Firms Reduce Security Threats by Mapping Risks, Testing Programs

Top companies rely on a combination of testing and carefully identified security procedures to minimize physical and IT security threats, according to a recent report from AberdeenGroup.

To determine the best-in-class companies, Aberdeen looked at a combination of the number of physical-related security incidents, IT security-related incidents and non-compliance incidents in 2007.

The report, Logical/Physical Security Convergence, said that 81 percent of the best-in-class firms have prioritized logical security control objectives as a function of risk, audit and compliance requirements, while 73 percent have conducted formal risk assessments.

In its most recent report, Aberdeen said 64 percent of these firms have implemented controls to monitor and verify that requirements of internal policies and external regulations are being satisfied. Fifty-five percent create a clear mapping of risks and security controls to the various regulations, standards, policies and best practices to which they relate. Forty-five percent have implemented consistent security and compliance policies across logical and physical security aspects of the operation.

Aberdeen recommends that firms seeking to improve their security standards should map out the company’s “security landscape,” identify requirements for auditing and reporting and prioritize physical and logical security control objectives.

An earlier Aberdeen report on security governance and risk management found that firms that take a holistic view of risk could improve security, sustain compliance and improve leverage from existing IT resources. More than three-quarters of the best-in-class firms applied such an approach.