back to article We bet your firm doesn't stick to half of these 10 top IT admin tips

IT is perceived in mixed ways by users. Some look on the amazing stuff it does and think there must be witchcraft going on in there somewhere. Others think that because they configured their Wi-Fi printer and Sky box at home, they're a genius of computing. If you're to preserve order, security and governance in the use of your …

  1. small and stupid

    11. Dont be a pedantic dick.

    1. AMBxx Silver badge

      Was there a delay in your post being accepted? Everyone below this seems to have misread it as 'be a pedantic dick'

  2. Pete 2 Silver badge

    Nowhere to hide

    In some places, security (and H & S) is used as an excuse for not doing anything. "I can't send you that data ... it might not be secure" "I can't do that for you ... you're not authorised". "I can't access that ... I haven't been given permission".

    The first tenet of security is to allow the right people to have access and for everyone who needs to, to know who those people are. After that, comes the need to deny those who shouldn't be allowed.

    1. Halfmad

      Re: Nowhere to hide

      Actually first you have to properly secure and control access to the information appropriately so you CAN give the right people access, that's normally why people become overly paranoid about data, because thought never went into where and how to secure it initially.

      For example a manager may need to see everything on the system, but a secretary only information for one part, if the way the data is store doesn't allow segregation of the data into parts, in other words it's "all or nothing" then that's not much bloody use.

      A lot of systems are like this, allow anything to be entered, but allow far too much to then be seen, or even worse seen and no record of it being viewed.

    2. Anonymous Coward
      Anonymous Coward

      Re: Nowhere to hide

      The first tenet of security is to allow the right people to have access and for everyone who needs to, to know who those people are. After that, comes the need to deny those who shouldn't be allowed.

      No, the first principle of security is to set up a policy which describes who does what, as that describes the do and do-not boundaries of activity, the risk tolerance of the organisation in the areas where this cannot be defined with precision and the authorisation process to change the policy or sidestep it and accept the risk that creates.

      That was, by the way, the original definition of a firewall as well: a device that implements a security policy.

      1. arrbee
        Headmaster

        Re: Nowhere to hide

        "That was, by the way, the original definition of a firewall as well: a device that implements a security policy."

        Hmm, I suspect the original definition had more to do with walls and, err, fire.

    3. 0laf

      Re: Nowhere to hide

      Availability is only one of the holy trinity of security and it's not got anything over the other two.

      Confidentiality

      Integrity

      &

      Availability.

    4. OzBob

      Re: Nowhere to hide

      Yep I work for a government department (now as a contractor) and my favourite saying is "Security is also providing access to those who should, as well as denying it to those who shouldn't". It's both BTW, not one first then another.

      I do manage to get on well with the local security administrator, who is prepared to find a way to follow the rules but provide the access in a reasonable manner. Just lucky, I guess.

      1. I ain't Spartacus Gold badge

        Re: Nowhere to hide

        my favourite saying is "Security is also providing access to those who should, as well as denying it to those who shouldn't".

        This is really important. Actually I could even make an argument that in almost all cases, proper access is more important than data security. Unless of course your data has real life-and-death implications. For two reasons:

        Firslty - you're probably trying to do something. If you can't do that something (whatever it is), then your whole organisation is rendered pointless.

        Secondly - if you over-secure everything, so that people can't get their work done - then they'll just break the rules. And then your security it toast.

        Obviously this is all subject to sensible risk assessment. Sometimes the risk of the right thing not getting done is less than the risk of the data being leaked or damaged - in which case your security needs to be more inflexible, people need to understand why this is and know they'll get hammered if they break the rules.

        This is possible though. You can get people to agree to quite unreasonable procedures, so long as everyone agrees that the risk is high enough to justify the pain. And extra effort, and resources, are dedicated to helping the people on the ground to get their work done.

        I give an example. My Mum works with vulnerable children. But as an outside consultant for a very well known charity, seeing as she's retired. They've got their network wrapped up nice and tight. So tightly in fact, that she's been working for them since she retired ten years ago - and only got issued a mobile phone this year. So sure, they can now remote delete this data, and enforce a password on her. But before that she had all the details on her personal phone, with no password.

        She wasn't allowed to remote connect to their network (or even connect in the office) until she'd done several of those shitty online courses. But you couldn't get onto those online courses, without access to the network! Ahem. So she had to drive 60 miles to the nearest office, only for some shitty online video course thingy - that was a total bureaucratic waste of time. So because she was unable to connect to their secure (so secure you can't access it) data system, she was emailing stuff to her boss to upload, from her personal email account in the clear. And IT were no help, and just followed their procedures.

