IT vulnerabilities such as inadequate documentation and poor PC access controls put enterprises at risk of being noncompliant with regulatory mandates and prone to security events -- and most companies have at least a few such deficiencies present in their environments, according to research released Monday.
The IT Policy Compliance Group surveyed 876 corporations and government agencies, and 69 percent said during the first half of this year they had averaged between three and 15 "compliance deficiencies" that had to be corrected. Another 20 percent said their organizations tallied more than 16 deficiencies, with 36 on average. The remaining 11 percent -- the top performers in the survey -- reported an average of only two compliance deficiencies.
The report, entitled "Managing Spending in IT to Improve Compliance Results," noted that 55 percent of these compliance deficiencies led directly to financial losses due to a security event, and 45 percent were of the type that required remediation to pass external audits or other regulatory reviews.
The survey also identified the Top 10 deficiencies. Beginning with No. 1, they are: documentation; PC and laptop access controls; IT configurations and controls; user, application and server access controls; IT audit, logging and reporting; database access controls; IT security policies and standards; information access controls; business continuity controls; and data archive and management controls.
When the IT Policy Compliance Group asked 520 of the 876 organizations how much money their organizations allocate to IT security as a percentage of the IT budget, the group found -- not surprisingly -- that more spending in general leads to fewer compliance deficiency problems.
Firms that spent more than 10 percent of the IT budget on IT security are consistently among those with the lowest levels of compliance deficiencies. The best-performing segment spent an average of 10 percent of the IT budget on security compared with 7.5 percent spent by the 69 percent of companies deemed the "industry norm," and 6.8 percent spent by the bottom 11 percent or "industry laggards."
Among organizations with stronger policy-compliance track records, there's less spending on contract labor and more on automation of procedures and controls through software or scans, the IT Policy Compliance Group reports.
The firms that were more successful in IT policy compliance are "automating the IT audit and monitoring process on a once every two-days basis, sometimes even more," said Jim Hurley, director of the IT Policy Compliance Group. "The firms that were laggards [in this survey] did the same audits on a once-a-year basis."
IT Policy Compliance Group is a research group formed last year to publish studies on achieving IT policy and regulatory goals. It is supported by the Computer Security Institute and the Institute of Internal Auditors, along with firms Protiviti and Symantec.
This year's survey of 876 organizations is based on interviews with IT managers and directors, as well as individuals from legal, finance and internal audit departments who are knowledgeable about regulatory compliance. The majority of surveyed companies are from North America with some Asian and European organizations are included as well.