
IT Risk Management

IT Risk Management Report 2: Myths and Realities

Trends through December 2007


Volume 2, Published January, 2008

IT Risk Management is more than using technology to solve security problems. With proper planning and broad support, it can give an organization the confidence to innovate, using IT to outdistance competitors.
Greg Hughes, Chief Strategy Officer Symantec Corporation

Table of Contents

Introduction
Risk Management concepts guide an increasing number of IT decisions, but myths about IT Risk persist. Recent information helps correct misunderstandings about IT Risk, and directs attention to emerging areas of concern.

Myth one: IT Risk is Security Risk
Relationships among Security, Compliance, Availability and Performance Risks help explain industry and public perceptions. But even as IT professionals take a less security-centric view of IT Risk, data loss threats are growing in importance.

Myth two: IT Risk Management is a project
Project management serves IT well, but falls short when IT Risk environments and business goals change constantly. Matching assessment and mitigation efforts to incident rates is a key to responsible, cost-effective IT Risk Management.

Myth three: Technology alone mitigates IT Risk
IT Risk mitigation is more complex than deploying technology. Balanced controls depend on trained personnel following clear, effective processes, with supporting technologies to keep them informed and effective.

Myth four: IT Risk Management is a science
With roots in Operational Risk Management, process-improvement disciplines, and business governance, IT Risk Management spans the boundary of business management and science. Emerging frameworks and best practices help guide effective implementations.

Conclusion
With IT at the core of many critical business processes, IT Risk Management is a business imperative. Effective management not only protects information and infrastructure, but unlocks resources for the pursuit of strategic business initiatives.

Appendix

Executive Summary
IT Risk, encompassing Security, Availability, Performance, and Compliance elements, has become a critical issue for executives and boards of directors. In this second volume of the IT Risk Management Report, Symantec extends its analysis of IT professionals' insights into the nature of IT Risk and the most effective ways to manage it, with added focus on Availability and Performance Risk. The Report addresses persistent myths about IT Risk, concluding that:

• IT professionals are adopting a more balanced, less Security-centric view of IT Risk: more of them now see Availability Risk as critical or serious than any other element
• Compliance Risk is more than Security Risk formalized by law: data breaches, outages and disasters may cause irrecoverable losses of customer loyalty, revenue, and company value
• Reactive or annual project-oriented IT Risk Management is better than nothing. But IT professionals' expectations of monthly incidents in a constantly changing global and regional business and technology environment call for a continuous, process-oriented approach
• Best-in-class organizations deploy controls balanced across strategic, support, delivery, and security categories, positioning themselves to correct the missing or faulty processes that cause most incidents
• Over the past year, survey participants saw no improvement in Asset Inventory Classification and Management controls, and a decline in Data Lifecycle Management
• IT Risk Management builds on Operational Risk Management and manufacturing quality disciplines, spurred on by Sarbanes-Oxley and other regulations affecting Corporate Governance, and supported by its own emerging frameworks, standards, and best practices

Symantec recommends a continuous IT Risk Management process starting with risk assessment, paying close attention to cultural and training issues, and addressing long-term structural improvements as well as early wins. Most implementations will focus on Security Risk and associated controls in the early stages, but should follow up with Availability Risk and delivery controls, and include Compliance and Performance Risk with strategic controls for an integrated, effective program over the long term.

Highlights
This report is intended for executives with responsibilities at the intersection of IT and business risk, including CISOs and vice-presidents of Risk Management, Data Center Operations, and Compliance/Audit. Report insights are based on the collective experience of IT professionals worldwide, and Symantec's deep expertise in every element of IT Risk Management. Be sure to check these highlights:

• Although IT professionals agree with consumers about the severity of Data Leakage incidents, they may underestimate their frequency (see "Security Risk and data leakage" under Myth 1)
• IT professionals expect IT incidents to occur about once per month (see "Incident rates and reactions" under Myth 2)
• Process issues cause 53 percent of IT incidents, most often because no process is in place to manage the incident (see "The importance of process controls" under Myth 3)
• IT Risk Management is more than a defensive exercise: it identifies tradeoffs among risks, costs, and controls for confident, risk-aware pursuit of opportunities (see "Process improvement disciplines" under Myth 4)

Introduction
Why IT Risk is important now. IT Risk: definition, elements, and controls. What we've learned so far, and why some myths still endure.
As IT grew from a back-office specialty to the core of financial, telecommunications and other modern businesses, exposures to IT Risk have grown to match. Not long ago, IT Risk occupied a small corner of Operational Risk: the opportunity loss from a missed IT development deadline. Today, the success of organizations and even nations may hinge on mastering a broad landscape of IT risks. The World Economic Forum provides a sense of scale. It ranks a breakdown of critical information infrastructure among the most likely core global risks, with 10 to 20 percent likelihood over the next 10 years and potential worldwide impact of $250 billion.1 Sustained investment in IT, almost $1.2 trillion or 29 percent of 2006 private-sector capital investment in the U.S. alone,2 fuels growing exposure to IT Risk. As the world grows more dependent on IT systems and processes, management of IT Risk becomes a practical necessity. Those who neglect this emerging discipline may squander opportunities from fear of trivial or imagined threats, or fail to take elementary precautions against significant threats.

IT Risk elements
IT Risk encompasses the full spectrum of risks that may affect or result from IT operations: external natural disasters or changes in government regulation, internal processes that affect product or service quality, IT organizational and datacenter performance, loss of intellectual property, supervisory or legal controls, and much more. Symantec differentiates among the four classes of IT Risk elements illustrated in Figure 1 according to their source and potential impact on organizations, specifically:

• Security Risk: that information will be accessed, manipulated or used by unauthorized parties
• Availability Risk: that information or applications will be made inaccessible by process, people or systems failures, or natural disasters
• Performance Risk: that underperforming systems, applications, staff, or organizations will diminish business productivity or value
• Compliance Risk: that information handling or processing will fail to meet regulatory, IT or business policy requirements

Figure 1: IT Risk encompasses four types of element, each with its own drivers and potential impacts. The figure arranges the four elements around "IT Risk":
• Security: Internal and External Malicious Threats. Keep Bad Things Out; Keep Important Things In.
• Availability: Natural Disasters and System Failures. Keep Systems Up; Ensure Rapid Recovery.
• Compliance: IT Policy and External Regulations. Ensure Adequate Controls; Automate Evidence Collection.
• Performance: Application Performance and IT Performance. Optimize Resources; Ensure Correct Configuration.

Detailed descriptions of these risk elements, with sources and potential impacts, may be found in an earlier report.3

Today's IT Risk environment

Every organization has a unique IT Risk profile. But dramatic global changes in IT Risk affect most organizations. There has been no shortage of breakout IT Risk stories in the popular press:

• Repercussions from the theft of more than 45 million customer credit- and debit-card numbers crippled earnings at a retailer4
• A spree of denial-of-service attacks directed at Web sites in a European country brought down government, banking, and even small school Web sites5
• Inadequate manual information management processes plagued a health care provider's transplant center, disrupting and delaying essential patient care6
• A government entity in the United Kingdom lost CDs containing 25 million personal records, including financial details of more than 7 million families7

Behind the headlines, Symantec's Internet Security Threat Report (ISTR) documents the transition from a hacker culture of nuisance virus outbreaks and network vandalism to an underground criminal economy in which bank accounts, compromised servers, passwords and credit cards are bought and sold in bulk.8 Professionalization and commercialization of malicious activities, along with more intense attacks and more frequent outages, have raised awareness and regulatory attention across the entire spectrum of IT Risk.


Against the array of external and internal IT risks, organizations deploy controls: IT processes and technologies designed to close vulnerabilities, maintain continuity of operation at specified performance levels, and achieve and document compliance with external and internal policy requirements.

A look back
The initial IT Risk Management Report, Volume 1, was published in February 2007 and is available at www.symantec.com/about/leadership. From more than 500 in-depth surveys, it determined that IT professionals:

• See their organizations as more effective deploying technology than process controls
• Consider IT asset inventory, classification and management, and secure application development processes to be significant problem areas
• Target people and process improvements over technologies as their best opportunities to move from good to great
• Identify areas of misalignment between levels of their IT organizations about sources of IT Risk

The most encouraging result was that best-in-class organizations, even though they faced higher risk levels, experienced fewer incidents than less-effective organizations. Their effective defense against more intense attack may be attributable to balanced investments across a range of controls to mitigate the full spectrum of IT risks.

This report
From February to October 2007, Symantec surveyed 405 IT professionals about various aspects of IT Risk Management. Methodology and sampling were generally comparable with those of the first survey; please see the Appendix for details. This report of its findings complements Volume 1 in several ways, specifically by:

• Increasing emphasis on Availability and Performance Risks, to balance the Security and Compliance emphasis of Volume 1
• Balancing recurring and new survey material to assess changes in the IT Risk environment since collection of earlier information

New survey questions addressed emerging issues with important implications for IT Risk Management, specifically:

• Data leakage: risks to an organization's information assets from both external malicious activity and internal errors
• Endpoint management: the need to extend policy-based control over fixed and mobile endpoints in sprawling, porous, worldwide networks
• Data center virtualization: IT Risk Management implications of adopting virtualization technologies to improve utilization and productivity of storage and servers
• Zero-day exploits: the need for new defenses as the time needed to create and disseminate malicious code that exploits a published vulnerability converges on zero

The second survey extends and further defines key issues and trends raised in the first. This report compares results against those of the first survey to identify trends and differences, and explores new insights from the latest research.

Progress and persistent myths


The survey data itself, and conversations with IT professionals around the world, revealed a contradiction. Awareness of the importance of IT Risk Management to organizations and the IT profession continues to rise. Yet in an emerging discipline, this awareness has not yet dispelled a few persistent misunderstandings about the nature and extent of IT Risk, the best ways to manage it, and the shortcuts and traps that lie along the path. This Report applies new survey data and Symantec Consulting experience to the analysis of four myths about IT Risk Management, specifically that:

• IT Risk and IT Risk Management are exclusively or primarily concerned with IT Security
• IT Risk Management is an annual, semiannual, or other periodic exercise
• Technology controls are sufficient to address most IT Risk Management concerns
• IT Risk Management is a science, with principles that are universal across time, geography, and business environment

IT Risk covers more than IT Security, and even Security Risk presents new challenges.

Myth One: IT Risk is Security Risk

Security is important, but not the whole story. Compliance: law and policy. How Availability and Performance are different, and why they can't be ignored.

No myth about IT Risk Management is more persistent than the idea that it is concerned primarily with identifying and mitigating security risks. It may be that the word "risk" seems to apply more easily to security than to performance, availability, or compliance. Or IT professionals' consumer and early-career experience may have conditioned them to anticipate IT Security risks over others. Regardless of the cause, overestimating Security Risk can cause misallocation of time and resources, and significant exposure to other IT risks. Even when Security risks remain top-of-mind, they need to be considered in balance with the full range of IT Risk elements. This section reviews some critical relationships among IT Risk elements, and points out the value of a balanced approach.

Figure 2: Importance ratings of IT Risk elements. (n = 130)*

Although focus on Security Risks persists, survey results document the emergence of a broader view. Figure 2 shows that slightly more survey participants gave Critical or Serious ratings to Availability Risk than to any other element: 78 percent, against 70 percent for second-place Security, 68 percent for Performance, and a low of 63 percent for Compliance Risk. This result may reflect a focus on availability among survey participants who are directly accountable for it, and underestimates the impact of Performance risks that, as we will see, are often business-critical. The data also support two important conclusions. First, a majority of participants rates every area of IT Risk either Critical or Serious. Second, only 15 points separate the top- and bottom-rated categories. IT professionals are adopting a more balanced view of IT risks.

* In this Report, stacked-bar graphs show risk levels in ascending order from top to bottom. This is a change from Volume 1, to help readers combine top risk levels by reading from the scale instead of calculating. Colors assigned to risk levels are unchanged. Variation in the number of data points represented in the graphs reflects differences in the survey items presented to and completed by participants.


Security Risk and data leakage


Whatever their ranking, Security risks are undeniably important. External attacks, malicious code released onto public networks (with ever-shrinking latency), and attempts at unauthorized access to information and systems remain significant burdens for IT departments worldwide. And Symantec has documented increasing professionalization and commercialization of computer crime,9 an alarming development, especially for industries with high-volume or high-value electronic transactions. Security risks compromise customer trust and reputation: customers' rights and expectations demand that organizations protect their personal information and money. Customers are especially hard on companies they see as careless with their information: a 2007 consumer survey on data security showed 62 percent of consumers more upset when information loss is due to negligence rather than theft.10 Infowatch highlights the scale of these breaches: the average incident exposes the personal information of 785,000 customers.11 The 2007 loss by the UK government of more than 7 million families' financial records underscores the risk.12 Because customers withdraw from transaction providers and venues they don't trust, data leakage constitutes a serious threat not only to consumers, but to electronic commerce and banking.13 In the U.S., financial losses from credit-card fraud are assigned to issuers, insulating cardholders from direct financial risk. But new forms of fraud (phishing, identity theft, and underground marketing of private information) threaten reputation, creditworthiness, privacy, autonomy, and other nonfinancial assets. A history of serious breaches could stem or reverse online retail growth, regardless of financial guarantees. The same conditions apply in electronic banking, securities, and currency trading, where IT security risks present a direct threat to the liquidity of financial markets.
Survey results show that IT professionals agree with their customers about the gravity of data leakage: 63 percent believe a data leak would have serious impact on their businesses (see Figure 3 on page 12).


Figure 3: Impact severity estimates for data leakage from corporate information systems. (n=277) Rating scale: Not applicable, Not considered, Minimal impact, Some impact, Serious impact.

But our survey participants judged that the probability of major data leakage incidents at their organizations is comparatively small: only 46 percent of them expect incidents as often as once a year (see Figure 4); a slight majority expects an incident only once every five years. Is this a realistic assessment, or are survey participants underestimating this risk, and overestimating the effectiveness of their mitigation efforts? Incident rates for data leakage are notoriously complicated, due to:

• Lack of consistency in reporting standards across organizations and jurisdictions
• Strong points of view held by organizations that report incident data, e.g. consumer-privacy advocacy groups and banking industry organizations
• An understandable reluctance of victimized organizations to disclose incidents except to their customers and as required by law
• A twofold threshold problem: smaller incidents may not be widely reported, so incident rates seem lower, but average impacts seem higher
• A misguided focus on criminal activity, although most breaches are due to employee error14

Because of these factors, data leakage incident information may be reported in fragmented, inconsistent fashion, leading to lower predictions of incident frequency. Survey participants' confidence in data protection may be misplaced, given the broad availability of stolen data for sale on the Internet. Identities, complete with U.S. bank account, credit card, government-issued identification numbers and birthdates, are available for purchase online for U.S. $14 to $18.


And with large impacts possible from even a single data-security breach, Symantec recommends:

• Careful analysis of security event logs using technology and services available from Managed Security Service Providers (MSSPs)
• Monitoring of trends across the security threat landscape, using the Symantec Internet Security Threat Report and other sources
• At a minimum, a quick review of network endpoints, considering vulnerabilities to both internal error and external malfeasance
• Evaluation of some of the new, information-focused security tools developed specifically to help organizations address data leakage
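The first recommendation above, analysis of security event logs, is the one a practitioner can start on without new tooling. The following is an added example, not Symantec's code and not part of any product named in the report: it sums outbound bytes per internal source address from egress (web proxy) log lines and flags sources that both exceed an absolute volume and stand far above their peers. The log format, the internal-domain suffix, the sample lines, and the thresholds are all constructed for illustration.

```python
"""Flag possible data leakage in egress (web proxy) logs.

Added example for this report; it is not Symantec's code and is not tied to
any product. The log format below is a hypothetical, simplified proxy log:
    <timestamp> <source_ip> <method> <destination_host> <bytes_out>
"""
import statistics
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Destinations treated as internal (assumed naming convention, not a standard).
INTERNAL_SUFFIXES = (".example-corp.local",)

# Constructed sample lines for illustration; not captured from a real network.
SAMPLE_LOG = """\
2007-12-03T09:01:12Z 10.1.4.22 POST mail.example-corp.com 18211
2007-12-03T09:02:40Z 10.1.4.23 GET  www.example-news.com 912
2007-12-03T09:03:05Z 10.1.4.22 POST mail.example-corp.com 20400
2007-12-03T09:04:51Z 10.1.4.25 POST upload.files-share.example 734003200
2007-12-03T09:05:09Z 10.1.4.24 GET  cdn.example-vendor.com 1200
2007-12-03T09:06:33Z 10.1.4.25 POST upload.files-share.example 812000000
2007-12-03T09:07:10Z 10.1.4.23 POST intranet.example-corp.local 5500000
2007-12-03T09:08:44Z 10.1.4.26 PUT  backup.example-corp.local 9000000000
this line is malformed and must be skipped, not crash the parser
"""


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, int]]:
    """Return (timestamp, src_ip, method, host, bytes_out), or None if malformed."""
    fields = line.split()
    if len(fields) != 5 or not fields[4].isdigit():
        return None
    ts, src, method, host, nbytes = fields
    return ts, src, method, host.lower(), int(nbytes)


def is_external(host: str) -> bool:
    """Uploads to internal destinations (backups, intranet) are not leakage."""
    return not host.endswith(INTERNAL_SUFFIXES)


def outbound_by_source(lines: Iterable[str]) -> Dict[str, int]:
    """Sum bytes sent to external hosts, per internal source address."""
    totals: Dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped rather than fatal
        _, src, _, host, nbytes = rec
        if is_external(host):
            totals[src] += nbytes
    return dict(totals)


def flag_exfiltration(totals: Dict[str, int],
                      absolute_bytes: int = 100 * 2**20,
                      ratio_to_median: float = 10.0) -> List[Tuple[str, int]]:
    """Flag sources whose external volume is large in absolute terms AND far
    above the median of their peers; either test alone is noisy on its own."""
    if not totals:
        return []
    baseline = statistics.median(totals.values())
    flagged = [(src, n) for src, n in totals.items()
               if n >= absolute_bytes and n >= ratio_to_median * baseline]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    by_src = outbound_by_source(SAMPLE_LOG.splitlines())
    for src, n in flag_exfiltration(by_src):
        print(f"review {src}: {n / 2**20:.0f} MiB sent to external hosts")
```

The median baseline is only meaningful with a reasonable number of sources in the window; with two or three hosts a single large uploader drags the median up and can hide itself, which is why the absolute threshold is kept as well. Real deployments would also key on destination category and time of day, which this example omits.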

Figure 4: Estimated frequency of data leakage from corporate information systems. (n=277)

Compliance
Compliance Risk stems from failure to meet regulatory or business requirements for information handling or processing. In highly regulated industries, compliance failure may compromise the organization's reputation, profitability, or even existence. Since many regulations govern privacy and information security, Compliance is sometimes seen as derivative of Security. But Compliance Risk is more than Security Risk formalized by law. Regulations including new U.S. Federal rules for legal discovery broaden the scope of Compliance Risk beyond security concerns. And even regulations unrelated to IT may require dramatic changes to IT infrastructure and processes, adding complexity and competing for scarce IT resources with mitigation of other risks. The U.S. Sarbanes-Oxley Act of 2002,15 and the EU Markets in Financial Instruments Directive,16 are just two recent examples of regulatory initiatives not aimed at Security Risk, but with far-reaching consequences for IT.


The compliance obligations of organizations subject to local, regional, and national regulations include the costs of maintaining and reporting compliance to the satisfaction of external regulators, the challenges of setting and meeting internal policies and standards to assure that external requirements are met, and obligations governing the security, availability and performance of their IT services for internal clients.

Compliance impacts
The IT Policy Compliance Group examined financial impacts of IT compliance in 2007. After finding an association between compliance and lower rates of data loss and theft, the study determined that after loss and theft incidents, public companies experienced eight-percent declines in stock price, active customer base, and short-term revenues. In addition, the study found that firms spent an average of $100 per lost record in litigation, settlements, restoration, and improvements.17 Noncompliance with standards and internal policies introduces risks even when regulatory controls are moderate. Combining these direct and indirect impacts with intangible losses of reputation, loyalty and employee morale justifies the ranking of Compliance as a critical IT Risk.

IT Risk: Value and Vulnerability
IT Risk element | Compromised core values | Risk origins
Security | Trust, customer reputation | External attacks, malicious code, physical destruction, inappropriate access, disgruntled employees
Compliance | Legal, financial, and operational integrity | Changing or misunderstood regulations, missing or poorly-defined IT policies, insufficient auditing capability
Performance | Efficiency and productivity | Poor system architectures, network congestion, inefficient code, inadequate capacity, ineffective process design
Availability | Financial and supply-chain integrity, commercial responsibility | Network failures, inadequate change management, data center failures, regional disasters


Availability and performance: different kinds of risk?


Availability Risk concerns inaccessibility of information or applications during a system outage and recovery. Performance Risk concerns reduced business productivity or value when teams, systems or applications underperform. Often overshadowed by Security and Compliance concerns, and sometimes unrecognized outside IT, these risks differ in several important ways.

Frequency and impact
Security and Compliance risks attract attention because of their high visibility and impact: virus outbreaks, data loss, or lawsuits may require disclosure, are a staple of the business press, and are devastating to the individuals and companies involved. In the U.S. alone, twice-weekly updates barely keep up with the rate of new data breaches, some involving hundreds of thousands of records18 and million-dollar fines. In contrast, common availability and performance events tend to be incremental, and may escape notice: a few seconds' delay in serving a Web site, a few percentage points lower transaction capacity, a near-miss in meeting recovery-time or recovery-point objectives. Yet the cumulative burden of IT underperformance weakens any organization, and a single breakout event may be enough to bring it down.

Transfer of harm
A second difference is that while Security and Compliance risks involve a transfer of harm, from thief to victim or from government to organization, Availability and Performance risks often play out inside the walls, as reduced revenue, added expense, or lost profit. Stakeholders can, should, and do complain, but incremental availability and performance shortfalls rarely attract outside attention, nor are the affected organizations likely to seek it. But when they occur, availability and performance disasters can be nightmare scenarios: transaction processing at a crawl on the busiest shopping day of the year or during a market crash, failures cascading through backup systems during a site or regional disaster, or essential services missing when they're needed most. Worse, Availability and Performance disasters are often irrecoverable over the short term.

A reciprocal relationship?
Finally, some IT professionals see Availability and Performance as reciprocal to Security and Compliance. This seems true at the extremes: information locked in a safe on the ocean floor might be secure and safe from the legal and regulatory consequences of disclosure, though at great cost to its availability, and to the performance of systems that use or serve it.


But the reciprocal relationship Security and Compliance have with Availability and Performance extends to the middle ground. Every improvement in distribution of information raises the risk it will fall into the wrong hands, or violate principles governing its use. Likewise, attempts to secure information often make it less available, and may compromise the performance of systems that process it. This reciprocal relationship is at the core of many tough decisions in IT Risk Management.

Availability impacts
When business processes depend, sometimes completely, on IT systems and processes, IT failures cause business failures. Researchers at Dartmouth and the University of Virginia investigated one example: hypothetical failure of the Supervisory Control and Data Acquisition (SCADA) network at an oil refinery. SCADA failure would immediately shut down production because of safety concerns. The researchers estimated an economic impact of $405 million from a hypothetical ten-day outage at a supplier that contributed 10 percent of the U.S. gasoline supply. The affected supplier would bear only $255 million of the impact; others in the supply chain would assume the remaining $180 million loss.19 The example highlights two important facts. First, IT system availability is often equivalent to business availability. Second, in a connected world of global supply chains and collaboration networks, availability failures in one business cascade directly into others.

Performance impacts
Performance Risk compromises business efficiency. A thought experiment illustrates the point: a 1 percent loss in labor productivity is just five minutes of an eight-hour day. But for a U.S. or Western European organization of 10,000 employees, that same loss costs approximately $4.25 million in wages every year.* How many organizations can say that they lose no more than 25 minutes of productive time each day (about 5 percent) from slow system response time, inefficient application design, poor integration, or misaligned IT and business priorities? Figure 5 estimates the annual costs of productivity losses on that scale and less, for organizations of different sizes. Figure 2 showed that 68 percent of survey participants rated Performance Risk a critical or serious threat. Add to the direct impacts of Performance Risk on productivity the follow-on effects on customer satisfaction and supply-chain efficiency, and it becomes clear why Performance Risk is an important target for IT Risk Managers.

* Assumes 60 percent of employees in the United States and 40 percent in Western Europe, all earning their national average hourly wages: $18.58 for the U.S. and $23.31 for the UK. U.S. average wage per U.S. Social Security Administration, October 2007; UK per National Statistics Office, November 2007.


Figure 5: Hypothetical annual cost of unproductive time, expressed as millions of dollars per minutes lost each day, for organizations of different sizes.
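Figure 5 does not survive extraction, so the following reconstructs the model behind it as an added example (not the report's own code). The hourly wages and the 60/40 U.S./UK staffing mix are the report's footnote values; the number of working days per year is not stated in the report and is assumed here to be 250, which is the value that reproduces the $4.25 million figure for 10,000 employees losing five minutes a day. The organization sizes and minutes-lost columns are chosen for illustration and need not match the original figure.

```python
"""Reconstruct the productivity-cost model behind Figure 5.

Added example; not from the report. Hourly wages and the staffing mix are the
report's footnote values. WORKDAYS_PER_YEAR is an assumption the report does
not state; 250 reproduces the $4.25 million figure quoted in the text.
"""
from typing import Dict, Sequence

US_HOURLY_WAGE = 18.58            # report footnote: U.S. SSA, October 2007
UK_HOURLY_WAGE = 23.31            # report footnote: UK National Statistics, Nov 2007
US_SHARE, UK_SHARE = 0.60, 0.40   # staffing mix stated in the footnote
WORKDAYS_PER_YEAR = 250           # assumption (not stated in the report)
MINUTES_PER_DAY = 8 * 60          # eight-hour day, as in the text


def blended_hourly_wage(us_share: float = US_SHARE, uk_share: float = UK_SHARE) -> float:
    """Weighted average wage for the assumed U.S./UK staffing mix."""
    return us_share * US_HOURLY_WAGE + uk_share * UK_HOURLY_WAGE


def annual_cost(employees: int, minutes_lost_per_day: float,
                workdays: int = WORKDAYS_PER_YEAR) -> float:
    """Dollars of wages paid for unproductive time over one year."""
    return employees * (minutes_lost_per_day / 60.0) * blended_hourly_wage() * workdays


def productivity_loss_pct(minutes_lost_per_day: float) -> float:
    """Share of an eight-hour day that the lost minutes represent, in percent."""
    return 100.0 * minutes_lost_per_day / MINUTES_PER_DAY


def cost_table(sizes: Sequence[int], minutes: Sequence[int]) -> Dict[int, Dict[int, float]]:
    """Annual cost in millions of dollars, keyed by organization size, then minutes lost."""
    return {n: {m: annual_cost(n, m) / 1e6 for m in minutes} for n in sizes}


if __name__ == "__main__":
    sizes = (1_000, 5_000, 10_000, 50_000)
    minutes = (5, 10, 15, 25)
    table = cost_table(sizes, minutes)
    print("employees " + " ".join(f"{m:>8d}min" for m in minutes))
    for n in sizes:
        print(f"{n:>9,d} " + " ".join(f"${table[n][m]:>9.2f}M" for m in minutes))
```

The model is deliberately wage-only, as the report's footnote is; it leaves out benefits, overhead and the customer-facing effects the text mentions, so it is a floor on the cost rather than an estimate of it.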

Beyond Security-centric IT Risk Management


Balanced investments in controls are the key to successful management and mitigation of IT Risk, and require a balanced assessment across IT Risk elements. Even when security concerns dominate their risk environment, organizations must take care that a security-centric view does not blind them to very real availability and performance risks that may be neglected, or even created by their security mitigation efforts.


IT Risk Management is a continuous process, to address constantly changing IT Risk and business environments.

Myth Two: IT Risk Management is a Project

IT change outpaces point-in-time planning. IT Risk Management is adaptive and continuous. Start with policy, and deploy the right controls.


Already involved in hundreds of projects, busy enterprise IT departments may see the assessment of IT Risk as a one-off project, followed by adjustments to remediate specific deficiencies. But this is unsatisfactory in a world where risks are constantly changing. Organizations must monitor IT risks continuously, and make frequent changes to their management strategy. And while it's certainly true that the initial stages of IT Risk assessment will resemble other projects, and that the process can profit from the same discipline and focus that make any IT project a success, the project perception, like the firefighting mentality that preceded it, can defeat even the best intentions and efforts. Annual projects, or "random acts of risk management,"20 are better than nothing at all. But organizations put themselves at risk when the cadence of their IT Risk Management programs fails to match the rate of change in their risk environment. Effective, continuous IT Risk Management processes may be introduced to an organization without compromising the discipline and sense of mission surrounding the launch of major initiatives. This section reviews some of the ways that business and technology change affects the risk environment, and outlines some ways leading organizations have introduced IT Risk Management into their core business processes.

Incident rates and reactions


IT Security, Compliance, Availability, and Performance incidents assault the modern organization at an alarming rate. Just ask the people on the front lines: administrators charged with monitoring and responding to these incidents every day. For IT Risk Management programs to manage what they measure, organizations need to measure the rates of these incidents. We asked survey participants to estimate the frequency of four types of IT incidents: regulatory non-compliance, major information loss, major IT failure, and minor IT failure; results are shown in Figures 6 through 9. We found that:

- 66 percent of participants expect a regulatory non-compliance event at least once every five years
- 59 percent expect a major loss-of-information event at least once every five years
- 63 percent expect a major IT failure at least once a year
- 69 percent expect a minor IT failure at least ten times a year

These estimates predict an IT incident about once a month for an average organization. At such an incident rate, annual or bi-annual IT Risk Management is clearly insufficient.


Figure 6: Participants' expected incidence of regulatory non-compliance by their organizations. (n=405)

Figure 7: Participants' expected incidence of severe impacts from loss of information confidentiality, availability, or integrity. (n=405)


Figure 8: Participants' expected incidence of severe impacts to their IT organizations that interrupt critical business operations. (n=405)

Figure 9: Participants' expected incidence of minor impacts to their IT organizations that impair the work of individuals or groups. (n=405)

The changing risk environment


Not only are IT and business environments rife with every kind of IT Risk, but the risks are constantly changing. In the Introduction, we saw evidence of a transition in the type of Security Risk faced by organizations; in fact, every category of IT Risk is evolving all the time, driven by technology change, company go-to-market strategy, and the macro business climate. Other elements of IT Risk are changing just as fast. The Compliance Risk environment is in constant flux as regional and national governments enact new legislation, organizations introduce frameworks and standards for IT Governance and other processes, and companies adjust policies to meet the needs of their unique business strategies and environments. Availability Risk changes, for example when entering new markets with unreliable power and communications infrastructures, and in disaster-prone areas it can literally vary with the weather. Performance Risk shows long-term trends based on the availability and affordability of high-performance systems, applications, and personnel. But it also shows seasonal variations based on demand cycles that vary from one organization to another, and the resources available to meet them.

IT Risk Management: a continuous process


With such variability in IT Risk environments over time, any project-oriented or point-in-time IT Risk Management process will quickly find itself overtaken by events. Changing IT Risk environments call for adaptive IT Risk Management that anticipates and responds to environmental change as it remains aligned to strategic organizational objectives. Adapting environmental and event monitoring to the frequency of IT incidents represents a critical best practice.

Major changes in business strategy are rare, but operational and go-to-market adjustments happen every day. For example, software-as-a-service applications offer flexibility and rapid time to market, but present significant challenges across the spectrum of IT risks. IT Risk Management programs must track such developments, understand their business context, and develop a Risk Management posture to accommodate and support them.

Risks from technology are evolving, too. The Symantec Internet Security Threat Report tracks changes in the Internet threat landscape over time in its Future Watch feature, covering likely emerging threat activity. Figure 10 illustrates some recent topics. As discussed above, annual benchmarks are only a single contributor to an organization's continuous assessment of IT Risk; alert managers will supplement them with both formal and informal indicators of risks introduced by changing technology, people, and processes.
Figure 10: Summary of the Symantec Internet Security Threat Report Future Watch topics.

ISTR Future Watch Topics

Volume VII, Sept 2005:
- Modular malicious code
- Bot networks
- Phishing targets and methods
- Advanced spyware developments
- Wireless security threats
- VoIP threats
- Mac OS security

Volume X, Sept 2006:
- Polymorphous Win32 malicious code
- Web 2.0 security threats and AJAX attacks
- Microsoft Vista
- Increased vulnerabilities due to fault injection fuzzers

Volume XII, Sept 2007:
- Malicious code and virtual worlds
- Automated evasion processes
- Advanced web threats
- Diversification of bot usage


Continuous IT Risk Management for continuous improvement


Organizations use technology to capture or enter new markets and build efficiencies, inevitably exposing themselves to new risks as they do. Continuous IT Risk Management programs, evolving at the speed of business change, can help them measure and then mitigate or accept those risks in a way that matches their strategy for securing sustainable competitive advantage. Depending on an organization's size and strategy, a continuous IT Risk Management program may be fully staffed in its own department or a task for the CIO. Regardless of its scope, every program needs a push to get started. Symantec has identified these practical first steps that have helped IT organizations launch successful Risk Management programs:

1. Put one person in charge: chosen according to your organizational structure and dynamics, but with the authority to make things happen
2. Use an event as a catalyst: an IT incident that provides momentum for IT Risk Management makes the best of a bad situation
3. Perform an initial risk assessment: avoid the temptation to "just do something", and use at least a quick, qualitative assessment to focus efforts for quick returns on modest investments
4. Start dialogues at the executive and board level: IT Risk Management succeeds when the whole organization is behind it, so start at the top

Controls
Once underway, a successful IT Risk Management program needs to monitor controls to assess the internal environment, and appropriate sources of information to monitor the external environment. More frequent monitoring of internal controls helps cut incidents and associated losses. The IT Policy Compliance Group determined in 2007 that organizations that monitor IT controls more frequently experience fewer incidents: "Organizations with the fewest unreported data losses and compliance deficiencies are monitoring and measuring controls once every one to three weeks, and on average at least once every two weeks; firms with most IT compliance deficiencies and the highest latent data losses are monitoring and measuring controls once every 6.8 to 8.5 months."21


Information
Conversations with business managers provide valuable insights into strategic direction and go-to-market initiatives; IT vendors can help predict system upgrades and other operational information. IT analysts can help identify IT trends and emerging issues to help managers assess the external environment. One valuable source is the Symantec Internet Security Threat Report, which offers a six-month update of internet threat activity that includes analysis of attacks, vulnerabilities, malicious code, and trends in phishing and spam.

Myth and reality


The myth that IT Risk Management can be addressed in a single project, or even as a series of point-in-time exercises across budget periods or years, ignores the dynamic nature of the internal and external IT Risk environment. Worse, this view ignores the opportunity value of capable IT Risk Management: identifying acceptable risks, measured against their costs and business value, or implementing mitigation processes that allow an organization to take calculated risks with confidence.


People, executing processes supported by technology, are your most valuable resource to manage IT Risk.

Myth Three: Technology alone mitigates IT Risk

Process effectiveness is a known weakness.
Frameworks, controls, and the road to improvement.
Key process controls and the critical role of training.


Organizations manage IT risks by deploying controls. These span a wide variety of activities, and typically involve people executing processes with technological support, for example by using compliance management software to create policies mapped against regulations and best practices, and then monitor and document compliance. The February, 2007 IT Risk Management Report, Volume 1 examined relationships in the use of eight technology controls and eight process controls. In a technology discipline populated by many specialists with engineering backgrounds, it was no surprise to find attempts to solve persistent problems framed in Engineering terms. IT professionals rated their organizations more effective deploying technology controls to address IT Risk than they did process controls. The analysis also determined that best-in-class organizations followed a more balanced approach in deploying technology and process controls. For the 2008 study, we expanded the analysis to cover a larger set of controls, each with elements of people, process, and technology.

Best in class: risks and incidents


For this study, we asked participants to rate the effectiveness of implementation of 18 controls critical in managing IT Risk, arranged into four categories: strategic, support, delivery, and security controls (see sidebar on page 33 for descriptions). We divided our 405 participants into quartiles based on their overall effectiveness across all 18 controls. As in last year's study, we calculated separate indexes for compliance and business process risk for each quartile (across six compliance and seven business-process IT Risk areas), together with the rates at which participants expected IT incidents. These results are shown in Figure 11.

Figure 11: Expected incident rates and ratings for two categories of IT Risk in organizations in each IT Risk Management performance quartile. Professionals from better-rated organizations see themselves facing more IT Risk, but expect fewer incidents. (n=405)


As they did in Volume 1, these results show that participants who rated their organizations effective in managing IT Risk saw them facing greater compliance and business process risk but expected fewer IT incidents. The relationship suggests that organizations more effective at deploying controls are rewarded with lower rates of incidents.

Best in class: balanced controls


What separates best-in-class performers from other participants? A closer look reveals that organizations in the Best quartile deploy strategic, support, delivery, and security controls with uniformly high effectiveness (see Figure 12). This contrasts with organizations in the Worst quartile, which deploy security controls at moderate levels of effectiveness, but show less success with strategic and delivery controls. Again, readers of last year's report will find few surprises: organizations with strong performance ratings deploy controls effectively across the full range. No control or category alone leads to high performance; a combination of effective controls helps best-in-class organizations achieve their expectation of lower rates of IT incidents.

Figure 12: Effectiveness ratings for four categories of controls (strategic, support, delivery and security) by performance quartile. (n=405)

The importance of process controls


IT professionals are familiar and comfortable with technology controls. But process controls are often the key to avoiding serious incidents, as demonstrated in a study conducted by Symantec and researchers from MIT's Center for Information Research in 2007. The study examined root causes of 85 severity-one security and availability incidents. Figure 13 on page 30 shows the results.


Process-based issues caused 53 percent of incidents. In 63 percent of these cases, no predefined process existed to manage the incident; in only 22 percent did an existing process fail to manage it. Environmental configuration issues accounted for 51 percent of incident root causes, and staff skills for 41 percent.

Figure 13: Root causes of IT incidents. (Total exceeds 100 percent: 63 percent of the incidents had multiple root causes). (n=85)

The promise of process frameworks


How can other organizations build strong processes to achieve best-in-class performance? Fortunately, they have help. IT leaders have focused considerable attention in recent years on IT Service Management (ITSM) process frameworks and standards, including the Information Technology Infrastructure Library (ITIL) framework managed by the UK Office of Government Commerce, the ISO/IEC 17799 security and 20000 audit standards, and the Control Objectives for Information and related Technology (CobiT) best-practices guidance materials on IT Governance.22 Following in the tradition of the quality disciplines that transformed manufacturing in the 1980s and 1990s, these frameworks and standards address constantly changing IT infrastructure and data-center configurations from the standpoint of services delivered to IT end-users. More than 20 percent of billion-dollar companies have already completed one or more ITIL implementations,23 and many more are underway. The business benefits these organizations hope to achieve include:

- IT service improvements such as consistent performance against Service Level Agreements with IT risks minimized, managed, or accepted
- IT process improvements including operational best practices, with documentation of compliance to appropriate policies and standards
- Standardization of IT infrastructure and processes, to reduce costs, complexity, and time-to-value of IT investments

And as we will see in the next section, investments in training and staff development are among the most productive paths to improved performance.

Process trends
While interviewing for last year's study, we observed that several organizations were making large investments in secure application development processes. Participants explained that they were building more secure IT operating environments by eliminating security problems at the source. Comparing this year's results with those, we have seen a 10 percent improvement in the number of participants rating secure application development over 75 percent effective. This indicates that organizations are making thoughtful, effective investments to manage IT Risk.

We predict that Problem Management will be the next area to improve as Secure Application Design did. ITIL helps align IT initiatives with business goals, using Problem Management "to minimize the adverse impact of Incidents and Problems on the business that are caused by errors within the IT Infrastructure, and to get to the root cause of Incidents and then initiate actions to improve or correct the situation."24 Our research with MIT showed that IT incidents share root causes. We expect that as IT Risk Management programs mature, they will begin to deploy more robust Problem Management processes to eliminate root causes of IT incidents, using or modifying technology as needed, but relying primarily on processes to manage specific, identified root causes.

In Volume 1 we noted concern over the low rating of the Asset Inventory Classification and Management control. Participants in the current survey reported a negligible increase in effectiveness for this control, still the most poorly rated in the study. In addition, the current survey shows a decline of 17 percent in the number of participants who rate Data Lifecycle Management over 75 percent effective. The combination of these two trends is a concern. Both of these controls classify systems and information, applying unique policies to each class. This process aligns the treatment of each class with business objectives. Weakness of these controls suggests that assets will be treated equally, so that some systems, processes, and objects will be overprotected and others underprotected from IT Risk, resulting in cost and service inefficiencies.


Technology in support of process


Although technology cannot substitute for process discipline and expertise, technology solutions can help standardize, automate, and report key measurements related to process effectiveness, increasing the span of awareness and control of trained personnel. Process-support technologies include software and appliances to assist IT organizations with:

- Configuration and Change Management, to improve the discovery, mapping, correlation, and tracking of changes to applications and servers
- Performance Management, to identify underperforming assets and infrastructure tiers, and help isolate root causes of underperformance
- Provisioning Management, for consistent patch deployments across operating systems and geographies, avoiding incompatibilities and timing issues

Technology plays a critical role in the mitigation of IT Risk. But people and processes, supported by technology, determine how effective your program will be. An organization's maturity in deploying IT Risk Management will dictate which investments are most appropriate for your organization at this time. And while every organization is unique, core Risk Management problems are common to all organizations.


Key Controls for Managing IT Risk

The key controls listed below were derived from extensive study of published control standards for IT management, including the Information Technology Infrastructure Library (ITIL), CobiT, and ISO 17799, as well as from Symantec's experience in working with top-performing organizations throughout the world.

Strategic Controls
- IT policy, strategy, and architecture
- Organizational structure, roles, and responsibilities
- Governance, compliance and continuous improvement
- Data lifecycle management

Support Controls
- Asset inventory classification and management
- Physical and environmental management
- Configuration, change and release management
- Incident, response and problem management

Delivery Controls
- Service level management
- Operational design, workflows and automation
- Secure application design, development and testing
- Systems build and deployment
- Capacity management
- Availability management
- Service continuity management

Security Controls
- Authentication, authorization and access management
- Network, protocol and host security
- Training and awareness


IT Risk Management, like other business processes, requires disciplined planning and execution.

Myth Four: IT Risk Management is a science

An emerging business discipline, not a science.
Origins of IT Risk Management.
IT Risk Management in context: Risk Management, Business Strategy.


This last myth is more widespread within the practice of IT Risk Management than in the business community at large. As IT Risk Management becomes more widely practiced, disciplined, and documented, and especially as standards and frameworks encourage consistent practices, practitioners may come to see it as a set of fixed principles and relationships, universally applicable across industries and geographies.

Roots and progress


But IT Risk Management is an emerging business process, not a science. Rather than experiment and analysis, IT Risk Management relies on the experience accumulated by individuals and organizations as they manage their way across a changing business landscape. We can identify three primary contributors to the current practice of IT Risk Management:

Operational Risk Management

In the Risk Management family, Financial Risk Management is the science, and Operational Risk a set of ad hoc processes to address events ranging from fire and fraud to supply-chain failure. Its diversity is captured in its definition: "the risk of loss from inadequate or failed internal processes, people, and systems, or from external events",25 in effect covering any risk that cannot be completely hedged or insured against. By 2002 the interconnectedness of internal and external networks and business processes had already given IT Risk Management special status. Logically and taxonomically still a form of Operational Risk Management, IT Risk Management emerged as a separate practice because:

- Many business operations and transactions now took place entirely within IT systems
- The pace of technology change required more rapid adaptation in technology and process controls than do other forms of operational risk
- The discipline of IT Risk Management required specialized knowledge and skills among both IT professionals and business managers

Process improvement disciplines

Process improvement methodologies transformed factories worldwide in the late 1980s and throughout the 1990s, and launched one of the greatest productivity advances in history. Manufacturing disciplines drove build quality to unprecedented heights, while computer-intensive Manufacturing Resource Planning and Enterprise Resource Planning technologies broke through old assumptions about productivity and inventory management.


A few pioneering companies demonstrated that these efficiencies could work even across company boundaries, in supply partner and distributor networks that combined with the communications efficiencies of the Internet to launch the e-commerce revolution. IT Risk Management is their natural successor. Too often viewed as a merely defensive exercise, IT Risk Management helps companies identify both risks and opportunities in their business environment, and trade-offs between risks and costs, or risks and opportunities. With trade-offs identified and measurement systems and controls in place, organizations can take appropriate risks confidently, to pursue opportunities they might otherwise forgo.

Business and IT Governance

Regulations governing business conduct, most prominently Sarbanes-Oxley in the United States, raised the accountability of corporate officers and disclosure standards for business information, with significant implications for IT. Sarbanes-Oxley was an external stimulus for many companies, the first that forcibly aligned business and IT strategies, and made IT Governance a top-of-mind issue for many chief executives. To meet the requirements of Sarbanes-Oxley, EU Privacy and Markets Directives, and industry-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry (PCI) Data Security Standards, IT needed a way to organize, evaluate, and balance these requirements systematically to guide effective action, and IT Risk Management was well adapted for the task.

Current state of IT Risk Management


Most business people are familiar with Risk Management, but few understand the emerging practice of IT Risk Management, and fewer still appreciate its role in today's connected organizations. IT Risk Management combines the rigor and breadth of Operational Risk Management, the productivity focus of Manufacturing disciplines, and the stakeholder point of view common to governance frameworks. It adds process and technology controls unique to the IT world, and is emerging as a business discipline, like Financial Risk Management or Supply-Chain Management, capable of making a unique contribution to organizational effectiveness.


Frameworks and best practices


Documented best practices for IT Risk Management are scarcer than for IT Operations Management frameworks like ITIL, for example. Standards such as ISO 17799, The Code of Practice for Information Security Management Systems, and the broader Australian/New Zealand Standard on Risk Management, AS/NZS 4360:2005, can help, but these are references rather than practice guidelines. Frameworks and standards provide an excellent start, but every organization will add and refine priorities and processes appropriate for its own risk environment and organizational goals. Through its research and client work, Symantec has identified four IT Risk Management best practices that are generally applicable across organizations:

1. Assess risk and scope: before taking action, assess the likelihood and probable impact of each risk. Even simple, qualitative assessment will help you avoid coverage gaps and waste as your program gets underway. Keep in mind that not all IT Risk must be eliminated: quick, cheap corrections may be enough to bring a risk to acceptable levels.
2. Build a risk-aware culture: because businesses take risks for profit, naive risk aversion can be a barrier to success. IT Risk Management should build a culture that understands organizational objectives, IT risks, mitigation costs, and their interrelationships.
3. Develop people: MIT research cited in Chapter 4 showed that 41 percent of IT incidents have root causes based in staff skills. In a separate study, IDC and Symantec found that training and team skill levels have profound impacts on IT performance.26 Training investments pay off, for example, by refocusing team efforts on high-value activities, which can improve team productivity by 10 percent or more, more than enough to cover the costs of training.
4. Give it time: chalk up some early wins to build momentum, but focus long-term efforts on strategic issues identified in your risk assessment, then allow those controls to mature over time. Symantec experience demonstrates that it may take three to five years for IT Risk Management controls to become completely effective.

Taking the second step


The most important step in any IT Risk Management program is simply getting started, and in Chapter 3 we suggested using a catalyst event to get your program underway. But what are the next steps? Based on Symantec's experience with emerging and established IT Risk Management programs, and analysis of correlations between risks and controls for survey participants, we see the following as a logical implementation sequence for controls:


1. Security risks and controls: survey results suggest addressing security risk first, since better security controls most strongly predicted improvement in incident expectations. And because information security is IT-centric, IT can act with less dependence on others to achieve easy wins and gain early momentum.
2. Availability risks and delivery controls: delivery controls, closely associated with Availability Risk, had the second-strongest correlation with reduced incident expectations. Our research also indicates that organizations facing higher levels of business process risk deploy delivery controls most often. And because business managers easily grasp the benefits of reduced availability risk, delivery controls are an excellent step in meeting business objectives outside the glass house.
3. Compliance/performance risks and strategic controls: Compliance and Performance Risk most closely underpin business units' daily use of IT services. Managing these risks requires collaboration to align the actions of IT with the requirements of its business clients. Laying a foundation with Security and Availability Risk elements prepares your organization for these more sophisticated conversations.

Your organization may face a unique set of risks that calls for a different approach: for example, an insurance company in an at-risk region may focus on Availability Risk first, or a company under regulatory review on Compliance Risk. As illustrated in Figure 14, alignment is critical throughout execution. And regardless of the order of deployment, use the four best practices as a guide.

Figure 14: Illustration showing how key elements of IT execution interact with the most important issues in IT/business alignment. Execution skills apply across multiple issues, justifying investments in skill development.


Conclusion
Technology drives the consolidation of industries, globalization of markets, and invention and reinvention of organizations worldwide. Technology supports collaboration and innovation at rates never seen before. But technology failures can bring entire segments of the economy to a halt, corrupt records or leave them inaccessible, and compromise employees' productivity. Managing risks introduced by IT is a business imperative. In this report, we have observed that:

- IT failures in your organization ripple through customers, suppliers and partners
- IT risks come from multiple sources, change constantly, and require a continuous program of discovery, monitoring, and management
- IT risks are managed by the combination of people, process, and technology, balancing risks against business objectives
- IT Risk Management is a business process that adapts to organizational requirements, guided by best practices

As you launch or expand your IT Risk Management program, keep in mind that managing IT Risk rarely means eliminating it. Instead, IT Risk Management disciplines and practices help keep IT services flexible, adaptive, and aligned to organizational goals in a constantly changing business climate. In addition, IT Risk Management can provide the insight that allows you to take calculated risks with confidence and use IT to drive competitive advantage.

The future
Symantec will continue its research into IT Risk Management to discover additional practical recommendations and best practices to help organizations develop and implement their own programs. Future research will assess the state of deployment and maturity of IT Risk Management programs, including the prevalence of IT Risk Management initiatives and the use of programs-based best practices. Symantec will continue to explore how the management of IT Risk contributes to business productivity, competitive advantage, and the spirit of innovation.



Appendix
Methodology
Data collection

Between February 2007 and October 2007, Symantec collected 405 surveys from IT professionals attending IT events worldwide (approximately 85 percent), or online at www.symantec.com (approximately 15 percent). Each participant received a report comparing his or her responses to those of a benchmark group. To ensure candid responses and protect participants' privacy, Symantec contracted a third party, Ecosystems, LLC of Vienna VA, to collect, process, and aggregate the survey results. Because participants occasionally skipped one or more survey questions, the number of responses may vary from one question to another.

Differences in questions

For comparison and trend analysis, the current report echoes several questions from the Symantec IT Risk Management Report, Volume 1, which reported responses from 528 participants last year. The current report also includes results from questions designed to extend data-set coverage or explore emerging issues.


Demographics
We fielded the survey to a broad group of IT professionals, across industries, sizes of organization, participant job role and global region. These demographics provided the variables for much of our analysis.

Figure A1: Participants by industry. (n=405)

Figure A2: Participants by job role: professional includes business, consultants and other non-IT job functions. (n=405)


Figure A3: Participants by organization size. (n=365)

Figure A4: Participants by geographic region. This report includes participants from the Asia Pacific region, which was not represented in the previous report. (n=405)

Use of indexes
This report compiled seven indexes to measure the significance or impact of risks, effectiveness measures, or incident rates across participants, compare results across demographic or other categories, and for correlation and comparative analysis. Each index averages data across the relevant set of questions. The indexes are:

- Compliance Index
- Business Process Index
- Incident Rate Index
- Strategic Effectiveness Index
- Support Effectiveness Index
- Delivery Effectiveness Index
- Security Effectiveness Index



NO WARRANTY. The information provided in this document is being delivered to you AS IS and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the information contained herein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. Copyright 2008 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and INFORM are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.


About Symantec
Symantec is a global leader in infrastructure software, enabling businesses and consumers to have confidence in a connected world. The company helps customers protect their infrastructure, information, and interactions by delivering software and services that address risks to security, availability, compliance, and performance. Headquartered in Cupertino, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com.

Confidence in a connected world.

For specific country offices and contact numbers please visit our Web site. For product information in the U.S., call toll-free 1 (800) 745 6054.

Symantec Corporation
World Headquarters
20330 Stevens Creek Boulevard
Cupertino, CA 95014 USA
1 (408) 517 8000
1 (800) 721 3934
www.symantec.com

Copyright 2008 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 1/08 12818026

