Never has the need to prove compliance with external regulations and internal policies been more acute than it is today. The likely consequences of failing to prove that your organization is compliant and that you are strictly adhering to your own policies can be significant, up to and including possible criminal penalties for top corporate executives. And the buck doesn’t stop there. Anyone who is familiar with the Enron story may also remember that it resulted in the once grand Arthur Andersen being brought to its knees, illustrating the thoroughness that external auditors will apply to ensure that they are not implicated.

Organizations today must prove beyond a shadow of a doubt that not only do they have a security program in place, but that it is enforced and is consistent across your organization. Information technology departments play a key role in this endeavor. Shortcomings in IT policies can have potentially serious consequences.


Research by Gartner has shown that 65 percent of all successful computer attacks take advantage of badly configured systems such as use of out-of-the-box default conditions, configuration of user accounts that have privileged rights, simple configuration errors or unscrupulous system administrators. If that’s not bad enough another in a recently published survey conducted by the U.S. Secret Service together with Carnegie Mellon University’s Software Engineering Institute CERT Program found that eighty-six percent of people who carried out insider sabotage held technical positions and ninety percent had system administrator or privileged system access – which meant they held the passwords to override the system and access the network.

No matter how secure a system may be, if the controls to access that system are not adequate, eventually this will be exposed. A recent Audit Commission report in the UK highlighted that problems are frequently a result of poor access controls that inevitably increase the risk of accidental damage and deliberate abuse. Instances such as the failure of management to escort disgruntled employees from buildings and remove all IT system access facilities have resulted in such staff having the time and opportunity to vent their anger on the organization and cause major disruptions. Interestingly, the report found the main reasons for breaches were ineffective policies, and the failure to enforce policies.