cio
Internal threats alive and well
Filed in archive Security by Scott Wilson on February 3, 2009

As if Fannie Mae weren't already having enough troubles, it seems that at the height (depth?) of the credit market implosion late last year it was also suffering an insidious threat from within its own ranks: a logic bomb planted by a disgruntled contractor who was in the process of being released.

Information Week has more details on the story. I came upon it by way of the SANS daily handler's diary, which asks "How do you audit your production code?" ... an extremely relevant question these days, with tens of thousands of IT jobs on the chopping block and staff loyalty at an all-time low. How many agitated engineers are polishing up their own "deadman" logic bombs right now, either guarding against, or taking vengeance in the event of, their own termination from employers for whom no love is lost?

The SANS discussion comes up with four old standbys for internal security: separation of duties, (minimum) role-based access, mandatory second-party review, and strong versioning/change management systems. None of these are new concepts, either in principle or execution, but it amazes me how many companies implement few or none of them internally. Even worse are those who have designed such systems, but regularly circumvent them with a nod and a wink because the design proved cumbersome or an inexact match for internal requirements. This often happens at the same time the organization is beefing up security against perceived external threats, which statistically represent a far lesser threat.

To be blunt, if you don't have internal controls, design some. If you have them but they aren't being followed, change them. A well-designed system isn't going to significantly impede staff from performing their work. There is a certain innate resistance in IT staff, particularly on the operations side, to being locked out of anything, but it's a cultural problem that it's time to address. If you are heading for a round of layoffs, or even if your staff just think you are, don't rely on serendipity to protect the livelihoods of those who remain.