        Sadly many of these big charities seem to have swallowed all the bureaucratic crap of big corporations and government - mostly I suspect by hoovering up all the crappy middle management types that are unemployable elsewhere - because they pay too many staff.

        Chaos would be bad. This information is in some cases very sensitive. But just finding the names and addresses of families with disabled kids is easy - there'll often be stories in the media and charity press releases with names, that you can cross rereference with the phone book. I'd suggest that helping them is probably more important than hindering your frontline people - and there's an argument for keeping the sensitive notes in paper form, and never committing them to computer. But if you must, then you need to commit much more IT resources to the necessary hand-holding.

        1. Richard Jones 1

          Re: Nowhere to hide

          @I aint Sparticus,

          It is also an argument for something pretending to be an organisation to get organised and recognise the needs it has and deal with processes the right way. Your Mum cannot possibly be the first case of her situation, so there should be a secure, agreed process sorted out to deal with such cases and avoid the run around that is apparently needed. Sending file(s) encrypted would be a start! Providing the tools for the job would also be 'useful'.

          1. I ain't Spartacus Gold badge

            Re: Nowhere to hide

            To be fair to them, the original charity got eaten - due to running short of money/competence. She was taken on as an anomaly, a consultant with considerable (and probably unique) expertise and experience. So our new heroes had no place in their multitude of procedures for a non-employee who was non-office based with a completely random level of caseload. They solved some of that by employing her, but all other procedures seem to have broken down.

            That's a problem the article fails to address. The author calls for all procedures to be rigorously enforced on everyone, and exceptions added to procedures. Unless you're a very simple organisation, that's almost bound to fail. Once you get a few cases of it failing, then people will be sharing and writing down passwords - sending emails to and from their own accounts and squirrelling data away heaven knows where.

            Your procedure needs to designate certain people who can override the rules quickly, but are capable of doing so with an understanding of the risks, consequences and IT capabilities. And deciding to do this as a one-off, update the procedures to cover this from now on, or to do something as a short-term stop-gap with better secured replacement to follow.

            No-one has the resources, or foresight, to get procedures totally correct - and keep them current with changing circumstances. Anyone who claims otherwise is delusional. And while they think they have the best systems in the world, will almost certainly find that they've been circumvented massively at lower levels in order to get stuff done.

            1. I ain't Spartacus Gold badge

              Re: Nowhere to hide

              Oh, and any IT management who enforces monthly password changes that can't re-use any major elements of the previous one should be beaten to death with their own rulebook. Their inability to understand basic human nature and abilities has rendered them unfit to manage.

              Passwords are rubbish anyway. But if that's all the budget allows for, then for God's sake at least engage your brain as to how normal users react to passwords. I know very few people who can remember more than one or two passwords (if even that). In my previous corporate life I had 4 different ones for building access, email, Oracle accounts and the AS400 stock/sales stuff. Some had to be regularly changed - and the AS400 stuff I only used every couple of months, so had no choice but to write down. It wasn't on a post-it note on the monitor though.

              1. Pedigree-Pete

                Re: Nowhere to hide

                Passwords. Wot like iThingy accounts. Bloody Apple.

        2. Anonymous Coward
          Anonymous Coward

          Re: Nowhere to hide

          What your Mum did is a firing offense where I work.

        3. Doctor Syntax Silver badge

          Re: Nowhere to hide

          "and there's an argument for keeping the sensitive notes in paper form, and never committing them to computer."

          It must be a bad argument! The consequence would be anybody who feels they really must have access to them will photocopy them and then there'll be uncontrolled copies around the place. Uncontrolled because there'll be a ban on copying them so all the copies will be sub rosa.

        4. JimC

          Re: So She had to drive 60 miles

          Yep. This isn't fundamentally security, its a simple cost/benefit thing.

          Given an exception like this you can either put in the systems , processes, monitoring, staffing and everything else required so that every now and then people don't have to drive 60 miles, or else you accept that every now and then people do.

          Guess which one tends to work out cheaper for a small organisation? Its just the money. If you're a small organisation on a tight budget then gonzo level sophisticated systems just don't pay for themselves, and of course the more complicated the security the higher the risk, so the more attention it needs and so it snowballs.

          Given efficient admin, business processes etc. a really well managed organisation would work it out so that when the need comes to drive the 60 miles there are a whole raft of useful things they do to make the trip worthwhile, not just a single damn video, but again that's nothing to do with security.

