Three Security-Fortifying Steps to Take Now
Maintaining the best security is tough, with more applications running in the cloud, hackers getting more creative, and regulatory penalties increasing. What’s a security manager to do?
A white paper from PwC, Fortifying your defenses: The role of internal audit in assuring data security and privacy, looks at the role internal auditors can play in keeping an enterprise safe. Before you groan (yes, I know, we all hate those nit-picky, can’t-see-things-from-IT’s-perspective auditors), PwC’s recommendations make sense in light of today’s complicated IT environment.
PwC acknowledges that many companies already have comprehensive security controls and privacy policies in place. Notes Dean Simone, head of PwC’s risk assurance practice in the United States, “To battle the ever-changing hacker profiles and accelerating rate of technological change, companies need to constantly re-evaluate their privacy and security plans.”
Based on figures cited in the white paper, IT’s not keeping up. For example, “In 2011, only 39 percent of nearly 10,000 executives in 138 countries said they reviewed their privacy policies annually, compared to 52 percent in 2009. Only 41 percent had an identity management strategy in 2011, a decrease from 48 percent in 2009.” Those are not good signs.
PwC offers three lines of defense IT can establish to fortify an enterprise’s defenses, quoted here from the report:
Management: Companies that are good at managing information security risks typically assign responsibility for their security regimes at the highest levels of the organization. Management has ownership, responsibility and accountability for assessing, controlling and mitigating risks.
Risk management and compliance functions: These functions facilitate and monitor the implementation of effective risk management practices by management and help risk owners in reporting adequate risk-related information up and down the firm.
Internal audit: Provides objective assurance to the board and executive management on how effectively the organization assesses and manages its risks. It’s imperative that this line of defense be at least as strong as the first two for critical risk areas.
It’s not enough to have policies in place -- an enterprise has to make sure the policies are enforced and those policies are sufficiently up-to-date to handle the latest security threats.
The 12-page report is available at no cost here. No registration is required.
-- James E. Powell
Editorial Director, ESJ
Posted on 09/17/2012 at 1:35 PM