Funding, Testing Shortfalls Threaten Compliance

A new survey from the Security Compliance Council finds that many businesses are failing to spend enough time or money to ensure that they can make the grade with auditors.

New research published by the Security Compliance Council contends that very few companies are succeeding in their initial efforts to meet the demands of government IT regulations.

According to the report, which is based on interviews conducted with 671 executives working in IT, finance and legal positions at companies located around the globe, only 11 percent of all the firms involved in the survey were considered to be passing muster in their compliance-oriented efforts.

Those firms harbored fewer than two problems that could cause them to fail inspection from compliance auditors, SCC said.

Most companies, or 69 percent of those participating in the study, were found to have between three and 15 specific compliance shortcomings, while 20 percent of those interviewed evidenced more than 15 problems, according to the industry group, which is backed by the Computer Security Institute, the Institute of Internal Auditors and Symantec.

The most frequent types of compliance issues reported in the study were problems with IT systems configuration and change management, insufficient audit logging and security monitoring, and ineffective end user and applications controls.

Other common problems involve improper handling of documentation, poor IT security policies and inadequate PC and laptop access controls.

Researchers said that it was not hard to identify the internal procedures being used at the few companies that are having the most success with their efforts, as those firms spent the most money addressing the problem and also conducted the highest percentage of in-house audits.

Firms that said they complete internal compliance tests on a monthly schedule fared far better than those doing so on a less regular basis, said Jim Hurley, director of research at security software maker Symantec.

"There are a lot of businesses with very immature technology controls, and the management of data knowledge is another telling point; laggards simply aren't collecting the right data," said Hurley.

"If you look at the IT budgets of the companies who are not doing well, they are very low and the spend on security is low; these are firms often looking to do the bare minimum of what they believe they need to do to comply."

Of the 20 percent of companies with the most compliance-related issues, most have "no hope" of passing muster under regulations such as the U.S. government's Sarbanes-Oxley Act or HIPAA (the Health Insurance Portability and Accountability Act), according to Hurley.

The report said that in addition to performing internal audits at least once a month, companies succeeding in their compliance efforts dedicate at least five IT worker-days per month purely to managing regulatory issues, and spend more than 10 percent of their overall IT budgets on security.


At the other end of the spectrum, the companies identified as compliance laggards in the report test themselves for regulatory conformity only about once every eight months on average. A majority of the firms that are struggling spend less than 10 percent of their IT budgets on security.

While all of the businesses surveyed have purchased some compliance-related technologies, merely buying applications to help meet the guidelines is an ineffective strategy, Hurley said.

Having the right executives in charge of a program is another hallmark of the winners, according to the researcher.

"Businesses need people to lead them through compliance by looking at the problem from multiple perspectives, by looking at the changes that need to be made to business procedures, or by giving employees new training," said Hurley.

"Software is part of the problem but not the whole issue; there's also got to be tighter linkage between auditing tools and more traditional IT security products."

Among the actions that the Security Compliance Council said directly improve companies' ability to cut down on deficiencies and improve their overall standing are increasing the frequency of internal audits, better documenting IT procedures, assets and controls, establishing clearer compliance objectives, and hiring additional staff, contractors and service providers to help address existing issues.

While the results remain fairly bleak, Hurley said that many companies are actually in the process of better addressing compliance.

Most of the firms not qualifying for the top rating in the report have been waiting to see what other companies have done to meet compliance demands and are in the process of executing new strategies to that end, the research said.

"Most companies know what their problems are; they're just struggling to find something to do about their own specific challenges," said Hurley.

"The companies who do it best will drive a learning culture whereby lessons from their first audits aren't lost, which should help them understand common problems across all their compliance efforts, and help focus spending on additional resources."
