Secure Digital Solutions, a professional services organization headquartered in Minneapolis, Minnesota, recently conducted a survey of 122 information security and privacy leaders to determine how organization size, regulatory responsibility, program maturity, and investment spending are related. The study examined six key components of an information security and compliance program:

  1. Understanding of Regulatory and Data Security Requirements
  2. Policy & Procedures
  3. Expertise within Data Security & Compliance Program
  4. Regular Monitoring & Assessment
  5. Timely Remediation (within 90 days of gap finding)
  6. Technical Control Adoption/Implementation

The study found that eight out of ten respondents have established a control framework to address information security and privacy related requirements. Of these, the largest group report using industry control frameworks such as ISO 27001:2005, COBIT or NIST.

In addition to control frameworks, the study also examined to whom in the organization the information security office reports. The majority of respondents indicate that it is a function within the information technology department.

Organizations continue to struggle with understanding the regulatory landscape, but see the need to invest in this area to move the overall program closer to an optimized state. As many businesses have experienced, regulations often provide the impetus for action; however, improvement of processes, reporting of control compliance, and efficiency in control remediation and risk acceptance are all practices under scrutiny by regulators and corporations alike. Most organizations understand that these practices are necessary for the business to remain flexible and respond to market demands while achieving and maintaining a continual state of compliance. These are also the areas where improvement is likely to continue over the next 12-18 months.

To read the full report, visit here.