New Research: Identifies practices and policies to improve information security
May 25, 2010 — New research reveals how organizations use specific practices and policies to minimize the impact of business downtime caused by information security problems and deficiencies, and achieve the fewest incidents of loss or theft of sensitive information.
A new report from the IT Policy Compliance Group (ITPCG) entitled “Automation, Practices and Policies in Information Security for Better Outcomes” highlights how organizations with the “best results” exhibit distinctive profiles for automation, practice and policy that others can learn from to improve their own information security posture.
Covering forty practices and twenty-seven areas of policy coverage, the detailed findings of the IT PCG’s most recent report deliver fact-based insight into what’s working best, including:
· Comparison of benchmarked outcomes for organizations surveyed along with a description of declining outcomes during 2009
· The top 10 information security practices that result in better outcomes
· The major policies that result in better outcomes
· A comparison of financial outcomes for organizations that incorporate specific practices and policies
“As this report indicates, most enterprises can significantly reduce data loss and improve service levels by implementing, and automating, a portfolio of effective security practices and policies,” said Everett Johnson, CPA, past international president of ISACA. “Many excellent resources, such as the COBIT framework for IT governance, are available at no cost to help enterprises reach their goals and provide higher levels of control and protection for their information assets.”
A free executive summary download and the full report are both available at: .
Based on the research, the report provides guidance and recommendations that include:
- Conducting an inventory of current practices, policies and levels of automation currently implemented for information security
- Conducting an analysis to determine the gaps between current practice and the detailed benchmark findings by comparing currently implemented practices and policies against benchmarks in the research
- Developing an action plan to improve practices, policies and due-diligence for information security by evaluating the most deficient practices and policies and setting short and long term goals
- Measuring and reporting on results from improvements to demonstrate progress and success
“Companies that successfully manage business risks are those that have aligned their IT processes to mitigate regulatory, legal and contractual requirements with automation and a continuous assurance improvement program,” noted Rocco Grillo, a managing director in Protiviti’s Security & Privacy Management Practice. “The 2010 IT Policy Compliance Group benchmark report demonstrates that mature security programs manage risk through the adoption and implementation of information security policies along with automated controls. They are the same companies that operate with less downtime caused by the loss of data or compromise of critical assets.”
Visit /research_reports/ for additional information.
New Research: CISOs Deliver Better Results
February, 2010 — Organizations that have a chief information security officer (CISO) derive more value from their information assets, according to new research from the IT Policy Compliance Group.
Benefits of having the CISO position include:
- Higher customer retention, revenue and profit
- Lower rates of customer data loss or theft
- Reduced financial exposure from data loss
- Higher levels of business productivity related to IT assets
- 50 percent lower costs for audits
Based on the IT Policy Compliance Group’s (ITPCG’s) benchmark research of 809 organizations, the aptly titled report, “Best Practices for Managing Information Security,” covers the impact that organizational structure and strategy are having on managing the value of information and information assets.
“The degree of alignment between outcomes and the effectiveness of managing productivity and risk related to the use of IT is a must-read for anyone managing the information security function,” emphasized Jim Hurley, Managing Director, IT Policy Compliance Group.
“Managing information security requires security governance and a top-down approach from the C-Level,” said Rocco Grillo, Managing Director with Protiviti’s Information Security & Privacy Management practice. “All too often, the role of information security is buried in the IT organization and not aligned to reduce risks and costs from losses related to security and privacy breaches as well as meeting compliance obligations.”
In addition to examining the relationship among benefits, risk, outcomes, and who leads the information security and assurance function in organizations, the new research report also covers:
- Who sets direction for information integrity, availability and confidentiality standards
- Organizational strategies involving legal counsel, business divisions, human resources and IT
- Critical policies and targets missing by nine of every 10 organizations
- Standardization of procedures and controls
- Detailed coverage for managing information security and assurance functions
- Detailed coverage of day-to-day operations in IT
- Impact of senior management reporting structures
“Effective information security and management require senior management to be responsible and accountable,” according to Everett Johnson, CPA, past president of ISACA. “Organizations with CISOs or similar positions that demonstrate clear support from the top can be extremely valuable to the business in this competitive environment.”
