Almost half ISO 27001 'compliant' firms break with security

You need policy backed by user management software, says analyst

By Leo King, Computerworld UK
October 22, 2009 02:32 PM ET
Almost half of businesses that claim compliance with ISO 27001 are sharing privileged user accounts and breaking other standard guidance, according to a survey of IT managers.

Some 47 percent of firms in the UK said they were compliant with the standard, but 41 percent of these said that they were using various non-compliant practices.

Bad practice by privileged users is putting European data at "high risk", according to the 'Privileged user management -- it's time to take control' report. These practices included the use of default user names and passwords, the granting of wider access than is necessary, failure to monitor the users, and ignorance of the existence of privileged users in the first place.

Two hundred and seventy European IT managers, including 45 in the UK, were interviewed for the survey, which was conducted by Quocirca.

Twenty-nine percent of firms in the UK rely on manual control of privileged users, who include system administrators, application service users, and privileged personal users. Only a quarter have implemented privileged user management software, which aims to help businesses enforce and track policy. Around 20 percent plan to implement the software.

UK firms saw privileged users as a medium threat, rating them on average at 2.5 on a scale of one to five, where one meant no threat and five represented a very serious threat.

On a similar scale, they exhibited a medium level of confidence that they could monitor and control privileged user accounts, at 3.1 and 3.2 respectively.

Tim Dunn, VP security at management software firm CA, which commissioned the survey, said at this week's RSA Security Conference in London that there is a "necessity for privileged user access", but that they are "the main target for hackers".

Dunn gave businesses a number of recommendations, including making sure risk managers and other executives "take charge of the problem" instead of "leaving it to IT". Firms should also introduce individual accountability, enforce the segregation of duties for privileged users, secure log files, and implement a privileged user management platform, he said.
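The bad practices the report lists (default account names, shared privileged accounts, unmonitored or unknown privileged users) and Dunn's call for individual accountability can both be checked mechanically once sessions on privileged accounts are tied back to the individual who authenticated. The script below is an added example, not code from the article, from Quocirca, or from CA's product; the account inventory, the session records and the list of vendor default names are all constructed for illustration. It flags accounts with default names, accounts with no recorded owner, accounts used by more than one person, and overlapping sessions on one account by different people, which is the clearest sign that a credential is being passed around.

```python
from dataclasses import dataclass
from datetime import datetime
from itertools import combinations

# Assumed list of names that many products ship with; extend it for your estate.
DEFAULT_ACCOUNT_NAMES = {"admin", "administrator", "root", "sa", "guest"}


@dataclass(frozen=True)
class Session:
    account: str   # privileged account that was used
    person: str    # individual who authenticated (e.g. via SSO or a jump host)
    host: str
    start: datetime
    end: datetime


def find_default_accounts(accounts):
    """Privileged accounts still carrying a vendor default name."""
    return sorted(name for name in accounts if name.lower() in DEFAULT_ACCOUNT_NAMES)


def find_unowned_accounts(accounts):
    """Privileged accounts nobody is recorded as owning: the 'unknown privileged user' case."""
    return sorted(name for name, owner in accounts.items() if not owner)


def find_shared_accounts(sessions):
    """Accounts used by more than one person, so individual accountability is lost."""
    users = {}
    for s in sessions:
        users.setdefault(s.account, set()).add(s.person)
    return {acct: sorted(people) for acct, people in users.items() if len(people) > 1}


def find_concurrent_use(sessions):
    """Pairs of overlapping sessions on one account by two different people."""
    hits = set()
    for a, b in combinations(sessions, 2):
        if a.account != b.account or a.person == b.person:
            continue
        if a.start < b.end and b.start < a.end:   # time intervals overlap
            hits.add((a.account, tuple(sorted((a.person, b.person)))))
    return sorted(hits)


def audit(accounts, sessions):
    """Run all four checks and return the findings as one report dictionary."""
    return {
        "default_names": find_default_accounts(accounts),
        "unowned": find_unowned_accounts(accounts),
        "shared": find_shared_accounts(sessions),
        "concurrent": find_concurrent_use(sessions),
    }


# Constructed inventory: privileged account -> recorded owner (None = nobody knows).
PRIVILEGED_ACCOUNTS = {
    "root": None,
    "dba_svc": "alice",
    "admin": "carol",
    "alice.adm": "alice",
}

# Constructed session records, as a jump host or PAM gateway might export them.
def _t(h, m):
    return datetime(2009, 10, 22, h, m)

SESSIONS = [
    Session("dba_svc", "alice", "db01", _t(9, 0), _t(10, 0)),
    Session("dba_svc", "bob", "db01", _t(9, 30), _t(11, 0)),     # overlaps alice's session
    Session("alice.adm", "alice", "web01", _t(10, 0), _t(10, 30)),
    Session("root", "bob", "web02", _t(12, 0), _t(12, 15)),
    Session("root", "dave", "web02", _t(13, 0), _t(13, 10)),     # shared, but not concurrent
]

if __name__ == "__main__":
    for check, findings in audit(PRIVILEGED_ACCOUNTS, SESSIONS).items():
        print(f"{check}: {findings}")
```

On the constructed data the audit reports `root` and `admin` as default names, `root` as unowned, `dba_svc` and `root` as shared, and one concurrent overlap on `dba_svc` between alice and bob. The same checks work on real exports as long as each session carries the authenticated individual, which is exactly the data a privileged user management platform exists to capture.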
