Research Reveals Compliance Problem

The Ponemon Institute says the majority report inadequacies in current practice of ensuring proper access to systems and data

Dark Reading Staff, Dark Reading

August 7, 2007

3 Min Read
Dark Reading logo in a gray background | Dark Reading

TRAVERSE CITY, MIch. and AUSTIN, Texas -- New research from the Ponemon Institute reveals that despite the importance internal auditors and corporate compliance professionals place on ensuring proper access to systems and data – 70 percent of respondents say it is critical to IT compliance – the majority report inadequacies in current practice. Eighty-two percent say a risk-based approach would be more effective.

“Audit and compliance professionals are clearly struggling to gain control over issues at the heart of IT compliance, knowing who has access to what in your organization,” said Larry Ponemon, chairman and founder, Ponemon Institute. “They must do an incredibly complex and important job the hard way – manually and reactively – and they know it. Almost all would prefer to focus their efforts on the areas of greatest business risk, but they need help getting there.”

Commissioned by SailPoint Technologies, the survey, entitled Audit & Compliance Professionals: Survey on Identity Compliance, examines the views of auditors and corporate compliance staff on the state of compliance practices that focus on ensuring proper access to systems and data. Findings from analysis of 845 responses point to a number of inadequacies including:

  • Reliance on Manual Processes – Audit and compliance staff rely on manual efforts to manage compliance processes. Fifty-eight percent manually monitor and test controls on user permissions and activities, depending almost exclusively on reports generated by others rather than software tools (90 percent).

  • Lack of Centralized Control – Organizations have not established clear ownership of compliance oversight or processes around reporting on and monitoring user access to critical systems and data, with a wide majority conducting compliance efforts in a decentralized fashion at the application or department level (86 percent). Fragmentation of the data and distribution of responsibility among many groups are cited as the top two barriers to automating compliance.

  • Poor Communication and Collaboration – Audit and compliance staff report little to no collaboration with departments who share responsibility for IT compliance (61 percent), citing a poor understanding of risk management and compliance among other departments as the key barrier (65 percent).

  • Inattention to Business Risk – Asked if their organizations focus their compliance resources or efforts based on risk, half do not think so or are unsure, and the majority report the information necessary to quantify risk is simply not available (58 percent).

The full survey offers a comparative analysis of responses from audit and compliance staff with responses from IT security professionals to an earlier companion survey published by the Ponemon Institute in March 2007, also commissioned by SailPoint. Major points of agreement between the groups are poor collaboration and reliance on manual processes: IT professionals report little to no collaboration with audit and compliance staff (65 percent), citing a lack of technical expertise as the key barrier (42 percent); and 53 percent characterize efforts as manual and labor-intensive. Eighty-three percent of IT respondents also say a risk-based approach would be more effective for ensuring proper access to systems and data. Key differences are business drivers – audit/compliance groups seek better control and security (44 percent) while IT groups seeks higher efficiency (40 percent).

“Organizations are achieving compliance by throwing people at the problem, but they don’t know where their risks are,” said Jackie Gilbert, vice president of marketing and founder of SailPoint. “By taking steps to centralize and automate their efforts, companies can begin to regain control with a sustainable and effective approach that allows them to identify and reduce potential business risks like intellectual property loss, privacy breaches, brand damage and inaccurate financial reporting.”

Ponemon Institute LLC

Read more about:

2007

About the Author

Dark Reading Staff

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

See more from Dark Reading Staff
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe

You May Also Like

More Insights
Webinars
More Webinars
Events
More Events

Editor's Choice

Concept art, computer code and camera lenses in glowing light green arcs on black background
Application Security
Keep Tier-One Applications Out of Virtual EnvironmentsKeep Tier-One Applications Out of Virtual Environments
byMorey Haber
Sep 25, 2024
5 Min Read
CrowdStrike logo on smatphone screen
Cyberattacks & Data Breaches
CrowdStrike Offers Mea Culpa to House CommitteeCrowdStrike Offers Mea Culpa to House Committee
byJai Vijayan, Contributing Writer
Sep 25, 2024
4 Min Read
Black background and white text saying Dark Reading Confidential
Vulnerabilities & Threats
Dark Reading Confidential: Pen-Test Arrests, 5 Years LaterDark Reading Confidential: Pen-Test Arrests, 5 Years Later
byDark Reading Staff
Sep 10, 2024
42 Min Listen
Reports
More Reports
Webinars
More Webinars
White Papers
More Whitepapers
Events
More Events