Leading Cause of Compliance Deficiencies for Midsize Businesses
The three areas found most deficient among midsize organizations (between $50 million and $500 million in revenue, assets under management or annual budget) are: 1) documentation; 2) access controls for PCs, laptops and mobile field devices; and 3) configuration and controls change management. Compared with the industry leaders, midsize businesses are more deficient in four of the top ten deficiencies (Figure 1).
Figure 1: Compliance Deficiencies among Midsize Organizations

Source: ITPolicyCompliance.com, 2006
Actions to Improve Results
The top three actions taken by midsize organizations to improve compliance results are: 1) documenting IT security policies, standards and procedures; 2) documenting business procedures, IT assets and controls; and 3) automating IT audit, monitoring and reporting. However, when compared with the industry leaders, midsize organizations are further behind in all ten of the top ten actions to improve IT compliance results (Figure 2).
Figure 2: Actions Taken to Improve Compliance Results by Midsize Organizations

Source: ITPolicyCompliance.com, 2006
Comparing the Most Important Action to Improve Results
About 44 percent of midsize organizations increased the frequency of IT audit and monitoring, compared with 60 percent of industry leaders. However, the interval between IT audit and monitoring activities among midsize organizations is 162 days, compared with 21 days for the industry leaders.
Guidance Recommendations:
Guidance for midsize organizations, based on fact-based benchmarks, includes:
- Increase the frequency of IT audits, measurements and reporting to at least monthly, if not more frequently.
- Improve controls for PCs, laptops, mobile field devices, information, and data archives.
- Prioritize improvements for the areas with the highest deficiency rates.
- Reprioritize actions to further improve results.
© IT Policy Compliance Group, 2006