who needs access for what task, and remove the appropriate access when tasks are no longer necessary. This role-based access protocol restricts system access to authorized users only.
"That seems simple, but so many times security audits are done and you find 30 percent of the admin accounts are still active, even though that person doesn't work there anymore and hasn't for months. As soon as those privileges are not needed to do their job, those privileges or authorizations should be removed," he said.
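The audit finding described above, the departed administrator whose account is still active, is easy to catch when account data is reconciled against the HR roster. The script below is an added example, not code from the article or from any product it names; the accounts, roster and reference date are constructed sample data, and the 90-day idle threshold is an assumed policy value.

```python
from datetime import date

# Constructed sample data (not from the article): one row per privileged
# account, the HR identifier it belongs to, and its last successful login.
ADMIN_ACCOUNTS = [
    {"account": "adm-jsmith",  "employee_id": "E100", "last_login": date(2008, 9, 1)},
    {"account": "adm-alee",    "employee_id": "E101", "last_login": date(2008, 3, 2)},
    {"account": "adm-rgarcia", "employee_id": "E102", "last_login": date(2008, 7, 9)},
    {"account": "adm-backup",  "employee_id": None,   "last_login": date(2007, 11, 1)},
]

# Constructed HR roster: employee_id -> separation date (None = still employed).
HR_ROSTER = {
    "E100": None,
    "E101": None,
    "E102": date(2008, 7, 12),
}

TODAY = date(2008, 10, 1)        # reference date for the audit (constructed)
MAX_IDLE_DAYS = 90               # assumed policy: flag admins unused this long


def audit_admin_accounts(accounts, roster, today=TODAY, max_idle_days=MAX_IDLE_DAYS):
    """Return the privileged accounts that should be removed or reviewed.

    An account is flagged when it has no owner in HR, when its owner has
    separated, or when it has not logged in within max_idle_days.  An account
    can be flagged for several reasons at once.
    """
    findings = []
    for acct in accounts:
        reasons = []
        emp = acct["employee_id"]
        if emp is None or emp not in roster:
            reasons.append("no owner in HR roster")
        elif roster[emp] is not None and roster[emp] <= today:
            reasons.append(f"owner separated {roster[emp].isoformat()}")
        idle = (today - acct["last_login"]).days
        if idle > max_idle_days:
            reasons.append(f"idle {idle} days")
        if reasons:
            findings.append({"account": acct["account"], "reasons": reasons})
    return findings


def stale_fraction(accounts, roster, today=TODAY, max_idle_days=MAX_IDLE_DAYS):
    """Share of privileged accounts that the audit flagged (the "30 percent")."""
    if not accounts:
        return 0.0
    return len(audit_admin_accounts(accounts, roster, today, max_idle_days)) / len(accounts)


if __name__ == "__main__":
    for f in audit_admin_accounts(ADMIN_ACCOUNTS, HR_ROSTER):
        print(f["account"], "->", "; ".join(f["reasons"]))
    print(f"stale: {stale_fraction(ADMIN_ACCOUNTS, HR_ROSTER):.0%}")
```

Note that the separated owner's account is caught even though it logged in recently, which is the case a pure idle-time check would miss; the check against the HR roster is what removes privileges "as soon as those privileges are not needed."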
Pescatore and Schrier recommend configuring security management software tools so the authorizations of two administrators are required before significant changes can be made. Implementation of this type of software in a network environment forces departments to avoid the risky practice of giving only one employee the keys to the digital kingdom. Pescatore said Tivoli and Computer Associates provide tools that create automated logs for documenting network changes and blocked accesses.
Pescatore said the software would log if an employee were trying to surf an unauthorized database, making administrators aware of suspicious activity. Although it can be expensive to install such software agents on every necessary server, that price might be dwarfed by the cost and humiliation of having to notify 27 million citizens that their information was compromised, he said.
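The two controls described in the preceding paragraphs, a two-administrator sign-off before a significant change is applied and a log entry for every attempt to reach a database the user is not authorized for, can be sketched in a few dozen lines. The following is an added example written for this page, not code from the article or from the Tivoli or Computer Associates products it mentions; the role assignments, database ACLs and change request are constructed, and the role and ACL names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed role assignments and database ACLs (assumed names, not from the article).
ROLES = {"alice": {"netadmin"}, "bob": {"netadmin"}, "carol": {"helpdesk"}}
DB_ACLS = {"payroll": {"finance"}, "tickets": {"helpdesk", "netadmin"}}
ADMIN_ROLE = "netadmin"
REQUIRED_AUTHORIZATIONS = 2   # the two-person rule


@dataclass
class ChangeRequest:
    change_id: str
    description: str
    authorizers: set = field(default_factory=set)  # distinct admins who signed off
    applied: bool = False


class ChangeControl:
    """Two-person rule for significant changes plus an append-only audit log."""

    def __init__(self, roles, db_acls):
        self.roles = roles
        self.db_acls = db_acls
        self.audit = []  # every attempt is recorded, denied ones included

    def _log(self, actor, action, target, outcome, detail):
        entry = {"actor": actor, "action": action, "target": target,
                 "outcome": outcome, "detail": detail}
        self.audit.append(entry)
        return entry

    def _is_admin(self, user):
        return ADMIN_ROLE in self.roles.get(user, set())

    def submit(self, requester, change_id, description):
        """An administrator's submission counts as the first authorization."""
        if not self._is_admin(requester):
            self._log(requester, "submit", change_id, "denied", "not an administrator")
            return None
        req = ChangeRequest(change_id, description, {requester})
        self._log(requester, "submit", change_id, "ok", "first authorization recorded")
        return req

    def authorize(self, req, approver):
        """The second authorization must come from a different administrator."""
        if not self._is_admin(approver):
            return self._log(approver, "authorize", req.change_id, "denied",
                             "not an administrator")
        if approver in req.authorizers:
            return self._log(approver, "authorize", req.change_id, "denied",
                             "same administrator cannot authorize twice")
        req.authorizers.add(approver)
        return self._log(approver, "authorize", req.change_id, "ok",
                         f"{len(req.authorizers)}/{REQUIRED_AUTHORIZATIONS} authorizations")

    def apply(self, req, actor):
        """Apply the change only once two distinct administrators have authorized it."""
        if not self._is_admin(actor):
            return self._log(actor, "apply", req.change_id, "denied", "not an administrator")
        if len(req.authorizers) < REQUIRED_AUTHORIZATIONS:
            return self._log(actor, "apply", req.change_id, "denied",
                             "two-person rule not satisfied")
        req.applied = True
        return self._log(actor, "apply", req.change_id, "ok",
                         "authorized by " + ", ".join(sorted(req.authorizers)))

    def access_database(self, user, db_name):
        """Record every database access; a denied one is the suspicious event to surface."""
        allowed = self.roles.get(user, set()) & self.db_acls.get(db_name, set())
        if not allowed:
            return self._log(user, "db_access", db_name, "denied", "no role grants access")
        return self._log(user, "db_access", db_name, "ok", "role " + ", ".join(sorted(allowed)))

    def denied_events(self):
        """What an administrator reviewing the log would want to see first."""
        return [e for e in self.audit if e["outcome"] == "denied"]


if __name__ == "__main__":
    cc = ChangeControl(ROLES, DB_ACLS)
    req = cc.submit("alice", "CHG-1", "replace core router ACL")
    cc.authorize(req, "alice")          # denied: same person twice
    cc.apply(req, "alice")              # denied: only one authorization
    cc.authorize(req, "bob")            # ok: second administrator
    cc.apply(req, "alice")              # ok
    cc.access_database("carol", "payroll")   # denied and logged
    for e in cc.denied_events():
        print(e)
```

The point of the design is that no single identity can both submit and authorize, and that a denied attempt produces a log entry rather than silently failing, so the review described above has something to find.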
Keeping a Watchful Eye
The NASCIO report identified malicious employees as the No. 1 insider threat to a department's data, and it offers ways to deal with them. According to the report, IT employees may be too proficient for role-based access and security awareness protocols alone to contain. Their activity should be monitored and audited for abnormalities and dealt with quickly through severe consequences, including criminal charges if necessary.
NASCIO Executive Director Doug Robinson recommends departments pay attention to employees who are under stress.
"Perhaps they are going through a divorce, a foreclosure or financial instability," he said. "They are disgruntled because of a performance appraisal compensation or a raise that they didn't believe was adequate. They were demoted; they were fired perhaps."
Schrier said he also believes that managers should keep an eye out for employee stressors. "Certainly a warning sign for management is if an individual is taking a lot of overtime or is using a lot of overtime. It means that particular individual is probably being overworked," he said. "It requires some of the responsibilities to be spread around."
According to Schrier, if managers watch overtime and disperse responsibilities, they might also reduce the chances of IT workers getting too attached to their code. People who get too wound up in their work can become overly possessive, as if they're working on personal property instead of government-owned resources and projects.
IT shops should know as much as possible about prospective employees before hiring them by expanding background check procedures. The Post's August article reported that Childs "carried a list of convictions, including aggravated burglary, aggravated robbery and theft, according to court documents." He spent four years in a Kansas prison, but according to court documents he omitted those details from his employment application for San Francisco government service, The Post reported.
After the Storm
Although most of the dust has settled, San Francisco's Department of Information Technology still has a pile of digital debris to sift through. Apparently disgruntled network administrator Terry Childs left a networking device hidden on the city FiberWAN network that, as of this writing, IT staff are still trying to locate -- months following Childs' arrest.
The IDG News Service reported on Sept. 10, 2008, that an outside router was installed on the FiberWAN network that provided unauthorized remote access. City officials discovered it in August and don't have the correct user name or password, so they can't log on to the device and see what's going on. The prosecution has a screenshot of the message received when the improper login information is entered: "This system is the personal property of Terry S. Childs."