The ongoing Terry Childs fiasco within the city government of San Francisco could have been easily avoided. Thanks to Chad Perrin for his excellent summary of the story. As things stand the city is not able to update, change, or manage their WAN because they have had the only person who knows the admin passwords arrested and retained on a $5 million bond.
Read Chad's post for the details. My advice is for every business owner and government administration to immediately check on the controls of their IT infrastructure. Ask yourself these questions:
1. Do you have centralized authentication and rights management?
2. Are passwords on infrastructure devices and applications routinely changed?
3. Who are the key individuals in your security hierarchy? Have you exposed yourself to unacceptable risk levels by granting them too high a level of trust?
4. Do you do background checks on new hires?
5. Do you have a written policy governing administrative passwords and rights management?
The answers to these questions are going to give you your task list for the remaining weeks of the summer. Get your access control system under control before you face the same embarrassment the City of San Francisco is suffering.
Richard Stiennon is a security industry analyst. He is currently consulting, speaking and writing on all manner of security topics for IT-Harvest, the IT research firm he founded to cover the security space. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Webroot Software.
The Leader in Network Knowledge
