Something else known to the guy(s) who do everything.  When no 
one is in the building, there is a burglar alarm system ... 
different people have been issued ID codes, which they change 
even less often than passwords.  Guess how many people have 
told their ID codes to co-workers who have not yet been 
issued their own ID codes?
If we are going to be changing physical locks and passwords, 
perhaps also change burglar alarm codes.
Some computer technicians claim they need to know everyone's 
passwords, so that if anything goes wrong they can get into 
anyone's systems.  The same kind of argument is used with the 
company burglar alarm system.
Here's another HIT BY BUS story that could be a learning 
experience.  Lessons in this story include:
* Security is only as good as the weakest link, of which 
there can be several ... e.g. there is a lock on the gate to 
the factory, which hangs loose during the day ... a crook could 
substitute the crook's own lock, then after the place is locked 
up, drive up, unlock the crook's lock, fill up a vehicle, and 
put the company lock back on.
* Security by obscurity is not good enough
* Former employees know where things are kept
* False ceilings mean locked doors can be circumvented
* Long-time employees are aware of multiple security holes, 
never fixed because they were never in any budget
* Do you use checks that are pre-signed, and if any of them went 
missing, how soon would you realize they went missing?
* It is not enough to say a former employee is not coming 
back; there also ought to be instructions on what to do if they 
do come back.
I work late almost every night after the rest of the office crew 
has gone home.  A senior engineering manager had a heart attack.  
I was told he wasn't coming back, that it had triggered early 
retirement.  One night he shows up looking for "his stuff."  I 
tell him he's looking great! (He really looked like he was at 
death's doorstep.)
I tell him they reassigned his office & I have no idea 
where "his stuff" went. (true)  He tells me they told him it 
is in the vault.  (This is a small locked windowless office 
where we store our master set of keys, confidential papers, 
accounting records, checks that have someone's signature pre-
printed, etc. ... say, if some of them went missing, how soon 
would we figure that out?)
I tell him I no longer have a key to the vault (true), so I can't 
get in there (false: it has a false ceiling that can be climbed 
over, but it has been years since I have been sufficiently 
energized to use that kind of "top door" (I have not done so 
since I spent several hours one weekend stuck in a roof crawl 
space)).
He says he can get in.
I follow him, curious.
He goes to the accounting lady's desk, opens a drawer, looks at 
the tags attached to keys, takes one key & unlocks a file 
drawer.  In back of the week's paychecks, which get 
distributed at the end of the week, is a lock box, which he opens 
with another key from the accounting lady's desk, and takes out 
the key to the vault, which he then opens, so he can 
retrieve "his stuff."  I carry it out for him, to his vehicle, 
which is being driven by his wife.  (He really is physically much 
less than the man I remembered as a co-worker.)
Next day I ask the accounting lady if these arrangements get 
changed after the departure of high-profile people, and if having 
her desk unlocked makes sense to her.  She says she's been 
asking for a lockable desk for over 10 years, and has 
perpetually been told there's no budget for it.  
Since this happened, she has been issued a lockable desk, but 
it looks kind of flimsy to me.
---- Original message ----
Date: Tue, 3 Jul 2007 14:54:39 -0700 (PDT)
From: Steve Martinson <smartfamily2003@xxxxxxxxx>  
Subject: Re: Preparing for a High-profile Termination  
To: midrange-l@xxxxxxxxxxxx
Booth & Tom:
I agree that someone in a position of power would also 
likely know passwords for a whole bunch of profiles, 
especially in the smaller shops where the poor guy runs the 
whole show (we consult mostly to community banks that are in 
that mode).  Reviewing the profile object "created by" 
attribute is already on my list.
Validation lists are important too!  Thanks.
Best regards,
Steven W. Martinson, CISSP, CISM
Sheshunoff Management Services, LP.
Senior Consultant - Technology & Risk Management
2801 Via Fortuna, Suite 600 | Austin, TX 78746
Direct: 281.758.2429 | Mobile: 512.779.2630
e.Mail: smartinson@xxxxxxxxx
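One way to carry out the profile "created by" review Steve mentions, as an added example that is not part of the original thread: first dump every user profile object to an outfile with DSPOBJD OBJ(QSYS/*ALL) OBJTYPE(*USRPRF) OUTPUT(*OUTFILE) OUTFILE(TERMLIB/USRPRFS), then query the outfile for profiles the departing user created or owns. The library TERMLIB, the outfile USRPRFS and the departing profile name BIGBOSS are assumptions; the column names are the standard QADSPOBJ outfile fields (ODCRTU = creating user profile, ODOBOW = owner), which you should confirm on your own release before relying on them.

```sql
-- Added example, not from the thread.  Assumes the DSPOBJD outfile
-- TERMLIB/USRPRFS exists and that BIGBOSS is the departing user.
-- ODOBNM = profile name, ODOBOW = owner, ODCRTU = created by,
-- ODOBTX = text description (QADSPOBJ fields; verify on your system).
SELECT ODOBNM AS PROFILE,
       ODOBOW AS OWNER,
       ODCRTU AS CREATED_BY,
       ODOBTX AS DESCRIPTION
  FROM TERMLIB.USRPRFS
 WHERE ODCRTU = 'BIGBOSS'      -- profiles the departing user created
    OR ODOBOW = 'BIGBOSS'      -- profiles the departing user still owns
 ORDER BY ODCRTU, ODOBNM;
```

Every row is a profile whose password the departing user may well know, or whose ownership has to be transferred before the profile is disabled; run the same query against the audit journal user once the profile is gone to make sure nothing was created in the meantime.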