Overall, government agencies are in much better shape when it comes to compliance and IT security performance results than their private-sector counterparts. There are fewer government agencies operating as compliance laggards, fewer operating at norm, and more performing as leaders when compared with commercial and non-profit organizations. However, not all government agencies perform at the same level (Table 1).
Only 3 percent of small government agencies (less than $50 million budgets) operate as compliance laggards, with an average of 35 compliance deficiencies and IT security events resulting in financial harm. This compares with 15 percent of midsize agencies ($50 million to $999 million budgets) performing as laggards, and 17 percent of large agencies ($1 billion or larger budgets) performing as laggards.
Among small and midsize agencies, 62 percent and 82 percent respectively operate at the norm, exhibiting between 3 and 15 compliance deficiencies and IT security events resulting in financial harm. By comparison, only 41 percent of large government agencies are performing at norm.
The best performers, those with fewer than 3 compliance deficiencies and financially harmful IT security events, are found among large agencies with budgets larger than $1 billion, where 42 percent of these organizations achieved outstanding IT compliance results. Not far behind are small agencies, where 34 percent are operating as leaders. In comparison, 23 percent of midsize agencies are operating as leaders.
Table 1: Government IT Compliance Results by Size of Budget
| | Government (Less than $50 million budget) | Government ($50 million to $999 million budget) | Government (More than $1 billion budget) |
|---|---|---|---|
| Laggards (More than 15) | 3% | 15% | 17% |
| Norm (3 to 15) | 63% | 62% | 41% |
| Leaders (Less than 3) | 34% | 23% | 42% |
Source: ITPolicyCompliance.com, 2006
Government Compliance Pressures Differences
Compared with the private sector, public-sector organizations are under slightly different regulatory pressures. The top three compliance pressures forcing government agencies to take action include:
- data protection and privacy (65 percent)
- data retention, destruction and legal discovery (52 percent)
- FISMA (40 percent)
Closely following FISMA, HIPAA is the next most pressing regulatory mandate causing government agencies to take action.
Among the private sector, the top three pressures are: 1) data protection; 2) Sarbanes-Oxley; and 3) data retention, destruction and legal discovery. As with government agencies, HIPAA is the fourth major pressure causing private-sector firms to take action.
Strategic Actions - and Performance Results - Differ
The actions being taken by government compliance leaders in responding to regulatory pressures align nearly identically with those of private sector leaders (Figure 1).
However, leading government organizations are implementing three actions that differ significantly from those of the private sector. These actions are the automation of:
- Monitoring and reporting
- IT configuration and controls management
- IT controls and procedures
The differences between government agencies and private-sector businesses in these three areas are: (a) 23 percent more government leaders automating monitoring and reporting; (b) 24 percent more government agencies automating IT configuration and controls management; and (c) 20 percent more government leaders automating IT controls and procedures.
Figure 1: Strategic Actions Taken to Respond by Leaders

Disparity in Results and Actions Undertaken
Government has almost twice as many compliance leaders as the private sector. Research indicates that 32 percent of government agencies are able to claim negligible financial impact from IT security events and a small number of regulatory compliance deficiencies, compared with 11 percent of organizations in the private sector.
Guidance Recommendations:
Guidance for all organizations, based on fact-based benchmark results, includes: