Two-thirds of IT security professionals say the business does not understand what they do

Only 34% of IT security professionals believe the business understands security, a survey of more than 100 organisations has revealed.

That is despite 68% of organisations defining and documenting their IT security authorisation procedures based on processes agreed with the business, according to the survey by SAP security firm Turnkey Consulting.

Sixty-nine per cent of organisations said they are reviewing their security settings to ensure compliance with corporate standards, but only 55% record security logs and have a process in place to analyse them and respond when a threat or vulnerability is identified.

Most organisations (87%) said they have a dedicated team responsible for user administration, but only 60% of these perform regular reviews to determine whether the user access is still appropriate for that person or role.

Some 80% of organisations said they have processes in place to manage staff role changes in terms of system access, and 85% require business involvement, but only 47% test the changes before they go live.

The survey found that while 73% maintain a segregation of duties matrix for their SAP applications, only 68% configure the matrix to suit the specific requirements of their business and review it regularly for suitability.

Fifty-eight per cent of respondents said their support team is able to process business transactions and 59% also have procedures in place for privilege escalation, with half of these using an automation tool for this.

IT systems are the lynchpin that support business processes, from e-mail communication to financial transactions, said Richard Hunt, managing director of Turnkey Consulting. "Therefore, far from security being the sole responsibility of the 'techies', business ownership is vital to ensure that there is adequate control placed over who can do what in business critical systems," he said.

Business users need to understand and clearly define their requirements to the technical team who can then translate this into a configuration that ensures each role has the appropriate system access, he said.
