Two separate security surveys this week on network access control reach similar
conclusions: Employees have immoderate access rights, and management should
face up to the challenge of reining in out-of-control access without sacrificing
productivity gains.

Research firm Ponemon Institute
Tuesday released the results of its "2008
National Survey on Access Governance," which polled 700 information
technology practitioners from business and government on the topic of how organizations
determine who should have access to information resources and the appropriate
level of access.

Ponemon found that 52% of the IT professionals surveyed did not believe access
rights are well-managed in their organization, and 78% thought employees often
or on occasion had "too much access to information resources not pertinent
with their job function." 19% responding simply said they were unsure.

The survey, which was sponsored by security governance vendor Aveksa,
suggests that "People are getting too much access to things," says
Larry Ponemon, the Institute's founder. "The No. 1 issue is that we have
a problem in that organizations that claim to manage roles and responsibilities
may not be doing so."

In the survey, respondents acknowledged the risk to intellectual property,
customer information and general business information from poorly managed access.
The study also sought to shed some light on why organizations are struggling
with the access governance problem.

The decision-making process varies considerably. Twenty-nine percent said access
to information assets is granted on an "ad hoc" basis for certain
projects, 25% said it was to meet "departmental demands," and 21%
cited "job function or role," while 10% acknowledged "no systematic
approach" and 8% thought it was according to "position level or rank."

As to technology use, 36% said they used "homegrown access control systems",
30% said "automated solutions", 13% cited a "a manual process,"
5% said "e-mail requests" and 7% answered "helpdesk."

The Ponemon Institute study concluded "taken together, our findings indicate
that the distributed nature of the organization has resulted in a breakdown
in centralized policy management."

Ponemon's study stated it was hard to pinpoint accountability for granting
access and too frequently there was no review of what employees' jobs require
them to do over time.

A separate survey this week of 2,000 remote workers and IT professionals worldwide
conducted by InsightExpress
and sponsored by Cisco showed
employees are often left to their own devices -- and are enjoying it.

The survey found 56% of remote workers felt that the Internet is safer than
it was last year but 55% of IT staff said they thought remote employees working
outside the office are becoming less aware and disciplined in their online behavior.

The survey showed corporate computers are frequently used for shopping and
social networking while the individual's home computer, not under management
of the IT department, is often used to access work files.

Twelve percent of remote workers admitted to hijacking a neighbor's wireless
connections, with workers in Japan, France, China and United Kingdom confessing
to stealing wireless access the most. China, the United Kingdom, Japan, Australia
and the United States had the highest percentages of respondents who admitted
they open suspicious e-mail and attachments despite the potential for triggering
malware attacks.

Issues with remote workers are coming to the fore because "companies are
becoming highly decentralized," comments Tom Gillis, vice president of
marketing in Cisco's IronPort unit. "There's a blurring line between business
and personal use here."

» posted by abennett

Network World

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine