Auditors blame IT for botched IAM

Auditors and compliance professionals in industry and government are frustrated with how their IT departments are handling identity and access management, according to a new survey.


Auditors and compliance professionals are frustrated with how their IT departments hande identity and access management (IAM) projects, according to a new survey.

Almost half (45%) of the 845 respondents recently questioned by the Ponemon Institute said their own organisation does not effectively focus its IAM policies and controls on areas of business risk.

The compliance professionals, 68% of whom said IAM products were in use in their organisations, also expressed frustration that IT and business management groups weren't collaborating well in deploying IAM.

"The compliance and audit folks think collaboration is important, but they acknowledge their companies' shortfall in this area," says Larry Ponemon, chairman and founder of the research firm. The "Audit & Compliance Professionals: Survey on Identity Compliance" study released this week by Ponemon was sponsored by SailPoint Technologies.

Sixty-five percent of those surveyed complained that "IT staff lacks understanding of risk management and compliance," a drawback that made it difficult to implement IAM controls effectively. The IT department in most cases was deemed the most responsible for selecting, deploying and monitoring IAM products in the organisation.

The poll also found that IT departments and audit and business people often do not collaborate well on compliance. Of those polled, 61% said "there is no collaboration whatsoever" or "collaboration rarely occurs"; 25 percent called it "okay, but could be improved," and 14% calling it "excellent."

Ponemon said the study shows that according to the respondents, "the IT people don't have an appreciation of audit and compliance, what the rules are, and don't prioritise compliance. They think IT cares more about efficiency."

He added a similar survey of IT people last February on the same topic showed the reverse, with IT professionals unhappy with audit and compliance professionals.

Now read:

BT and Siemens in identity management tie-up

Find your next job with computerworld UK jobs