The need for a fancy identity-management system to control access to IT systems depends on how big and complex you are and how much pain your company can take. Linda DiPaola, with less than 500 employees to track, does just fine without any system at all.

DiPaola, director of internal audit at Empire Resorts, a New York gaming and resort management firm, depends on process, not technology, and it's working perfectly well.

DiPaola says her approach is all about managing risk. From an access control perspective, that means upholding the sanctity of segregation of duties and ensuring that user permissions to IT ...