Visit /research_reports/ for additional information.
New Report Provides Guidance for Best Practices in Information Security and IT Audit
September 2009 - A new research report from the IT Policy Compliance Group highlights the top practices for delivering the most effective information security, based on primary research of thousands of organizations. Entitled “Guidance for Best Practices in Information Security and IT Audit,” the report is available for download for members of www.itpolicycompliance.com.
The report describes 12 baseline practices implemented uniformly by the best performing organizations (those experiencing the least loss or theft of data, the highest IT service levels, and the fewest problems with audit), shown below.
| Focus area | Baseline practice |
| --- | --- |
| Managing communications about directions and aims | Distributing IT policies for adoption and exceptions |
| Managing IT processes, the organization and relationships | Managing IT security from a non-IT operations role |
| Managing the information architecture | Protecting information security, IT audit and customer data |
| Managing human resources | Delivering training to employees and contractors |
| Acquiring and managing IT assets | Maintaining an updated list of IT assets |
| Managing information and data | Using controls to automatically detect and prevent sensitive data from leaking |
| Managing operations | Automatically detecting and preventing unauthorized changes to critical IT assets |
| Ensuring systems security | Continuously monitoring critical IT assets and verifying findings against IT security standards |
| Monitoring and evaluating | Conducting daily and weekly assessments of critical IT controls |
| Managing quality | Conducting monthly assessments of procedural controls |
| Managing risks | Defining business risks based on objectives and standards for integrity, availability and confidentiality |
| Governance | Conducting ongoing assessments of business conditions, risks and controls |
While many of these practices may appear to be common sense, there is nothing common about their implementation.
Although the best performing organizations (1 in 10) implement all of these practices uniformly, the majority of organizations (7 in 10), which experience higher levels of data loss or theft, more downtime from IT failures, and more trouble with audit, typically implement just 6 of these practices.
By comparison, the 2 in 10 organizations experiencing the highest levels of data loss or theft, the worst IT service levels, and the most trouble in audit typically implement just 2 to 3 of these practices.
Going beyond the baseline practices, organizations with the best outcomes for information security practices also implement 10 other practices, at levels that are far above all other organizations.
The report also covers financial benefits measured by the benchmarks for improving information security and IT audit practices, including:
· Fifty percent less money spent on regulatory audit annually
· Fifty percent less time is spent supporting audit in IT
· Lowest rates of financial exposure and loss from customer data loss or theft
· Six percent higher customer retention rates
· Eight percent higher revenues
· Six percent higher profits
Click here to learn more about baseline practices and the top 10 practices for information security and audit in the most recent benchmark report, free for members of ITPolicyCompliance.com.
IT PCG Research Reveals Significant Savings Potential for Information Security and Audit
Feb. 2009 — The IT Policy Compliance Group (IT PCG) has released its latest benchmark research report, titled “Managing Spend on Information Security and Audit to Improve Results.” Based on research conducted with more than 2,600 firms, the study reveals that 68 percent of firms are under-spending on information security relative to the financial risks and losses they are experiencing. Yet incremental increases toward the funding of best practices are responsible for financial returns ranging from 200 percent to more than 100,000 percent for the average organization.
The new research, sponsored by the Computer Security Institute, The Institute of Internal Auditors, Protiviti, ISACA, IT Governance Institute, and Symantec Corp. (NASDAQ: SYMC) outlines a risk-based approach to budgeting for information security that rewards results; the practices responsible for managing business and financial risks from the use of IT; and the substantial reductions in spending on audit in IT.
“Like an insurance deductible, all organizations are willing to sustain some level of financial loss or theft to customer data or some level of business downtime from IT disruptions,” said Jim Hurley, managing director of IT PCG. “However, the research findings show that an organization’s loss-tolerance is exceedingly low, and the financial returns for small improvements are extraordinarily high.”
