Alan admits his “trust no one” attitude comes from his New Jersey upbringing and is not common among his Indianapolis neighbors and coworkers. But the essence of computer security is forethought mixed with paranoia. Rather than protecting against what miscreants have done in the past, you must think about what they might do in the future.
Realize, too, that all good things must come to an end. The person you hire today will sooner or later move to another job or retire or even die in the saddle, leaving his home office desk and all the papers in it (including your corporate passwords) to his nephew who has felony convictions in five states. Or your company may suffer business reverses one day and be forced to let your new hire go.
Think pre-nup. Everything is lovey-dovey today, but will everything be lovey-dovey 10 years from now? We have no way of knowing.
What we do know, however, is that by having security access policies in place, and following them, we can minimize the risk of disgruntled ex-employees sabotaging our IT infrastructure. And rule number one for doing this is to give people only as much access as they need to do their jobs. Alan says he’s not just talking about passwords, but that “key code access to server rooms and external access to IT systems should be limited only to those who absolutely need these privileges.”
He also says:
Fast-forward nine years
Why nine years? Why not? Anyway, a good long time after hiring, your no-longer-new person may start coming back from lunch with the smell of liquor on his breath. At the same time, changes in your business make his skills less valuable than they once were, and he has made no effort to learn new ones.
It’s time to say, “Hit the road, Jack.”
But before you say that (or even start humming the famous Ray Charles song), you need to alert IT personnel — especially management — about the impending departure. In confidence. And, Alan says, you need to review “all of the company systems the employee has access to. Make a check list of the affected systems and require a confirmation of action once the employee leaves.”
The check list is important, because forgetting one key or a single obscure password can ruin the rest of your careful security preservation work. And your termination checklist should cover all employees in order to protect yourself from termination-based lawsuits — which might be frivolous, but can still be expensive and should be avoided whenever and however possible. “Consistent policies,” right?
Here’s Alan’s basic “time of departure” checklist:
Alan says that if you learn nothing else from what he’s said here, you should remember two main points: