Security Solutions

2-18
Customer Needs Assessment
Determine Risk Tolerance
Regulatory Compliance
Although companies are expected to comply with these regulations, most fall short, according to the IT Policy Compliance Group. In its 2007 survey of 475 companies, the compliance group found that “eighty-seven percent of organizations—about 9 out of 10 firms—are not leveraging the appropriate compliance and IT governance procedures, which would reduce costs, business disruptions, and lost or stolen data.” (Why Compliance Pays, p. 4.)
The IT Policy Compliance Group categorized organizations according to their level of compliance and then listed the number of attacks organizations in each category experienced during a 12-month period:

Lagging organizations—Twenty percent of the respondents are lagging organizations, which have the most cause for concern: these companies are “correcting an average of 26 IT compliance deficiencies each year... and are suffering from 22 losses or thefts of sensitive data each year, most of which are never publicly reported.”

Normative organizations—The normative organizations represent 67 percent of the 475 companies and are trying to correct “six compliance deficiencies.” These organizations are “experiencing six business disruptions, and have five losses or thefts of sensitive business data annually.”

Leading organizations—Accounting for only 13 percent of the 475 organizations, leading organizations must “correct only two compliance deficiencies.” The payoff for this compliance is fewer disruptions and losses from attacks. Such companies have only “two business disruptions annually, and have two losses or thefts of sensitive data each year.”
Many companies that want to improve their regulatory compliance are planning to install a network access controller. In fact, regulatory compliance is one of the leading drivers for the adoption of network access controllers. In an Infonetics Research study, 54 percent of companies cited regulatory compliance as a reason for deploying or planning to deploy a network access controller. (See “Infonetics Research: 80 Percent of Large Organizations Plan to Enforce NAC in the Network,” Industry Analyst Reporter, June 4, 2007.)
Quantify Your Company’s Risk Tolerance
As you evaluate and then document your company’s risk tolerance, be as specific and as detailed as possible. Estimate your company’s losses and describe what it would take for your company to recover from those losses. This detailed analysis will not only help you put the necessary access controls in place but will also help you justify those controls to upper management and user communities. (For more information about working with both upper management and users, see “The Human Factor” on page 2-39.)