Top Business Risks
Firms ranked three business risks from IT well ahead of other possible risks: Confidentiality of sensitive information; Integrity of information, assets and controls in IT; and Availability of IT services. The IT PCG report leverages ongoing benchmarks to measure the performance of firms against these three risk areas. The results of the benchmark surveys can be broken up as follows:
- Worst Outcomes: 19 percent of all firms are experiencing more than 15 losses or thefts of data each year, 80 or more hours of business downtime from IT failures, and more than 15 audit-failing deficiencies.
- Normative Outcomes: 68 percent of all firms are operating at ‘normal’ levels, experiencing between 3 and 15 losses or thefts of data each year, between 7 and 79 hours of business downtime from IT failures, and between 3 and 15 audit-failing deficiencies.
- Best Outcomes: 13 percent of all firms are achieving the best results, experiencing fewer than 3 losses or thefts of sensitive information each year, less than 7 hours of business downtime, and fewer than 3 audit-failing deficiencies. The financial returns among these organizations range from 22 percent to more than 3,000 percent annually.
Surprisingly, the difference in outcome between the worst performers and the best performers was not a result of the size of security budgets. In fact, the differences in the size of security budgets were negligible. What mattered was how those budgets were used.
Reducing Risks & Costs
“Firms can either wait until an emergency pushes them to reprioritize, or they can decide that it is in their best interests to institute these industry proven practices,” said Hurley.
The new report details the following five practices being leveraged by those with the best outcomes and the least financial losses:
- Leveraging a senior management team to manage risk
- Prioritizing risks, improving controls, and automating procedures
- Continuous assessment of controls and risks
- Leveraging technical controls, policies, and IT change management
- Comprehensive reporting
"This report is a clear demonstration of the benefits that organizations can achieve from effective management of security, availability and other IT-related business risks," said Brian Barnier, member of the IT Governance Institute's Risk IT Task Force. "Good practices such as the freely downloadable COBIT framework can help organizations take specific actions to mitigate risk and maximize value."
New Research Shows Most Enterprises Are Spending Much More than Needed on Legal Requests for Data and Records
September 8, 2008 - The IT Policy Compliance Group today announced the availability of its latest research report entitled “Improving Results for Legal Custody of Information.”
The research shows that spending on legal data custody, legal settlements, legal expenses, and the internal costs to find, protect, preserve and produce information is much lower for companies with the most mature practices for responding to legal requests for information. Specific practices implemented among best-in-class organizations for the legal custody of information result in much lower expenses, including:
- 94 percent lower spending for legal settlements and fees than firms with the worst practices
- 92 percent lower spending among these firms for IT to find, protect and preserve information on legal hold
- 80 percent lower spending on legal settlements and fees than a majority of firms with normative practices
- 75 percent lower spending among these firms for IT to find, protect and preserve information on legal hold
As the maturity of practices for legal data custody improves in firms, the money spent on legal services and legal settlements declines substantially.
“As the report shows, proper IT governance, including data governance and up-to-date policies and procedures, can help an enterprise fulfill its legal responsibilities thoroughly and effectively,” said Everett Johnson, CPA, past international president of ISACA. “Strong IT governance activities help executives direct their IT for optimal advantage, reduce IT-related risks and increase confidence in the information provided by IT, all of which are increasingly critical since the report shows IT departments currently spend significant time responding to legal summonses.”
Click here to download the complete research report, entitled “Improving Results for the Legal Custody of Information.”
“Proper collection and subsequent handling of legal data not only helps an organization avoid spoliation claims and save significant amounts of money, but it also helps organizations protect themselves, their employees and clients,” said Lily Bi, CIA, CISA, director of technology practices for The Institute of Internal Auditors. “The strategic actions derived from these research findings stand as a valuable resource for internal auditors looking to mitigate risk and help organizations improve practices in this area.”
