AUSTIN, Texas, Feb. 20, 2008 – As investigators sort out whether rogue trader Jerome Kerviel acted alone as alleged or with the knowledge of Société Générale senior officials as some have speculated, a debate is emerging in IT circles asking if the massive fraud owes more to the collapse of financial controls or to the controls that govern information technology systems and the data they house. The extent to which access control exposures may have played a part in the fraud is the subject of a new podcast released today from SailPoint Technologies, Inc. and Enterprise Management Associates.

"Avoiding a Billion Dollar Blind Spot: What Organizations Can Learn about Their Risk Posture from Identity and Access Data" offers constructive insight into the reported allegations in the Société Générale fraud. The scheme is the latest and most damaging in a series of headline-grabbing incidents – many involving access control failures – that have escalated in frequency and impact in recent years. Hosts Scott Crawford, Research Director and Practice Manager in the Security and Risk Management Practice at Enterprise Management Associates and identity risk expert Mark McClain, CEO and founder of SailPoint Technologies, examine the serious questions such losses raise about the state of governance and risk management in the world's largest enterprises.

"What's becoming all too clear is that companies don't have a sufficient understanding of where their risks are," observed Crawford, an expert on IT risk management. "As the facts come to light on this case and companies begin to examine what they can learn from the incident, I think we'll find that business controls remain vulnerable to subversion by users like Kerviel without an effective IT risk management strategy in place."

Following an examination of the case, Crawford and McClain outline five basic issues and related exposures that can contribute to a control failure and offer practical guidance for preventing similar incidents.

"The tendency is to view this case as exceptional, and the lion's share of press articles focus on whether Kerviel could have succeeded in circumventing financial and trading controls acting alone," said McClain. "There's an equally important story here to tell about IT risk controls that in our experience is all too common – it's an instructive case for all companies that outlines the need for IT controls to supplement business controls and validates the importance of user identities as a point of IT control in the enterprise."

Episode 8 of The Identity Intelligence Insider, "Avoiding a Billion Dollar Blind Spot: What Organizations Can Learn about Their Risk Posture from Identity and Access Data" is available at no charge from SailPoint Technologies at http://sailpoint.libsyn.com/index.php?post_id=309182 where listeners can also access previous episodes in the SailPoint podcast series. To view and download a detailed graphical timeline that indicates where key events may have alerted Société Générale to potential access and IT control exposures along the dangerous path Jerome Kerviel reportedly followed during his tenure, go to www.sailpoint.com/news/files/kerviel.pdf. †

† SailPoint's analysis suggests potential exposures that may have occurred based on allegations reported to date and should not be considered conclusive. For selected relevant news articles and sources, go to http://del.icio.us/billiondollarblindspot.

About SailPoint

SailPoint Technologies, Inc. develops identity risk management software that helps organizations gain control over user access to critical systems and data, streamline costly IT compliance processes and reduce the risks of fraud, corporate data loss or theft and failed audits. Founded in December 2005, SailPoint is based in Austin, Texas.