Web Log news, events, and more

Monday, September 8, 2008

Of Rogue Employees and Internal Control

Monday Mashup is back after taking a respite for the Labor Day holiday. Today I offer the tale of Terry Childs. His epic story of meteoric rise and catastrophic plummet (well, not really, but it draws readers) speaks volumes about the importance of IT general controls.

Mr. Childs was, until his recent relocation to the San Francisco County jail, a network engineer for the City of San Francisco. He apparently took his job a bit too seriously. Just as management was about to terminate Mr. Childs, he commandeered the city's Cisco network, effectively barring anyone and everyone from using city computing systems.

As the case sees daylight, an important lesson is being taught. We now know that management tolerated Mr. Childs' unacceptable behavior far longer than reasonably prudent because Mr. Childs was highly skilled and very effective in his role. His superiors knew that he had too much authority, that there was not a contingency resource following behind him, and that administrative access to the network was not being monitored. In fact, his department had a "give Terry whatever he needs to keep us afloat" mentality. So it's not surprising that he had all the right signatures on all the right approval documents.

Three important kinds of controls appear to have been absent in this case. Administrative controls were not being effectively executed. Roles having too much authority vested in them were not segregated. And technical controls like audit logging were not in place to detect problems early and prevent their escalation. The next Monday Mashup will discuss some of the weaknesses inherent in administrative controls, and the reasons why organizations need effective segregation of duties and technical controls.
