Retention Practices Lost in Shuffle of Handling Sensitive Enterprise Data

Information and IT leaders are focusing on basic retention practices and governance responsibilities, rather than the data security and privacy issues that have led to scandals such as those in news accounts of late, according to a new consultancy survey.


In its second annual enterprise IT security and privacy survey, Protiviti queried approximately 200 CIOs and IT security officials across various industries on their practices, concerns and plans. The 2013 survey results paint a portrait of data practitioners working better with management on sensitive data, increasingly interested in outsourcing or deploying efforts, but hamstrung by the growing volume and variety of data retention demands.

According to the survey, 38 percent of respondents have data retention policies with defined destruction dates (up 16 percent from 2012). For organizations with no real retention policy, or one that involves keeping information without a defined destruction date, survey results remained in the single-digit range. Most troubling to consultants at Protiviti were responses in two other categories, in which organizations had either a “basic” or “detailed” classification system to define data, with varying retention policies and destruction dates depending on the classification. Basic system practitioners were down 9 percent from last year, representing one-quarter of survey respondents in 2013. Nineteen percent of respondents had detailed systems, a 10 percent drop from 2012 that reflects CIOs and IT leaders hampered by other issues to the point where they’re “not taking the best approach” with these critical data management and retention practices.

“IT departments today are focused more and more on ‘fighting fires’ in numerous areas – ERP systems, access management, IT governance, mobile device implementation and support ... As a result, few have the resources available to be proactive in helping to manage the data-related challenges of their organizations,” the survey authors wrote. “At the same time data continues to grow – at some point it becomes critical to address this volume with a detailed and comprehensive classification system that provides a clear understanding of how all types of information – sensitive, confidential and otherwise – are being managed.”

The role of CIOs in creating and overseeing data governance efforts has grown, according to the survey. CIOs were in charge of governance for 38 percent of respondents in 2013 (up 7 percent from last year), while governance responsibility for chief privacy officers (4 percent), chief security officers (16 percent) and chief financial officers (2 percent) all declined by small degrees. Also decreasing in responsibility for and execution of governance activities were individual department leaders, which Protiviti suggested is a general step in the right direction in terms of governance best practices.

When it comes to where that sensitive enterprise data is stored, more organizations are looking outside of traditional enterprise walls, though cloud computing still brings some “reticence.” Protiviti reported that use of on-site servers for sensitive data decreased from 2012 by 14 percent, to 57 percent of respondents this year. Off-site servers increased 7 percent in year-over-year responses, hitting 21 percent in the 2013 survey, and data not stored in any centralized location remained flat at 8 percent. Use of cloud deployments for sensitive data rose one percentage point and is now at 3 percent. Though that figure is measly for now, the rate of organizations taking even their most sensitive data into the cloud “will likely rise” based on increasing confidence in cloud security.

To access the report, entitled “Knowing How – and Where – Your Confidential Data is Classified and Managed,” or register for a June 18 Web seminar on the results, click here.