    5. KA1AXY

      Re: Nowhere to hide

      Thanks to HIPAA, I now get content free emails from my doctor and pharmacy, reminding me of an appointment (withholding the date and time), or prescription renewal reminders (withholding name of the medicine).

      I ask you, what purpose do these emails serve? Mind you, I have expressly opted in and agreed to a lengthy pile of legalese in order to get them. Yet, apparently, "email is not secure", so names of medications and time of appointments must be withheld, even if I have requested them to be sent to me.

      Idiots. And expensive as well.

      1. P. Lee

        Re: Nowhere to hide - re: content free emails

        > "email is not secure"

        It could be that HIPAA has something other than your convenience in mind. For example, what if email processing is outsourced to an organisation which has a financial interest in collating what drugs you are taking, or Google starts selling information about your medical history or medicinal usage?

        HIPAA is going to look at all data under an organisation's control and if it is going to be controlled, it is controlled, no excuses.

        Encrypted email would seem to be the obvious answer, but that's too hard to roll out universally - emailing links to hosted encrypted appointment web pages is probably the best way to go, but far more trouble than sending a vague prompt.

        1. Doctor Syntax Silver badge

          Re: Nowhere to hide - re: content free emails

          " what if email processing is outsourced to an organisation which has a financial interest in collating what drugs you are taking"

          There's a simple answer to that. DON'T DO IT.

          Apart from any immediate security issues there's the longer term one. If email purports to come from one organisation but actually comes from another you're training recipients to blindly trust that what it purports to be. In short, you're training them to be phished.

          We really need to have signing as a required part of the email protocols. No wonder email isn't secure.

      2. kain preacher

        Re: Nowhere to hide

        That's not HIPPA that's just a piss poor Dr./hospital. When I had Kaiser I got emails reminding me of The day,time,Dr and location of my appointments via text and email

    6. NoneSuch Silver badge

      Re: Nowhere to hide

      Unfortunately, policies are great until you try to apply them to the senior execs. I've only worked for one company where word came down from the Presidents office that the policies were to be followed by everyone, or else.

      In the other businesses, 90% of the infractions were caused by senior staff who were not held accountable for the porn browsing, music / movie storage / download, darkweb crap I had to deal with. Some was ignorance, other would plead ignorance then do it again later on the same day they were cautioned.

  3. nijam Silver badge

    > 3. You're responsible for your equipment

    I will take no more care of equipment provided than do my employers themselves. E.g., since they've signed up for a "no claims" insurance policy (i.e. cover only for items costing over £2000 each) I wouldn't dream of putting it on my household insurance either.

    1. graeme leggett

      Companies, especially the larger ones, self-insure on small value stuff (your definition of small may be different to theirs) as the cost/risk is lower than the hassle of paying the premium and making the claim when required.

      You don't, and shouldn't, have to insure the company's kit, but you shouldn't be careless either.

  4. Ralph B

    There is one who keeps to all these rules.

    There is only one who keeps to all these rules.

  5. TeeCee Gold badge
    Facepalm

    .... laptop nicked from the back seat of their car....

    Depends how senior the owner is. I know of one who went one better and got his fleet car nicked with the laptop in it. Within a week a new laptop was his and a new Merc on order.

    Which was a shame really as a few days later the cops called to say they'd found his car. It was still locked, with the laptop in it, parked about 200 yards from where he thought he'd parked it before getting wankered that evening.....

    1. Rich 11 Silver badge

      At least his own drunkenness stopped him from driving while drunk.

    2. P. Lee

      >It was still locked, with the laptop in it, parked about 200 yards from where he thought he'd parked it

      Thieves will often move a car and leave it there to see if it is lo-jacked before trying to sell it on.

      Or he may have forgotten where he put it.

  6. Doctor Syntax Silver badge

    And, in my opinion, if it's humorous enough (a user once reported the loss of his expensive pager to my team as “We think my three-year-old put it either in the bin or down the bog”) then that's fair game.

    No it isn't. Any parent should be aware of keeping important stuff out of a three-year-old's reach.

    1. Mayhem

      Children are like idiot savants. The moment you think something is child or idiot proof, it isn't.

      My friend's standard technique for getting stuck cds out of the factory car stereo system is to leave the four year old near it for 15 min or so, and he frequently succeeds by hitting the right secret random combination of buttons. It's depressingly reliable.

