project

Surveillance and the US

While the EU is grappling with changes to citizen-privacy laws and government surveillance, US regulators and legislators are grappling with what to do about privacy-gaffes made by some of the biggest tech-titans – including Google and Facebook – while dealing with government surveillance. Recently proposed legislation covering surveillance under the name of CISPA (Cyber Intelligence Sharing and Protection Act) is bringing out the pros and cons in abundance, including some of the following:

Demand your data back from Google and Facebook

Web inventor Berners-Lee shoots down CISPA

CISPA Author Rogers: China’s Cyber ‘Predators’ Must Be Stopped

CISPA’s Latest Critic: The White House

CISPA Monitoring Bill: Just the Facts

Internet Russian Roulette!

Monday, April 16th, 2012

Do you know of any organizations with:

  • Not enough technical security controls to manage the organization’s risks?
  • Untrained people and procedures to manage such controls?
  • Inadequate funding for the information security program?

I’ve seen all three of these factors play out time and again, at more than a few firms. And, it’s not just among small businesses where this occurs, although more small businesses than large firms lack the security controls, trained staff, policies, procedures and wherewithal to fund the necessary controls to manage their risks.

Based on research conducted with more than 2,000 organizations, the lack of information security controls — and the funding needed to purchase, deploy, maintain and train people — is directly related to the outcomes organizations experience.

Figure: Technical Information Security Controls by Outcomes and Size

Source: IT Policy Compliance Group, 2012

Outcomes and the use of Information Security Controls

Is this surprising? It probably shouldn’t be.

And, even though I run into the problem of not enough controls, not enough money, and not enough staff when talking with individuals, I’m continually baffled by what seems to be a lack of understanding — in this day when the Internet is the organization’s network to customers and suppliers — of the relationship between outcomes and the appropriate management of risk.

So, to reiterate what this means for those who are new to this site or have never seen this information before: the outcomes described in this blog post, which are measured across thousands of firms, track the following among others:

  • Changes in revenue
  • Changes in profit
  • Changes in customer retention
  • Business downtime from IT disruptions and failures
  • The loss or theft of sensitive information
  • Audit deficiencies to correct in IT

For example, those with the worst outcomes post the biggest declines in revenue, profit and customers, while posting the biggest gains (sic) in business downtime, loss or theft of information, and audit deficiencies. Those with the best outcomes experience the opposite of these results.

The colored portions of the charts display the relative percentages of organizations implementing these broad classes of information security controls. The red, yellow and green colors display the implementation of these controls by outcomes experienced, whereas the blue-colored blocks display the implementation rates by size of organization.

Primary Take-Aways

There are three primary take-aways from this chart that you might want to share with others in your organization:

1) Larger organizations tend to implement more controls than smaller firms

2) Organizations with the best outcomes implement more controls

3) Organizations with the worst outcomes implement fewer controls

Lessons for Decision-Makers

The lessons for those who are in charge of making decisions about funding:

  • Short-term profitability may be goosed by keeping expenses down, but at what risk to shareholders and bondholders?
  • All it takes is one event to topple the reputation and brand of the organization
  • It might occur tomorrow, next week, next year, or five years from now
  • Unlike the one-in-six odds of a revolver aimed at your head, if you lack controls, things are more likely to blow up sooner rather than later
  • It may have taken 10 years, 20 years, 50 years or more to build the brand
  • All of this can be unraveled with one-click of a mouse

For more information on IT controls and outcomes or to see how your organization compares with your peers and your industry on the topic, try the free IT Controls and Outcomes or the Industry Spend Comparison self-assessment tools – among others – at IT Policy Compliance.

And as always, let us know what else the Group can do to assist your efforts.

The Top Five Industries

Wednesday, April 11th, 2012

Are you in an industry that’s ahead of the curve — or behind it — for delivering more value and less risk with IT? A recent look at findings across more than 6,000 organizations reveals some interesting insight about how well – and how poorly – some industries are faring when it comes to the use of IT.

The top-level analysis of 6,000 organizations reveals that some industries post better outcomes while others experience worse, as follows:

The top five industries

  • Aerospace
  • Consumer durable goods
  • Travel, entertainment and accommodations
  • Pharmaceuticals
  • Healthcare services

The bottom five industries

  • Waste management
  • Consumer electronics
  • Medical devices
  • Advertising and public relations
  • Apparel

Are there really top performing industries?

Well, yes and no – and some industries are doing better than others. The lists above clearly indicate some industries are doing a better job than others in delivering more value and less risk related to IT. And these are the keys to the findings: first, that the differences are relative from one industry to another, and second, that it’s the combination of more value and less risk that defines the differences between some industries.

But one of the key findings from the research is that not one industry, not even Aerospace at the higher end or Waste management at the lower end of this higher-value, lower-risk performance spectrum, falls into the absolute categories of “best” or “worst”. Rather, the relative tendency of these and other industries is about the average.

Moreover, not all firms in an industry are in the top or bottom. For example, not all firms in Pharmaceuticals are achieving the same high value – low risk results. Similarly, not all medical device companies are posting the same low value – high risk results. See the details* at the end of this post if you’re interested.

What may generate interest based on a hook to a story — upon closer inspection — tends to be more subtle and complex. However for many of us, the fact that we work in a particular industry, say healthcare, insurance, banking, education, manufacturing, retail or another industry, tends to be a primary reference we use for comparison, as in “I’m in automotive manufacturing, and we’re different than other industries. What does this mean for me?”

We all believe that our industry is unique. I’ll never forget a conversation I had with a senior IT auditor in the pharmaceutical industry who told me his industry was much different from Banking because the impact of their making a mistake (in drug trials for instance) is measured by life and death, whereas bankers measure it in profit and loss, even though this publicly-traded firm reported financial results each quarter. And, this gentleman had spent more than 10 years in banking before moving to pharmaceuticals. By contrast, I’ve had similar conversations with people in the banking industry who’ve downplayed the relevance and risks in the utility industry, even though potential worst-case outcomes are reversed between utilities and banking. As I said, we all think our industry is unique.

But, one of the things I’ve learned from the ongoing research of the Group, is that although we think the industry we’re in is unique, when it comes to delivering more value and less risk related to the use of IT, it’s not.

Many of the differences when it comes to the use of IT, from one industry to another – and from one company to another – stem from the fact that applications and business processes enabled or automated by applications emphasize competitive advantages that help to differentiate organizations within their industry. And, what these applications focus on, differs considerably from one industry to another. For example, logistics for defense applications have nothing to do with medical device imaging applications as used in hospitals. Nor do dosimeter measurement applications in the Nuclear electric-generation industry have anything to do with yield management applications in the retail industry.

Although the application focus of IT is different from industry to industry and firm to firm, the research results published by the Group reveal that the procedures that yield more value and less risk from IT – and therefore place more trust in the use of IT – are actually quite common across firms and industries.

I recently heard this sentiment, that industry doesn’t impact risk (or value) outcomes as much as we think, echoed at a recent meeting of people responsible for their organizations’ information security programs. A lot of head-nodding and agreement occurred when one of the attendees said, “You know, we’re all dealing with the same problems and the same issues. We need to start looking at this (security as an exercise in managing risk from the use of IT) as a set of practices along a maturity-spectrum, not something that’s unique to our industry.”

Control your own destiny

The Group’s research findings reveal a tendency toward better outcomes among some industries, and a similar tendency to better outcomes by size. But the research also shows that neither of these factors (size nor industry) by itself (or together) is enough to achieve best or worst outcomes when it comes to the use of IT.

We’ve also documented that value and risk outcomes related to the use of IT are largely driven by specific practices, such as those governing the management of value and risk, organizational structure, spending on IT, spending on information security, frameworks to manage IT, procedural controls to manage value and risk, frequency of assessment and reporting, IT controls to manage risk, and tools to automate procedures and reporting among others. The research findings also show that it’s the practices that are completely aligned with and responsible for better and worse outcomes. For example, where the practices are implemented, organizations consistently experience and report much higher value and lower risk. And, where the practices are not implemented, organizations routinely experience and report much lower value and higher risk outcomes.

The ample evidence contained in the research reports that are freely available at IT Policy Compliance presents good news to everyone. It’s not industry or size that define likely outcomes. Rather, it’s the defining practices. Instead of being confined to a specific industry or defined by size, the defining practices — where implemented — are the primary drivers of more value and less risk from the use of IT.

Research reports

You can find the defining practices responsible for delivering more value and less risk from the use of IT in the research reports. The benefit of the research reports is their comprehensiveness. Their drawback is a lack of comparison with peers in your industry or between industries.

Self-assessment tools

If you don’t have the time to read research reports – and many do not – then use the quick two-minute interactive self-assessment tools. The benefit of the interactive self-assessment tools is their simplicity and ease of use, along with the ability to do peer and industry comparisons.

The research reports and assessment tools are both freely available at IT Policy Compliance.

Use the self-assessment tools, let us know what you think — and let us know about others that will assist your efforts.

*More on the details:

The numbers: more than 6,000 organizations and 41 industries. A minimum of 50 sampled firms per industry with samples in some industries exceeding 300. Standard deviations that range from 1 to 2 sigma (68% to 95% of the observed sets of outcomes and practices) for the top and bottom five industries listed, otherwise 31 of the other industries sampled fall within the 1 sigma range (68% of the samples). The value and risk outcomes consistently tested include: changes in revenue, profit, customer retention, loss or theft of data, business downtime due to IT problems, and audit deficiencies found in IT. Each of the industries in the top and bottom rankings is based on un-weighted composite scores of value and risk across all outcomes rather than a single outcome. Scores for any one outcome are similar to others, such that a majority of firms experiencing a category of outcome along a five-point scale for one outcome experience very similar results for other categories of outcomes. For example, almost 97 percent of the firms scoring the highest changes in revenue also experience the least amount of loss or theft of sensitive information. On the opposite side of the ledger, a similarly high level involving 89 percent of firms suffering the worst changes in revenue also experience the highest number of losses or thefts of sensitive data. Not all firms in an industry are performing at the same level. For example, not all firms in consumer electronics are at the bottom, nor are all firms in healthcare services at the top. The findings simply indicate relative differences in value and risk outcomes among industries.


Where’s Your Data – Today?

Monday, April 9th, 2012

A random collection of recent headlines about organizations where controls were not sufficient includes:


April 7th: Insurance company in UK sends PII and financial data to wrong people

See more here:  http://www.dailymail.co.uk/news/article-2126670/Aviva-pensions-fiasco-sends-wrong-details-thousands-customers.html

Confidential information sent to wrong people by UK insurance company Aviva.


April 4th: Social security numbers of citizens exposed – Utah Department of Health

See more here:  http://www.health.utah.gov/databreach/

Hackers acquire PII data – including social security numbers – of 180,000 plus people from Utah Dept of Health.


April 6th:  Credit Card Processor Global Payments Hacked

See more here:  http://www.boston.com/news/nation/articles/2012/04/02/global_payments_says_visa_drops_it_after_breach/

Anyone care to guess whether Global Payments was in compliance with PCI?


March 27th:  PII data of 34,000 plus exposed from stolen laptop

See more here: http://huhealthcare.com/healthcare/hospital/data-breach/Press%20Release

Ah, the stolen laptop – again. Data on laptops is said by HU to be encrypted – going forward.

Coping with Increases in Regulatory Burdens

Thursday, April 5th, 2012

We recently had the opportunity to review some of the changes in the number of regulations impacting IT that have occurred over the past few years and thought you might like to see the increases and what some of the best performers are doing to cope with the additional burdens.

Increases in regulatory burdens on IT

One of the metrics tracked in the benchmarks dating back to 2006 involves the frameworks and regulations that IT functions in organizations are managing. In 2006 the average number of such regulations and frameworks being managed by IT functions came in at eight. However, this is somewhat high because not all firms were similarly impacted. The share of firms impacted by these measured just 35 percent, with larger firms more likely to face a larger number of regulatory burdens on their IT functions.

This increased to an average of 14 regulations and frameworks impacting IT by the end of 2011: an increase of 75 percent over five years. But what is astounding is the number of firms such regulations are impacting. This increased from 35 percent to 70 percent of all organizations from 2006 to 2011: a doubling in five years.

[Figure: Number of regulations and frameworks. Source: IT Policy Compliance Group, 2012]


The list of regulations and frameworks being juggled by many IT departments in many firms by 2011, includes: Balanced scorecard, Capability maturity models, CIS benchmarks, Data protection and privacy, HIPAA, ISO 2700x-17799, ISO 20000 (ITIL), Legal holds on data, Portfolio management, Project management, Retention and destruction of information, Sarbanes Oxley, SDLC, and Six Sigma.

However, not all of these impact, and therefore are managed by, every organization in the same way. For some, IT may be wrestling with other frameworks or industry specific regulations such as Basel II (and Basel III in the future), BISL, CobiT, COSO, DHS regulations, Dodd Frank, EMA, European Data Privacy Directives, FDA rulings, FIPS, FISMA, FTC rulings, GLBA, NIST, Pipeda, PCI, Safe Harbor, SAS 70 and SSAE-16, SEC guidelines and rulings, Solvency II, or SCAP among many others. In fact, the list appears to be endless.


A gold standard practice

One of the best practices we found being implemented among the best performers for providing IT related regulatory evidence uses a “run-once, demonstrate many times” approach to collecting evidence. Instead of having to go back to the well every time an audit is underway, many of these organizations are mapping the risks, policies, procedures, controls, exceptions and acceptances between one regulatory regime and another, and collecting information based on this.

In many cases overlaps range from as little as 65 percent (a few) to as much as 90 percent (many). After the overlaps are identified, it’s far easier and less costly to then work on the unique 35-to-5 percent than to re-start the entire process from the beginning. And, of course, there’s always the question of how far out of date the collected information is.
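The crosswalk idea above, as an added illustration that is not the Group's own tooling: a control-to-regime mapping lets you measure the overlap between two regimes, list the residual controls that still need unique evidence once other regimes are already evidenced, and flag evidence that has gone stale. The regime names are those the post mentions; the control identifiers, dates and evidence register are constructed placeholders, not clauses from any real regulation.

```python
from datetime import date

# Constructed, hypothetical crosswalk: each control id is a placeholder,
# not a clause number from any real regime; regime names follow the post.
CROSSWALK = {
    "access-review":       {"SOX", "PCI", "HIPAA", "ISO 2700x"},
    "change-management":   {"SOX", "PCI", "ISO 2700x"},
    "encryption-at-rest":  {"PCI", "HIPAA", "ISO 2700x"},
    "log-retention":       {"SOX", "PCI", "HIPAA"},
    "retention-schedule":  {"SOX"},
    "card-data-scoping":   {"PCI"},
    "breach-notification": {"HIPAA"},
}

# Constructed evidence register: when each control was last evidenced.
EVIDENCE_COLLECTED = {
    "access-review":       date(2012, 1, 15),
    "change-management":   date(2011, 6, 1),
    "encryption-at-rest":  date(2010, 11, 30),
    "log-retention":       date(2011, 2, 1),
    "retention-schedule":  date(2012, 3, 1),
    "card-data-scoping":   date(2012, 3, 1),
    "breach-notification": date(2012, 3, 1),
}


def controls_for(regime, crosswalk=CROSSWALK):
    """All control ids that the given regime requires."""
    return {c for c, regimes in crosswalk.items() if regime in regimes}


def overlap_percent(regime_a, regime_b, crosswalk=CROSSWALK):
    """Share of regime_a's controls whose evidence also serves regime_b."""
    a = controls_for(regime_a, crosswalk)
    b = controls_for(regime_b, crosswalk)
    return 100.0 * len(a & b) / len(a)


def residual_work(target, already_done, crosswalk=CROSSWALK):
    """Controls of `target` not covered by any regime already evidenced."""
    covered = {c for c, r in crosswalk.items() if r & set(already_done)}
    return sorted(controls_for(target, crosswalk) - covered)


def stale_evidence(as_of, max_age_days, evidence=EVIDENCE_COLLECTED):
    """Controls whose last evidence is older than the allowed age."""
    return sorted(c for c, d in evidence.items()
                  if (as_of - d).days > max_age_days)
```

With the constructed data, PCI reuses 60 percent of SOX evidence and only two PCI controls remain once SOX is done; the staleness check answers the "how far out of date" question before an auditor does.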

But, in general, both auditors and the IT organizations employing the practice report that it results in working smarter, not harder.

It appears the regulatory burdens are not getting simpler or fewer: it would be wise to implement this gold-standard practice of the best performers, if only to retain your sanity and reduce your budgets.

What’s the Risk?

Monday, April 2nd, 2012

We’ve found some rather interesting material in the ongoing research being conducted by the Group that we’d like to share with you. The findings are focused on the risks that organizations believe are related to the use of IT, and the differences in which of those risks are considered the least and the most significant.


Simple readings and perception of risks related to IT

From surveys conducted with more than 3,000 organizations, the SIMPLE reading of the highest ranked business risks in priority order includes:

Rank  Risk
1     Business downtime due to failures occurring in IT
2     Loss or theft of sensitive information, including customer data
3     Unknown and unseen Internet security threats
4     Regulatory and legal non-compliance problems related to IT
5     Outsourced applications, information or IT assets

Source: IT Policy Compliance Group, 2012


Interestingly, the risks that do NOT show up in the top 5 include such things as brand risks, headline risks and reputational risks. I would have thought that brand risk and reputational risk would rate higher, based on the constant questions I receive about these two from people all over the world. More on this later in this post.

Others that do not show up in the top 5 include losses of integrity to IT assets or information; internal theft or fraud involving the use of IT assets; impaired revenue or profit due to IT problems; adverse impacts on customer retention and satisfaction; vulnerabilities in IT assets, mistakes made by employees; shortages of skills for critical IT projects; delays to critical IT projects; and the loss of governance over data, applications, audits and risks. It’s not that these are not risks for organizations, it just means that when lumped together with more than 3,000 other organizations, these do not rate as the top risks related to the use of IT.

Now, what’s NOT interesting is the top 5, or even a comparison between the risks that did not make the top 5 and those that did. Why? Because the SIMPLE view of the readings across 3,000 plus firms masks differences in how the different risks are perceived by organizations that are of different sizes, from very different industries, and that experience very different outcomes.


Outcomes and perceptions of risks related to IT

What’s really interesting are some diametrically opposed priorities for what’s considered high risk or low risk that are aligned by the OUTCOMES that are being experienced by organizations. For example, the MOST RISK among those with the BEST outcomes is the loss of governance over data, applications, audit and risks. The same loss of governance is considered to be the LEAST RISK among the organizations experiencing the WORST outcomes.

So what are these outcomes between worst and best performers? The best performers post the highest positive increases in revenue, profits and customer retention, while the worst performers post the largest declines in the same outcomes. Similarly, the best performers post the fewest hours of business downtime due to problems in IT, the lowest levels of data loss or theft, the fewest vulnerabilities in IT and the fewest problems with audits related to IT, whereas the worst performers experience the highest levels of these outcomes.

When the risks related to the use of IT are examined by outcomes, we find a rather interesting relationship for two of the risks: a) the loss of governance and b) brand or reputational risks.

For these two, the differences in the perception of risk between organizations are the most extreme, ranging from least risk among the worst performers to almost the most risk (in the case of loss of governance) and some risk (in the case of brand and reputational risk) among the best performers.

[Figure: The Top 5 Risks from the use of IT – by Outcomes. Source: IT Policy Compliance Group, 2012]


Also, the view of the top 5 risks is very different. As can be seen from this view of risk, the top 5 risks – when ranked by best outcomes – are:

  • Loss of governance over information, applications, audits and risks
  • Loss or theft of sensitive information
  • Business downtime
  • Employee mistakes
  • Unknown and unseen Internet security threats

The loss of governance over information, applications, audits and risks is clearly a management priority, and rightly so. I think what the findings indicate is a lack of management focus on, or concern about, these risks among the worst performers when compared with the best performers.

And based on what I’ve personally witnessed, I’m guessing the reason that brand and reputational risk currently tops out at “some” risk among a majority of the best performers is that this is the current state of practice for relating the business risk impact of information and the use of technology, versus simple communications about technology details without the business-impact connection. Let us know what you think.

To summarize, the notable difference among the best performers is a keen focus on two of the risks:

  1. the loss of governance and
  2. brand and reputational risks


What’s the risk?

Which approaches to managing risks related to the use of IT work better? Well, it depends on what you consider the risks to be, doesn’t it?

The evidence shows the approaches implemented by the best performers work better: after all, these firms achieve the best outcomes. See the free published research reports and self-assessments at ITPolicyCompliance.com for more information about the successful approaches being implemented by the best performing organizations.

What’s the risk? If you don’t have your risk-priorities aligned correctly for your business (and they can be different than those depicted here), you’ll be much less likely to implement approaches being used by the best performers to manage the risks of using IT – and hence be unlikely to post better results.