
SF Not an Exception In Giving IT Too Much Control 245

CWmike writes "The city of San Francisco's IT department is certainly not the exception when it comes to allowing just one person to have unfettered rights to make password and configuration changes to networks and enterprise systems. In fact, it's a situation fairly common in many organizations — especially small to medium-size ones, IT managers and others cautioned in the wake of the recent Terry Childs incident."
This discussion has been archived. No new comments can be posted.

  • Not news to nerds (Score:5, Informative)

    by iamhigh ( 1252742 ) * on Friday July 25, 2008 @02:52PM (#24339401)
    They claim that you should have more than one person that knows the password and configuration of the network. I work mainly in small-mid sized business; I have never heard of only one person knowing the password. In fact, the smaller the business, the more the owner wants to know the password (IME). Generally IT doesn't want $random_user to have the admin passwords. Also, everyone that has them is another person that can potentially "lock down" the system (see third para).

    The configuration? Well I am not real sure what they mean? Basic configs such as IP addresses and such have been documented at even the shoddiest implementations I have seen. Plus, if you know how to run that server, you probably know or can find and make changes to the "configuration". But if there is only one person at that company that knows that server/technology, well then there is probably only one person that knows the configuration! What, should the accounting manager know how to run our servers?

    But the bigger issue is that in a SMB, and in my current positions, I could CHANGE THE PASSWORD!!! Doh, they forgot that you can do that!

    TFA goes on to say things about hiring an administrator and then an auditor for the admin. WTF? Never heard of this happening in my career. I do know the military uses these methods, but that makes sense for them. The average sign printing company (even a 200 employee company) can't do that.

    TFA highlights a situation that we all knew existed... and didn't even give a (reasonable) proposed solution.
  • Re:Not news to nerds (Score:2, Informative)

    by GSMacLean ( 1333075 ) on Friday July 25, 2008 @04:01PM (#24340457)

    It happens. I was called in to try to rescue a small web shop's hosting business. The hosting business was a side business of the web design shop, with two web servers, a database server, and a mail server. All the hosting stuff was run by one guy, he was the only one who knew the passwords, and they unfortunately went with him when he died on the operating table. Five months later, when the increasingly unpatched servers started falling victim to attacks, they called me to try to fix the mess. Of course there were no backups, no way of retrieving anything. It was a mess.

  • by jellomizer ( 103300 ) on Friday July 25, 2008 @04:05PM (#24340527)

    Luckily these people are becoming less and less common. Why?

    Bosses are getting smarter. Some of the bosses actually come from an IT background and know what is going on.

    Computers are common. People, even non-IT people, are used to using computers, and have a general high-level idea what is going on.

    SOX and ISO documentation is part of the job now, not just a nice-to-have.

    Global competition. Big fishes in small ponds have been tossed into the ocean. Are you sure you are smarter than everyone else?

    Saying it can't be done may lead to "let's bring in a consultant." If the consultant says he can do it, you are knocked down a peg, and if you are that much of a jerk your boss won't be favorable about it.

    So over time I see this becoming less and less an issue. However, they are still around. And when they get fired they will make a big fuss about it, but overall the company will probably run better.

  • by Bandman ( 86149 ) <bandman.gmail@com> on Friday July 25, 2008 @04:49PM (#24341225) Homepage

    If something can't be done (by you) and it needs to be done, then what's wrong with bringing in a consultant?

    You're not in competition with the guy, he's an expert at whatever you're hiring him for, not to do your job.

    When you hire the consultant, just make sure he's not the kind who works behind a closed door. You're paying him to share information with you too, so that you can do general administration on the subject later.
