Survey says: You're at risk

It's survey week here at the Internet home of secure identity (or, as the French say, le maison de l'identité sécurisée) -- two different surveys popped into my inbox. We'll look at one in this issue and the other next time.

Today's results are from a risk management survey given to about 1,250 IT decision makers at large enterprises (72% of which have more than 1,000 employees) conducted by the Davis Murphy Group for Courion Corp.

Among the highlights of the survey:

• Nearly half (48%) of all companies have discovered excessive user rights within their systems.

• 39% of respondents say they have identified instances of inappropriate access by privileged users within their organizations.

• 56% say they found cases in which access was still active for a user's prior role.

That's right, nearly 15 years after electronic provisioning, re-provisioning and de-provisioning became available, more than 50% of the survey respondents could cite instances of inappropriate privileged access for users (either still with the company, or not).

Have you not been listening?

A heartening 90% of respondents did indicate that IAM was a "core component" of their company's IT risk management program. And two-thirds responded that their organization had "an accurate assessment of the level of risk it faces as related to IT security."

So how did the "excessive user rights" that 48% reported come about? Perhaps the heartening responses were more an expression of wishful thinking on the survey takers' part.

It's highly recommended (and, indeed, required by some regulatory authorities) that users' access get reviewed and certified by their managers and/or resource owners on a regular basis -- at least annually, but often more frequently. The survey results show that only 59% of organizations require business managers to certify access while only 52% require certification by resource owners. 26% claim a combination of managers and IT do the certification (29% say owners and IT do it) but, again, this doesn't tell us how involved the non-IT certifiers are -- do they perform due diligence, or simply sign off on IT's report?

More than 40% responded that the certification is done irregularly, if at all!
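An access-review check of the kind the paragraphs above describe, written here as an added example (it is not Courion's product nor anything from the survey): it flags entitlements left over from a prior role or outside the current role's baseline, manager certifications older than a year, and privileged rights lacking a current resource-owner sign-off. The role baselines, entitlement names and user records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set
# Hypothetical role baselines: the entitlements each job role is expected to hold.
ROLE_BASELINE = {
    "accounts_payable": {"erp.ap.invoice.submit", "erp.ap.vendor.view"},
    "finance_manager": {"erp.ap.invoice.approve", "erp.gl.journal.post", "erp.ap.vendor.view"},
}
PRIVILEGED = {"erp.ap.invoice.approve", "erp.gl.journal.post"}  # need resource-owner sign-off
MAX_CERT_AGE = timedelta(days=365)  # "at least annually"

@dataclass
class UserAccess:
    user: str
    role: str                          # current role after any re-provisioning
    entitlements: Set[str]             # what the account actually holds today
    manager_certified: Optional[date]  # last business-manager sign-off, None if never
    owner_certified: Optional[date]    # last resource-owner sign-off, None if never

def stale(certified: Optional[date], today: date) -> bool:
    return certified is None or today - certified > MAX_CERT_AGE

def review_findings(u: UserAccess, today: date) -> list:
    """Return (finding_type, detail) pairs for one account; empty means nothing to chase."""
    findings = []
    baseline = ROLE_BASELINE.get(u.role, set())
    # Anything outside the current role's baseline is excess or left over from a prior role.
    for ent in sorted(u.entitlements - baseline):
        findings.append(("prior_role_or_excess", ent))
    if stale(u.manager_certified, today):
        findings.append(("manager_cert_stale", u.manager_certified))
    # Privileged entitlements additionally need a current resource-owner certification.
    if u.entitlements & PRIVILEGED and stale(u.owner_certified, today):
        findings.append(("owner_cert_stale", u.owner_certified))
    return findings

# Constructed sample data (not from the survey): alice moved from AP clerk to finance manager
# but kept her old invoice-submit right; bob's last manager sign-off is 18 months old.
TODAY = date(2011, 6, 1)
SAMPLE = [
    UserAccess("alice", "finance_manager", {"erp.ap.invoice.approve", "erp.gl.journal.post",
               "erp.ap.vendor.view", "erp.ap.invoice.submit"}, date(2011, 3, 1), None),
    UserAccess("bob", "accounts_payable", {"erp.ap.invoice.submit", "erp.ap.vendor.view"},
               date(2009, 12, 1), None),
]

if __name__ == "__main__":
    for u in SAMPLE:
        print(u.user, review_findings(u, TODAY))
```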

In a classic understatement, Kurt Johnson, vice president of strategy and corporate development for Courion said: "The results of this survey indicate that there is still widespread misunderstanding of the impact user access reviews have on enterprise IT risk."

What's your organization doing?

Copyright © 2011 IDG Communications, Inc.