New Developments
In New Developments, internal auditors will find information about the most recent IT and audit research reports and survey results; new IT, security, and privacy legislation; and other news items of importance to auditors.
Companies Lack Sound Data Security Policies
Companies are not following simple data security procedures, such as identifying the risks associated with the storage and transportation of confidential information and establishing policies regarding lost portable devices, according to Data Security Policies Are Not Enforced (PDF, 183 KB), a new survey released by the Ponemon Institute, a privacy and information management research firm. Many organizations also fall short on enforcing their data security policies and on making employees aware of them.
More specifically, the study of 893 IT professionals in the United States offers insights into the technological challenges many organizations face. As the study indicates, 39 percent of employees surveyed said they have lost a personal digital assistant, cellular phone, USB memory stick, zip drive, or laptop containing sensitive or confidential business information. More troubling, however, is the finding that more than half of those surveyed ― 56 percent ― admitted that their employer would never be able to determine the type of data contained on a lost device.
"Privacy and data protection policies are meaningless if they do not address the full spectrum of threats and if they are not enforced," explains Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "The development of comprehensive policies, along with training and stringent enforcement of those policies should be a priority in any enterprisewide data security program."
In addition, the survey found critical discrepancies between company policies and actual employee behavior. For instance, 51 percent of survey respondents said that they store confidential information on an external memory stick even though 87 percent believe that company policy forbids it. Also, 33 percent of survey participants send workplace documents to a home computer as an e-mail attachment, 17 percent turn off security settings or firewalls on company-owned computers, and 46 percent share their passwords with a coworker, while 48 percent, 80 percent, and 67 percent of survey respondents, respectively, are unsure whether company policy forbids each of these actions.
"Data breaches remain the leading cause of financial losses in businesses, with over 75 percent of Fortune 1000 companies falling victim to data leakage, and this is not going to change without improvements in the enforcement of data security policies," says Vimal Vaidya, founder and chief executive officer of RedCannon Security, a provider of secure mobile-access solutions, which sponsored the survey.
For more information about the study or to download the full report, visit RedCannon's Web site (PDF, 183 KB).

