Consulting firm Protiviti has released its report, The Current State of IT Security and Privacy Policies and Practices, which surveyed over 100 IT professionals on how their organizations manage sensitive data with regard to customer privacy and legal compliance. The results indicate that while companies are becoming more adept at accumulating large amounts of data, they are less astute at classifying and managing it. In fact, almost 25 percent of respondents reportedly believed that their senior management had, at most, very little understanding of what makes data sensitive.
Among the report's other key findings, only 26 percent of participants felt that senior management in their organizations had an “excellent” understanding of the distinction between sensitive and non-sensitive data. While the majority (69 percent) of firms reported having an accessible policy for data classification (i.e., sensitive, public, confidential), only about half reported an actionable plan to actually implement the categorization. On data leakage policy, 86 percent of companies indicated that they had an acceptable use policy, while 81 percent had a record retention/destruction policy, 75 percent employed a written information security policy (WISP), and 65 percent had a data encryption policy in place.
Almost 75 percent of the surveyed IT executives and professionals reported having a crisis response plan for a data breach, though 27 percent either don’t have one or did not know whether their organization has one. Over 70 percent of respondents claimed that their company used on-site servers to store sensitive data; just 2 percent of participants reported using the cloud for that purpose.