
Virtual Lockdown

The story of an IT administrator who paralyzed San Francisco's computer system offers some lessons to employers on the importance of dividing job responsibilities as well as the necessity of background screenings.

By Jared Shelly

It sounds like the plot from an action movie.

The computer network for a major U.S. city is being held hostage by a disgruntled employee who is also an IT whiz. All of the city's information technology administrators are locked out of a network that contains court documents, payroll records and even the mayor's e-mail account.

The rogue administrator -- the only person who knows the password -- sits in a jail cell refusing to cooperate with authorities.

Here's the part where Bruce Willis or Arnold Schwarzenegger saves the day, right?

But this story out of San Francisco in mid-July was all too real. Terry Childs, a 43-year-old network administrator working for the city's Technology Department, essentially locked down the government network for more than a week. Childs even allegedly configured the system so that the entire network would collapse during its next routine maintenance or if someone attempted to crack the password.

The situation was finally resolved when city Mayor Gavin Newsom secretly met with Childs in jail, and convinced him to give up the password.

The idea of an IT administrator acting unethically is hardly a new concept. In a survey of 300 senior IT professionals by Newton, Mass.-based Cyber-Ark, one in three (33 percent) admitted to using administrative passwords to access confidential material such as a colleague's salary information or e-mail correspondence.

While the San Francisco government and its data systems came away without much long-term damage, the situation brings up an interesting quandary for HR in both the public and private sectors: How does a company ensure the safety of its computer systems and the sensitive data held within?

Step one, say experts, is to diversify responsibility, especially at the top levels of IT.

"Making sure you have enough separation of duties is one of the key things," says Matt Shanahan, senior vice president of marketing at the IT security company AdmitOne Security, based in Issaquah, Wash. "[The San Francisco employee] was granted exclusive access to [the] system; he created a password and an account that gave him this super authority. Once you have that, you lock other people out and you gain massive control."

Michael Maloof, chief technology officer of Post Falls, Idaho-based TriGeo Network Security, says that San Francisco's Technology Department was dealing with a high-level employee with a "superiority complex."

"He thought his network was a work of art," says Maloof, "and no one was allowed to touch anything."

The employer should have implemented a backup arrangement in which more than one administrator holds the highest-level privileges.

Although Childs was deeply concerned with protecting the network from others, holding just one password actually put it in much more danger, says Maloof. Simply put, his idea did not pass the "bus test," meaning that if Childs was hit by a bus and incapacitated, no other worker knew the password -- which would have essentially shut the system down.

For Childs, the password incident was not his first brush with the law. Twenty-five years ago, he spent time in prison for aggravated robbery in Kansas, a matter he disclosed when beginning work with the city, according to news reports.

Should the organization have considered his previous record, especially while trusting him with the network's ultimate password?

While an employee's technological skills are clearly important to a company's IT department, hiring managers should make sure to check backgrounds and attempt to judge an applicant's ethics, says Shanahan.

"Certainly more and more people will take background checks seriously as networks and computing systems become more capable and can wreak more havoc on the business as a whole ... anytime you have an asset of that much importance, you want to be very careful about the individuals who are basically taking control of that asset," he says.

In the wake of the incident, the city's Technology Department should do a "complete account review," says Shanahan.

"Look at all your backups and fail-safes in terms of those accounts and privileges," he says. "Look at the process for creating, updating and managing those accounts and make sure you put the right controls in for that. And the third step is looking at employees' records in terms of background checks, to make sure they have a clean record and a low likelihood of committing fraud."
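As an added illustration, not from the article or from either of the companies quoted, the following script applies Maloof's "bus test" and Shanahan's account review to a constructed privileged-account inventory: it flags any system whose highest privilege is held by fewer than two current staff, and any privileged account with no recorded owner. The system names, account names, usernames and roster are invented.

```python
from collections import defaultdict

# Constructed inventory of (system, account, holder); holder=None marks a shared
# or local account (e.g. a device "enable" password) whose owner is not recorded.
PRIVILEGED_ACCOUNTS = [
    ("core-router-01", "enable", "tchilds"),
    ("core-router-02", "enable", "tchilds"),
    ("payroll-db", "sysadmin", "tchilds"),
    ("payroll-db", "sysadmin", "jdoe"),
    ("mail-server", "root", "asmith"),
    ("mail-server", "root", None),
]
CURRENT_STAFF = {"tchilds", "jdoe", "asmith"}  # constructed HR roster

def review_accounts(inventory, staff, minimum_holders=2):
    """Return {system: [issue, ...]} for every system that fails the review."""
    holders = defaultdict(set)    # system -> current staff holding top privilege
    orphaned = defaultdict(list)  # system -> privileged accounts with no valid owner
    for system, account, holder in inventory:
        if holder in staff:
            holders[system].add(holder)
        else:
            orphaned[system].append(account)
    findings = {}
    for system in sorted(set(holders) | set(orphaned)):
        people = sorted(holders.get(system, ()))
        issues = []
        if len(people) < minimum_holders:  # the "bus test"
            issues.append(f"bus test failed: only {people} hold top privilege")
        for account in orphaned.get(system, ()):
            issues.append(f"privileged account '{account}' has no known owner")
        if issues:
            findings[system] = issues
    return findings

def sole_holders(inventory, staff):
    """Map each person to the systems where they are the only privileged holder."""
    holders = defaultdict(set)
    for system, _, holder in inventory:
        if holder in staff:
            holders[system].add(holder)
    result = defaultdict(list)
    for system, people in holders.items():
        if len(people) == 1:
            result[next(iter(people))].append(system)
    return {person: sorted(systems) for person, systems in result.items()}

if __name__ == "__main__":
    for system, issues in review_accounts(PRIVILEGED_ACCOUNTS, CURRENT_STAFF).items():
        print(system, "->", "; ".join(issues))
```

Feeding the script a real inventory export (one line per privileged account, with the owner taken from the HR roster) turns the "complete account review" into a repeatable check rather than a one-off audit.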

San Francisco has a policy of not asking about criminal convictions during, at least, the initial stage of the job-hiring process. A city measure removed a checkbox on job applications that asked about convictions. A city official could not be reached for comment.


August 25, 2008

Copyright © 2008 LRP Publications