Polled about their organisation’s approaches to identity and access management, audit and compliance professionals in industry and government expressed a high level of frustration with how their IT and business management units are managing IAM.
Almost half – 45% – of the 845 respondents questioned by the Ponemon Institute for the research study released today said their own organisation does not effectively focus its IAM policies and controls on areas of business risk.
The compliance professionals, 68 per cent of whom said IAM products were in use in their organisations, also expressed frustration that IT and business management groups weren’t collaborating well in deploying IAM.
“The compliance and audit folks think collaboration is important, but they acknowledge their companies' shortfall in this area,” says Larry Ponemon, chairman and founder of the research firm, which focuses on privacy, data breach and security topics.
Access control, password management, user provisioning and role management constitute aspects of IAM that respondents said were used to meet such regulatory compliance requirements as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act and privacy laws.
However, 65% of the professionals surveyed in the Ponemon study complained that “IT staff lacks understanding of risk management and compliance”, a drawback that made it difficult to implement IAM controls effectively. The IT department in most cases was deemed the most responsible for selecting, deploying and monitoring IAM products in the organisation.
In addition, the poll reflected the opinion that IT departments and audit and business people often do not collaborate well on issues concerning IAM compliance. Of those polled, 61% said “there is no collaboration whatsoever” or “collaboration rarely occurs”; 25% called it “okay, but could be improved”, and 14% calling it “excellent”.
Ponemon said the results of the study indicate that according to the respondents, “the IT people don’t have an appreciation of audit and compliance, what the rules are, and don’t prioritise compliance. They think IT cares more about efficiency.”
He added a similar survey of IT people undertaken last February on the same topic showed the flip side of the coin, with IT professionals unhappy with audit and compliance professionals.