Survey: Half of compliance pros say their organizations botching identity, access control

Ponemon Institute’s survey of 845 audit and compliance professionals indicates they think identity and access management are important for secure business operations, but believe their companies find it difficult to collaborate across IT and business management functions to deliver IAM.

Polled about their organization’s approaches to identity and access management, audit and compliance professionals in industry and government expressed a high level of frustration with how their IT and business management units are managing IAM.

Almost half (45%) of the 845 respondents questioned by the Ponemon Institute for the research study released today said their own organization does not effectively focus its IAM policies and controls on areas of business risk.

The compliance professionals, 68% of whom said IAM products were in use in their organizations, also expressed frustration that IT and business management groups weren’t collaborating well in deploying IAM.

“The compliance and audit folks think collaboration is important, but they acknowledge their companies’ shortfall in this area,” says Larry Ponemon, chairman and founder of the research firm, which focuses on privacy, data breach and security topics. The “Audit & Compliance Professionals: Survey on Identity Compliance” study released today by Ponemon was sponsored by SailPoint Technologies.

Access control, password management, user provisioning and role management constitute aspects of IAM that respondents said were used to meet such regulatory compliance requirements as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act and privacy laws.

However, 65% of the professionals surveyed in the Ponemon study complained that “IT staff lacks understanding of risk management and compliance,” a drawback that made it difficult to implement IAM controls effectively. The IT department in most cases was deemed the most responsible for selecting, deploying and monitoring IAM products in the organization.

In addition, the poll reflected the opinion that IT departments and audit and business people often do not collaborate well on issues concerning IAM compliance. Of those polled, 61% said “there is no collaboration whatsoever” or “collaboration rarely occurs"; 25% called it “okay, but could be improved,” and 14% calling it “excellent.”

Ponemon said the results of the study indicate that according to the respondents, “the IT people don’t have an appreciation of audit and compliance, what the rules are, and don’t prioritize compliance. They think IT cares more about efficiency.”

He added a similar survey of IT people undertaken last February on the same topic showed the flip side of the coin, with IT professionals unhappy with audit and compliance professionals.

Learn more about this topic

Regulatory compliance demands puts IT on the spot

07/31/07

Despite high number of data breaches, database security not a priority

06/07/07

Data breaches plague U.S. companies

05/15/07

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies