Quality of contract staff declines...
"Forty-two per cent were able to connect a personal device like an iPod, USB key, or PDA to their work PC"
58% of contractors unable to connect peripherals to computers shock.
More than 80 per cent of temporary staff have the same level of access to company documents as permanent staff but without the same accountability, according to research released today by security firm Websense. The survey of more than 100 temporary staff found that 88 per cent of respondents were able to access documents from …
While the stats may appear a bit hairy, looking deeper at the reasons, having had the issue of temp user accounts land in my lap in several companies, I saw a common theme, and quickly sloped my shoulders to somebody else.
1) The Business typically never hires a temp to start after the SLA for Account Creation (the norm I've seen is 5 days); most temps are needed within 48 hours due to business demands (IT have been unwilling to negotiate a reduced SLA).
2) HR will not invest in automated systems which feed IT New/Leaver Requests.
3) New/Leaver Requests can be baffling for the Business at times, with a high percentage of managers not using them for years on end, so information is basic and in most cases unhelpful. IT/HR never seem willing to offer guidance, or are not approachable by the business for assistance. In defence of a couple of IT departments I worked for, PR exercises to the business had a low take-up; I guess the relationship was too far damaged.
4) The Business is never educated in the risks of allowing Temp1 accounts to exist, in a way they understand.
5) Sys Admins do not always follow their own policies or police them.
6) The Business lies to IT about the duration of a user to bypass the mountain of admin, as they see it, involved in the whole process.
All my Utopian fixes were quickly dismissed.
Given the number of businesses that use work-experience interns and "consultants" as replacements for permanent staff, with the vague idea that the former are just as good as experienced workers, only cheaper, and that the latter can be disposed of overnight without having to go through the redundancy process.
Too much focussing on short-term gain, and this is an accountant talking. Beat them all to a bloody pulp with a copy of Microsoft Course 2830B, aka 'Security for Morons', is my advice. Or if you feel really strongly about it, Prentice-Hall's "Principles of Auditing".
Then email me the whereabouts of their graves so's I can dance on them with my BOFH.
Actually, this surprises me, as historically it's always been the opposite problem. I've lost count of the number of hours I've had to sit twiddling my thumbs because, in order to do the job, I need access to X computer system or Y set of documents, and temps don't get access to it.
Why are temporary staff any more of a risk than permanent?
If these practices take place then chances are that permanent staff can access the same things and do the same things, in which case temp staff are no more a risk than perm staff.
Unless being temp makes you less honest for some reason?
1. Background checks are usually less thorough than for perm staff, or there are none at all.
2. Someone wishing to infiltrate an organisation by nefarious means will use the temp/agency staff route as the quickest easiest means of physical access.
3. Due to the difficulties of getting a new ID set up for the new temp person, often arriving at short notice, they are more likely to get lent another user's ID, which is more likely to have privileged access compared to a standard new user's ID.
After twelve years as a developer and consultant, I must say that I have rarely, if ever, experienced such latitude in my access to client IT infrastructure.
Any bank is going to insist that you use their own hardware to access their resources, and you are generally quite clearly warned that your activity will be logged, which is quite a deterrent if you want to seek information you're not supposed to have access to.
Most other companies are going to give you a PC as well, and if they do allow you to log on to their network with your laptop, you never have access to in-house network discs.
Besides, has anyone forgotten about reputation? As a consultant, my job is to leave a customer happy so that he calls me back. That won't happen if they find evidence that I've ripped their customer database, now will it?
On top of that, it is a non-trivial task to define the business rules, roles and policies, let alone all the connectivity and development work necessary to make it work.
Identity Management/Provisioning/De-Provisioning systems are extremely complex and difficult.
Of all the IDM projects I've been involved in over the last 3 years, most were for large banks seeking SOX compliance. They are multi-year engagements costing upwards of $20m.
Unless the auditors, legal department, compliance department, or government regulation demands it, small/medium companies aren't about to fork out for the necessary investment to get this implemented.
Off the shelf products from Oracle, IBM, CA, Sun etc aren't cheap (nor is the consultancy involved in implementing them).
Doing the same in-house without custom tools is also very difficult and costly. It is made more difficult by the fact that most small companies follow a very ad-hoc approach to user access. It worked fine when there were only 6 of them working from a garage - everyone knew each other and needed the same level of access. Once they developed into a 20+ team, it became more difficult to maintain access for all new employees; or the correct levels of access to all the bespoke (non-integrated) applications that were being purchased. Before you realise it, you are a company of 300+ with over 50 redundant accounts belonging to ex-employees that still have full access to the corporate database (and every other application the company has) ...
The more systems, roles and employees/users, the more complex the problems become - and the more complex the solution becomes; but procrastinating won't make it go away.
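The leaver and temp-account problems described in the comment above come down to one reconciliation: compare what HR says about people with what the directory says about accounts. The following is an added example, not the commenter's code and not any vendor's product. The roster, account list, dates and privileged group names are all constructed for illustration; in practice the two inputs would be an HR export and a directory query, and the "issue" codes are this example's own.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Group names are assumed for the example; substitute the real privileged groups.
PRIVILEGED_GROUPS = {"Domain Admins", "DBA"}


@dataclass(frozen=True)
class Person:
    employee_id: str
    name: str
    kind: str                  # "perm" or "temp"
    end_date: Optional[date]   # leave date or contract end; None if open-ended


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]  # None when the directory record has no HR link
    enabled: bool
    expires: Optional[date]     # directory-level account expiry, if one was set
    groups: frozenset


def reconcile(roster, accounts, today):
    """Return (username, issue, detail) for every enabled account that should
    not exist in its current form: orphans with no HR record, accounts of
    people who have already left, temp accounts with no expiry or an expiry
    later than the contract end, and temps sitting in privileged groups."""
    by_id = {p.employee_id: p for p in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are a separate clean-up, not an exposure
        person = by_id.get(acct.employee_id)
        if person is None:
            findings.append((acct.username, "orphan", "enabled account with no HR record"))
            continue
        if person.end_date is not None and person.end_date < today:
            findings.append((acct.username, "leaver",
                             f"{person.name} left on {person.end_date.isoformat()}"))
            continue
        if person.kind == "temp":
            if acct.expires is None:
                findings.append((acct.username, "no-expiry", "temp account never expires"))
            elif person.end_date is not None and acct.expires > person.end_date:
                findings.append((acct.username, "expiry-mismatch",
                                 f"account expires {acct.expires}, contract ends {person.end_date}"))
            priv = acct.groups & PRIVILEGED_GROUPS
            if priv:
                findings.append((acct.username, "privileged-temp", ", ".join(sorted(priv))))
    return findings


# Constructed sample data: a small HR roster and the matching directory dump.
TODAY = date(2008, 7, 1)

HR_ROSTER = [
    Person("E001", "Alice", "perm", None),
    Person("E002", "Bob",   "temp", date(2008, 6, 15)),   # contract already over
    Person("E003", "Carol", "temp", date(2008, 8, 31)),
    Person("E004", "Dave",  "temp", date(2008, 9, 30)),
]

ACCOUNTS = [
    Account("alice", "E001", True,  None,               frozenset({"Staff"})),
    Account("bob",   "E002", True,  None,               frozenset({"Staff"})),
    Account("carol", "E003", True,  None,               frozenset({"Staff"})),
    Account("dave",  "E004", True,  date(2008, 12, 31), frozenset({"Staff", "DBA"})),
    Account("temp1", None,   True,  None,               frozenset({"Staff"})),  # shared "Temp1" style login
    Account("eve",   "E009", False, None,               frozenset({"Staff"})),  # disabled, ignored
]


def audit():
    return reconcile(HR_ROSTER, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for username, issue, detail in audit():
        print(f"{username:8} {issue:16} {detail}")
```

Run daily against a fresh HR export, the output is the leaver list IT never received; the "no-expiry" and "expiry-mismatch" rows are where the business told IT a shorter duration than the contract actually has, or IT created the account with no end date at all.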
Biting the hand that feeds IT © 1998–2021