Survey Reveals that Employees, Partners and Contractors Have Too Much Access to Information Assets; Access Policies are Not Enforced in Most Enterprises
Traverse City, Mich., and Waltham, Mass.—Feb. 5, 2008— Privacy and information management research firm the Ponemon Institute and Aveksa, Inc., the market-leading provider of enterprise access governance solutions, today announced the results of The 2008 National Survey on Access Governance. Findings gathered from a survey of almost 700 experienced IT practitioners show that the vast majority believe that employees, temporary employees and independent contractors have too much access to information assets that are not pertinent to their job function, and that access policies are not being regularly checked or enforced by their organization. These results suggest that many businesses face significant business risk because of inconsistent approaches to access management across the enterprise.
Access governance ensures that users hold access rights only to the specific information resources that are needed to do their job and are appropriate for their role within the organization. The overall objective of The 2008 National Survey on Access Governance is to learn, from the perspective of IT security and compliance practitioners, how well access risk and compliance management is being achieved within their organizations. The Ponemon Institute surveyed almost 700 IT professionals with a median of approximately 10 years of business experience and nine years of IT/information security experience. Based on their responses, Ponemon has identified five major challenges businesses face in implementing an effective access governance framework across the enterprise:
• User access rights are poorly assigned—78 percent of respondents believe that individuals have too much access to information assets that are not pertinent to their job description: very often (11 percent), often (33 percent) or sometimes (34 percent). In addition, 59 percent of respondents strongly disagree, disagree or are unsure that there is little risk that employees, temporary employees and contractors have too much access to information resources.
• Policies are not regularly checked and enforced—69 percent indicated that access policies within their organizations were either enforced poorly or not at all. Meanwhile, only 30 percent of respondents state that their organization makes sure user access policies are validated. These businesses are at risk because user roles are not static but dynamic. Therefore, regular reviews and monitoring of change is necessary to ensure that compliance objectives and business risk tolerances are met.
• Organizations are not able to keep pace with changes to users’ roles and they face serious noncompliance and business risk as a result—Responses show that more than half (55 percent) describe their company's ability to grant access rights based on role and job function as poor or nonexistent, including 42 percent that say it is not done at all. These findings suggest that businesses might find it too difficult to manage access rights at the individual level because of changing roles and responsibilities with respect to information access. As a result, there is a huge risk for organizations that individuals may be able to access information resources that are not in alignment with their roles and responsibilities.
• Senior management lacks understanding of the importance of access governance—Senior management does not seem to understand the risks of inappropriate user access or what resources are needed to ensure compliance and avoid business risks. 74 percent of respondents say that senior management does not view access governance as a strategic security imperative, or are unsure whether it does.
• Collaboration is viewed as critical but is not being achieved—83 percent believe collaboration among business units, audit and compliance, and IT security functions is either important or very important for compliance with regulations and mandates. Despite their acknowledgement of the importance of collaboration, 57 percent of respondents report that these stakeholders do not collaborate (or are unsure about collaboration) to achieve access compliance within their organizations.
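The first three challenges above (access outside the job function, policies that are never validated, and role changes that leave old entitlements in place) are what a periodic access review is meant to catch. The following is an added example, not code from Aveksa, the Ponemon Institute or the survey: a minimal recertification check that compares the entitlements systems actually grant with the entitlements a user's roles justify, and flags excess, missing and orphaned access. The role model, system names, permission strings and user population are all constructed for illustration.

```python
"""Minimal access-review (recertification) check.

Added example for the survey findings above; not code from Aveksa or the
Ponemon Institute. Roles, systems, permissions and users are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Role model: each role names the entitlements (system:permission) it justifies.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "accounts_payable": {"erp:invoice.read", "erp:invoice.approve"},
    "hr_analyst": {"hris:employee.read"},
    "contractor_dev": {"git:repo.read", "ci:build.trigger"},
}


@dataclass
class User:
    uid: str
    roles: Set[str]
    entitlements: Set[str]          # what the target systems actually grant
    worker_type: str = "employee"   # employee | temp | contractor
    active: bool = True             # False once the person or contract has left


def expected_entitlements(user: User) -> Set[str]:
    """Entitlements the user's current roles justify (unknown roles add none)."""
    expected: Set[str] = set()
    for role in user.roles:
        expected |= ROLE_ENTITLEMENTS.get(role, set())
    return expected


def review_user(user: User) -> List[dict]:
    """Compare granted entitlements with role-justified ones; return findings."""
    findings: List[dict] = []
    if not user.active:
        # A leaver or ended contract with anything still granted: revoke it all.
        for ent in sorted(user.entitlements):
            findings.append({"type": "orphaned_access", "entitlement": ent})
        return findings
    for role in sorted(user.roles - set(ROLE_ENTITLEMENTS)):
        findings.append({"type": "unknown_role", "role": role})
    expected = expected_entitlements(user)
    for ent in sorted(user.entitlements - expected):
        findings.append({"type": "excess_entitlement", "entitlement": ent})
    for ent in sorted(expected - user.entitlements):
        findings.append({"type": "missing_entitlement", "entitlement": ent})
    return findings


def review(users: List[User]) -> Dict[str, List[dict]]:
    """Run the check over a population; map uid -> findings."""
    return {u.uid: review_user(u) for u in users}


def share_with_excess(users: List[User]) -> float:
    """Fraction of active users holding at least one entitlement outside their roles."""
    active = [u for u in users if u.active]
    over = [u for u in active
            if any(f["type"] == "excess_entitlement" for f in review_user(u))]
    return len(over) / len(active) if active else 0.0


def change_role(user: User, old_role: str, new_role: str) -> None:
    """Model a job move: the role is updated but no system entitlement is
    touched, which is exactly the drift a recertification cycle must catch."""
    user.roles.discard(old_role)
    user.roles.add(new_role)


def sample_users() -> List[User]:
    """Constructed sample population (not survey data)."""
    return [
        User("alice", {"accounts_payable"},
             {"erp:invoice.read", "erp:invoice.approve"}),
        User("bob", {"hr_analyst"},
             {"hris:employee.read", "erp:invoice.approve"}),
        User("carol", {"contractor_dev"},
             {"git:repo.read", "ci:build.trigger", "hris:employee.read"},
             worker_type="contractor", active=False),
    ]


if __name__ == "__main__":
    users = sample_users()
    for uid, findings in review(users).items():
        print(uid, findings or "clean")
    print("share of active users with excess access:", share_with_excess(users))
    bob = users[1]
    change_role(bob, "hr_analyst", "accounts_payable")
    print("bob after role change:", review_user(bob))
```

The interesting output is the last line: after bob moves from HR to accounts payable, his old `hris:employee.read` grant becomes excess and the `erp:invoice.read` he now needs is missing, neither of which any system reported on its own. That is why the review has to run on a schedule and on every role change, not once at onboarding.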
“Poor access governance can result in a number of costly threats to the enterprise. This study shows that IT practitioners recognize the importance of access governance as a key element for successfully implementing an effective information resource compliance and risk strategy,” said Larry Ponemon, chairman and founder, Ponemon Institute. “Traditional approaches, including homegrown technologies and manual management processes, have proven to be fraught with failure and risk. Unless enterprises acknowledge business as usual is failing, we believe rampant access mismanagement will continue to plague organizations.”
“The fact that most organizations feel that employees are being granted access rights outside of their business role clearly illustrates the risk that most enterprises face,” said Brian Cleary, vice president of marketing for Aveksa. “The constant shifting of business roles within these companies only compounds the problem to the extent that considerable gaps are left unaddressed in their access compliance and risk management efforts. Aveksa’s customers have recognized that only with a centralized, enterprise-wide access policy and process management approach can they make compliance sustainable and better manage the business risks associated with granting users access to information resources.”
For a full copy of the 2008 National Survey on Access Governance, visit: http://www.aveksa.com/campaign/2008_Survey_on_Access_Gov.cfm.
About Aveksa
Aveksa provides the only comprehensive, enterprise-class, access governance, risk management and compliance solution. Aveksa automates the monitoring, reporting, certification and remediation of user entitlements and roles; enables role discovery and lifecycle management; and delivers unmatched visibility into the true state of user access rights. With Aveksa, business, security and compliance teams can effectively collaborate and enforce accountability. Our growing customer base includes leading global Fortune 1000 organizations in financial services, healthcare, transportation and manufacturing. For more information, go to www.aveksa.com.
About the Ponemon Institute
The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries. Visit the Ponemon Institute at www.ponemon.org for more information.