In-Depth

Research Reveals Steps to Protect Sensitive Data

A new report from the IT Policy Compliance Group examined leaders and laggards to identify core competencies and steps to improve data protection.

• By James E. Powell
• 12/11/2007

The IT Policy Compliance Group released its latest benchmark research report, "Core Competencies for Protecting Sensitive Data," which concludes that only one in ten organizations adequately protects its sensitive data. The report’s analysis of variables between leading and laggard companies in the area of data protection offers insight into the actions and best practices that can lead to less data loss, improve compliance results, and sustain competitive advantage.

The report incorporates responses from more than 450 organizations globally. Among its findings is the strong correlation between the loss of sensitive data and regulatory compliance results. Enterprises that "excel at protecting sensitive data also perform well on regulatory compliance audits," the researchers report. "Nearly all (96 percent) of the organizations with the least loss of sensitive data are the exact same organizations with the fewest regulatory compliance deficiencies that must be corrected to pass regulatory audits," ITPCG said in a statement. It notes that 64 percent of organizations with the greatest loss of sensitive data also have the largest number of regulatory compliance deficiencies that must be corrected to pass audit.

Organizations with fewer data losses have the best regulatory compliance audit results. They demonstrate a set of core competencies that also minimize the financial impact of data breaches. ITPCG says the core competencies include:

Organizational structure and strategy

• Implement a world-class compliance program
• Document and maintain policies, standards and procedures
• Reorganize internal controls, IT security, and risk management functions to leverage customer intimacy and operational excellence

Customer intimacy

• Define the roles and responsibilities of policy owners
• Identify and manage business and financial risks
• Deliver employee training and manage exceptions to policy

Operational excellence

• Expand the scope of internal audit to most business functions
• Make control objectives risk-relevant
• Reduce the number of control objectives
• Implement controls that are measured
• Conduct self-assessments of procedural controls
• Increase the frequency of technical controls assessment
• Implement a complete IT change management program
• Use IT change management to prevent unauthorized use or change

After analyzing firms with the least amount of sensitive data loss (leaders) and those experiencing the great data loss (laggards), the researcher identified steps that can help improve data protection. These steps include defining fewer control objectives, conducting assessments more frequently, and leveraging IT change management to prevent unauthorized use or change. The report found that:

• Leaders define 30 control objectives on average and conduct assessments once every 19 days; they experience two or fewer data losses and thefts annually, and two or fewer compliance deficiencies annually.
• In contrast, laggards define 82 control objectives on average and conduct assessments every 230 days; they have 13 or more data losses and thefts annually and 22 or more compliance deficiencies each year.

The research notes that the quality of controls is "not as important as their appropriateness for specific risk and the frequency of controls assessment," said ITPCG in a statement. "Organizations not implementing risk-appropriate controls and not assessing the effectiveness of procedural and technical controls frequently enough are highly predisposed to data loss and theft. Firms with nonexistent controls and infrequent controls assessment are the firms experiencing the highest rates of frequent data loss and theft."

To download the complete research report, click here.