Ponemon Auditors' Survey Reveals Poor Opinion Of Security Programs


March 15, 2011


Auditors generally take a dim view of the data security programs at the organizations they audit, according to a Ponemon Institute survey sponsored by Thales eSecurity. Only about one-third of respondents said those organizations are proactive in managing privacy and data protection risks. Three in five say the organizations they audit do not treat data security as a strategic priority, and fewer than half believe the organizations have sufficient resources to meet their data compliance requirements. The net outcome is that half of the audits they conduct reveal serious deficiencies or compliance failures.

The survey indicated a somewhat jaundiced view of the effectiveness of regulatory requirements. Only 40 percent of the auditors said that the organizations they serve believe that compliance actually improves their data security. Two-thirds said that internal policies were a prime means for assessing data security compliance, while just over half cited regulations and laws. Fewer cited industry mandates (45 percent) and contract obligations (34 percent).

Ponemon surveyed 505 auditors, two-thirds of whom characterized themselves as internal auditors. Four of 10 work for business corporations, with the balance spread among auditing and accounting firms, IT consulting and security services companies, and government.

Internal auditors were generally more negative about their organizations' security programs than their external counterparts. For example, 51 percent of external auditors said the organizations they audit make data security a priority, compared with 38 percent of internal auditors. Business units generally control compliance budgets but are not considered the part of the organization most responsible for compliance, the auditors said.

"It's kind of like the fox guarding the hen house," said Larry Ponemon, the institute's chairman and founder. "Business units rather than the law department, IT organization or even compliance own budget, and they determine whether or not to invest in audit." The survey showed that business units control the audit budget in 54 percent of the organizations but are considered primarily responsible for audit in fewer than a quarter of the cases.

The survey also addressed how auditors regard the role of encryption in security and compliance. Seven of 10 auditors said that information assets cannot be fully protected without the use of encryption.

Desktops and mobile devices topped the list (71 percent) of areas in which encryption matters most for protecting information, followed, in order, by data crossing public networks and databases. Encryption was the protection technology of choice over data masking, tokenization and truncation in four key areas: databases, applications outside the database, storage and data at the point of capture.

Tokenization, an increasingly popular alternative for Payment Card Industry Data Security Standard (PCI DSS) compliance in particular, came close to encryption for protection at the point of capture (37 percent versus 43 percent). Key management was cited as the main challenge for encryption programs, with the administration of keys named first and protecting keys in storage second.
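The four protection techniques the survey ranks differ mainly in what is left to protect afterwards, which is the point behind the key-management complaint above. The Go program below is an added example, not code from the Ponemon survey, Thales or this article: it applies truncation, vault-backed tokenization and AES-256-GCM encryption to a constructed test card number so the trade-off is concrete. A truncated value has nothing left to steal, a token is worthless without the vault that issued it, and a ciphertext is worth exactly as much as the key that opens it. The Vault type, its method names and the sample PAN are illustrative choices, not anything the survey describes; masking is covered only in a comment, since it is truncation applied at display time.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// samplePAN is a constructed input: the well-known Visa test number, not a real account.
const samplePAN = "4111111111111111"

// Truncate keeps the first six and last four digits, the most PCI DSS lets you
// display, and discards the rest; nothing retained can rebuild the PAN. Masking
// is the same idea applied at display time, with the dropped digits shown as X.
func Truncate(pan string) string {
	if len(pan) < 10 {
		return ""
	}
	return pan[:6] + pan[len(pan)-4:]
}

// Vault is a minimal tokenization service (illustrative, not a product API).
// Tokens are random, so they carry no information about the PAN and there is
// no key to lose; the only way back is a lookup, which keeps the vault in scope.
type Vault struct{ byToken map[string]string }

func NewVault() *Vault { return &Vault{byToken: map[string]string{}} }

// Tokenize mints a fresh 128-bit random token and records the mapping.
func (v *Vault) Tokenize(pan string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	v.byToken[tok] = pan
	return tok, nil
}

// Detokenize is the only path from token to PAN; unknown tokens are rejected.
func (v *Vault) Detokenize(tok string) (string, error) {
	if pan, ok := v.byToken[tok]; ok {
		return pan, nil
	}
	return "", errors.New("unknown token")
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals the PAN with AES-256-GCM and prepends the random nonce. Unlike a
// token, the ciphertext is reversible by anyone holding the key, which is why
// administering and storing keys are the concerns the survey's auditors report.
func Encrypt(key, pan []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pan, nil), nil
}

// Decrypt splits off the nonce and opens the ciphertext; a wrong key or a
// tampered byte fails authentication instead of yielding plausible digits.
func Decrypt(key, ct []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

func main() {
	key := make([]byte, 32) // in production the key lives in an HSM or KMS, never beside the data
	_, errKey := rand.Read(key)
	tok, errTok := NewVault().Tokenize(samplePAN)
	ct, errEnc := Encrypt(key, []byte(samplePAN))
	if errKey != nil || errTok != nil || errEnc != nil {
		panic("random source or cipher setup failed")
	}
	fmt.Println("truncated:", Truncate(samplePAN))
	fmt.Println("token:    ", tok)
	fmt.Println("encrypted:", hex.EncodeToString(ct))
}
```

Run it with `go run`. The key in main is generated in process only to keep the example self-contained, and that is exactly the arrangement the auditors object to: the encrypted PAN and the key that opens it sit side by side. Moving the key into a hardware security module or key service turns Encrypt and Decrypt into calls out to that device, and leaves the token vault as the one other component whose compromise exposes card data.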

Two-thirds of the auditors said that using hardware security modules (HSMs) for encryption and key management reduces the time spent demonstrating compliance. Just under half said they most frequently recommend HSMs over software-based key management, and a third said they recommend HSMs but allow software-based encryption and key management. The balance said they most frequently recommend software.
