A man reported his ex-girlfriend entered his apartment and taken items without permission.
It would be logical to think that the man in the story had given his girlfriend a key to his apartment, and then did not get it back when they broke up. The question is, when an employee in your organization is terminated or transferred do you remove their access. When employees are terminated or leave an organization do you remove all access immediately, or is there a lag as you wait for the notice go from human resources to IT. If you don’t have your termination procedures properly defined to immediately notify IT to remove access, your organization is exposing itself to a risk of loss or theft.
Many organizations do have well thought out termination procedures, but end up falling short on employee transfers. Many times we assume that since the employee is internal and wants to continue to be employed they won’t abuse access they no longer need. However, the risk of loss or theft is just as probable given the proper circumstances. It is important to make sure you policies regarding employee transfers are just as stringent as when employees are terminated. Just like the man, who while in love couldn’t image anything bad happening, we don’t want to find things missing after a relationship has ended. Have your policies in place to collect the keys or change the locks before it is too late.
Having been a new auditor, I know it can difficult just learning what you are supposed to do. I remember my first day of work out of college, after meeting my managers and central office staff, I was sent to a client site. My instructions were to report to my supervisor who would bring me up to speed. I walked in to a conference room at the clients facilities, introduced myself to my new supervisor, and was promptly handed a box of expenses to test. Other than a spreadsheet that was given to me, those were my instructions. The one auditing class I took in college was how to do statistical sampling, and all the theory behind attestation (audit) work. I learned quickly to ask intelligent questions and get the work done. I also learned what they taught me in school was useless in the field, but in all fairness public sector accounting is different than private sector which is what they taught in school.
The Intern and the Expert
Fast forward two years, now I was the supervisor being sent not only new staff members but interns as well. I was assigned a series of six clients that were all small libraries. Apparently the previous year I had done a library and so was deemed the group expert. As such I was not only given all the libraries, I was given an intern. The intern actually was catching on pretty quickly and I thought all would end well. The challenge doing libraries with a new person was you had just over a week of field work hours per audit. Having an intern actually gave you some extra time since they were charged at such a cheap rate, so you could take some time to mentor. As I was reviewing her work papers she asked why I was writing stuff down, why couldn’t I just tell her what to fix. I explained that review notes were not only meant to give critiques of her work, but also a way I could show my work when charging administrative time. She took her first set of review notes well, and we moved on to the second library.
Starting the second review, I let the intern know my expectations would be higher as we progressed. She dove into the work and seemed to want to complete the review better than the first. The end of the second day rolled around and I was handed roughly half her work papers to begin reviewing. The review notes began to grow longer and longer and I wondered what part of stepping things up she didn’t understand. She had messed up simple things like cross references, page numbering, and documenting tick marks. I stopped reviewing her work papers, pulled her aside and asked her to explain what was going on. “You said you needed to justify your time so I left a lot of stuff for you to write review notes about” was the response I got.
I sat there stunned for probably five minutes, just looking down at the first page of notes I had made. She broke the silence by asking if something was wrong. I took a deep breath and explained that the less time it took me to review her work, the less “justification” I had to provide for charging administrative time. I had a sense of relief when my interns face turned bright red with embarrassment as she realized what she had done. She asked to have the work papers she turned in back so she could correct them. Although my initial attempts at mentoring failed, my intern completed her remaining work without minimal errors. It was a learning experience for both of us.
A man and woman were warned about being in a local park after posted hours. The couple indicated they were searching for a lost cat.
Have you ever needed to go to the office late at night or on a weekend only to find your badge doesn’t provide you with access to the facilities? Have you ever tried to log into your systems only to be locked out based on restricted hours? These two areas of security sometimes go overlooked, but may be valuable controls. I am not advocating we all go out and set the system to use restricted hours, but I am asking you to consider the thought. We want employees to be able to access work anytime, anywhere. In order to facilitate this we asses the risks around having remote access and implement controls to allow the most secure connections possible. What we may not consider is the business reason the person may have for this access.
Take for example an employee who takes payments during normal business hours. After hours and on the weekends we know they can not accept payments, yet as part of allowing them to access the network during off business hours we allow them to log into all authorized applications. You may being shaking your head right now and saying “so what?” You know your systems log all the activity in that application so any attempt to alter data within the application would be detected and easily corrected, right. Although this may be the case, why even waste the time reviewing logs for malicious activity when there shouldn’t be activity in the first place. In the physical security space, we consider activity during non-business hours as unusual and respond accordingly. Yet we make ourselves do extra work to identify abnormalities in our systems when a similar control may be available. I am not saying to create this control just to implement it, I am just suggesting we consider time based restrictions on access for our systems when we feel it is appropriate. Users may just be looking for that lost document they need for a meeting in the morning, or they could be doing something you would rather not have to clean up in the long run.
An injured skunk was seen walking towards a small wooded area, officers left it alone.
Often, we are asked to allow things into our environments that just are not right. Perhaps the security configurations are not set up to standards, but the critical application just won’t function if standards are enforced. Maybe you have a third party vendor who has to place devices in your network but won’t allow you access and requires certain ports open through your perimeter. Whatever the reason may be, you just have to hold your nose and let it into your environment because it will drive revenue, or allow your organization to meet compliance requirements. This will make things more difficult to manage the environment because you still have to ensure other systems are not compromised. So we add more layers to handle the potential vulnerability placing those devices on the network may create. At the same time we need to press the importance of our security standards and work to help bring the “skunks” up to a more acceptable level of conformance. Information security isn’t just about managing devices, it also about educating people.