Who Should Be in Charge of Standards for Protecting Customer Data?

Should lawyers be in charge of defining and managing critical standards for protecting sensitive information? This is the fundamental question that decision-makers need to ask when it comes to protecting an organization's most valuable assets: its core business information and its customer data.

Legal eagles: stuck in the middle

According to research by the IT Policy Compliance Group, most organizations, nearly 7-in-10, rely on legal counsel to direct, establish and maintain the organization's objectives for the availability, integrity and confidentiality of information. But the track record of these organizations shows that placing legal counsel in charge is not working: among them, the loss or theft of customer data averages more than 8 such events each year.

Whether data loss or theft is due to intentional misuse, fraud, theft, mistakes, employees, stolen laptops, misplaced thumb drives, third parties, contractors or cyber-crime, customer data loss and theft rates are much higher among organizations where the legal function is in charge of establishing and managing the objectives and standards. In the other organizations, including both those with the highest and those with the lowest levels of data loss or theft, the legal function plays a more advisory role.

Figure 1: Who’s in Charge of Critical Information Standards

Source: IT Policy Compliance Group, 2010

Figure 1: The most data loss and theft occurs among organizations where information integrity, availability and confidentiality objectives are defined and managed by business lines. Organizations with fewer data losses and thefts have these defined and managed by legal counsel. Those with the least loss or theft of data are led by IT.

The business line blues: most data loss and theft

Unfortunately, about 2-in-10 organizations are experiencing the highest rates of data loss and theft. Among these organizations, core information integrity, availability and confidentiality objectives and standards are established and maintained by business units and business divisions. In these situations, those closest to the customer data are charged with establishing and managing the organization's legal, regulatory and IT objectives for that data, much like a "fox guarding the hen house." The research shows this approach is not working at all: these organizations have the worst track records for protecting sensitive information.

IT-led best performers: least data loss and theft

In contrast, the slightly more than 1-in-10 organizations posting the least loss or theft of customer data charge IT with the responsibility for establishing and maintaining critical objectives for information availability, integrity and confidentiality. Unlike the other approaches, where legal counsel or business lines are in charge, the evidence shows the IT-led approach yields much better results.

Importance of legal guidance and regulatory mandates

In formulating guiding principles, which should draw on legal requirements, business unit needs, human resource considerations and local conditions, it is worth looking at which forms of guidance are working in other organizations.

Among those with the least loss or theft of customer data, internally developed and maintained standards for information integrity, availability and confidentiality are the most commonly employed form of guidance for information security policies. After these, regulatory mandates and guidelines, followed by legal requirements and interpretations, round out the top forms of guidance employed by organizations with the best track records for protecting customer data.

In comparison, those experiencing the most loss and theft of customer data only sometimes use internally developed standards and guidelines for information integrity, availability and confidentiality.

Figure 2: Use of Guidance by Outcomes Experienced

Source: IT Policy Compliance Group, 2010

Figure 2: Standards for information integrity, availability and confidentiality are almost always implemented by organizations with the lowest data loss and theft. Organizations with higher levels of data loss and theft only sometimes implement these standards, regulatory mandates and legal statutes.

Importance of business-focused policies and controls

Not all policies and controls for managing the business risks of handling customer data carry equal weight, and some are downright dangerous. For example, the CISO at a major financial services firm insisted on partitioning the organization's flow of customer credit card data with hardwired firewalls and related controls. Over time, accommodations made to meet business needs punched holes in those firewalls, negating the control objectives the CISO's mandated approach was meant to achieve.

Policy and control implementations must differ in order to accommodate geographic differences in local statutes and cultural conventions while still adhering to the organization's overall standards. Forcing a one-size-fits-all set of policies and controls on the management of customer data may be easier for IT to administer, but it often produces negative unintended consequences, especially where business lines are not participating in shaping policy decisions about controls and risks.

A flexible, more logical approach to policy and controls is more adaptable than hardwired methods, and will help the organization keep pace with evolving regulatory and legal challenges while still meeting its objectives for managing customer data.

Lessons learned

While other factors such as user training, segregation of duties, data backups, data classification, inventorying sensitive data, testing for data leakage, and risk-based monitoring and reporting all play key roles in stemming the loss and theft of customer data, the organization's approach to establishing policies and controls has the greatest impact.

Establishing the "rules of the road" may be best led by IT, but it must be accompanied by significant contributions from legal counsel, business unit managers in local regions and human resources, as well as a clear understanding of the impact that policies and controls will have on local operations.