A few of the simple but very effective practices that organizations can take to improve results include:
- Establishing ground rules for reasonable anticipation of litigation
- Indexing as much data as possible to drive down costs
- Implementing standard procedures for releasing information from legal hold
“Litigation is increasing and the data gathering techniques performed during court cases are more sophisticated today. Those hard realities are driving more organizations to enhance their in-house capabilities and capacity to address the risks and costs associated with legal discovery,” according to Rocco Grillo, managing director with Protiviti Inc. “The IT Policy Compliance Group report clearly demonstrates the need for IT and legal departments to work together. Both the cost savings and the cost of non-compliance are too significant to ignore.”
To find out which practices are most responsible for improving results and lowering legal settlement fees, legal expenses, and the costs in IT to find, produce, protect and preserve information subject to legal requests, download the complete research report, entitled “Improving Results for the Legal Custody of Information.”
New Research Shows Benefits of Improving IT GRC Practices and Capabilities
More mature practices for managing IT equal better business results and lower financial risks
May 15, 2008 - The IT Policy Compliance Group today announced the availability of its 2008 annual research report, titled “IT Governance, Risk and Compliance - Improving business results and mitigating financial risk.” IT governance, risk and compliance (IT GRC) is about striking an appropriate balance between business reward and risk.
According to the annual report, which can be downloaded at /research_reports/it_governance/read.asp?ID=12, the maturity of IT GRC practices and capabilities is having a direct impact on the fortunes of organizations.
Primary benchmark research shows that the way to improve business results and reduce financial risk, loss and expense is to increase or enhance the competencies, practices and capabilities governing the use and disposition of IT resources.
The report, which incorporates responses from more than 2,600 organizations globally, concludes that slightly more than one in 10 organizations is posting the best business results and the least financial risk. The most recent benchmarks measure the impact that improvements to data protection, regulatory compliance and IT service level resiliency have had on business results, including: customer satisfaction, customer retention, revenue, expenses and profits.
“Fundamentally, IT GRC is concerned with two objectives: delivering value to the business and mitigating business risks from IT,” said Everett Johnson, CPA, immediate past president of ISACA and the IT Governance Institute. “Successful organizations accomplish these goals by aligning the business and IT strategy, and embedding accountability for effective IT into the organization, beginning with top leadership.”
According to the report, the raw scores clearly show that firms with better IT Governance, Risk and Compliance (IT GRC) results are enjoying much better performance when it comes to satisfying customers, retaining customers, and growing revenues and profits, than all other organizations. Some of the business results among firms with the most mature practices include:
- 17 percent higher revenues
- 14 percent higher profits
- 18 percent higher customer satisfaction rates
- 17 percent higher customer retention levels
- 96 percent lower financial losses from the loss or theft of customer data
- 50 times less likely to have customer data stolen or lost
- 50 percent less spent on regulatory compliance annually
“IT GRC is about managing the business of IT, including its top-line and bottom-line contributions,” said Jim Hurley, the managing director, IT Policy Compliance Group and a principal research manager with Symantec. “The latest research conducted by the IT Policy Compliance Group, focused on business results, provides a factual basis to assess the maturity of current practices, the business outcomes related to existing practices, and the ability to reliably identify the practices and capabilities that are delivering the most value.”
The report contains several recommendations to help improve IT GRC maturity levels and business results:
- Use a Balanced Scorecard to improve the delivery of value from IT
- Staff the governance committee from senior business, financial, legal, IT, regulatory and audit committee members
- Drive improvements to business outcomes with a measurable, continuous quality improvement program throughout IT
- Insist on monthly measurement and reporting to drive improvements
- Increase and automate technology controls to mitigate and avoid financial risk, brand damage and business disruptions
- Improve the skills and automate activities within IT assurance, audit and risk management
- Segment and limit access to sensitive data, where possible, to reduce exposure and costs
- Manage change management and prevention of unauthorized change to avoid higher financial risks and cost inefficiencies
- Continuously measure the effectiveness of controls to maintain an appropriate balance between reward and risk
“The latest ITPCG research findings reinforce that information security and privacy are critical business issues that are most effectively and efficiently addressed with well managed IT compliance programs,” said Rocco Grillo, managing director within Protiviti’s IT security practice.
