Archive for the ‘Latest Research’ Category

Workshop Results on Information Risk at ISACA

Thursday, May 10th, 2012

About 700 people attended the ISACA NA CACS Conference in Orlando this week. Book-ended by formal workshops on either side of the conference, this senior-level group of IT auditors and information security professionals was able to share insight and experience and learn from one another about what’s working and what’s not, something that’s sometimes hard to find at other conferences.

The IT Policy Compliance Group delivered one of its mini-workshops on information risk in one of the sessions. Attendees assessed the maturity of their organizations’ practices for handling sensitive information and identified areas that, if improved, will result in lower rates of data loss or theft, fewer audit deficiencies to correct, and less worry about IT service hiccups impacting business operations.

The nine practice domains covered by this workshop included:

  • Spend on IT, information security and compliance
  • Policies and procedures
  • Use of frameworks
  • Use of IT controls
  • Use of change controls
  • Use of tools
  • Automation of procedures
  • Operational cadences
  • Reporting

The interesting finding from the workshop is the tally of where participants rated themselves and their organizations.

Of the approximately 90 people in this session, none voluntarily scored themselves as a 1 on a 5-point scale (a worst performer), which is roughly equivalent to a bottom-20th-percentile ranking. Whether people were too embarrassed to admit it or not, no one wanted to be identified publicly as a complete laggard: not too surprising!

The largest segment, about 40 percent of the 90 attendees, rated themselves and their organizations as 2s on the 5-point scale, equivalent to a 20th-to-40th percentile ranking. That is roughly twice the population normally found in this range, which comes in at about 20 percent, an indication that some of the 1s in the crowd likely opted to remain silent and anonymous. After all, the purpose of the exercise is to give people tools to improve outcomes.

The next segment, about 30 percent of the 90 attendees, rated themselves and their organizations as 3s, the middle of the range, equivalent to a 40th-to-60th percentile ranking. Thirty percent is slightly lower than, but within, the expected range.

The last major segment, about 30 percent of the 90 attendees, rated themselves and their organizations as 4s, somewhere between average and the best performers; 30 percent is slightly more than the expected range.

Finally, only one person of the 90 attendees rated himself and his organization as a 5 on the 5-point scale. The interesting finding is that this person confirmed that he and his teams had fully implemented most, if not all, of the practices identified in the workshop: another clear indication that the IT Policy Compliance Group benchmarks can be, and are, used to navigate reliable paths to improved outcomes.

Equally important, everyone participating in the workshop left the session knowing that their rating matched their outcomes, and that both matched the practices implemented, or not implemented, to better protect and handle sensitive information.

One of the interesting observations made by several of the attendees is that while spend data is important to argue for additional resources, the workshop helped them to focus on the areas where additional spend should be allocated to achieve their improvements. For some, the workshop results are additional ammunition needed to galvanize calls-to-action. For others, the results are eye-opening.

If you’re interested in taking the workshop yourself, or using it within your company or organization, head on over to ISACA and download a copy of session 227: What Color Is Your Information Risk – Today? Simply answer the questions posed by the nine exercises and add up your subtotal scores to find where your organization stands today.

As some of the astute workshop participants noted, results are going to depend on your role and position in the organization. To normalize results for your organization, compile responses from the appropriate levels and roles within it.

You can find some of the research findings for this workshop here:

And, you can find related on-line self assessments here:


If you have questions or observations, please let us know.


Vendor Management: Here Today – and Here To Stay

Wednesday, May 2nd, 2012

As has been said many times before – you can outsource business functions and procedures but you can’t outsource the risks.

What about your vendors handling information or IT resources for you: what impact do they have on your business risks?

In this age of Cloud computing services, outsourced IT services, off-shored IT services and all manner of outsourced IT, some, not all, CIOs and CISOs are becoming chief procurement and vendor managers, while many others are becoming exposed to the role.

I’ve spoken with some members whose entire day, and all of IT, is taken up managing vendors, because that’s who’s delivering all IT services, applications and information for these companies. Others I’ve spoken with have indicated that vendor management is becoming a concern, but only for “not-run-the-company” uses of IT.

Aside from telecommunications services, many of these suppliers specialize in soup-to-nuts procedures and applications for a particular industry: banking, education, healthcare, insurance, law enforcement, pharmaceuticals, or travel and entertainment, for example. What none of these suppliers specialize in is information security, information assurance, governance and risk management. The onus for managing these “governance” issues of your vendors is yours!

Research now available from the Group reveals that about 2-in-10 organizations are ignoring, or shoving to the side, the impact of their vendors’ information handling and security procedures. Another 5-in-10 are paying lip-service to the risks by telling their vendors what’s expected of them in standard contract language and then ignoring it completely after the contracts are signed. The remaining 3-in-10 are going beyond the dusty boiler-plate contained in procurement contracts.

The primary reasons driving those with the most active vendor management practices include:

  • Risks to business operations and procedures when something hiccups
  • Evidence needed for audits and regulatory reporting
  • Risks to the brand and reputation of the organization
  • Risks involved with using Cloud-based IT services
  • Risks or liability from the loss or theft of sensitive data and customer information
  • Risks to financial reporting requirements

And the benefits of actively managing your vendors? Among those with the most active vendor management programs, the benefits are significant:

  • Reduced rates of data loss and theft
  • Reduced audit findings related to IT that cost money to fix
  • Reduced numbers and severity of Internet security threats
  • Reductions in costs and liabilities
  • Reductions in business downtime from unexpected IT hiccups

Whether you like it or not, more of us are becoming managers of vendors. It may have started recently and small for you, with the outsourcing of Email or Web-services. Or it might have gone big-time for you long-ago when legacy mainframe applications – that are still being used to run the business by the way – were outsourced to specialist firms.

Whether you are already knee-deep in the swamp managing your vendors or are only now becoming wet, we hope to provide you with some practical guidance about what’s working based on the experience of others. Knowing which procedures to focus on, which procedures to automate, which questions to ask, the metrics needed, what red-flag triggers to employ, and how often to assess and report on risk are just a part of being able to successfully manage your vendors. And, being able to communicate up-the-chain to inform your business stakeholders what the business risks, trends and corrective-action-plans are is also a critical part of managing your vendors.

Although many of us are at different stages, one thing is certain:  managing the “governance” issues of your vendors handling information and IT resources – related to value, risk, assurance, and information security – is not going away.  It’s here today – and here to stay.

Find out which practices are working to better manage risks related to vendors handling information or IT resources at

We hope you enjoy and are able to take advantage of the findings to improve outcomes for your organization.

Internet Russian Roulette!

Monday, April 16th, 2012

Do you know of any organizations with:

  • Not enough technical security controls to manage the organization’s risks?
  • People untrained, and procedures lacking, for managing such controls?
  • Inadequate funding for the information security program?

I’ve seen all three of these factors play out time and again, at more than a few firms. And it’s not just among small businesses that this occurs, although more small businesses than large firms lack the security controls, trained staff, policies, procedures and wherewithal to fund the controls necessary to manage their risks.

Based on research conducted with more than 2,000 organizations, the lack of information security controls — and the funding needed to purchase, deploy, maintain and train people — is directly related to the outcomes organizations experience.

Figure: Technical Information Security Controls by Outcomes and Size
Source: IT Policy Compliance Group, 2012


Outcomes and the use of Information Security Controls

Is this surprising? It probably shouldn’t be.

And even though I run into the problem of not enough controls, not enough money, and not enough staff when talking with individuals, I’m continually baffled by what seems to be a lack of understanding, in this day when the Internet is the organization’s network to customers and suppliers, of the relationship between outcomes and the appropriate management of risk.

So, to reiterate what this means for those who are new to this site or have never seen this information before: the outcomes described in this blog post, measured across thousands of firms, track the following, among others:

  • Changes in revenue
  • Changes in profit
  • Changes in customer retention
  • Business downtime from IT disruptions and failures
  • The loss or theft of sensitive information
  • Audit deficiencies to correct in IT

For example, those with the worst outcomes post the biggest declines in revenue, profit and customers, while posting the biggest increases in business downtime, loss or theft of information, and audit deficiencies. Those with the best outcomes experience the opposite.

The colored portions of the chart display the relative percentages of organizations implementing these broad classes of information security controls. The red, yellow and green colors display implementation of these controls by outcomes experienced, whereas the blue-colored blocks display implementation rates by size of organization.


Primary Take-Aways

There are three primary take-aways from this chart that you might want to share with others in your organization:

1) Larger organizations tend to implement more controls than smaller firms

2) Organizations with the best outcomes implement more controls

3) Organizations with the worst outcomes implement fewer controls


Lessons for Decision-Makers

The lessons for those who are in charge of making decisions about funding:

  • Short-term profitability may be goosed by keeping expenses down, but at what risk to shareholders and bondholders?
  • All it takes is one event to topple the reputation and brand of the organization
  • It might occur tomorrow, next week, next year, or five years from now
  • Unlike the one-in-six chance from a revolver aimed at your head, if you lack controls, things are more likely to blow up sooner rather than later
  • It may have taken 10 years, 20 years, 50 years or more to build the brand
  • All of this can be unraveled with one click of a mouse


For more information on IT controls and outcomes, or to see how your organization compares with your peers and your industry on the topic, try the free IT Controls and Outcomes or Industry Spend Comparison self-assessment tools, among others, at IT Policy Compliance.

And as always, let us know what else the Group can do to assist your efforts.

The Top Five Industries

Wednesday, April 11th, 2012

Are you in an industry that’s ahead of the curve, or behind it, for delivering more value and less risk with IT? A recent look at findings across more than 6,000 organizations reveals some interesting insight about how well, and how poorly, some industries are faring when it comes to the use of IT.

The top-level analysis of 6,000 organizations reveals that some industries post better outcomes while others experience worse, as follows:

The top five industries

  • Aerospace
  • Consumer durable goods
  • Travel, entertainment and accommodations
  • Pharmaceuticals
  • Healthcare services

The bottom five industries

  • Waste management
  • Consumer electronics
  • Medical devices
  • Advertising and public relations
  • Apparel

Are there really top performing industries?

Well, yes and no, and some industries are doing better than others. The lists above clearly indicate some industries are doing a better job than others in delivering more value and less risk related to IT. And these are the keys to the findings: first, that the differences are relative from one industry to another, and second, that it’s the combination of more value and less risk that defines the differences between industries.

But one of the key findings from the research is that no single industry, not even Aerospace at the high end or Waste management at the low end of this more-value, less-risk performance spectrum, falls into the absolute categories of “best” or “worst”. Rather, the relative tendency of these and the other industries is about the average.

Moreover, not all firms in an industry are in the top or bottom. For example, not all firms in Pharmaceuticals are achieving the same high-value, low-risk results. Similarly, not all medical device companies are posting the same low-value, high-risk results. See the details* at the end of this post if you’re interested.

What may generate interest based on a hook to a story — upon closer inspection — tends to be more subtle and complex. However for many of us, the fact that we work in a particular industry, say healthcare, insurance, banking, education, manufacturing, retail or another industry, tends to be a primary reference we use for comparison, as in “I’m in automotive manufacturing, and we’re different than other industries. What does this mean for me?”

We all believe that our industry is unique. I’ll never forget a conversation I had with a senior IT auditor in the pharmaceutical industry who told me his industry was much different from Banking because the impact of their making a mistake (in drug trials, for instance) is measured in life and death, whereas bankers measure it in profit and loss, even though his publicly-traded firm reported financial results each quarter. And this gentleman had spent more than 10 years in banking before moving to pharmaceuticals. By contrast, I’ve had similar conversations with people in the banking industry who’ve downplayed the relevance and risks in the utility industry, even though potential worst-case outcomes are reversed between utilities and banking. As I said, we all think our industry is unique.

But one of the things I’ve learned from the ongoing research of the Group is that although we think the industry we’re in is unique, when it comes to delivering more value and less risk related to the use of IT, it’s not.

Many of the differences when it comes to the use of IT, from one industry to another – and from one company to another – stem from the fact that applications and business processes enabled or automated by applications emphasize competitive advantages that help to differentiate organizations within their industry. And, what these applications focus on, differs considerably from one industry to another. For example, logistics for defense applications have nothing to do with medical device imaging applications as used in hospitals. Nor do dosimeter measurement applications in the Nuclear electric-generation industry have anything to do with yield management applications in the retail industry.

Although the application focus of IT differs from industry to industry and firm to firm, the research results published by the Group reveal that the procedures that yield more value and less risk from IT, and therefore place more trust in the use of IT, are actually quite common across firms and industries.

I recently heard this sentiment, that industry doesn’t impact risk (or value) outcomes as much as we think, echoed at a recent meeting of people responsible for their organizations’ information security programs. A lot of head-nodding and agreement occurred when one of the attendees said, “You know, we’re all dealing with the same problems and the same issues. We need to start looking at this (security as an exercise in managing risk from the use of IT) as a set of practices along a maturity-spectrum, not something that’s unique to our industry.”

Control your own destiny

The Group’s research findings reveal a tendency toward better outcomes among some industries, and a similar tendency toward better outcomes by size. But the research also shows that neither of these factors (size or industry) by itself (or together) is enough to achieve best or worst outcomes when it comes to the use of IT.

We’ve also documented that value and risk outcomes related to the use of IT are largely driven by specific practices, such as those governing the management of value and risk, organizational structure, spending on IT, spending on information security, frameworks to manage IT, procedural controls to manage value and risk, frequency of assessment and reporting, IT controls to manage risk, and tools to automate procedures and reporting among others. The research findings also show that it’s the practices that are completely aligned with and responsible for better and worse outcomes. For example, where the practices are implemented, organizations consistently experience and report much higher value and lower risk. And, where the practices are not implemented, organizations routinely experience and report much lower value and higher risk outcomes.

The ample evidence contained in the research reports that are freely available at IT Policy Compliance present good news to everyone. It’s not industry or size that define likely outcomes. Rather, it’s the defining practices. Instead of being confined to a specific industry or defined by size, the defining practices — where implemented — are the primary drivers of more value and less risk from the use of IT.

Research reports

You can find the defining practices responsible for delivering more value and less risk from the use of IT in the research reports. The benefit of the research reports is their comprehensiveness. Their drawback is a lack of comparison with peers in your industry or between industries.

Self-assessment tools

If you don’t have the time to read research reports, and many do not, then use the quick two-minute interactive self-assessment tools. The benefit of the interactive self-assessment tools is their simplicity and ease of use, along with the ability to do peer and industry comparisons.

The research reports and assessment tools are both freely available at IT Policy Compliance.


Use the self-assessment tools, let us know what you think — and let us know about others that will assist your efforts.



*More on the details:

The numbers: more than 6,000 organizations and 41 industries, with a minimum of 50 sampled firms per industry and samples in some industries exceeding 300. The top and bottom five industries listed fall between 1 and 2 sigma (the 68% to 95% bands of the observed sets of outcomes and practices), while the other 31 industries sampled fall within the 1 sigma range (68% of the samples).

The value and risk outcomes consistently tested include: changes in revenue, profit, customer retention, loss or theft of data, business downtime due to IT problems, and audit deficiencies found in IT. Each industry’s place in the top and bottom rankings is based on un-weighted composite scores of value and risk across all outcomes rather than on a single outcome. Scores for any one outcome are similar to the others, such that a majority of firms experiencing a given category of outcome on a five-point scale for one outcome experience very similar results for the other categories of outcomes. For example, almost 97 percent of the firms scoring the highest changes in revenue also experience the least loss or theft of sensitive information. On the opposite side of the ledger, a similarly high 89 percent of firms suffering the worst changes in revenue also experience the highest number of losses or thefts of sensitive data.

Not all firms in an industry are performing at the same level. For example, not all firms in consumer electronics are at the bottom, nor are all firms in healthcare services at the top. The findings simply indicate relative differences in value and risk outcomes among industries.


Coping with Increases in Regulatory Burdens

Thursday, April 5th, 2012

We recently had the opportunity to review some of the changes in the number of regulations impacting IT that have occurred over the past few years and thought you might like to see the increases and what some of the best performers are doing to cope with the additional burdens.

Increases in regulatory burdens on IT

One of the metrics tracked in the benchmarks dating back to 2006 is the number of frameworks and regulations that IT functions in organizations are managing. In 2006 the average number of such regulations and frameworks being managed by affected IT functions came in at eight. This is somewhat high, however, because not all firms were similarly affected: only about 35 percent of firms were impacted at all, with larger firms more likely to face a larger number of regulatory burdens on their IT functions.

By the end of 2011 this had increased to an average of 14 regulations and frameworks impacting IT: an increase of 75 percent over five years. But what is astounding is the number of firms such regulations are impacting. This increased from 35 percent to 70 percent of all organizations from 2006 to 2011: a doubling in five years.

Figure: Number of regulations and frameworks
Source: IT Policy Compliance Group, 2012


The list of regulations and frameworks being juggled by many IT departments in many firms by 2011, includes: Balanced scorecard, Capability maturity models, CIS benchmarks, Data protection and privacy, HIPAA, ISO 2700x-17799, ISO 20000 (ITIL), Legal holds on data, Portfolio management, Project management, Retention and destruction of information, Sarbanes Oxley, SDLC, and Six Sigma.

However, not all of these impact, and therefore have to be managed by, every organization in the same way. For some, IT may be wrestling with other frameworks or industry-specific regulations such as Basel II (and Basel III in the future), BiSL, COBIT, COSO, DHS regulations, Dodd-Frank, EMA, European Data Privacy Directives, FDA rulings, FIPS, FISMA, FTC rulings, GLBA, NIST, PIPEDA, PCI, Safe Harbor, SAS 70 and SSAE 16, SEC guidelines and rulings, Solvency II, or SCAP, among many others. In fact, the list appears to be endless.


A gold standard practice

One of the best practices we found among the best performers for providing IT-related regulatory evidence is a “run-once, demonstrate many times” approach to collecting evidence. Instead of going back to the well every time an audit is underway, many of these organizations map the risks, policies, procedures, controls, exceptions and acceptances from one regulatory regime to another, and collect evidence once on the basis of that mapping.

In many cases the overlaps range from as little as 65 percent (a few) to as much as 90 percent (many). After the overlaps are identified, it’s far easier and less costly to work on the unique remaining 10-to-35 percent than to restart the entire process from the beginning. And, of course, there’s always the question of how far out of date the collected evidence is.
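As an added illustration of this mapping approach (example code written for this page, not a tool from the Group or from any of the organizations studied), the Python below holds a small, constructed inventory of internal controls, each tagged with the framework requirements it satisfies. The control list and the requirement labels are hypothetical shorthand, not an authoritative cross-walk of any standard. From that inventory it computes the overlap between two regimes, the residual controls unique to one of them, how many separate evidence collections are needed versus how many requirements they demonstrate, and which evidence is missing or older than a chosen threshold:

```python
"""Cross-walk of internal controls to the regulatory frameworks they satisfy:
collect evidence once per control, demonstrate it for every mapped requirement."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    satisfies: Dict[str, Set[str]]      # framework name -> requirement labels it proves
    evidence_collected: Optional[date]  # None: no evidence on file yet


# Constructed sample inventory (hypothetical). The requirement labels are
# illustrative shorthand, not an authoritative mapping of any standard's text.
CONTROLS: List[Control] = [
    Control("C-01", "Quarterly user-access review",
            {"SOX": {"ITGC-AC-1"}, "PCI": {"REQ-7"}, "HIPAA": {"164.308(a)(4)"}},
            date(2012, 1, 15)),
    Control("C-02", "Central log retention, one year",
            {"SOX": {"ITGC-MON-2"}, "PCI": {"REQ-10"}}, date(2011, 6, 1)),
    Control("C-03", "Change-management approvals",
            {"SOX": {"ITGC-CM-1"}, "PCI": {"REQ-6"}}, date(2012, 2, 20)),
    Control("C-04", "Cardholder data encrypted at rest",
            {"PCI": {"REQ-3"}}, None),
    Control("C-05", "Breach notification procedure",
            {"HIPAA": {"164.404"}}, date(2012, 3, 1)),
    Control("C-06", "Annual risk assessment",
            {"SOX": {"ITGC-RA-1"}, "PCI": {"REQ-12"}, "HIPAA": {"164.308(a)(1)"}},
            date(2011, 12, 10)),
    Control("C-07", "Segregation of duties in financial applications",
            {"SOX": {"ITGC-SOD-1"}}, date(2012, 1, 5)),
]

AS_OF = date(2012, 4, 5)  # reference date for evidence age (this post's date)


def requirements(controls: List[Control], framework: str) -> Dict[str, Set[str]]:
    """Map each requirement of `framework` to the ids of the controls that satisfy it."""
    out: Dict[str, Set[str]] = {}
    for c in controls:
        for req in c.satisfies.get(framework, ()):
            out.setdefault(req, set()).add(c.control_id)
    return out


def overlap(controls: List[Control], fw_a: str, fw_b: str) -> Tuple[float, List[str]]:
    """Fraction of fw_a's requirements whose controls also serve fw_b, and the
    controls that serve fw_a only (the unique residual that still needs separate work)."""
    by_id = {c.control_id: c for c in controls}
    reqs_a = requirements(controls, fw_a)
    shared = {req for req, ids in reqs_a.items()
              if any(fw_b in by_id[i].satisfies for i in ids)}
    unique = sorted(c.control_id for c in controls
                    if fw_a in c.satisfies and fw_b not in c.satisfies)
    fraction = len(shared) / len(reqs_a) if reqs_a else 0.0
    return fraction, unique


def stale_evidence(controls: List[Control], as_of: date,
                   max_age_days: int) -> Dict[str, Optional[int]]:
    """Controls whose evidence is missing (None) or older than max_age_days,
    with the age in days: the answer to "how far out of date is it?"."""
    stale: Dict[str, Optional[int]] = {}
    for c in controls:
        if c.evidence_collected is None:
            stale[c.control_id] = None
            continue
        age = (as_of - c.evidence_collected).days
        if age > max_age_days:
            stale[c.control_id] = age
    return stale


def demonstrate_many(controls: List[Control]) -> Dict[str, List[str]]:
    """One evidence collection per control, listing every framework requirement
    that single collection demonstrates ("run once, demonstrate many times")."""
    return {c.control_id: sorted(f"{fw}:{req}" for fw, reqs in c.satisfies.items()
                                 for req in reqs)
            for c in controls}


def collection_savings(controls: List[Control]) -> Tuple[int, int]:
    """(evidence collections needed, requirement demonstrations they support)."""
    plan = demonstrate_many(controls)
    return len(plan), sum(len(v) for v in plan.values())


if __name__ == "__main__":
    for a, b in [("SOX", "PCI"), ("SOX", "HIPAA"), ("PCI", "SOX")]:
        frac, unique = overlap(CONTROLS, a, b)
        print(f"{a} vs {b}: {frac:.0%} overlap; {a}-only controls: {unique}")
    print("stale or missing evidence:", stale_evidence(CONTROLS, AS_OF, 180))
    print("collections vs demonstrations:", collection_savings(CONTROLS))
```

Run it as a script to print the overlap and freshness report. The overlap figure is directional, so check both orderings of a pair: the residual unique to SOX (here C-07) is not the residual unique to PCI (here C-04), and both have to be worked separately after the shared evidence is collected once.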

But in general, the reaction from both auditors and IT organizations employing the practice is that it results in working smarter, not harder.

It appears the regulatory burdens are not getting simpler or fewer: it would be wise to implement this gold-standard practice of the best performers, if only to retain your sanity and reduce your budget.

Thinking beyond the Global Payments breach

Friday, March 30th, 2012

Almost everyone that’s in a security role in organizations other than those at Global Payments probably expressed a big sigh of relief along the lines of, “Boy, am I glad it wasn’t me.”

In case you missed the news, see:

Breach Hits Card Processor Global Payments at the WSJ

MasterCard, VISA Warn of Processor Breach at Krebs on Security

And for all we know, some folks in the security-know at Global Payments might even be whispering, “We told you so…”

If this sounds like you, it probably is.

Recent discussions with some CSOs and CISOs indicate it may be time to re-evaluate the current approaches to detecting vulnerabilities, infections, and threats, if what happened at Global Payments is beyond normal due diligence and practice.

Some of these people have said that their Web applications and systems are routinely infected and that pretending otherwise is simply foolish and blind. These same people say what’s needed is something that can easily be used by ordinary systems and network administrators, that will readily identify the proverbial needles in the haystack, in situ, and allow rapid decisions so as to tackle the highest-risk problems first.

If this sounds like you, it probably is.

If you’re like these people, it may be time to think beyond the problem that surfaced at Global Payments today, to rethink how we can effectively use our resources and keep the hidden needles from causing more damage. If your networks are already infected and you can’t triage them effectively and fast enough today, how will you climb out from behind this potentially no-win posture?

Let us know what you think these approaches might be and we’ll share what we find out.

You Get What You Pay For

Monday, March 26th, 2012

Cutting IT budgets to reduce operating costs is directly related to reductions in customer retention, revenue and profit. The organizations focused on reducing operating expenses for IT are, in general, the same ones also reducing the budget for information security and related internal IT audits. After all, information security and audits of IT are operating costs.

Well, do you get what you pay for?

The ongoing research shows the organizations with a special zeal for cutting operating expenses in IT are the ones suffering the highest customer defections, the worst year-to-year performance measured by revenue and profit, and the highest rates of business downtime from IT-related disruptions, losses and thefts of sensitive data, and deficiencies in IT found by external audits.

In an earlier post, we highlighted how the difference in spend on information security as a percentage of the IT budget is related to outcomes, and how this spending changed over the period from 2006 through 2011.

What’s interesting about the findings is that not much has changed during this five year period. The firms with the best outcomes continue to outspend all of their peers when it comes to information security, despite the recession that occurred mid-way into this five year period.

See the original post, Do You Feel Lucky, Well Do You?, for spending on information security from 2006 through 2011.

In addition to looking at spend as a percentage of IT spend, it is even more instructive to look at absolute spending on information security.

When the dependence on IT spend is removed and you look at the absolute spending allocated to information security, the results are even more black-and-white. The worst performers are spending about one-tenth of what the average performers spend, while the best performers are spending almost 2.5 times more than the average performers. Compared with the worst performers, the best performers are spending almost 25 times more: an astounding difference.

Figure: Outcomes and spending on information security
Source: IT Policy Compliance Group, 2012

Do you get what you pay for?

Is the difference in outcomes related to the differences in spending?

Here we find direct evidence that you get what you pay for: those spending the least have the worst track records for revenue, profit, customer retention, IT-related business disruptions, data losses and thefts, and audit deficiencies. Those spending the most on information security experience the opposite, with the best track records on every one of those measures.

In this day and age, when the notional perimeter is becoming more and more obsolete and IT is becoming more important, reducing operating expenses for information security is like cutting your feet off to reduce your weight.

You’re bound to lose some weight but at the risk of bleeding to death.

The research findings confirm: You get what you pay for.

Let us know what you think accounts for the differences in spend and outcomes.

What’s Privacy Worth?

Monday, March 19th, 2012

Legislative no-man’s land

A seemingly endless number of bills covering the privacy of consumer information (more than 35) have been filed in the US, none of which have passed, and all of which are still sitting in committee referrals in the Senate or House of Representatives. Some examples of the lands-of-no-return for these filed bills include:

  • Subcommittee on Border, Maritime, and Global Counterterrorism
  • Committee on Commerce, Science, and Transportation
  • Subcommittee on Crime, Terrorism, and Homeland Security
  • Committee on Education and Labor
  • Committee on Energy and Commerce
  • Committee on Finance
  • Committee on Financial Services
  • Committee on Foreign Relations
  • Committee on Governmental Affairs
  • Committee on Health, Education, Labor, and Pensions
  • Committee on the Judiciary
  • Subcommittee on National Parks, Forests and Public Lands
  • Committee on Oversight and Government Reform
  • Subcommittee on Transportation Security and Infrastructure Protection
  • Committee on Ways and Means
  • Subcommittee on Workforce Protections
  • Committee on Homeland Security

For a more complete list of the legislation and status, see the coverage at EPIC:

EU refinements

Meanwhile, on January 25, 2012, the EU Commission adopted legislative proposals to reform and strengthen fundamental rights to data protection and unify the EU’s data protection laws and enforcement rules. See “Proposal on the Protection of Individuals with regard to the processing of personal data and on the free movement of such data”.

And see “the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data”.

Presidential politiks

Not to be outdone by Congress, the administration of President Barack Obama recently released a privacy blueprint and a Consumer Privacy Bill of Rights.

Other than lobbying, will anything change?

Unlikely. The calculus of commercial and government interests – some of which overlap, others of which don’t – and the presidential election-year cycle in the US indicate that much of what goes on in DC regarding “privacy” is going to stay inside the beltway.

What do citizen-consumers want?

Lost in the endless committee debates, jockeying between commercial interests and real-politicks are the citizens of the world, most of whom are being ignored by businesses and governments alike. Do citizens actually care about privacy?

The resounding answer from constituents is “yes”, as your own anecdotal evidence from water-cooler talk, PTA meetings and neighborhood discussions on the issue of privacy probably indicates. More evidence comes from Australia, where the University of Queensland recently completed its latest survey of 1,106 adults.

The Personal Information Project, run by Mark Andrejevic at the University of Queensland, found that more than 90 percent of adults want more say in how their personal information is used or not used by companies operating over the Internet, including laws governing their right to privacy, notification when data is being collected, a do-not-track option, the right to see what information a website stores about them, and the ability to have personal data deleted on request.

See the findings of the Personal Information Project at the University of Queensland for more information:

What’s Privacy Worth in the Market?

A recent NY Times article, “What would you pay for privacy?”, cites research conducted by ENISA to determine the economic choices people make regarding their personal information.

The original study is well worth reading if you are with a business or are in a legislative capacity. You can find it here:

Some of the interesting findings from this study include:

  • Most respondents (about 93%) are very interested in whether a firm protects their information or not (basically the same rate found in the Australian study)
  • A majority of purchases are made at privacy-friendly firms when there are no differences in prices (not surprising, and the study data backs the finding). As a result, privacy-friendly firms are able to capture a larger share of the market
  • However, when there is price differentiation, consumers show a tendency to choose cheaper services and goods (also not surprising, and the study data backs the finding)

The findings of this study should stimulate interesting discussions about yields, market penetration rates, demographics, and economic game choices among most commercial businesses, and therefore change the landscape of how we think about privacy.

Recommendations of the ENISA study:

  • If there are little to no differences in the prices offered for homogeneous goods, privacy-friendly firms will obtain a competitive advantage.
  • Regulatory frameworks should allow for sufficient flexibility for businesses to offer different menus regarding prices and personal data requirements
  • Standardized and simplified data collection requirements, data protection and privacy policies should be made more visible to consumers in order to enable comparison of terms
  • Regulation should encourage the portability and transfer of standardized personalized consumer profiles upon the consent of consumers and in accordance with personal data protection legislation to reduce switching costs for consumers and increase price competition among firms

The study authored by ENISA, “Study on monetising privacy: An economic model for pricing personal information”, is one of the better, more recent economics-grounded studies of privacy and the choices that consumers make.

An older study entitled “What is privacy worth?” – which is also worth looking at – can be found at:

And, for cynics who are only focused on the cost-risk and cost-benefit tradeoffs of litigation, another small piece of evidence from Thomson Reuters might be of interest:

It’s worth the time to download and read these reports to determine how your company can best implement and leverage consumer-friendly privacy policies and practices that will create more business, more revenue and larger profits – while being mindful of competitive displacement.


Lost Your Cell Phone? Assume the Worst

Monday, March 12th, 2012

If you lost your cell phone today, would you get it back?

Don’t expect it back. Worse yet, the information on the phone – and the resources accessed through the phone – are most likely compromised.

A recent study published by Symantec shows you have a 50/50 chance of getting your cell phone back; finders in some cities are more likely to notify you and return the phone, and in others less likely.

The recent test run by Symantec involved 50 pre-configured smartphones that were left in publicly accessible places in North American cities.

The key findings include:

  • For 50% of the lost phones (25 of them) the finders tried to return the phone
  • Once found, 96% (48 of the 50) of the finders accessed the devices to see what they could find

More coverage can be found at these links:

And, of course, the original findings of the study can be found here.

So, what does this mean if you’re dealing with the loss of your own phone, or your company’s phone and you have sensitive information on it, banking applications on it, or passwords for sensitive accounts on it, and more?

Find out by reading what the best performers do about managing mobile computing, Managing the Benefits and Risks of Mobile Computing.

And, see what these organizations do about Data Driven Reporting and Communications about IT.


Pay Attention to Changing Risks and Controls

Monday, March 5th, 2012

Risk and controls go together like salt and pepper.

It’s just that sometimes we forget about the ever-changing relationship between the two, and instead spend a lot of fruitless time remediating controls in IT based on past assumptions or simply their severity, without any relationship to current business risks, complementary controls or changed conditions.

Acme Conglomerate

The following story about the experience of one organization helps explain the importance of paying attention to changing risks and controls. Similar conditions at your organization are purely coincidental.

Acme Conglomerate (not the real name of the organization) depended on its financial transaction processing systems to accurately account for store-sales during its heaviest seasons and for routine month- and quarter-end rollups and reporting.

Originally staged on mainframes, the relevant applications were migrated several times to other platforms, including System/36 minicomputers, and then onto PCs. About two years ago the applications were virtualized and run on demand, as needed and from whatever PCs were available.

When the applications were hosted on the mainframes, they were assigned a “severity level 1” rating whenever they were degraded or not available. The impact of a Sev-Level 1 rating is that someone in IT is dispatched immediately to investigate and restore service as rapidly as possible. The time frame for resumption of service for these applications is two hours at Acme Conglomerate.

The assignment of Sev level 1 for these applications has not changed since it was first made, when the applications were first deployed on the mainframe. Since then, the retail portion of Acme’s business has declined from 76 percent of its revenues to 22 percent.

A brief look at the severity level (or “Sev level”) assignments at Acme Conglomerate reveals:

Sev-levels at Acme Conglomerate

Sev 1: assigned to mission-critical production systems being down with no workaround immediately available

Sev 2: assigned to noticeable changes in performance or throughput for some critical systems that are operating in a restricted manner

Sev 3: assigned to degraded functions or performance impacting only some users of the IT systems

Sev 4: assigned to routine problems affecting a small number of users of IT systems

The original thinking had been that these financial recording and reporting applications were critical to Acme’s financial reporting, that the mainframe being used to generate the information was an expensive resource, and that the inability to produce accurate financial data could lead to business risks the organization wanted to avoid.

Over the years the changes that occurred included the acquisition of non-retail businesses that came to represent a larger share of the organization’s business, and cheaper and more easily replaced IT resources, leading eventually to virtualization and run-anywhere, any-time operation for the applications. In addition, complementary controls evolved along with the platforms to deal with notification and more automated forms of remote recovery in case something was not working. And one other thing changed: in the past six years the company has had to report on material impacts from operational events related to its financial reporting.

Despite the changes in its business, its systems and complementary controls, Acme Conglomerate has kept the assignment of Sev 1 with these retail financial rollup applications, even when it’s no longer warranted.

Was this a major problem for the company? No, but it did waste resources, including time and money that could have been spent on more critical issues. And, because IT was forced to treat this application as “Sev 1” well after it was necessary, additional expenses were borne to treat other Sev-1 problems that posed much higher business risks for the organization.

Which severity level is appropriate at Acme Conglomerate?

Given the changes in its business, its regulatory reporting requirements covering the information and controls, and the systems being used to run these applications, what severity level would you assign to this?

Severity levels and risk

The use of severity levels plays a critically important role by informing people about events that should be responded to, and importantly, what they should do to respond and in what time-frame. But, severity levels are not the only marker to use when making decisions about mitigating actions.

And, business downtime is not the only possible business risk related to the use of information systems. Examples of others include events impacting intellectual property, the brand of the organization, Internet security threats, and other high-profile threats.

But frequently, we forget to take into account the business risks, and as happened at Acme, we forget to update our assumptions about risk as conditions change.

Lessons learned

For some organizations, the lessons have been to develop, implement and maintain a centralized Risk Register, while for others the nature of operations dictates the use of different Risk Registers, some of which are IT-focused, others of which are line-of-business focused. Which approach – business or IT-focused – do you think is delivering better results?

For others, formal change-control boards and change-management systems are required for IT-related resources employed in a production capacity. Why is the use of formal change control procedures helpful?

For others, Sev-levels have been re-thought. For example, I know of some organizations where Severity level 1 is now only associated with potential death or injury, and all other threat-events have lower severity levels associated with them. At others, I’ve seen a time-dimension added to the categorization of threats and severity levels, which includes the impact of non-trivial Internet security threats. At other organizations, the use of automated asset discovery procedures and mappings of assets against regulatory mandates, risk registers, controls, severity levels and policies is common.
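To make the Acme question and the lessons above concrete, here is an added example (not code from the original post or the IT Policy Compliance Group) of a risk-register entry whose severity is derived from current conditions instead of being fixed at deployment time. It re-derives the Sev level of the retail rollup application as it was originally rated (76% of revenue, mainframe, no workaround) and as it runs today (22% of revenue, virtualized run-anywhere copies, automated remote recovery), adds the time dimension mentioned above by tightening the allowed outage window at month- and quarter-end, and flags entries that are stale or whose filed Sev level no longer matches. The scoring thresholds, the period-end rule, the review dates and the field values are assumptions chosen to illustrate the idea, not Acme data.

```python
"""Risk-register review with derived severity levels (added example; thresholds are assumptions)."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class RiskEntry:
    system: str
    assigned_severity: int             # the Sev level currently on file
    last_reviewed: date                # when the entry was last re-assessed
    revenue_share: float               # fraction of revenue that depends on the system
    workaround_available: bool         # e.g. run-anywhere virtualized copies
    automated_recovery: bool           # complementary control: notification + remote recovery
    users_affected: float              # fraction of users hit by an outage
    hours_to_impact: float             # hours an outage can last before the business is hurt
    hours_to_impact_period_end: float  # the same, during month- and quarter-end rollups


def is_period_end(day: date, window_days: int = 3) -> bool:
    """Time dimension: the last `window_days` days of any month count as period end (assumption)."""
    last_day = calendar.monthrange(day.year, day.month)[1]
    return day.day > last_day - window_days


def derive_severity(e: RiskEntry, on: date) -> int:
    """Map current conditions onto the post's Sev 1-4 definitions.

    Sev 1: mission-critical production system down, no workaround immediately available
    Sev 2: critical system operating in a restricted manner
    Sev 3: degraded function or performance for some users
    Sev 4: routine problem affecting a small number of users
    """
    hours = e.hours_to_impact_period_end if is_period_end(on) else e.hours_to_impact
    # Assumption: "mission-critical" means at least half of revenue rides on the system,
    # or an outage hurts the business within the two-hour restoration target.
    mission_critical = e.revenue_share >= 0.5 or hours <= 2
    # A complementary control that recovers the service automatically counts as a workaround.
    workaround = e.workaround_available or e.automated_recovery
    if mission_critical and not workaround:
        return 1
    if mission_critical or e.users_affected >= 0.5:
        return 2
    if e.users_affected >= 0.1:
        return 3
    return 4


def review(register, on: date, max_age_days: int = 365):
    """Return (system, finding, filed_sev, derived_sev) tuples for stale or mismatched entries."""
    findings = []
    for e in register:
        if on - e.last_reviewed > timedelta(days=max_age_days):
            findings.append((e.system, "stale", e.assigned_severity, None))
        derived = derive_severity(e, on)
        if derived != e.assigned_severity:
            findings.append((e.system, "severity-mismatch", e.assigned_severity, derived))
    return findings


# Constructed sample entries: the same application as originally rated and as it runs today.
ACME_ORIGINAL = RiskEntry("retail-rollup (mainframe)", 1, date(1998, 1, 1),
                          revenue_share=0.76, workaround_available=False,
                          automated_recovery=False, users_affected=0.6,
                          hours_to_impact=8, hours_to_impact_period_end=2)
ACME_TODAY = RiskEntry("retail-rollup (virtualized)", 1, date(1998, 1, 1),
                       revenue_share=0.22, workaround_available=True,
                       automated_recovery=True, users_affected=0.15,
                       hours_to_impact=24, hours_to_impact_period_end=2)

if __name__ == "__main__":
    # Mid-month: the virtualized application derives to Sev 3; the filed Sev 1 is flagged.
    for finding in review([ACME_ORIGINAL, ACME_TODAY], on=date(2012, 3, 5)):
        print(finding)
    # Period end: the rollup deadline bites within two hours, but automated recovery
    # provides a workaround, so it derives to Sev 2 rather than Sev 1.
    print(derive_severity(ACME_TODAY, on=date(2012, 3, 30)))
```

Run as-is, the review lists both entries as stale and the virtualized entry as a severity mismatch (filed 1, derived 3); at month-end the same entry derives to Sev 2. The point is not the particular thresholds but that the Sev level is an output of the register, recomputed against revenue share, complementary controls and calendar context, rather than a constant copied forward from the mainframe era.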

To see additional practices, download a free copy of the latest research, Data Driven Reporting and Communicating about IT, at the IT Policy Compliance Group.

What are some of the lessons learned at your organization?


Some additional resources:

Severity Levels and Security, Vista Internet Bank Audits.

Severity Levels, Columbia University.

Risk register, Wikipedia.

Benefits of a Change Control Board, PMI.

Risk and controls, U. Central Florida

Evolution of Risk and Controls, KPMG.

Operational Risk Systems and Controls, FSA-UK.