Customer Needs Assessment

Determine Risk Tolerance

Regulatory Compliance

Although companies are expected to comply with these regulations, most fall short, according to the IT Policy Compliance Group. In its 2007 survey of 475 companies, the compliance group found that “eighty-seven percent of organi- zations—about 9 out of 10 firms—are not leveraging the appropriate compli- ance and IT governance procedures, which would reduce costs, business disruptions, and lost or stolen data.” (Why Compliance Pays, p. 4.)

The IT Policy Compliance Group categorized organizations according to their level of compliance and then listed the number of attacks organizations in each category experienced during a 12-month period:

Lagging organizations—Twenty percent of the respondents are lagging organizations, which have the most cause for concern: these companies are “correcting an average of 26 IT compliance deficiencies each year... and are suffering from 22 losses or thefts of sensitive data each year, most of which are never publicly reported.”

Normative organizations—The normative organizations represent 67 percent of the 475 companies and are trying to correct “six compliance deficiencies.” These organizations are “experiencing six business disrup- tions, and have five losses or thefts of sensitive business data annually.”

Leading organizations—Accounting for only 13 percent of the 475 organizations, leading organizations must “correct only two compliance deficiencies.” The payoff for this compliance is fewer disruptions and losses from attacks. Such companies have only “two business disruptions annually, and have two losses or thefts of sensitive data each year.”

Many companies that want to improve their regulatory compliance are planning to install a network access controller. In fact, regulatory compliance is one of the leading drivers for the adoption of network access controllers. In an Infonetics Research study, 54 percent of companies cited regulatory compliance as a reason for deploying or planning to deploy a network access controller. (See “Infonetics Research: 80 Percent of Large Organizations Plan to Enforce NAC in the Network,” Industry Analyst Reporter, June 4, 2007.)

Quantify Your Company’s Risk Tolerance

As you evaluate and then document your company’s risk tolerance, try to be as specific and as detailed as possible. Estimate your company’s losses and describe what it would take for your company to recover from these loses.

This detailed analysis will not only help you put the necessary access controls in place but will also help you justify those controls to upper management and user communities. (For more information about working with both upper management and users, see “The Human Factor” on page 2-39.)

2-18

Page 91 Page 93
Page 92
Image 92
HP Access Control Client Software manual Regulatory Compliance, Quantify Your Company’s Risk Tolerance
Page 91 Page 93
Top Page Image Contents