New Developments
In New Developments, internal auditors will find information about the most recent IT and audit research reports and survey results; new IT, security, and privacy legislation; and other news items of importance to auditors.
Managers Share Data Security Worries
Now IT professionals and internal auditors can look into the major drivers and challenges management faces in making effective information security decisions. The IT Compliance Institute (ITCI) report Information Security and GRC (PDF, 1.3 MB), based on a survey of 297 business, compliance, and IT managers, explores the state of information security management in companies all over the world, including management's support of information security activities and the gaps that exist among current information security management practices.
According to the report from the IT education, research, and analysis services organization, survey responses reveal that there is still a real disconnect between information security, corporate strategy, and risk management, even though approaches to information security management have matured. For example, only 8 percent of respondents viewed information security as an integral part of a robust risk management strategy, 42 percent stated that their company does not view information security as part of risk management, and 35 percent said management has only a moderate or worse view of information security threats and risks.
In addition, less than half of the companies represented in the study make a consistent effort to consolidate multiple security control implementations, pointing to management's inability to form an integrated picture of information security management. Reasons for this include a lack of executive support or representation in the form of a chief information security officer (CISO) or chief security officer (CSO). Of those companies that do have a CISO or information security manager in place, less than 50 percent of those CISOs or information security managers define information security policies.
Due to the lack of strategic management, the report explains, information security management is subject to redundant cycles of tactical incident response and localized control implementations and to inaccurate quantification and qualification of information security management risks. "Information security is one of the more mature domains of internal information controls," the report explains. "However, as survey responses show, many managers do not look beyond immediate security risks when making ISM [information security management] decisions. Considering the costs associated with ISM, lack of oversight can in itself represent a substantial capital risk."
To read the full report, visit the ITCI Web site.