    2. Anonymous Coward
      Anonymous Coward

      I think the guy was let off for perceived honesty, responding positively to honesty is better than the next guy who looses his kit dreaming up some scam that is hard to disprove but leaves us all ethically poorer and in a world of pedantic distrust.

    3. KA1AXY

      New parents usually learn that AFTER the pger has been flushed.

    4. Phil O'Sophical Silver badge

      Any parent should be aware of keeping important stuff out of a three-year-old's reach.

      Any parent should know that a three-year-old's rreach is much bigger than you'd think...

      1. MonkeyCee

        Mischief is often gravity based, and is thus faster than light.

      2. Doctor Syntax Silver badge

        "Any parent should know that a three-year-old's rreach is much bigger than you'd think..."

        It might be much bigger than you'd think. I think bigger.

    5. TomPhan
      Trollface

      Are pagers important stuff? Has the 1990's made a comeback?

  7. Anonymous Coward
    Anonymous Coward

    11. If you use an unattended install or image don't leave the local administrator password in plain text on the hard drive and allow users to access it.

    Some may think the above doesn't happen that often but I can assure you there are some big multinationals and some big I.T. suppliers that still do this. One only recently upgraded an office to thin clients that all have the same admin password and what is worse without giving it away it's on the top ten list of most common passwords.

  8. Warm Braw Silver badge

    You can never be 100 per cent sure that someone is meant to be there

    In most offices, someone you know without a badge is more likely meant to be there than someone you don't who has one. Blindly trusting badges is rather like letting in the nice man with the peaked cap who claims he wants to read the meter.

  9. Efros

    On point 3

    My work issues us with a MacBook Air, after much probing and eventually a f2f meeting with the tech director it came to light that they held us financially responsible for anything, absolutely anything that happened to said piece of kit. When pushed on this I was told that they have a very reasonable insurance scheme to cover for any such damage/loss. I asked if the laptop was necessary for me for my job, they assured me it was, I then suggested that if it was that necessary then they should pay the insurance, they refused and so my MBA currently resides in the bottom drawer of my locked filing cabinet in my office. I use my own laptop.

    1. Anonymous Coward
      Anonymous Coward

      Re: On point 3

      And where is your office?

      :)

      1. Efros

        Re: On point 3

        Office is at work!

    2. Michael H.F. Wilkinson
      Happy

      Re: On point 3

      No! No! No!

      The standard procedure is to stick the locked filing cabinet inside a disused lavatory with a sign on the door saying "Beware of the Leopard".

      Said lavatory should be in the basement.

      Be sure to remove the lights ...

      ... and the stairs

    3. allthecoolshortnamesweretaken

      Re: On point 3

      Do I need a badge to enter the building?

      1. Darryl

        Re: On point 3

        Nah, just wait for someone else to go in and follow them.

    4. Eltonga
      Headmaster

      Re: On point 3

      Well, for one, we lack of context information.

      It might well be that the rest of the office is working with beaten off 6 years-old Dells while your department "won" an internal ego contest and got those shiny new MBAs, and the price to pay for that Pirric victory was that insurance fell on your department's head...

      Or of course it can be that the company's heads are full of it.

  10. ukgnome

    tailgate - oh the joys

    When I worked for EDS I once prevented someone from tailgating. They were very persuasive in their argument as to why they should be allowed through the back door. I explained that as they din't have their pass I couldn't verify that they should be in the building. I was extremely polite to the point of sickly as I explained that they should visit reception and have them allow them entry to the building. I thought nothing of this until I was asked to report to the UK managers office.

    Yep, I had prevented the manager from entering her own building. This had made her late for the EMEA meeting as the big directors had visited. They were delighted that I had stopped her, and weirdly I ended up with a gold day for my ruthless door barring.

    1. Aqua Marina

      Re: tailgate - oh the joys

      An anecdote I was told several times over the past year justifying this position. The CEO of a large company, I think it was Target but couldn't be sure, deliberately used to visit the office, and enter the building through the warehouse. If ever he didn't get challenged by the time he made his way into the offices at the other side, he sacked the floor manager.

      1. PatientOne

        Re: tailgate - oh the joys

        Had something similar here: Chief Exec wouldn't wear his ID to see who would challenge him. He was pleasantly surprised by the number who did.

        He didn't sack anyone for not challenging him, but he did write to their manager to express his concern over security...

    2. I ain't Spartacus Gold badge

      Re: tailgate - oh the joys

      An SAS commander in the Malaya emergency supposedly reprimanded the guards at a training camp for not firing on a returning patrol who hadn't properly approached or identified themselves.

      He then apparently screwed up in some way himself, and got fired at for his pains. So he reprimanded the guards for missing him...

      I've seen this from two different sources, but being a forces story, that has no bearing on whether it's actually true or not...

      1. Anonymous Coward
        Anonymous Coward

        Re: tailgate - oh the joys

        While on gate guard duty, the RSM took pains to tell us to detain (lock up) anyone who returned to camp in a state of inebriation. They were to be kept detained until the RSM arrived to review the logs and order their release.

        Second person to turn up (staggeringly) drunk was... the RSM.

        Come morning, he really wasn't happy, but those were his orders...

    3. allthecoolshortnamesweretaken

      Re: tailgate - oh the joys

      The trick is to make it look like the guy who has the proper badge is tailgating you.

      Also, there are a lot of places where a hivis vest and a clipboard with some official looking forms will do just nicely.

    4. P. Lee
      Facepalm

      Re: tailgate - oh the joys

      Who needs to tailgate?

      I just go to reception, tell them I've forgotten my pass and they give me a new one, access all areas, no manager checks, no identity verification, access all areas.

      And I don't know the receptionist, as she's in a different building from mine.

      Security? Wassat?

      1. paulf
        Alert

        Re: tailgate - oh the joys

        @ P. Lee "Who needs to tailgate? I just go to reception, tell them I've forgotten my pass and they give me a new one, access all areas, no manager checks, no identity verification, access all areas."

        Have an up vote as I've had this experience also. I don't forget my badge that often but when I do I ask the receptionist politely for a temporary badge and it's issued with no checks, no confirmations, NQA. I'm on "Morning" terms with all the receptionists and admins so they all kinda know me, but not well. That means it's wide open for someone they may not recognise but has the smooth talking and well researched social engineering nailed before entering the building.

        On a related note - It's depressing to find out how much more of the buildings I can access with a temporary badge (which are usually issued to the cleaning staff each evening) than I can with my own badge as part of the Engineering dept at Paulf & Co.

    5. Anonymous Coward
      Anonymous Coward

      Re: tailgate - oh the joys

      I had prevented the manager from entering her own building. This had made her late for the EMEA meeting as the big directors had visited. They were delighted that I had stopped her, and weirdly I ended up with a gold day for my ruthless door barring.

      Reminds me of a safety/security story from many years ago. (It was at the time of the big storm that Michael Fish famously got wrong). A big R&D site was closed due to storm damage that threatened to bring down sone metal siding. A senior director arrrived, and was turned away at the gate by the site safety officer who was 'only' a mid-level technician when not wearing the safety officer hat. A big row ensured with director doing the "do you know who I am, little man" rant, ultimately ending with a literal "doesn't matter who you are, the site's closed. Fuck off".

      Director complained to MD about his treatment, and to the great joy of the technician (& his union) was smacked down for being an asshole and trying to pull rank when the safety officer was correctly doing his job.

  11. Anonymous Coward
    Anonymous Coward

    4. Think when you're sending information

    .. and when you're RECEIVING information too.

    Spam filters are not perfect, especially not when the board is worried about missing that one all-important customer email from someone who evidently writes in a style resembling porno merchants. It means your spam filter can let things through, and the whole idea of a zero-day vulnerability is that tit has been as yet undetected or defences have not yet been rolled out.

    Thus, if you get an email with an unexplained invoice and you run MS Office, you way want to avoid opening that attachment (Libre/OpenOffice is generally OK as it doesn't run VB that well). Oh, and if it's from your boss asking you to do something urgently like transferring money or authorising high level access, find a way to check it out of band. Send an SMS or call for confirmation. If he/she objects, just point out that quite a lot of money has disappeared via fakes and you want to spare them that embarrassment..

    1. Anonymous Coward
      Anonymous Coward

      Re: 4. Think when you're sending information

      I used to work for a company that made Pens. Any email about pens would always flag up the spam filter, and cause it to melt down, No combination of training, weighting or rule modification ever produced anything other than an overall spam flag.

      Any email containing the words in closeish order "pen is" (self explanatory) "specialist pen is" (cialis penis) "this soft pink pen is hard to manufacture" (this one really did happen) were simply marked as spam, meaning that we had to relax the system, and allow through all other penis, cialis and pink soft and hard items through.

  12. Anonymous Coward
    Anonymous Coward

    Irredentism

    Points 1 to 3 are IT

    Points 4 onwards are general business management and I would expect HR to lead on most of them. Does IT really control building security and passcard management? Looks like the IT SysAdmin has irredentist tendencies and thinks he runs the company.