“The maturing of GRC standards is playing a unifying role with companies that are embracing the role of IT compliance in addressing security and privacy exposures; the study’s results support empirically what we are seeing in the marketplace,” he said. “Notably, the research indicates that protecting sensitive data is becoming the biggest priority in IT compliance. This no doubt is a result of costly data breaches and post-breach remediation requirements, as well as PCI and other regulatory compliance requirements.”
Topics researched by the IT Policy Compliance Group benchmarks are part of an ongoing research calendar established by input from supporting members, advisory members, general members of the group, as well as from findings compiled from ongoing research. The most recent benchmarks included in this report were conducted between December 2007 and March 2008 with 558 separate, qualifying organizations. The consistent findings related to tracking questions from earlier benchmarks conducted between June 2007 and March 2008 with up to 2,608 separate firms have been included, but only where errors do not skew results from the research. The majority of organizations (90 percent) participating in the benchmarks are located in North America and the remaining ten percent of the participants for the research findings come from countries located in Africa, Asia Pacific, Europe, the Middle East and South America.
ITPCG Research Reveals Steps to Protect Sensitive Data
Dec. 5, 2007 — The IT Policy Compliance Group today announced the availability of its latest benchmark research report titled “Core Competencies for Protecting Sensitive Data.” The report, which incorporates responses from more than 450 organizations globally, concludes that only one in ten organizations is in the enviable position of adequately protecting their sensitive data. The report also analyzes the variables between those companies that are leaders and laggards in the area of data protection, providing insight into which actions and best practices can lead to less data loss, improved compliance results and sustained competitive advantage.
Click here to download the complete research report, titled “Core Competencies for Protecting Sensitive Data.”
One of the most striking findings from the research is the correlation between the loss of sensitive data and regulatory compliance results: firms that excel at protecting sensitive data also perform well on regulatory compliance audits. Almost all (96 percent) of the organizations with the least loss of sensitive data are the exact same organizations with the fewest regulatory compliance deficiencies that must be corrected to pass regulatory audits. In contrast, the majority (64 percent) of the organizations with the most loss of sensitive data are the same organizations with the largest number of regulatory compliance deficiencies that must be corrected to pass audit.
By analyzing the firms with the least amount of sensitive data loss (leaders) and those that experience the most amount of data loss (laggards), the research reveals several steps that can help improve data protection including defining fewer control objectives (expressions of policy), pursuing more frequent assessments and leveraging IT change management to prevent unauthorized use or change.
“Several recent events have demonstrated how damaging the loss of data can be to an organization’s reputation and strategic objectives,” according to Lynn Lawton, CISA, FCA, FIIA, PIIA, FBCSCITP, international president of ISACA. “It is critical to ensure that risk-based controls are in place to deter data loss and theft, and that those controls are regularly tested.”
“Successful organizations focus on selecting the most relevant controls, instead of simply implementing a large number,” Lawton explained. “The survey results clearly demonstrate that selecting, implementing and communicating the key controls, and regularly assessing their effectiveness, is a more practical approach and gets better results than constantly adding to a complex maze of uncoordinated isolated controls.”
The research indicates that the quality of controls is not as important as their appropriateness for specific risk and the frequency of controls assessment. Organizations not implementing risk-appropriate controls and not assessing the effectiveness of procedural and technical controls frequently enough are highly predisposed to data loss and theft. Firms with nonexistent controls and infrequent controls assessment are the firms experiencing the highest rates of frequent data loss and theft.
“Protecting customer and employee data as well as intellectual property has never been as important as it is today due to the rapid increase of compliance requirements and reputation risk,” according to Rocco Grillo, managing director in the Technology Risk practice of Protiviti Inc. “Yet data security breaches and identity thefts continue to occur.”
“Even though controls cannot fully guarantee protection, companies need to conduct the appropriate level of due diligence in information security and risk management,” he emphasized. “Proven programs to maintain and increase effective security and safeguarding of sensitive data have had enormous payback in protecting valuable information from theft or loss. Gone are the days where management can sit back and wait for a crisis or incident to spur them into action — everyone needs to be proactive.”
