IT Risk Management Report 2: Myths and Realities

Trends through December 2007 Volume 2, Published January, 2008


“ IT Risk Management is more than using technology to solve security problems. With proper planning and broad support, it can give an organization the confidence to innovate, using IT to outdistance competitors.”

– Greg Hughes, Chief Strategy Officer Symantec Corporation

Table of Contents

Introduction (p. 4)
Risk Management concepts guide an increasing number of IT decisions, but myths about IT Risk persist. Recent information helps correct misunderstandings about IT Risk, and direct attention to emerging areas of concern.

Myth one: IT Risk is Security Risk (p. 8)
Relationships among Security, Compliance, Availability and Performance Risks help explain industry and public perceptions. But even as IT professionals take a less security-centric view of IT Risk, data loss threats are growing in importance.

Myth two: IT Risk management is a project (p. 18)
Project management serves IT well, but falls short when IT Risk environments and business goals change constantly. Matching assessment and mitigation efforts to incident rates is a key to responsible, cost-effective IT Risk Management.

Myth three: Technology alone mitigates IT Risk (p. 26)
IT Risk mitigation is more complex than deploying technology. Balanced controls depend on trained personnel following clear, effective processes—with supporting technologies to keep them informed and effective.

Myth four: IT Risk Management is a science (p. 34)
With roots in Operational Risk Management, process-improvement disciplines, and business governance, IT Risk Management spans the boundary of business management and science. Emerging frameworks and best practices help guide effective implementations.

Conclusion (p. 40)
With IT at the core of many critical business processes, IT Risk Management is a business imperative. Effective management not only protects information and infrastructure, but unlocks resources for the pursuit of strategic business initiatives.

Appendix (p. 42)


Executive Summary

IT Risk—encompassing Security, Availability, Performance, and Compliance elements—has become a critical issue for executives and boards of directors. In this second volume of the IT Risk Management Report, Symantec extends its analysis of IT professionals’ insights into the nature of IT Risk and the most effective ways to manage it, with added focus on Availability and Performance Risk.

The Report addresses persistent myths about IT Risk, concluding that:

• IT professionals are adopting a more balanced, less security-centric view of IT Risk—more of them now see Availability Risk as critical or serious than any other element

• Compliance Risk is more than Security Risk formalized by law: data breaches, outages and disasters may cause irrecoverable losses of customer loyalty, revenue, and company value

• Reactive or annual project-oriented IT Risk Management is better than nothing. But IT professionals’ expectations of monthly incidents in a constantly-changing global and regional business and technology environment call for a continuous, process-oriented approach

• Best-in-class organizations deploy controls balanced across strategic, support, delivery, and security categories, positioning themselves to correct the missing or faulty processes that cause most incidents

• Over the past year, survey participants saw no improvement in Asset Inventory Classification and Management controls, and a decline in Data Lifecycle Management

• IT Risk Management builds on Operational Risk Management and manufacturing quality disciplines, spurred on by Sarbanes-Oxley and other regulations affecting Corporate Governance, and supported by its own emerging frameworks, standards, and best practices

Symantec recommends a continuous IT Risk Management process starting with risk assessment, paying close attention to cultural and training issues, and addressing long-term structural improvements as well as “early wins.” Most implementations will focus on Security Risk and associated controls in the early stages, but should follow up with Availability Risk and delivery controls, and include Compliance and Performance Risk with strategic controls for an integrated, effective program over the long term.

Highlights

This report is intended for executives with responsibilities at the intersection of IT and business risk, including CISOs and vice-presidents of Risk Management, Data Center Operations, and Compliance/Audit. Report insights are based on the collective experience of IT professionals worldwide, and Symantec’s deep expertise in every element of IT Risk Management.

Be sure to check these highlights:

• Although IT professionals agree with consumers about the severity of Data Leakage incidents, they may underestimate their frequency: see Security Risk and data leakage under Myth 1

• IT professionals expect IT incidents to occur about once per month: see Incident rates and reactions under Myth 2

• Process issues cause 53 percent of IT incidents—most often because no process is in place to manage the incident: see The importance of process controls under Myth 3

• IT Risk Management is more than a defensive exercise—it identifies tradeoffs among risks, costs, and controls for confident, risk-aware pursuit of opportunities: see Process improvement disciplines under Myth 4

Introduction

As IT grew from a back-office specialty to the core of financial, telecommunications and other modern businesses, exposures to IT Risk have grown to match. Not long ago, IT Risk occupied a small corner of Operational Risk—the opportunity loss from a missed IT development deadline. Today, the success of organizations and even nations may hinge on mastering a broad landscape of IT risks.

The World Economic Forum provides a sense of scale. They rank a breakdown of critical information infrastructure among the most likely core global risks, with 10 to 20 percent likelihood over the next 10 years and potential worldwide impact of $250 billion.[1] Sustained investment in IT—almost $1.2 trillion or 29 percent of 2006 private-sector capital investment in the U.S. alone[2]—fuels growing exposure to IT Risk.

As the world grows more dependent on IT systems and processes, management of IT Risk becomes a practical necessity. Those who neglect this emerging discipline may squander opportunities from fear of trivial or imagined threats, or fail to take elementary precautions against significant threats.

IT Risk elements

IT Risk encompasses the full spectrum of risks that may affect or result from IT operations: external natural disasters or changes in government regulation, internal processes that affect product or service quality, IT organizational and datacenter performance, loss of intellectual property, supervisory or legal controls, and much more.

Symantec differentiates among the four classes of IT Risk elements illustrated in Figure 1 according to their source and potential impact on organizations, specifically:

• Security Risk—that information will be accessed, manipulated or used by unauthorized parties

• Availability Risk—that information or applications will be made inaccessible by process, people or systems failures, or natural disasters

• Performance Risk—that underperforming systems, applications, staff, or organizations will diminish business productivity or value

• Compliance Risk—that information handling or processing will fail to meet regulatory, IT or business policy requirements

Why IT Risk is important now.

IT Risk: definition, elements, and controls.

What we’ve learned so far—and why some myths still endure.


Figure 1: IT Risk encompasses four types of element, each with its own drivers and potential impacts.

Detailed descriptions of these risk elements, with sources and potential impacts, may be found in an earlier report.[3]

Today’s IT Risk environment

Every organization has a unique IT Risk profile. But dramatic global changes in IT Risk affect most organizations. There has been no shortage of “breakout” IT Risk stories in the popular press:

• Repercussions from the theft of more than 45 million customer credit- and debit-card numbers crippled earnings at a retailer[4]

• A spree of denial-of-service attacks directed at Web sites in a European country brought down government, banking, and even small school Web sites[5]

• Inadequate manual information management processes plagued a health care provider’s transplant center, disrupting and delaying essential patient care[6]

• A government entity in the United Kingdom lost CDs containing 25 million personal records, including financial details of more than 7 million families[7]

Behind the headlines, Symantec’s Internet Security Threat Report (ISTR) documents the transition from a hacker culture of nuisance virus outbreaks and network vandalism to an underground criminal economy in which bank accounts, compromised servers, passwords and credit cards are bought and sold in bulk.[8] Professionalization and commercialization of malicious activities, along with more intense attacks and more frequent outages, have raised awareness and regulatory attention across the entire spectrum of IT Risk.

[Figure 1 diagram: IT Risk at the center, surrounded by its four elements: Security, Availability, Performance, and Compliance. Drivers shown: Internal and External Malicious Threats; IT Policy and External Regulations; Application Performance and IT Performance; Natural Disasters and System Failures. Goals shown: Keep Bad Things Out / Keep Important Things In; Ensure Adequate Controls / Automate Evidence Collection; Optimize Resources / Ensure Correct Configuration; Keep Systems Up / Ensure Rapid Recovery.]

Against the array of external and internal IT risks, organizations deploy controls—IT processes and technologies designed to close vulnerabilities, maintain continuity of operation at specified performance levels, and achieve and document compliance with external and internal policy requirements.

A look back

The initial IT Risk Management Report, Volume 1 was published in February 2007 and is available at www.symantec.com/about/leadership. From more than 500 in-depth surveys, it determined that IT professionals:

• See their organizations as more effective deploying technology than process controls

• Consider IT asset inventory, classification and management, and secure application development processes to be significant problem areas

• Target people and process improvements over technologies as their best opportunities to move from good to great

• Identify areas of misalignment between levels of their IT organizations about sources of IT Risk

The most encouraging result was that best-in-class organizations—even though they faced higher risk levels—experienced fewer incidents than less-effective organizations. Their effective defense against more intense attack may be attributable to the balanced investments across a range of controls to mitigate the full spectrum of IT risks.

This report

From February to October 2007, Symantec surveyed 405 IT professionals about various aspects of IT Risk Management. Methodology and sampling were generally comparable with those of the first survey; please see the Appendix for details. This report of its findings complements Volume 1 in several ways, specifically by:

• Increasing emphasis on Availability and Performance Risks, to balance the Security and Compliance emphasis of Volume 1

• Balancing recurring and new survey material to assess changes in the IT Risk environment since collection of earlier information

New survey questions addressed emerging issues with important implications for IT Risk Management, specifically:

• Data leakage—risks to an organization’s information assets from both external malicious activity and internal errors

• Endpoint management—the need to extend policy-based control over fixed and mobile endpoints in sprawling, porous, worldwide networks

• Data center virtualization—IT Risk Management implications of adopting virtualization technologies to improve utilization and productivity of storage and servers

• Zero-day exploits—the need for new defenses as the time needed to create and disseminate malicious code that exploits a published vulnerability converges on zero

The second survey extends and further defines key issues and trends raised in the first. This report will compare results against those of the first survey to identify trends and differences, and explore new insights from the latest research.

Progress and persistent myths

The survey data itself, and conversations with IT professionals around the world, revealed a contradiction. Awareness of the importance of IT Risk Management to organizations and the IT profession continues to rise. Yet in an emerging discipline, this awareness has not yet dispelled a few persistent misunderstandings about the nature and extent of IT Risk, the best ways to manage it, and the shortcuts and traps that lie along the path.

This Report applies new survey data and Symantec Consulting experience to the analysis of four myths about IT Risk Management, specifically that:

• IT Risk and IT Risk Management are exclusively or primarily concerned with IT security

• IT Risk Management is an annual, semiannual, or other periodic exercise

• Technology controls are sufficient to address most IT Risk Management concerns

• IT Risk Management is a science, with principles that are universal across time, geography, and business environment

IT Risk covers more than IT Security—and even Security Risk presents new challenges.

Security is important, but not the whole story.

Compliance: law and policy.

How Availability and Performance are different, and why they can’t be ignored.

Myth One: IT Risk is Security Risk

No myth about IT Risk Management is more persistent than the idea that it is concerned primarily with identifying and mitigating security risks. It may be that the word “risk” seems to apply more easily to security than performance, availability, or compliance. Or IT professionals’ consumer and early career experience may have conditioned them to anticipate IT security risks over others. Regardless of the cause, overestimating Security Risk can cause misallocation of time and resources, and significant exposure to other IT risks.

Even when security risks remain top-of-mind, they need to be considered in balance with the full range of IT Risk elements. This section reviews some critical relationships among IT Risk elements, and points out the value of a balanced approach.

Figure 2: Importance ratings of IT Risk elements. (n = 130)*

Although focus on Security Risks persists, survey results document emergence of a broader view. Figure 2 shows that slightly more survey participants gave “Critical” or “Serious” ratings to Availability Risk than to any other element: 78 percent, against 70 percent for second-place Security, 68 percent for Performance, and a low of 63 percent for Compliance Risk. This result may reflect a focus on availability among survey participants who are directly accountable for it, and underestimates the impact of Performance risks that—as we will see—are often business-critical. The data also support two important conclusions. First, a majority of participants rates every area of IT Risk either “Critical” or “Serious.” Second, only 15 points separate the top- and bottom-rated categories. IT professionals are adopting a more balanced view of IT risks.

* In this Report, stacked-bar graphs show risk levels in ascending order from top to bottom. This is a change from Volume 1, to help readers combine top risk levels by reading from the scale instead of calculating. Colors assigned to risk levels are unchanged. Variation in the number of data points represented in the graphs reflects differences in the survey items presented to and completed by participants.

Security Risk and data leakage

Whatever their ranking, security risks are undeniably important. External attacks, malicious code released onto public networks (with ever-shrinking latency), and attempts at unauthorized access to information and systems remain significant burdens for IT departments worldwide. And Symantec has documented increasing professionalization and commercialization of computer crime[9]—an alarming development, especially for industries with high-volume or high-value electronic transactions.

Security risks compromise customer trust and reputation: customers’ rights and expectations demand that organizations protect their personal information and money. Customers are especially hard on companies they see as careless with their information—a 2007 consumer survey on data security showed 62 percent of consumers more upset when information loss is due to negligence rather than theft.[10] Infowatch highlights the scale of these breaches—the average incident exposes the personal information of 785,000 customers.[11] The 2007 loss by the UK government of more than 7 million families’ financial records underscores the risk.[12]

Because customers withdraw from transaction providers and venues they don’t trust, data leakage constitutes a serious threat not only to consumers, but to electronic commerce and banking.[13] In the U.S., financial losses from credit-card fraud are assigned to issuers, insulating cardholders from direct financial risk. But new forms of fraud—phishing, identity theft, and underground marketing of private information—threaten reputation, creditworthiness, privacy, autonomy, and other nonfinancial assets. A history of serious breaches could stem or reverse online retail growth, regardless of financial guarantees. The same conditions apply in electronic banking, securities, and currency trading, where IT security risks present a direct threat to the liquidity of financial markets.

Survey results show that IT professionals agree with their customers about the gravity of data leakage: 63 percent believe a data leak would have serious impact on their businesses (see Figure 3 on page 12).

Figure 3: Impact severity estimates for data leakage from corporate information systems. (n=277)

But our survey participants judged that the probability of major data leakage incidents at their organizations is comparatively small: only 46 percent of them expect incidents as often as once a year (see Figure 4); a slight majority expects an incident only once every five years.

Is this a realistic assessment, or are survey participants underestimating this risk—and overestimating the effectiveness of their mitigation efforts?

Incident rates for data leakage are notoriously complicated, due to:

• Lack of consistency in reporting standards across organizations and jurisdictions

• Strong points of view held by organizations that report incident data, e.g. consumer-privacy advocacy groups and banking industry organizations

• An understandable reluctance of victimized organizations to disclose incidents except to their customers and as required by law

• A twofold “threshold” problem: smaller incidents may not be widely reported, so incident rates seem lower, but average impacts seem higher

• A misguided focus on criminal activity, although most breaches are due to employee error[14]

Because of these factors, data leakage incident information may be reported in fragmented, inconsistent fashion, leading to lower predictions of incident frequency.

Survey participants’ confidence in data protection may be misplaced, given the broad availability of stolen data for sale on the Internet. Identities, complete with U.S. bank account, credit card, government-issued identification numbers and birthdates, are available for purchase online from U.S. $14 to $18.

[Figure 3 response scale: Not applicable, Not considered, Minimal impact, Some impact, Serious impact]

And with large impacts possible from even a single data-security breach, Symantec recommends:

• Careful analysis of security event logs using technology and services available from Managed Security Service Providers (MSSPs)

• Monitoring of trends across the security threat landscape, using the Symantec Internet Security Threat Report and other sources

• At a minimum, a quick review of network endpoints, considering vulnerabilities to both internal error and external malfeasance

• Evaluation of some of the new, information-focused security tools developed specifically to help organizations address data leakage

Figure 4: Estimated frequency of data leakage from corporate information systems. (n=277)

Compliance

Compliance Risk stems from failure to meet regulatory or business requirements for information handling or processing. In highly regulated industries, compliance failure may compromise the organization’s reputation, profitability, or even existence.

Since many regulations govern privacy and information security, Compliance is sometimes seen as derivative of security. But Compliance Risk is more than Security Risk formalized by law. Regulations including new U.S. Federal rules for legal discovery broaden the scope of Compliance Risk beyond security concerns. And even regulations unrelated to IT may require dramatic changes to IT infrastructure and processes, adding complexity and competing for scarce IT resources with mitigation of other risks. The U.S. Sarbanes-Oxley Act of 2002[15] and the EU Markets in Financial Instruments Directive[16] are just two recent examples of regulatory initiatives not aimed at Security Risk, but with far-reaching consequences for IT.

The compliance obligations of organizations subject to local, regional, and national regulations include the costs of maintaining and reporting compliance to the satisfaction of external regulators, the challenges of setting and meeting internal policies and standards to assure that external requirements are met, and obligations governing the security, availability and performance of their IT services for internal clients.

Compliance impacts

The IT Policy Compliance Group examined financial impacts of IT compliance in 2007. After finding an association between compliance and lower rates of data loss and theft, the study determined that after loss and theft incidents, public companies experienced eight-percent declines in stock price, active customer base, and short-term revenues.

In addition, the study found that firms spent an average of $100 per lost record in litigation, settlements, restoration, and improvements.[17] Noncompliance with standards and internal policies introduces risks even when regulatory controls are moderate. Combining these direct and indirect impacts with intangible losses of reputation, loyalty and employee morale justifies the ranking of Compliance as a critical IT Risk.

IT Risk: Value and Vulnerability

IT Risk element | Compromised core values | Risk origins
Security | Trust, customer reputation | External attacks, malicious code, physical destruction, inappropriate access, disgruntled employees
Compliance | Legal, financial, and operational integrity | Changing or misunderstood regulations, missing or poorly-defined IT policies, insufficient auditing capability
Performance | Efficiency and productivity | Poor system architectures, network congestion, inefficient code, inadequate capacity, ineffective process design
Availability | Financial and supply-chain integrity, commercial responsibility | Network failures, inadequate change management, data center failures, regional disasters

Availability and performance—different kinds of risk?

Availability Risk concerns inaccessibility of information or applications during a systems outage and recovery. Performance Risk concerns reduced business productivity or value when teams, systems or applications underperform. Often overshadowed by Security and Compliance concerns—and sometimes unrecognized outside IT—these risks differ in several important ways.

Frequency and impact

Security and Compliance risks attract attention because of their high visibility and impact: virus outbreaks, data loss, or lawsuits may require disclosure, are a staple of the business press, and are devastating to the individuals and companies involved. In the U.S. alone, twice-weekly updates barely keep up with the rate of new data breaches, some involving hundreds of thousands of records[18] and million-dollar fines. In contrast, common availability and performance events tend to be incremental, and may escape notice—a few seconds’ delay in serving a Web site, a few percentage points lower transaction capacity, a near-miss in meeting recovery-time or recovery-point objectives. Yet the cumulative burden of IT underperformance weakens any organization, and a single breakout event may be enough to bring it down.

Transfer of harm

A second difference is that while Security and Compliance risks involve transfer of harm—from thief to victim or government to organization—Availability and Performance risks often play out inside the walls, as reduced revenue, added expense, or lost profit. Stakeholders can, should, and do complain, but incremental availability and performance shortfalls rarely attract outside attention, nor are the affected organizations likely to seek it.

But when they occur, availability and performance disasters can be nightmare scenarios: transaction processing at a crawl on the busiest shopping day of the year or during a market crash, failures cascading through backup systems during a site or regional disaster, or essential services missing when they’re needed most. Worse, Availability and Performance disasters are often irrecoverable over the short term.

A reciprocal relationship?

Finally, some IT professionals see Availability and Performance as reciprocal to Security and Compliance. This seems true at the extremes: information locked in a safe on the ocean floor might be secure and safe from the legal and regulatory consequences of disclosure—though at great cost to its availability, and the performance of systems that use or serve it.

But the reciprocal relationship Security and Compliance have with Availability and Performance extends to the middle ground. Every improvement in distribution of information raises the risk it will fall into the wrong hands, or violate principles governing its use. Likewise, attempts to secure information often make it less available, and may compromise the performance of systems that process it. This reciprocal relationship is at the core of many tough decisions in IT Risk Management.

Availability impacts

When business processes depend—sometimes completely—on IT systems and processes, IT failures cause business failures. Researchers at Dartmouth and the University of Virginia investigated one example: hypothetical failure of the Supervisory Control and Data Acquisition (SCADA) network at an oil refinery. SCADA failure would immediately shut down production because of safety concerns. The researchers estimated economic impact of $405 million from a hypothetical ten-day outage at a supplier that contributed 10 percent of the U.S. gasoline supply. The affected supplier would bear only $255 million of the impact; others in the supply chain would assume the remaining $180 million loss.[19]

The example highlights two important facts: First, IT system availability is often equivalent to business availability. Second, in a connected world of global supply chains and collaboration networks, availability failures in one business cascade directly into others.

Performance impacts

Performance Risk compromises business efficiency. A thought experiment illustrates the point: a 1 percent loss in labor productivity is just five minutes of an eight-hour day. But for a U.S. or Western European organization of 10,000 employees, that same loss costs approximately $4.25 million in wages every year.* How many organizations can say that they lose no more than 25 minutes of productive time (about 5 percent) from slow system response time, inefficient application design, poor integration, or misaligned IT and business priorities? Figure 5 estimates the annual costs of productivity losses on that scale and less, for organizations of different sizes.

Figure 2 showed that 68 percent of survey participants rated Performance Risk a critical or serious threat. Add to the direct impacts of Performance Risk on productivity follow-on effects on customer satisfaction and supply-chain efficiency, and it becomes clear why Performance Risk is an important target for IT Risk Managers.

* Assumes 60 percent of employees in the United States and 40 percent in Western Europe, all earning their national average hourly wages: $18.58 for the U.S. and $23.31 for the UK. U.S. average wage per U.S. Social Security Administration, October 2007; UK per National Statistics Office, November 2007.

Figure 5: Hypothetical annual cost of unproductive time, expressed as millions of dollars against minutes lost each day, for organizations of different sizes.
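The wage arithmetic behind the thought experiment and Figure 5, worked through as an added Python example (this is not code from the report): it reproduces the roughly $4.25 million figure for 10,000 employees at a 1 percent loss using the footnote's wage mix, rebuilds the Figure 5 table for other organization sizes and minutes-per-day values, and answers the inverse question of how many lost minutes per day a given wage budget can absorb. It takes the eight-hour day from the text and assumes 2,080 paid hours per employee per year (52 weeks of 40 hours), which is our assumption rather than the report's.

```python
"""Wage-cost model behind the 'Performance impacts' thought experiment and Figure 5.

Added worked example; not code from the Symantec report. The wage mix and hourly
rates are the report's own footnote (60 percent U.S. at $18.58/hour, 40 percent UK
at $23.31/hour). Two inputs are assumptions: the eight-hour working day the text
describes, and 2,080 paid hours per employee per year (52 weeks x 40 hours).
"""
from dataclasses import dataclass
from typing import Dict, Iterable

MINUTES_PER_DAY = 8 * 60   # eight-hour day, as in the report's thought experiment
HOURS_PER_YEAR = 52 * 40   # assumption: 2,080 paid hours per employee per year


@dataclass(frozen=True)
class WageMix:
    """Fraction of the workforce in each region and that region's average hourly wage (USD)."""
    shares: Dict[str, float]
    wages: Dict[str, float]

    def blended_hourly_wage(self) -> float:
        """Weighted average hourly wage across regions; shares must sum to 1."""
        if abs(sum(self.shares.values()) - 1.0) > 1e-9:
            raise ValueError("workforce shares must sum to 1")
        if set(self.shares) != set(self.wages):
            raise ValueError("every region needs both a share and a wage")
        return sum(self.shares[r] * self.wages[r] for r in self.shares)


# The report's footnote assumptions: 60% U.S. at $18.58, 40% UK at $23.31.
REPORT_MIX = WageMix(shares={"US": 0.60, "UK": 0.40}, wages={"US": 18.58, "UK": 23.31})


def annual_wage_bill(employees: int, mix: WageMix = REPORT_MIX) -> float:
    """Total annual wages (USD) for an organization of the given size."""
    if employees < 0:
        raise ValueError("employees must be non-negative")
    return employees * mix.blended_hourly_wage() * HOURS_PER_YEAR


def cost_of_productivity_loss(employees: int, fraction_lost: float,
                              mix: WageMix = REPORT_MIX) -> float:
    """Annual wages (USD) paid for unproductive time when a fraction of productivity is lost.

    The report's case: 10,000 employees, 1 percent lost, gives about $4.25 million.
    """
    if not 0.0 <= fraction_lost <= 1.0:
        raise ValueError("fraction_lost must be between 0 and 1")
    return annual_wage_bill(employees, mix) * fraction_lost


def cost_of_lost_minutes(employees: int, minutes_per_day: float,
                         mix: WageMix = REPORT_MIX) -> float:
    """Annual wages (USD) for `minutes_per_day` of lost time per employee per working day."""
    if not 0.0 <= minutes_per_day <= MINUTES_PER_DAY:
        raise ValueError("minutes_per_day must be between 0 and a full working day")
    return cost_of_productivity_loss(employees, minutes_per_day / MINUTES_PER_DAY, mix)


def affordable_minutes_per_day(employees: int, annual_budget: float,
                               mix: WageMix = REPORT_MIX) -> float:
    """Inverse question: how many lost minutes per employee per day fit inside a wage budget?"""
    if annual_budget < 0:
        raise ValueError("annual_budget must be non-negative")
    wages = annual_wage_bill(employees, mix)
    if wages == 0:
        return 0.0
    return min(float(MINUTES_PER_DAY), annual_budget / wages * MINUTES_PER_DAY)


def figure5_table(org_sizes: Iterable[int], minutes_options: Iterable[float],
                  mix: WageMix = REPORT_MIX) -> Dict[int, Dict[float, float]]:
    """Rebuild the shape of Figure 5: millions of USD per year by organization size and minutes lost per day."""
    minutes = list(minutes_options)
    return {
        size: {m: round(cost_of_lost_minutes(size, m, mix) / 1e6, 2) for m in minutes}
        for size in org_sizes
    }


if __name__ == "__main__":
    print(f"1% loss, 10,000 employees: ${cost_of_productivity_loss(10_000, 0.01):,.0f} per year")
    for size, row in figure5_table([1_000, 10_000, 50_000], [5, 10, 25]).items():
        cells = "  ".join(f"{m:>2} min: ${c:>7.2f}M" for m, c in row.items())
        print(f"{size:>6} employees  {cells}")
```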

Beyond Security-centric IT Risk Management

Balanced investments in controls are the keys to successful management and mitigation of IT Risk, and require a balanced assessment across IT Risk elements. Even when security concerns dominate their risk environment, organizations must take care that a security-centric view does not blind them to very real availability and performance risks that may be neglected, or even raised by their mitigation efforts.

IT Risk Management is a continuous process, to address constantly-changing IT Risk and business environments.

IT change outpaces point-in-time planning—IT Risk Management is adaptive and continuous.

Start with policy, and deploy the right controls.

Myth Two: IT Risk Management is a Project

Already involved in hundreds of projects, busy enterprise IT departments may see the assessment of IT Risk as a one-off project, followed by adjustments to remediate specific deficiencies. But this is unsatisfactory in a world where risks are constantly changing. Organizations must monitor IT risks continuously, and make frequent changes to their management strategy. And while it is certainly true that the initial stages of IT Risk assessment will resemble other projects, and that the process can profit from the same discipline and focus that make any IT project a success, the "project" perception, like the firefighting mentality that preceded it, can defeat even the best intentions and efforts.

Annual projects or "random acts of risk management"[20] are better than nothing at all. But organizations put themselves at risk when the cadence of their IT Risk Management programs fails to match the rate of change in their risk environment. Effective, continuous IT Risk Management processes may be introduced to an organization without compromising the discipline and sense of mission surrounding the launch of major initiatives. This section reviews some of the ways that business and technology change affects the risk environment, and outlines some ways leading organizations have introduced IT Risk Management into their core business processes.

Incident rates and reactions

IT Security, Compliance, Availability, and Performance incidents assault the modern organization at an alarming rate. Just ask the people on the front lines, the administrators charged with monitoring and responding to these incidents every day. For IT Risk Management programs to "manage what they measure," organizations need to measure the rates of these incidents.

We asked survey participants to estimate the frequency of four types of IT incidents: regulatory non-compliance, major information loss, major IT failure, and minor IT failure; results are shown in Figures 6 through 9. We found that:

• 66 percent of participants expect a regulatory non-compliance event at least once every five years

• 59 percent expect a major loss-of-information event at least once every five years

• 63 percent expect a major IT failure at least once a year

• 69 percent expect a minor IT failure at least ten times a year

Taken at those thresholds, the four rates add up to roughly 0.2 + 0.2 + 1 + 10, or about 11 events a year: an IT incident about once a month for an average organization. At such an incident rate, annual or bi-annual IT Risk Management is clearly insufficient.


Figure 6: Participants' expected incidence of regulatory non-compliance by their organizations. (n=405)

Figure 7: Participants' expected incidence of severe impacts from loss of information confidentiality, availability, or integrity. (n=405)


Figure 8: Participants' expected incidence of severe impacts to their IT organizations that interrupt critical business operations. (n=405)

Figure 9: Participants' expected incidence of minor impacts to their IT organizations that impair the work of individuals or groups. (n=405)

The changing risk environment

Not only are IT and business environments rife with every kind of IT Risk, but the risks are constantly changing. In the Introduction, we saw evidence of a transition in the type of Security Risk faced by organizations; in fact, every category of IT Risk is evolving all the time, driven by technology change, company go-to-market strategy, and the macro business climate.

Other elements of IT Risk are changing just as fast. The Compliance Risk environment is in constant flux as regional and national governments enact new legislation, organizations introduce frameworks and standards for IT Governance and other processes, and companies adjust policies to meet the needs of their unique business strategies and environments.

Availability Risk changes when, for example, an organization enters new markets with unreliable power and communications infrastructure, and in disaster-prone areas it can literally vary with the weather. Performance Risk shows long-term trends based on the availability and affordability of high-performance systems, applications, and personnel. But it also shows seasonal variations based on demand cycles that vary from one organization to another, and on the resources available to meet them.

IT Risk Management: a continuous process

With such variability in IT Risk environments over time, any project-oriented or point-in-time IT Risk Management process will quickly find itself overtaken by events. Changing IT Risk environments call for adaptive IT Risk Management that anticipates and responds to environmental change while remaining aligned to strategic organizational objectives. Matching the frequency of environmental and event monitoring to the frequency of IT incidents is a critical best practice.

Major changes in business strategy are rare, but operational and go-to-market adjustments happen every day. For example, "software-as-a-service" applications offer flexibility and rapid time to market, but present significant challenges across the spectrum of IT risks. IT Risk Management programs must track such developments, understand their business context, and develop a Risk Management posture to accommodate and support them.

Risks from technology are evolving, too. The Symantec Internet Security Threat Report tracks changes in the Internet threat landscape over time in its "Future Watch" feature, which covers threat activity the report expects to emerge. Figure 10 illustrates some recent topics. As discussed above, annual benchmarks are only a single contributor to an organization's continuous assessment of IT Risk; alert managers will supplement them with both formal and informal indicators of risks introduced by changing technology, people, and processes.

Figure 10: Summary of the Symantec Internet Security Threat Report Future Watch topics.


ISTR Future Watch Topics (drawn from Volume VII, September 2005; Volume X, September 2006; and Volume XII, September 2007)

– Polymorphous Win32 malicious code
– Web 2.0 security threats and AJAX attacks
– Microsoft Vista
– Increased vulnerabilities due to fault injection "fuzzers"
– Modular malicious code
– Bot networks
– Phishing targets and methods
– Advanced spyware developments
– Wireless security threats
– VoIP threats
– Mac OS security
– Malicious code and virtual worlds
– Automated evasion processes
– Advanced web threats
– Diversification of bot usage

Continuous IT Risk Management for continuous improvement

Organizations use technology to capture or enter new markets and build efficiencies, inevitably exposing themselves to new risks as they do. Continuous IT Risk Management programs, evolving at the speed of business change, can help them measure and then mitigate or accept those risks in a way that matches their strategy for securing sustainable competitive advantage.

Depending on an organization's size and strategy, a continuous IT Risk Management program may be fully staffed in its own department or a task for the CIO. Regardless of its scope, every program needs a push to get started. Symantec has identified these practical first steps that have helped IT organizations launch successful Risk Management programs:

1. Put one person in charge: chosen according to your organizational structure and dynamics, but with the authority to make things happen

2. Use an event as a catalyst: an IT incident that provides momentum for IT Risk Management makes the best of a bad situation

3. Perform an initial risk assessment: avoid the temptation to "just do something," and use at least a quick, qualitative assessment to focus efforts for quick returns on modest investments

4. Start dialogues at the executive and board level: IT Risk Management succeeds when the whole organization is behind it, so start at the top

Controls

Once underway, a successful IT Risk Management program needs to monitor controls to assess the internal environment, and appropriate sources of information to monitor the external environment.

More frequent monitoring of internal controls helps cut incidents and associated losses. The IT Policy Compliance Group determined in 2007 that organizations that monitor IT controls more frequently experience fewer incidents:

"Organizations with the fewest unreported data losses and compliance deficiencies are monitoring and measuring controls once every one to three weeks, and on average at least once every two weeks… firms with most IT compliance deficiencies and the highest latent data losses are monitoring and measuring controls once every 6.8 to 8.5 months."[21]


Information

Conversations with business managers provide valuable insights into strategic direction and go-to-market initiatives; IT vendors can help predict system upgrades and other operational information.

IT analysts can help identify IT trends and emerging issues to help managers assess the external environment. One valuable source is the Symantec Internet Security Threat Report, which offers a six-month update of Internet threat activity that includes analysis of attacks, vulnerabilities, malicious code, and trends in phishing and spam.

Myth and reality

The myth that IT Risk Management can be addressed in a single project, or even as a series of point-in-time exercises across budget periods or years, ignores the dynamic nature of the internal and external IT Risk environment. Worse, this view ignores the opportunity value of capable IT Risk Management: identifying acceptable risks, measured against their costs and business value, or implementing mitigation processes that allow an organization to take calculated risks with confidence.


People, executing processes supported by technology, are your most valuable resource to manage IT Risk.

Process effectiveness is a known weakness.

Frameworks, controls, and the road to improvement.

Key process controls and the critical role of training.


Myth Three: Technology alone mitigates IT Risk

Organizations manage IT risks by deploying controls. These span a wide variety of activities, and typically involve people executing processes with technological support, for example by using compliance management software to create policies mapped against regulations and best practices, and then to monitor and document compliance. The February 2007 IT Risk Management Report, Volume 1, examined relationships in the use of eight technology controls and eight process controls. In a technology discipline populated by many specialists with engineering backgrounds, it was no surprise to find attempts to solve persistent problems framed in engineering terms: IT professionals rated their organizations more effective at deploying technology controls to address IT Risk than at deploying process controls.

The analysis also determined that best-in-class organizations followed a more balanced approach in deploying technology and process controls. For the 2008 study, we expanded the analysis to cover a larger set of controls, each with elements of people, process, and technology.

Best in class: risks and incidents

For this study, we asked participants to rate the effectiveness of implementation of 18 controls critical in managing IT Risk, arranged into four categories: strategic, support, delivery, and security controls (see the sidebar "Key Controls for Managing IT Risk" on page 33 for descriptions). We divided our 405 participants into quartiles based on their overall effectiveness across all 18 controls.

As in last year's study, we calculated separate indexes for compliance and business process risk for each quartile (across six compliance and seven business-process IT Risk areas), together with the rates at which participants expected IT incidents. These results are shown in Figure 11.

Figure 11: Expected incident rates and ratings for two categories of IT Risk in organizations in each IT Risk Management performance quartile. Professionals from better-rated organizations see themselves facing more IT Risk, but expect fewer incidents. (n=405)


As they did in Volume 1, these results show that participants who rated their organizations effective in managing IT Risk saw them facing greater compliance and business process risk, but expected fewer IT incidents. The relationship suggests that organizations more effective at deploying controls are rewarded with lower rates of incidents.

Best in class: balanced controls

What separates best-in-class performers from other participants? A closer look reveals that organizations in the Best quartile deploy strategic, support, delivery, and security controls with uniformly high effectiveness (see Figure 12). This contrasts with organizations in the Worst quartile, which deploy security controls at moderate levels of effectiveness, but show less success with strategic and delivery controls.

Again, readers of last year's report will find few surprises: organizations with strong performance ratings deploy controls effectively across the full range. No control or category alone leads to high performance; a combination of effective controls helps best-in-class organizations achieve their expectation of lower rates of IT incidents.

Figure 12: Effectiveness ratings for four categories of controls (strategic, support, delivery and security) by performance quartile. (n=405)

The importance of process controls

IT professionals are familiar and comfortable with technology controls. But process controls are often the key to avoiding serious incidents, as demonstrated in a study conducted by Symantec and researchers from MIT's Center for Information Systems Research (CISR) in 2007. The study examined root causes of 85 severity-one security and availability incidents. Figure 13 on page 30 shows the results.


Process-based issues caused 53 percent of incidents. In 63 percent of these cases, no pre-defined process existed to manage the incident; in only 22 percent did an existing process fail to manage it. Environmental configuration issues accounted for 51 percent of incident root causes, and staff skills for 41 percent.

Figure 13: Root causes of IT incidents. (Total exceeds 100 percent: 63 percent of the incidents had multiple root causes.) (n=85)

The promise of process frameworks

How can other organizations build strong processes to achieve best-in-class performance? Fortunately, they have help. IT leaders have focused considerable attention in recent years on IT Service Management (ITSM) process frameworks and standards, including the Information Technology Infrastructure Library® (ITIL) framework managed by the UK Office of Government Commerce, the ISO/IEC 17799 security and ISO/IEC 20000 service management standards, and the Control Objectives for Information and related Technology (COBIT) best-practices guidance materials on IT governance.[22] Following in the tradition of the quality disciplines that transformed manufacturing in the 1980s and 1990s, these frameworks and standards address constantly-changing IT infrastructure and data-center configurations from the standpoint of services delivered to IT end-users.

More than 20 percent of billion-dollar companies have already completed one or more ITIL implementations,[23] and many more are underway. The business benefits these organizations hope to achieve include:

• IT service improvements such as consistent performance against Service Level Agreements, with IT risks minimized, managed, or accepted

• IT process improvements including operational best practices, with documentation of compliance to appropriate policies and standards


• Standardization of IT infrastructure and processes, to reduce costs, complexity, and time-to-value of IT investments

And as we will see in the next section, investments in training and staff development are among the most productive paths to improved performance.

Process trends

While interviewing for last year's study, we observed that several organizations were making large investments in secure application development processes. Participants explained that they were building more secure IT operating environments by eliminating security problems at the source. Comparing this year's results with those, we have seen a 10 percent improvement in the number of participants rating secure application development "over 75 percent effective." This indicates that organizations are making thoughtful, effective investments to manage IT Risk.

We predict that Problem Management will be the next area to improve as Secure Application Design did. ITIL helps align IT initiatives with business goals, using Problem Management to minimize "the adverse impact of Incidents and Problems on the business that are caused by errors within the IT Infrastructure", and "to get to the root cause of Incidents and then initiate actions to improve or correct the situation."[24]

Our research with MIT showed that IT incidents share root causes. We expect that as IT Risk Management programs mature, they will begin to deploy more robust Problem Management processes to eliminate root causes of IT incidents, using or modifying technology as needed, but relying primarily on processes to manage specific, identified root causes.

In Volume 1 we noted concern over the low rating of the Asset Inventory Classification and Management control. Participants in the current survey reported a negligible increase in effectiveness for this control, still the most poorly rated in the study. In addition, the current survey shows a decline of 17 percent in the number of participants who rate Data Lifecycle Management "over 75 percent effective."

The combination of these two trends is a concern. Both of these controls classify systems and information and apply distinct policies to each class, which aligns the treatment of each class with business objectives. Weakness in these controls suggests that assets will be treated alike, so that some systems, processes, and objects will be overprotected and others underprotected from IT Risk, resulting in cost and service inefficiencies.


Technology in support of process

Although technology cannot substitute for process discipline and expertise, technology solutions can help standardize, automate, and report key measurements related to process effectiveness, increasing the span of awareness and control of trained personnel. Process-support technologies include software and appliances to assist IT organizations with:

• Configuration and Change Management, to improve the discovery, mapping, correlation, and tracking of changes to applications and servers

• Performance Management, to identify underperforming assets and infrastructure tiers, and help isolate root causes of underperformance

• Provisioning Management, for consistent patch deployments across operating systems and geographies, avoiding incompatibilities and timing issues

Technology plays a critical role in the mitigation of IT Risk. But people and processes, supported by technology, determine how effective your program will be. An organization's maturity in deploying IT Risk Management will dictate which investments are most appropriate for it at this time. And while every organization is unique, core Risk Management problems are common to all organizations.


Key Controls for Managing IT Risk

The key controls listed below were derived from extensive study of published control standards for IT management, including the Information Technology Infrastructure Library (ITIL), COBIT, and ISO 17799, as well as from Symantec's experience in working with top-performing organizations throughout the world.

Strategic Controls

• IT policy, strategy, and architecture
• Organizational structure, roles, and responsibilities
• Governance, compliance and continuous improvement
• Data lifecycle management

Support Controls

• Asset inventory classification and management
• Physical and environmental management
• Configuration, change and release management
• Incident, response and problem management

Delivery Controls

• Service level management
• Operational design, workflows and automation
• Secure application design, development and testing
• Systems build and deployment
• Capacity management
• Availability management
• Service continuity management

Security Controls

• Authentication, authorization and access management
• Network, protocol and host security
• Training and awareness

IT Risk Management, like other business processes, requires disciplined planning and execution.

An emerging business discipline, not a science.

Origins of IT Risk Management.

IT Risk Management in context: Risk Management, Business Strategy.

Myth Four: IT Risk Management is a science

This last myth is more widespread within the practice of IT Risk Management than in the business community at large. As IT Risk Management becomes more widely practiced, disciplined, and documented, and especially as standards and frameworks encourage consistent practices, practitioners may come to see it as a set of fixed principles and relationships, universally applicable across industries and geographies.

Roots and progress

But IT Risk Management is an emerging business process, not a science. Rather than experiment and analysis, IT Risk Management relies on the experience accumulated by individuals and organizations as they manage their way across a changing business landscape.

We can identify three primary contributors to the current practice of IT Risk Management:

Operational Risk Management

In the Risk Management family, Financial Risk Management is the science, and Operational Risk Management a set of ad hoc processes to address events ranging from fire and fraud to supply-chain failure. Its diversity is captured in its definition: "the risk of loss from inadequate or failed internal processes, people, and systems, or from external events"[25], in effect covering any risk that cannot be completely hedged or insured against.

By 2002 the interconnectedness of internal and external networks and business processes had already given IT Risk Management special status. Logically and taxonomically still a form of Operational Risk Management, IT Risk Management emerged as a separate practice because:

• Many business operations and transactions now took place entirely within IT systems

• The pace of technology change required more rapid adaptation in technology and process controls than other forms of operational risk do

• The discipline of IT Risk Management required specialized knowledge and skills among both IT professionals and business managers

Process improvement disciplines

Process improvement methodologies transformed factories worldwide in the late 1980s and throughout the 1990s, and launched one of the greatest productivity advances in history. Manufacturing disciplines drove build quality to unprecedented heights, while computer-intensive Manufacturing Resource Planning and Enterprise Resource Planning technologies broke through old assumptions about productivity and inventory management.


A few pioneering companies demonstrated that these efficiencies could work even across company boundaries, in supply partner and distributor networks that combined with the communications efficiencies of the Internet to launch the e-commerce revolution.

IT Risk Management is their natural successor. Too often viewed as a merely defensive exercise, IT Risk Management helps companies identify both risks and opportunities in their business environment, and trade-offs between risks and costs, or risks and opportunities. With trade-offs identified and measurement systems and controls in place, organizations can take appropriate risks confidently, to pursue opportunities they might otherwise forgo.

Business and IT Governance

Regulations governing business conduct, most prominently Sarbanes-Oxley in the United States, raised the accountability of corporate officers and disclosure standards for business information, with significant implications for IT. Sarbanes-Oxley was an external stimulus (for many companies, the first) that forcibly aligned business and IT strategies, and made IT governance a top-of-mind issue for many chief executives.

To meet the requirements of Sarbanes-Oxley, EU Privacy and Markets Directives, and industry-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS), IT needed a way to organize, evaluate, and balance these requirements systematically to guide effective action, and IT Risk Management was well adapted for the task.

Current state of IT Risk Management

Most business people are familiar with Risk Management, but few understand the emerging practice of IT Risk Management, and fewer still appreciate its role in today's connected organizations.

IT Risk Management combines the rigor and breadth of Operational Risk Management, the productivity focus of manufacturing disciplines, and the stakeholder point of view common to governance frameworks. It adds process and technology controls unique to the IT world, and is emerging as a business discipline, like Financial Risk Management or Supply-Chain Management, capable of making a unique contribution to organizational effectiveness.


Frameworks and best practices

Documented best practices for IT Risk Management are scarcer than those for IT Operations Management frameworks like ITIL, for example. Standards such as ISO 17799, the Code of Practice for Information Security Management, and the broader Australian/New Zealand standard on Risk Management, AS/NZS 4360:2004, can help, but these are references rather than practice guidelines. Frameworks and standards provide an excellent start, but every organization will add and refine priorities and processes appropriate for its own risk environment and organizational goals.

Through its research and client work, Symantec has identified four IT Risk Management best practices that are generally applicable across organizations:

1. Assess risk and scope: before taking action, assess the likelihood and probable impact of each risk. Even simple, qualitative assessment will help you avoid coverage gaps and waste as your program gets underway. Keep in mind that not all IT Risk must be eliminated: quick, cheap corrections may be enough to bring a risk to acceptable levels.

2. Build a risk-aware culture: because businesses take risks for profit, naive risk aversion can be a barrier to success. IT Risk Management should build a culture that understands organizational objectives, IT risks, mitigation costs, and their interrelationships.

3. Develop people: MIT research cited in Chapter 4 showed that 41 percent of IT incidents have root causes based in staff skills. In a separate study, IDC and Symantec found that training and team skill levels have profound impacts on IT performance.[26] Training investments pay off, for example, by refocusing team efforts on high-value activities, which can improve team productivity by 10 percent or more, more than enough to cover the costs of training.

4. Give it time: chalk up some early "wins" to build momentum, but focus long-term efforts on strategic issues identified in your risk assessment, then allow those controls to mature over time. Symantec experience demonstrates that it may take three to five years for IT Risk Management controls to become completely effective.

Taking the second step

The most important step in any IT Risk Management program is simply getting started, and in Chapter 3 we suggested using a catalyst event to get your program underway. But what are the next steps? Based on Symantec's experience with emerging and established IT Risk Management programs, and analysis of correlations between risks and controls for survey participants, we see the following as a logical implementation sequence for controls:


1. Security risks and controls: survey results suggest addressing security risk first, because better security controls most strongly predicted improvement in incident expectations. And because information security is IT-centric, IT can act with less dependence on others to achieve easy wins and gain early momentum.

2. Availability risks and delivery controls: delivery controls, closely associated with Availability Risk, had the second-strongest correlation with reduced incident expectations. Our research also indicates that organizations facing higher levels of business process risk deploy delivery controls most often. And because business managers easily grasp the benefits of reduced availability risk, delivery controls are an excellent step in meeting business objectives outside the "glass house."

3. Compliance/performance risks and strategic controls: Compliance and Performance Risk most closely underpin business units' daily use of IT services. Managing these risks requires collaboration to align the actions of IT with the requirements of its business clients. Laying a foundation with the Security and Availability Risk elements prepares your organization for these more sophisticated conversations.

Your organization may face a unique set of risks that calls for a different approach: for example, an insurance company in an at-risk region may focus on Availability Risk first, or a company under regulatory review on Compliance Risk. As illustrated in Figure 14, alignment is critical throughout execution. And regardless of the order of deployment, use the four best practices as a guide.

Figure 14: Illustration showing how key elements of IT execution interact with the most important issues in IT/business alignment. Execution skills apply across multiple issues, justifying investments in skill development.


Conclusion

Technology drives the consolidation of industries, the globalization of markets, and the invention and reinvention of organizations worldwide. Technology supports collaboration and innovation at rates never seen before. But technology failures can bring entire segments of the economy to a halt, corrupt records or leave them inaccessible, and compromise employees' productivity.

Managing risks introduced by IT is a business imperative. In this report, we have observed that:

• IT failures in your organization ripple through customers, suppliers and partners

• IT risks come from multiple sources, change constantly, and require a continuous program of discovery, monitoring, and management

• IT risks are managed by the combination of people, process, and technology, balancing risks against business objectives

• IT Risk Management is a business process that adapts to organizational requirements, guided by best practices

As you launch or expand your IT Risk Management program, keep in mind that managing IT Risk rarely means eliminating it. Instead, IT Risk Management disciplines and practices help keep IT services flexible, adaptive, and aligned to organizational goals in a constantly changing business climate. In addition, IT Risk Management can provide the insight that allows you to take calculated risks with confidence and use IT to drive competitive advantage.

The future

Symantec will continue its research into IT Risk Management to discover additional practical recommendations and best practices to help organizations develop and implement their own programs. Future research will assess the state of deployment and maturity of IT Risk Management programs, including the prevalence of IT Risk Management initiatives and the use of program-based best practices. Symantec will continue to explore how the management of IT Risk contributes to business productivity, competitive advantage, and the spirit of innovation.


Appendix: Methodology

Data collection

Between February 2007 and October 2007, Symantec collected 405 surveys from IT professionals attending IT events worldwide (approximately 85 percent), or online at www.symantec.com (approximately 15 percent). Each participant received a report comparing his or her responses to those of a benchmark group. To ensure candid responses and protect participants' privacy, Symantec contracted a third party, Ecosystems, LLC of Vienna, VA, to collect, process, and aggregate the survey results.

Because participants occasionally skipped one or more survey questions, the number of responses may vary from one question to another.

Differences in questions

For comparison and trend analysis, the current report echoes several questions from the Symantec IT Risk Management Report, Volume 1, which reported responses from 528 participants last year. The current report also includes results from questions designed to extend data-set coverage or explore emerging issues.


Demographics

We fielded the survey to a broad group of IT professionals, across industries, sizes of organization, participant job role and global region. These demographics provided the variables for much of our analysis.

Figure A1: Participants by industry. (n=405)

Figure A2: Participants by job role: “professional” includes business, consultants and other non-IT job functions. (n=405)


Figure A3: Participants by organization size. (n=365)

Figure A4: Participants by geographic region. This report includes participants from the Asia Pacific region, which was not represented in the previous report. (n=405)

Use of indexes

This report compiled seven indexes to measure the significance or impact of risks, effectiveness measures, or incident rates across participants, compare results across demographic or other categories, and for correlation and comparative analysis. Each index averages data across the relevant set of questions.

The indexes are:

• Compliance Index

• Business Process Index

• Incident Rate Index

• Strategic Effectiveness Index

• Support Effectiveness Index

• Delivery Effectiveness Index

• Security Effectiveness Index




NO WARRANTY. The information provided in this document is being delivered to you “AS IS” and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the information contained herein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.

Copyright © 2008 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and INFORM are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.


About Symantec

Symantec is a global leader in infrastructure software, enabling businesses and consumers to have confidence in a connected world. The company helps customers protect their infrastructure, information, and interactions by delivering software and services that address risks to security, availability, compliance, and performance. Headquartered in Cupertino, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com

For specific country offices and contact numbers please visit our Web site. For product information in the U.S., call toll-free 1 (800) 745 6054.

Symantec Corporation
World Headquarters
20330 Stevens Creek Boulevard
Cupertino, CA 95014 USA
1 (408) 517 8000
1 (800) 721 3934
www.symantec.com

Copyright © 2008 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

1/08 12818026

Confidence in a connected world.