    1. nichomach

      Re: Irredentism

      IME, it's frequently the case that if it involves technology or has wires in it, other departments are keen to offload it onto IT.

    2. Naselus

      Re: Irredentism

      1) Computerized door control systems are IT, which is maybe 90% of doors on commercial properties in the western world. This is a good thing, unless you want to let the geriatric ex-farmhand who gets the minimum-wage night security job to try and troubleshoot database issues.

      2) Physical access control is taught as part of infosec training from the lowly Sec+ right up to the almighty CISSP, so we're ideally trained for the job anyway.

      3) Almost any company of <250 people has an 'anything with a plug on it is IT' policy. While I'd be entirely happy not to have this responsibility, I am regularly torn away from doing the actual useful things I was very expensively trained to do in order to change lightbulbs and re-fuse plugs. I had hoped this would go away as my hourly rate climbed, but unfortunately my employer appears to think that for the price of an experienced sysadmin he should get a janitor thrown in for free. I just thank god that we don't have an elevator, as if I was left trying to fix that we'd have 5-6 fall deaths per year.

      1. usbac

        Re: Irredentism

        @ Naselus

        I work for a mid size company. Actually, I kind of like doing the stupid little stuff. I really don't mind changing a wall thermostat, installing the new dishwasher in the break room, or changing batteries in emergency lights. The kind of stuff that somehow seems to fall under "IT".

        It gives me a nice mental break from trying the figure out why Microshit's latest server OS is doing something strange. Or trying to figure out why the shipping software I wrote four years ago screws up only when shipping a 3 pound package to Kurblackistan and the recipient has two K's in their last name!

    3. Swarthy Silver badge
      Thumb Up

      Re: Irredentism

      Upvoted for teaching me a new word today.

    4. I am the liquor

      Re: Irredentism

      Point 3 isn't really IT either. It's about off-loading financial liability for uninsured risks from the company to the employee.

  13. chivo243 Silver badge
    Flame

    We have rules

    Set up by the Directors, but they don't see why they need to follow them.

    Do as I say damn it, NOT as I DO!

    1. Naselus

      Re: We have rules

      I recall working as a steward at the commonwealth games many years ago (I was about 18 at the time). We were given a basic 2-day security course covering more or less the same stuff in this article, and then deployed; are main job was to make sure that only people wearing badges got through.

      The head of security for that year's Commonwealth games not only did not bring his badge to work, but threw a fit whenever any of the staff he was employing to prevent people without badges strolling around called him up on it. I'd expect that sort of idiocy from general directorate types, but this was a man who had literally spent 40 years training for and working in event security. And it wasn't an embarrassing 1-off occurrence - he simply didn't think he himself would require a badge to identify himself to the 800+ contractors he'd hired to enforce the rules he had written and then insisted on flouting.

  14. frank ly

    More tailgating

    I worked on a large 'secure' site that had employee tracking by proximity card. If you tailgated and didn't offer your card to the reader, the system thought you were outside the area you were actually in, so it wouldn't open the door for you when you later 'swiped' from inside. You had to phone security and explain to them what you'd done. After the first lapse, the vast majority people always gave a scan before they went through a controlled door.

    (I was sure that security had been given carte-blanche to act like sarcastic dickheads when they got one of those phone calls. It seemed to work though.)

    1. Anonymous Coward
      Anonymous Coward

      Re: More tailgating

      I used to have to go into a server room which had a double entry door system. In between was a pressure pad. If the pad detected more than 100Kg a polite voice used to say "One at a time please". You then had to smile nicely at a camera so security would open the second door.

      One time a colleague forgot his server room access card so borrowed someone elses. It's possible if the someone else hadn't been a she he might have got away with it. They were both fired immediatley.

      1. Naselus

        Re: More tailgating

        Which seemed like a great idea until the next time someone had to add a new server to the rack.

        1. Anonymous Coward
          Anonymous Coward

          Re: More tailgating

          Seperate door and loads of paperwork for that, however some of the offsite technicians had toolbags that took them over the limit.

      2. Jess

        Re: If the pad detected more than 100Kg

        If I had a Mac Pro Tower in each hand I'd be well over that. (In fact one, would probably do it.)

  15. Anonymous Coward
    Anonymous Coward

    I spent two WEEKS tailgating..

