Knowing How – and Where – Your Confidential Data Is Classified and Managed: A Survey on the Current State of IT Security and Privacy Policies and Practices
An accompanying video is available for the 2013 IT Security and Privacy Survey.
It’s the phone call every CIO fears. It’s 3 a.m., and you’re notified that there’s been a major security breach and data loss at your company. Millions of customer records have been compromised. What’s worse, the breach occurred at one of the organization’s data management vendors, and there’s a realization that 1) you and your company do not know the level of security protocols the vendor has in place, and 2) your company bears full responsibility, under the law and in the court of public opinion.
Fortunately, many CIOs, IT departments, and executive management and information management teams are addressing these issues every day. The results of Protiviti’s second annual IT Security and Privacy Survey indicate a number of positive trends, as well as critical areas for improvement:
- Information management as strategic priority – There is an encouraging rise in the involvement of the CIO in activities including but not limited to data governance oversight and execution, along with crisis communications. More CIOs are in place today within companies, reflecting a recognition that data is a critically important asset that must be managed differently and even more effectively than other assets.
- Lack of key data policies – One in four companies do not have a written information security policy (WISP) and one in three lack a data encryption policy. These are critical gaps when considering the legal implications of such omissions.
- Less-than-ideal data retention and storage practices – The stream of data companies are managing is increasing almost daily, yet few address this volume with a detailed and comprehensive classification system. Many, in fact, treat all of their data the same, rather than classifying it appropriately.
- Unprepared for a crisis – In light of the many well-publicized data breach incidents and numerous data breach and privacy laws, a surprisingly high number of companies are not adequately prepared to respond to such a crisis.
These findings, other results from this study and our analysis are included in our report.