ITPCG seeks Advisory Members
Dec 5, 2007 - The IT Policy Compliance Group (ITPCG) has announced the addition of a new membership category: Advisory Membership. The Advisory membership category has been created to assist the IT Policy Compliance Group in several areas, according to research director, James Hurley. Advisory members will help formalize advice and direction for future research conducted by the Group, participate with posts to a new blog and will have the option to help create, guide and participate in special interest working groups. General membership in the ITPCG, which is free, is now being called Associate Membership. Associate members must register on the ITPCG web site and are given access to the full research reports published by the Group. Those wishing to become Advisory members can fill out an application on the ITPCG web site.
ITPCG introduces blog
Dec. 5, 2007 - The IT Policy Compliance Group (ITPCG) has officially launched its own blog to help facilitate useful conversations about timely topics in IT policy compliance. “Our goal is to provide a forum that gives our members and the general public a voice to express what is working, and not working, when it comes to creating and implementing more effective and efficient IT policies,” according to James Hurley, research director for the Group. Hurley noted that the blog will provide an additional channel to promote ongoing discussions of relevant policy compliance issues beyond the formal research reports and guidance now provided on the Group’s web site.
IT Policy Compliance Group releases new report on “Why Compliance Pays”
July 18 - The IT Policy Compliance Group today announced the availability of its latest benchmark research report, titled “Why Compliance Pays: Reputations and Revenues at Risk.” According to the report, nine in ten firms are exposed to financial risk from data loss and theft that can result in lost customers, reduced revenues and even a decline in their stock prices. These risks, however, could be significantly reduced by implementing core procedural and technical controls and monitoring those controls at least once every two weeks.
According to the report, a publicly disclosed data loss event is likely to occur once every three years at larger enterprises that are currently operating as “compliance laggards.” In contrast, organizations with the best compliance results (those with the fewest audited deficiencies) are able to extend the expected interval between data loss incidents to once in every 42 years. Bottom line: the benchmark research shows that the organizations excelling at compliance are the same firms with the least data losses and the least business disruptions from IT downtime.
“The vast majority of businesses and public institutions are still struggling with high rates of annual compliance deficiencies, resulting in business disruption, data loss and theft,” said James Hurley, managing director of the IT Policy Compliance Group. “While the probability of data loss and business disruption occurring in an organization is less a matter of ‘if’ than ‘when,’ there are a number of compliance, risk and governance practices that, if implemented correctly, could significantly reduce the frequency and impact of these events.”
Best Practices from Compliance Leaders
The research shows that successful firms, those with the fewest data losses and thefts, are driving operational excellence in IT by improving compliance results, especially in IT general controls and IT security controls and procedures. More notably, the benchmarks show the least data loss among firms that are monitoring and measuring controls against objectives consistently, at least once every two weeks.
“An effective IT governance process with concise IT control objectives, along with the right mix of built-in IT controls, allow businesses to set policies and measure against those policies in a consistent manner,” said Everett C. Johnson, CPA, International President of ISACA and the IT Governance Institute. “By creating a measurable and repeatable IT compliance program, businesses are able to adequately produce data and ensure a high level of compliance.”
Based on what is working among organizations with the fewest data losses, the IT Policy Compliance Group report identifies several practices that can help businesses improve IT compliance results, reduce business downtime, and reduce data loss and theft. These steps include:
- Implementing more and appropriate IT controls
- Reducing control objectives, making it easier to communicate, measure and report against
- Establishing higher standards for performance objectives
- Encouraging a culture of operational excellence in IT
- Conducting monitoring, measurement and reporting of controls against objectives at least once every two weeks
- Allocating more spend to controls automation
In addition to spending larger percentages of the IT budget on IT security controls, the firms with the fewest undisclosed latent data losses and least number of compliance deficiencies are reallocating monies away from external contract spend towards additional funding of equipment and software, specifically targeted at automating the monitoring and measurement of controls and procedures.
“Control advocates have always been pressed to justify allocating resources on additional controls. This report provides supporting evidence that the appropriate additional controls are not only warranted, but essential to prevent theft and loss,” said Rocco Grillo, a managing director in the Technology Risk practice of Protiviti Inc. “The report also links system resiliency with compliance. That is a novel perspective, however, as the paper indicates, there are great linkages between effective controls and resiliency.”
The latest research report, titled “Why Compliance Pays: Reputations and Revenues at Risk”, is available for download.
Recent benchmark research on data protection
March 8, 2007 - The IT Policy Compliance Group has announced the availability of its latest research report titled “Taking Action to Protect Sensitive Data.” According to the report, twenty percent of organizations are suffering from 22 or more sensitive data losses per year. The most sensitive losses include customer, financial, corporate, employee, and IT security data, which is either stolen, leaked, or destroyed. The primary channels through which data is lost, in order of risk, include PCs, laptops and mobile devices, email, instant messaging, applications and databases.
Organizations experiencing publicly reported data breaches are finding that failing to protect data costs them money and customers; on average these firms are experiencing an 8 percent loss of revenue and a similar loss of customers worried about personal data. Compounding the revenue and customer losses are additional expenses averaging $100 per lost or stolen customer record to notify customers and restore data.
“Preventative measures such as built-in IT controls are vital to ensuring that businesses protect the data they collect. It shouldn’t be an afterthought, but rather considered up-front in the design of hardware and software redundancy to ensure the information is kept secure and supported throughout the data lifecycle,” says Heriot Prentice, director of technology practices at The Institute of Internal Auditors. “It’s that simple. If you collect it, then protect it.”
The benchmark results show that firms with the fewest data losses are identifying sensitive core business data, mitigating user errors, policy violations and internet attacks, and monitoring many different IT controls and procedures weekly. The first line of defense to protect data continues to be the people who are handling data. Businesses must develop and update policies for sensitive data protection, handling, retention, and destruction that include accountability programs.
According to responses from organizations with the fewest losses of sensitive data, they are spending more time monitoring policy compliance and are employing multiple IT controls to reduce the loss of sensitive data. Best-in-class organizations are monitoring and measuring controls and procedures to protect sensitive data once a week, while most firms are conducting such measurements only about once every 176 days. In addition, organizations with the fewest losses of sensitive data classify IT security and regulatory data as sensitive and take the necessary steps to secure it.
“Failing to protect IT security and regulatory audit data is like a bank giving away the combination to the vault,” said Jim Hurley, managing director, IT Policy Compliance Group. “Instead of securities and cash, these firms are putting sensitive data, customers, revenues and business futures entirely at risk.”
The IT Policy Compliance Group report outlines recommendations to help organizations improve sensitive data protection. These include:
· Taking time to identify the most sensitive business data
· Training employees and implementing technology to mitigate user errors, policy violations, and internet attacks
· Monitoring controls and procedures to ensure compliance
· Increasing the frequency of audits and measurements
The latest research report, titled “Taking Action to Protect Sensitive Data”, is available for download.
Research Report on Compliance Spend Practices
Dec 4, 2006 - The IT Policy Compliance Group has announced the release of its latest research report titled “Managing Spend to Improve IT Compliance Results.” The report is now available for download at the Group-supported website, www.ITpolicycompliance.com.
Some of the key findings from the research report include:
- An unfortunate 20 percent of firms had to correct anywhere from 15 to hundreds of IT compliance deficiencies during the past year.
- Firms spending more than 10 percent of their IT budget on IT security are consistently those with the fewest compliance deficiencies.
- Firms with the fewest deficiencies are spending 9 percent more to automate audit and 11 percent less on contractors and outside services.
The IT Policy Compliance Group is dedicated to improving IT compliance results for organizations and is made up of members from several leading organizations including: the Computer Security Institute (CSI), The Institute of Internal Auditors (IIA), Protiviti, and Symantec Corporation. The group conducts fact-based benchmark research to determine the best practices that result in improvements to IT compliance results for organizations.