    The irony was, I started this by accident (got out of bed late 2nd day on the job and forgot my freshly issued badge, so I took a chance). It took two full weeks before I was challenged by security - all those days I had the badge in my pocket.

    Unfortunately for them, the damage was already done.

    My job there was to verify site and systems security..

  16. Just Enough
    Meh

    Click Bait

    What a horrible click-baity headline. Don't do it again.

    1. Anonymous Coward
      Anonymous Coward

      Re: Click Bait

      It's either that or banning ad blockers. You choose.

      :)

  17. Michael H.F. Wilkinson

    I recently received a phishing attempt

    They claimed there had been a remote access to my account blah blah, etc would I log in to this URL to reset my password otherwise my account would be blocked.

    As most fishing attempts are filtered, I forwarded this to our IT people, remarking this was a new phishing attempt not filtered by the system. I got a prompt (automated) reply, that "ticket blah blah had been resolved". The phishing attempt came through the filter because it had emanated from the IT guys themselves to educate users. Clearly I am a suspicious enough blighter to pass this rather trivial test, but apparently it is necessary to carry out these tests, because many users apparently fall for it.

    1. KA1AXY

      Re: I recently received a phishing attempt

      I regularly delete any request to "verify" my account. If it's blocked I'll call and have it unblocked. That has never been necessary.

      1. Michael H.F. Wilkinson

        Re: I recently received a phishing attempt

        Those request are common indeed. Most of them get blocked by now

        1. chivo243 Silver badge

          Re: I recently received a phishing attempt

          The new ones always have to do with payments due or payments you didn't know you paid...

          1. Doctor Syntax Silver badge

            Re: I recently received a phishing attempt

            "The new ones always have to do with payments due or payments you didn't know you paid..."

            According to the Beeb the very latest ones know your postal address. I wonder if the recipients are TalkTalk customers.

  18. 0laf

    The CEO problem

    Yeah #8 is great unless the arse demanding they be exempted from the rules is backed up by the chief exec. Then you just have to make a record of it to cover your own arse then do as you're told.

    1. Anonymous Coward
      Anonymous Coward

      Re: The CEO problem

      So you add it to the policy: "Rule 8a: the CEO is not required to abide by this policy". And point it out to the auditors next time they visit.

      1. Edwin

        Re: The CEO problem

        Hum. The inherent assumption here is that the process is effective, adds value and makes sense. Looking at IT in any number of large corporations, this is a risky assumption at best.

  19. zebm

    What about side loading?

    I worked for a blue chip where they had an extreme side loading policy - my view was that if I compiled the open source code myself then I wasn't breaching policy but knew better than to ask for confirmation. Others would use standalone laptops with unencrypted hard drives and admin passwords taped to them...

  20. joeW

    encourage staff to challenge anyone who's not displaying their badge

    If I'm expected to do a security guard's job as well as my own, I'll want a security guard's pay on top of my current salary.

    1. Velv
      Facepalm

      Re: encourage staff to challenge anyone who's not displaying their badge

      Congratulations you've proven you're part of the problem and not part of the solution.

      1. joeW

        Re: encourage staff to challenge anyone who's not displaying their badge

        What I'm not is a fucking bouncer. "Challenge them", yeah, no bother, all 65kg of the skinny IT nerd that I am is going to go around challenging people for the good of my employers. The one time it turns out to be a fucking nutter I'm challenging will go really well for me. Yeah, we have occasionally had proper nutters try to get in (my employers have contracts with some rather unpopular companies, I'll say no more).

    2. Anonymous Coward
      Anonymous Coward

      Re: encourage staff to challenge anyone who's not displaying their badge

      And do you require a safety officers pay because work also expects you to not do anything hazardous at work, and report any hazardous thing you see?

      It's enlightened self interest. Since the intruder might not be after company secrets so much as a mobile phone left on a desk or a purse left in a handbag.

  21. Doctor Syntax Silver badge

    "Is the recipient authorised to receive it?"

    It goes far beyond that. Once it's gone it's out of your control. The recipient may be authorised to receive it but how do you know they won't: show it to colleagues who aren't? Print it out and leave it lying about? Keep it on a laptop left lying on the back seat of a car in central London?

    This doesn't just apply to email. On my last permie job the vendors of a new warehouse management system said they would need access to the network and it was decided to simply hand them some 2FA device. So the whole company network was now accessible to whoever had this device and the relevant instructions - which were probably written on a label tied to it - and completely beyond our control. I left before the whole thing had gone live so never found out how it turned out.

