Rationalize control objectives and controls


Organizations with the least loss and theft of sensitive data implement fewer, risk-relevant control objectives (policies) than all other firms.  In addition, these leaders implement more controls than the number of control objectives: between three and four times as many (Figure 1).

 

Figure 1: Audit more business functions

Source: IT Policy Compliance Group, 2007

 

Guidance recommendations

 

If your control objectives are not focused on core business and regulatory risk, then they are candidates for a diet.  If there are not enough procedural and technical controls to implement policies, then it is likely time to put some teeth into those policies.  Based on the benchmark results, the optimums are:

 

 

·       30 control objectives

·       105 procedural and technical controls

·       3.5 times as many controls as objectives

 

 

© IT Policy Compliance Group, 2007

 

 









Seven of ten (70%) compliance deficiencies are directly related to deficiencies found in IT security.


