The Institute of Internal Auditors Research Foundation has issued areportproviding strong guidance on how to assess exposure for personal technology, with a heavy focus on personal computers.
The report is titled “PC Management Best Practices: A Study of the Total Cost of Ownership, Risk, Security, and Audit.”
It might more appropriately be called “The Internal Audit Is Back and Boy Are They Pissed Report.”
This report could be used to justify buying new personal computers, increasing maintenance and security staff — and perhaps firing your IT executives.
The Power of Internal Audit
Internal Audit’s report represents the most comprehensive look at this problem I have ever seen. It is 156 pages of mandatory reading for corporate IT managers.
It represents the work of well over 100 government organizations and private firms, including the American Automobile Association, American Accounting Association, Information Security Association, American Institute of Certified Public Accountants, U.S. Postal Service, National Center for Forensic Science, Florida Department of Transportation, Bank of America, Associated Marine Institutes, Christiana Marine Institutes, Carnival Cruise Lines, Southwest Airlines, Intel, JCPenney Company, Washington Mutual, Ernst & Young LLP, EDS, Deloitte and Touche, National Association of Corporate Directors, PricewaterhouseCoopers, Giga Information Group, Fidelity Investments and the American Bar Association.
Something to remember is that Internal Audit has a huge amount of power. They enforce rules that can’t be broken. You should clearly have someone on senior IT staff to focus on this kind of thing.
While this report generally addresses U.S. corporations, companies in other parts of the world that have had financial reporting problems are likely to use it as a template as well.
The Dangers of Old IT
The report showcases how critical PCs are to a company’s financial integrity and bottom line. It recommends that boards take a much more active roll in ensuring that the enterprise is not exposed to unnecessary or undocumented risk.
It provides a strong overview of PC management best practices. It connects these practices to business risk and provides guidance as to what kinds of insurance you need to protect the firm. For example, having an out-of-date or unpatched version of Windows will probably void the related insurance policy.
The recommendations include a comprehensive risk management program that fully documents and quantifies the “value at risk” as well as the internal controls in place to mitigate that risk. The level of documentation that is required is well above the current practices of most of the IT organizations I’ve worked with.
Obeying the Law
The report deals extensively with legal compliance, calling attention to the Sarbanes-Oxley Act, the Internal Financial Reporting Standards (IFRS), Basel II, the Corporate Economic Reform Program (CLERP), the Gramm-Leach-Bliley Act, HIPPAA and California Law SB 1386.
The clear implication is that in many cases non-compliance with the recommendations could have criminal and civil consequences.
One of the report’s conclusions is that only about 33 percent of corporations have adequate policies in place governing information security. Among that 33 percent, actual practices fall short in many, if not most, of the cases.
To be blunt, this report implies that the vast majority of IT organizations would fail an audit catastrophically. That should get the attention of someone in your own organization — and fast.
Funding New Computers
Under the “Lemons into Lemonade” approach, the report provides a strong arguments for increased funding for projects that reduce costs and increase system reliability and security.
The kind of changes recommended in the report don’t come without cost. By putting the board and executive staff on notice that they may be held accountable, the report makes the case that officers should request sufficient funds to achieve compliance. The danger of criminal charges could do a lot to loosen some budgetary constraints.
The report makes a big deal about timely replacement of PCs. After reading it, if I were a CIO, I wouldn’t allow any machine older than 36 months to remain in my shop.
Internal Audit goes to great lengths to showc that companies have been brought to their knees by old desktop hardware and that the risk of problems increases by several times when hardware is over three years old.
This has nothing to do with fuzzy “user productivity” garbage. It has everything to do with staying in business and out of legal trouble. If you have old PCs, the report actually suggests you should list them as a risk in your financial reports or be in danger of non-compliance on several fronts.
Linux and Mac OS Risk
There is no benefit to alternative platforms. In fact, the report recommends that all platforms be treated as equal. If, rather than Windows, you run a Linux or Mac operating system, the same patch management, software distribution, systems management, virus protection and security infrastructure rules apply.
Any platform — be it Windows, Palm or Unix — that doesn’t have automated patch management is seen as non-compliant and an unacceptable risk.
As a result, this report is a strong argument for monoculture. It doesn’t directly endorse Windows, but it does imply that you should be 100 percent in one platform or as close to it as possible.
The report makes a better argument than Microsoft ever has for insisting that everyone use Windows XP SP2. I still run into IT managers trying to purge the Mac OS from their shops, and this report provides them with substantial support.
As with most audits the rules are binary: You are either 100 percent compliant or you are non-compliant. And non-compliance is a really bad thing.
Microsoft did not fund this report, nor are they listed as having any direct roll in it, though the company is listed — along with nine other large companies — as belonging to the Foundation’s Chairman’s Circle.
It Could Be Too Late
In the end, you have to take your own risks and form your own conclusions. The report costs a trivial $30, or $25 if your company belongs to the Institute of Internal Auditors. Any CIO or IT manager in a U.S. corporation should read it. It’s available online in PDF format.
Oh, and one more thing: This report actually came out in November of last year. Unless you have access to a time machine, that doesn’t give you much time to get ready.
In fact, it could already be too late: You might be required to report your non-compliance in this year’s annual reports. Good luck.
Rob Enderle, a TechNewsWorld columnist, is the Principal Analyst for the Enderle Group, a consultancy that focuses on personal technology products and trends.
I am a little surprised:
Wasn’t the "careless" approach one of the biggest arguments for Windows and MS Office ("Anyone knows Windows", "Anyone can run a Windows network" and so on)?
In my point of view, being in control of one’s computers is the very key to be protected against worms, viruses and audits.
I absolutely agree with you on this point: Any CIO who is not in control of their shop’s IT puts any business at extreme risk and should be replaced.
But I am once again amazed how you managed to lose some bad words on Linux or MacOS (I was already wondering somebody hijacked your account). Good to see some things never change.