Study: 'TMI' Access to Information

Ponemon study shows ineffective access management processes pose risk to businesses

February 5, 2008

TRAVERSE CITY, Mich. and WALTHAM, Mass. -- Privacy and information management research firm the Ponemon Institute and Aveksa, Inc., the market-leading provider of enterprise access governance solutions, today announced the results of The 2008 National Survey on Access Governance. Findings gathered from a survey of almost 700 experienced IT practitioners show that the vast majority believe that employees, temporary employees and independent contractors have too much access to information assets that are not pertinent to their job function, and that access policies are not being regularly checked or enforced by their organization. These results suggest that many businesses are facing significant business risks because of inconsistent approaches to access management across the enterprise.

Access governance ensures that users have appropriate access rights to the specific information resources that are needed to do their job and appropriate for their role within the organization. The overall objective of The 2008 National Survey on Access Governance is to learn from the perspective of IT security and compliance practitioners how well access risk and compliance management is being achieved within their organizations. The Ponemon Institute surveyed almost 700 IT professionals with a median of approximately 10 years business experience and nine years IT/information security experience. Based on their responses, Ponemon has identified five major challenges businesses face in implementing an effective access governance framework across the enterprise:

  • User access rights are poorly assigned - 78 percent of respondents believe that individuals have too much access to information assets that are not pertinent to their job description: very often (11 percent), often (33 percent) or sometimes (34 percent). In addition, 59 percent of respondents strongly disagree, disagree or are unsure that there is little risk that employees, temporary employees and contractors have too much access to information resources.

  • Policies are not regularly checked and enforced - 69 percent indicated that access policies within their organizations were either enforced poorly or not at all. Meanwhile, only 30 percent of respondents state that their organization makes sure user access policies are validated. These businesses are at risk because user roles are not static but dynamic. Therefore, regular reviews and monitoring of change are necessary to ensure that compliance objectives and business risk tolerances are met.

  • Organizations are not able to keep pace with changes to users' roles and they face serious noncompliance and business risk as a result - Responses show that more than half (55 percent) describe their company's ability to grant access rights based on role and job function as poor or nonexistent, including 42 percent that say it is not done at all. These findings suggest that businesses might find it too difficult to manage access rights at the individual level because of changing roles and responsibilities with respect to information access. As a result, there is a huge risk for organizations that individuals may be able to access information resources that are not in alignment with their roles and responsibilities.

  • Senior management lacks understanding of the importance of access governance - Senior management does not seem to understand the risks of inappropriate user access and what resources are needed to ensure compliance and avoid business risks. 74 percent of respondents believe that senior management does not view, or is unsure that, access governance is a strategic security imperative.

  • Collaboration is viewed as critical but is not being achieved - 83 percent believe collaboration among business units, audit and compliance, and IT security functions is either important or very important for compliance with regulations and mandates. Despite their acknowledgement of the importance of collaboration, 57 percent of respondents report that these stakeholders do not collaborate (or are unsure about collaboration) to achieve access compliance within their organizations.

"Poor access governance can result in a number of costly threats to the enterprise. This study shows that IT practitioners recognize the importance of access governance as a key element for successfully implementing an effective information resource compliance and risk strategy," said Larry Ponemon, chairman and founder, Ponemon Institute. "Traditional approaches, including homegrown technologies and manual management processes, have proven to be fraught with failure and risk. Unless enterprises acknowledge business as usual is failing, we believe rampant access mismanagement will continue to plague organizations."

Ponemon Institute LLC
