Access Governance Issues Identified at FEMA
Posted on Fri, Jul 02, 2010 @ 07:30 AM
Yet again, another Federal government agency has been identified as having serious access management and access governance failures. As reported by InformationWeek, a new report from the Department of Homeland Security Office of the Inspector General identifies serious access governance issues at the Federal Emergency Management Agency (FEMA).
FEMA Cybersecurity Fix Could Take Years
"FEMA also had access control problems. KPMG found password, patch management, and security configuration problems on servers supporting financial and support systems. User account control was another problem, as accounts weren't reviewed for appropriateness, weren't disabled or removed promptly after employees were fired, and weren't documented properly upon being handed out."
It's not surprising that the Federal government is lagging behind commercial enterprises. In fact, this issue was reflected in the findings of recent research conducted by the Ponemon Institute and commissioned by Aveksa.
Based on the responses of the 100 government IT practitioners who participated in the global multi-industry survey, the results show that FEMA is not the only government agency with access-related issues that must be resolved. Some of the findings included:
1. Access Management is a worsening problem for government organizations:
- Most respondents in government (79 percent) said their users have too much access to information resources that aren't pertinent to their role in the organization.
2. Government organizations can't keep pace with access change:
- Three out of four respondents (75 percent) say that they can't respond quickly enough to changes in employee access requirements.
- More than half (60 percent) reported that they are unable to keep pace with the number of access change requests that come in on a regular basis.
3. Access policies are not regularly checked and enforced:
- Sixty percent of organizations do not have or do not strictly enforce access governance policies.
- Sixty-three percent do not immediately check user access requests against security policies before the access is approved and assigned.
4. Organizations lack the budget, resources and staff to effectively govern user access:
- More than two-thirds (68 percent) of respondents said that a lack of IT staff was a key problem in enforcing access compliance policies.
- Fifty-nine percent of organizations reported that they don't have enough technologies to manage and govern end-user access to information resources.
Click here to download the Ponemon Institute 2010 Access Governance Trends Survey
With the number of failures that continue to be identified, it's time for all government security Czars to focus on tackling the issue of governing user access, as it's a straightforward initiative that can be easily dealt with right now. The Federal government should look to the security thought leaders in industry that have tackled the access lifecycle management and policy enforcement challenge, as they understand the best practices and have a framework for dealing with access change.
We would welcome a conversation with any Government agency or department security Czars on how to instantiate a set of effective access governance business processes and policies. We would also be happy to connect these Czars with some of Aveksa's thought-leading customers to help them understand an implementation roadmap and maturity model for achieving continuous access management and governance.