Corporate IT professionals lack a critical understanding
of risk and compliance issues and pose a barrier to collaborating
on compliance initiatives with audit and compliance professionals,
according to a
study of 845 IT pros and audit and compliance managers conducted
recently by the Ponemon Institute.
The study found that 65% of audit and compliance pros surveyed
believe their IT counterparts lack the knowledge of risk and
compliance issues to collaborate on identity and access management.
In contrast, 42% of IT pros said
audit and compliance managers lacked sufficient technical
expertise to collaborate.
"I think what they're saying is that IT practitioners care about
their effectiveness and making IT better, but they don't care about
compliance the same way compliance and audit people care," said
Larry Ponemon, founder and chairman of the Traverse City,
Mich.-based Ponemon Institute. "It's definitely true that
collaboration is an issue and creating problems for identity or
access management, but not clear if both sides share a common view
of why those problems exist."
Experts say a number of high-profile data breaches, such as the
massive breach earlier this year at TJX Cos. Inc., are fueling
spending on technologies that lock down data and monitor systems
containing critical information. But technology alone won't solve
the problem of data leakage, experts warn.
Collaboration between IT and compliance professionals as well as
sound security policies are essential to keeping data locked down.
Identity and access management is critical to compliance because it
defines an organisation's process for allowing end users to access
systems containing critical data.
"A lot of people have the misconception that it's only
technology, but it's also the control practices that an
organisation has in place," Ponemon said. "When people leave or
move into new job functions, access rights change in conformance to
what they are currently doing."
Ponemon said collaboration between IT and compliance and audit
professionals is an important factor in reducing risk at an
organization. IT pros also need to have the tools to assign access
rights and change privileges when the organization changes.
Compliance managers need to know whether access rights conform to
the organization's policies and that the policy reduces the
business risk, Ponemon said.
Meanwhile, an organization's business unit views identity and
access control as a business need, he said. If end users can't
access the systems they need to do their job, the business unit may
step around IT and compliance managers by sharing a common password
to bypass an access control system.
"I think IT people are coming to the realization that they have
an important part to play in ensuring integrity and security of an
organization," Ponemon said. "At the end of the day, IT has a lot
of power but many times the business units have more control."
Both IT pros and compliance and risk managers agree that
identity management and access control need to be addressed to
comply with current regulations and avoid a high-profile data
breach. According to the survey, 71% of compliance professionals
believe identity and access management is "very important" or
"important" for meeting compliance requirements within their
organizations versus 70% of IT professionals.
But audit and compliance professionals may not feel comfortable
collaborating with IT pros, Ponemon said. According to the survey,
only 23% of respondents said they should be involved in the
monitoring of compliance and 5% said they should be involved in
shaping policy.
"The IT practitioners are more likely to own the creation of
identity policy and fixing of deficiencies," Ponemon said. "It's
hard to gauge the mindset of audit and compliance people in
general, but there is a significant technology component that they
may not feel comfortable with."
In addition, the study found that IT and compliance pros don't
agree on which rules and regulations are driving compliance
initiatives. Sarbanes-Oxley and the Payment Card Industry Data
Security Standard are ranked by compliance and audit professionals
as the main drivers for spending on compliance projects in 2007.
But IT professionals put much more weight on data breach laws and
privacy laws, such as the Gramm-Leach-Bliley Act and state data
breach notification laws, than compliance professionals do.
The Web survey was conducted independently by the Ponemon
Institute and underwritten by identity and risk management vendor
SailPoint Technologies, based in Austin, Texas. Respondents
averaged about eight years of experience in the audit or compliance
field and more than three years of experience in the position they
currently hold. About 50% of respondents said their job function or
position is located within the corporate compliance department.
About 22% said they report to the organization's chief financial
officer, and 13% are located in the IT department.