The recent story about Jason Cornish, a disgruntled employee of pharmaceutical company Shionogi, is getting a lot of attention this week. In a nutshell, he resigned after a dispute with management, and was kept on as a consultant for a few months after.
Rob VandenBrink, ISC Handler, Aug 17th 2011
I don't have a problem with what you wrote, it's really what you didn't write I have to question. In my opinion, allowing any former employee continued access to your systems is fundamentally wrong, I don't care why they separated. Unfortunately, it's behavior I have seen more than a few times with clients and former employers.
If you accept the premise that your greatest risk comes from the person(s) you hire -- even the "gruntled" ;) -- then allowing an individual who left on less than genial terms to continue consulting is insane! Proper termination procedures will ensure prompt removal of access rights and a general cleanup such as you mentioned.
Anonymous
Aug 17th 2011
I agree on all counts. Unfortunately, I see the same as you - people leave and management leaves hiring their replacement until much too late, or worse, gives their responsibilities to someone already on staff, then never trains them.
Hiring the person who left back in as a consultant is a common "solution" to these - fixing one bad idea with another bad idea. We're seeing this week what the risk is of this approach.
Rob VandenBrink, ISC Handler
Aug 17th 2011
Another area that is commonly neglected is controlling the information that not only consultants but also full-time employees remove from the company. Although it is stated in our company policy that information is the sole property of the company, employees do run reports and export them, maybe to portable media. What happens to those reports when an employee leaves? Even if the equipment was removed, they can still have printouts, copied media, items saved on personal PCs, etc. It is very difficult to contain information in smaller shops.
Rob VandenBrink
Aug 17th 2011
I got laid off last year, then got called back a few weeks later because the PKI I implemented melted down. They wanted me to fix it as a consultant, which would have required Enterprise Admin.
No way, not a chance - way too much risk to me, and they should have thought things through before deciding I was expendable. I want nothing to do with that company ever again, and I'm certainly not going to take the risk of something going wrong while I have access and getting blamed. That may even be the case here, who knows? So, stupidity on both sides here, but mostly the company's - he wouldn't have been disgruntled in the first place if they hadn't fired him, then they compounded the error by using him after that. He erred by accepting the work, but he may have done so because he wanted to use the access to get them back. Don't, just don't. How much will this mess cost that company? I bet a lot more than it would have cost to find a consultant rather than use their ex-employee.
Rob VandenBrink
Aug 17th 2011
The central tenet of the problem of who watches the watch-keeper is trust. Restrict access to the superuser accounts and the IT job becomes more difficult. Provide access to superuser accounts and you must trust.
Establishing the infrastructure that limits access without using superuser takes time and effort. Separation of duties to use the accounts requires bodies. All of the above takes money. Superuser access provides the most privileges with the least amount of time, effort, bodies and money. You now trust the watch-keeper to tell you the time. Who is watching the watch-keeper? Unconditional trust is a risk. To mitigate risk requires an investment. The balancing act of investing money across low risk of occurring versus large impact or high risk of occurring versus small impact is a balancing act of risk management decision making. It can be unnerving if you reflect on the number of IT people who have grown up in the basements of homes, soothed by the gentle purring of their server fans while they honed the computer skills so valued by companies and stunted the social and emotional skills needed by society. I will speculate the problem of watch-keepers out of sync happens more often than disclosed in the media. If it was a rampant problem, the time, effort, bodies and money needed to establish the infrastructure to support the unconditional risk would be a solution in the toolboxes of the MBAs that manage companies instead of "are you done yet".
Rob VandenBrink
Aug 18th 2011
For all I know, when they say "secret VMware console", it could mean that he SSH'd into the servers and used the command line to shut down and delete things. He was a consultant... it could very well be that he was in a position of trust and needed this access. Suggestions like enforcing some kind of specific assignment 'separation of duties' are burdensome without a clear proven benefit. Separation of duties implies imposing limits on each team member's area of responsibilities, which means more employees are required. If someone's duty is to troubleshoot, fix, or preen a VMware environment, then as a result they're in a position of trust, and you're still screwed if they misbehave at any time. The only assured saving grace is to have good backups....
Mysid
Aug 19th 2011
The best thing to do is have all of your access tied to some sort of central Identity and Access Management solution so that as soon as you are flagged as terminated in the system, your accounts are disabled.
Jasey
Aug 19th 2011
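The "central IAM, flag as terminated, accounts get disabled" idea above, as an added illustration that is not from this thread or from ISC: a reconciliation job that treats the HR feed as the source of truth, lists still-enabled accounts belonging to terminated staff and to consultants whose engagement end date has passed (the case this thread is about), and flags accounts with no HR identity at all, which an HR-driven workflow can never disable. The HR feed, the account inventory and the system names are constructed sample data.

```python
from datetime import date

# Constructed HR feed (the authoritative source): each identity's status and,
# for contractors/consultants, the agreed end date. Sample data only.
HR_FEED = {
    "jdoe":      {"status": "active",     "end": None},
    "asmith":    {"status": "terminated", "end": date(2011, 8, 1)},
    "bcontract": {"status": "contractor", "end": date(2011, 8, 15)},
    "rnew":      {"status": "contractor", "end": date(2011, 12, 31)},
}

# Constructed account inventory as exported from each system.
ACCOUNTS = [
    {"system": "ad",      "user": "jdoe",      "enabled": True,  "privileged": False},
    {"system": "vcenter", "user": "asmith",    "enabled": True,  "privileged": True},
    {"system": "ad",      "user": "asmith",    "enabled": False, "privileged": False},
    {"system": "esx-ssh", "user": "bcontract", "enabled": True,  "privileged": True},
    {"system": "vcenter", "user": "rnew",      "enabled": True,  "privileged": True},
    {"system": "vcenter", "user": "ghost",     "enabled": True,  "privileged": True},
]

def access_expired(record, today):
    """True when the HR record says this identity should no longer hold access."""
    if record["status"] == "terminated":
        return True
    if record["status"] == "contractor":
        return record["end"] is not None and today > record["end"]
    return False

def reconcile(hr_feed, accounts, today):
    """Compare live accounts with HR status. Returns (disable, orphans):
    disable: (system, user, privileged) for enabled accounts whose owner's access
    has expired; orphans: (system, user) for enabled accounts with no HR identity."""
    disable, orphans = [], []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        record = hr_feed.get(acct["user"])
        if record is None:
            orphans.append((acct["system"], acct["user"]))
        elif access_expired(record, today):
            disable.append((acct["system"], acct["user"], acct["privileged"]))
    # Privileged accounts first: a former admin's leftover access is the urgent one.
    disable.sort(key=lambda d: (not d[2], d[0], d[1]))
    return disable, orphans

if __name__ == "__main__":
    to_disable, unknown = reconcile(HR_FEED, ACCOUNTS, date(2011, 8, 17))
    for system, user, priv in to_disable:
        print(f"DISABLE {user}@{system}{' (privileged)' if priv else ''}")
    for system, user in unknown:
        print(f"REVIEW  {user}@{system}: no HR identity, cannot be auto-deprovisioned")
```

A real deployment would feed the "disable" list to each system's API and page someone for the orphans; the point is that the HR status change, not a ticket, is what drives revocation.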
I have to disagree with the idea of not hiring an ex-employee as a consultant, or a previous consultant again. The assumption is that in both cases, the termination was on good terms. I know a lot of companies in the US force retirement on employees when they turn 65, and some opt to retire earlier. It is common practice to have them at the retirement party on Friday afternoon as a departing employee, and back at their desk again on Monday morning as a consultant. This separates them from the company's employee benefits system -- especially the health insurance, since they are now eligible for government-funded Medicare. I am a consultant myself -- for the past 25 years -- and not because of retirement. I try to help these retiring employees understand how to set themselves up as a business, with liability insurance, to protect themselves from accusations of misdeeds, as well as accidents, etc.
Moriah
Aug 19th 2011