Security - CIOInsight

Security Slideshow:
10 Things the Security Auditor Saw

By Bob Violino on 2009-02-09



Deloitte's 6th Annual Global Security Survey shows the top priorities and problems revealed by internal and external audits.


Excessive access rights. Almost one-third of respondents cited this finding, making it the top response. Individuals should have rights only to information needed to perform their jobs, and those rights should be revoked when they are no longer needed.

Segregation of duties. Users shouldn't have access to responsibilities and functions that conflict with one another. Lack of segregation of duties might allow people to circumvent controls.

Access control compliance with procedures. Access control ensures that users have access only to the systems and information they need to properly do their jobs.

Lack of audit trails/logging. With regulatory compliance a key part of risk management, organizations need to have the proper trails and logging procedures in place.

Lack of documentation of controls. Compliance means having documentation that the proper controls are in place.

Excessive developers' access to production systems and data. Make sure application developers have appropriate access to production systems and data, and determine the risk if they have too much.

Lack of review of audit trails. Audit trails must be reviewed on a regular basis, and updated as needed.

Lack of clean-up of access rules following a transfer or termination. Access rules need to be revoked or changed when someone leaves the organization or is transferred. Failure to do this can result in damaging security breaches.

Use of production data in testing. Testing of systems and applications shouldn't involve production data, as this could introduce security risks.

Disaster recovery plan/business continuity plan testing. Have disaster recovery and business continuity plans been tested adequately? Organizations can't afford to risk extensive systems downtime and lost business.