  22. maimonides

    "IT is perceived in mixed ways by users. Some look on the amazing stuff it does and think there must be witchcraft going on in there somewhere. Others think that because they configured their Wi-Fi printer and Sky box at home, they're a genius of computing."

    This paragraph is incomplete. Allow me to finish...

    And then, there is the majority. Those ungrateful people think, that just because internet is down and waiting time for new computer is two month and antivirus makes their PC useless and demented password policy is senseless, that IT is not up to the task and should be outsourced by less overpaid monkeys and things will be roughly the same, except monkey cages will not be as smelly and awful.

    Mostly they are right.

    Even barely competent IT dept is like a black swan. They generally exist only in reg stories.

    1. glen waverley
      Headmaster

      downvote cos ...

      ... of yr northern hemispherist attitudes.

      Here I can see black swans whenever I feel like it. Only have to go to the river or the lake, depending which city I happen to be in.

      1. Kernel

        Re: downvote cos ...

        Yeah, considered to be a bit of a pest species here, hence the regulars of any swan that isn't white.

  23. Duncan Macdonald

    Nice Theory - but

    1) How many outfits have all their IT systems set up correctly - all too often if one person has to provide temporary cover for another, the only way to do so is to log on as that other person. (Or wait weeks for all the authorization tables to be updated, additional user licenses purchased etc.)

    2) See (1)

    8) Proper procedures are good for routine activities - they are not much good under exceptional conditions.

    (Crude example - the payroll printer breaks down on payday - there is no time to follow the "correct procedure" of repairing or replacing it but diverting the print job to a printer in another office allows the time critical payroll job to complete.)

    Having "proper procedures" that take too long can result in a company loosing out to more agile competitors.

    9) Security is not the second most important thing. Safety, company survival, company profits and company growth are more important. Also in many companies, senior management convenience is counted as far more important than security.

    Security is an overhead - (people, software, equipment and employee time) so for most companies, they spend as little as possible on it. This tends to mean that the chief security officer for a company is a fairly low ranked person who can be easily overridden by senior management. (The correct point to stop with security spending in a company is at the point where the loss prevention from increased security no longer exceeds the cost of the increased security.)

    Finally if security is applied with too heavy a hand, employee morale and productivity can suffer badly

    1. Jediben

      Re: Nice Theory - but

      "Security is not the second most important thing. Safety, company survival, company profits and company growth are more important. Also in many companies, senior management convenience is counted as far more important than security."

      You won't get much profit, growth or senior management convenience if you have a leak from the air conditioning in the electronically-locked Boardroom which fails, and kills everyone senior.

      1. Mark 85 Silver badge

        Re: Nice Theory - but

        You won't get much profit, growth or senior management convenience if you have a leak from the air conditioning in the electronically-locked Boardroom which fails, and kills everyone senior.

        Allow me to snark a bit.... Profit would go up since no senior management bonuses would need to be paid out. Growth might increase without senior management sticking their noses in where they have no knowledge or expertise. Hmm... maybe a change in management might be beneficial in many companies as long as they don't hire someone else's flotsam/jetsam.

      2. Doctor Syntax Silver badge

        Re: Nice Theory - but

        "You won't get much profit, growth or senior management convenience if you have a leak from the air conditioning in the electronically-locked Boardroom which fails, and kills everyone senior."

        If it's that limited it won't do any harm to profits and growth. In fact it might improve them.

    2. Anonymous Coward
      Anonymous Coward

      Re: Nice Theory - but

      In the case of emergency measures, then by all means come up with an emergency plan to keep business running with the authority to do it. that might mean getting a director to write a short note giving your the carte blanche.

      Even then you work to mitigate the risk. Dead printer in payroll. Take it from nearest normal office and plug it in the payroll office. Redirecting instead, then someone from personnel guards the printer output tray until its finished printing the payslips. Now in my experience not printing the payroll didn't mean not getting paid but... ymmv.

      And if you have an incident then you can use it to improve your procedures for next time. Continual improvement and all that. Add to any procedure " [management role] can override [section numbers] by using [form] countersigned by [senior management figure]"

    3. Doctor Syntax Silver badge

      Re: Nice Theory - but

      "Proper procedures are good for routine activities - they are not much good under exceptional conditions."

      Your proper procedures should allow for emergency actions but require that the action taken is documented. One reason for employing experienced people is to ensure there's someone available competent to deal with the stuff that doesn't get documented procedures because it's unexpected.

  24. Ed Jackson
    IT Angle

    I don't stick to half of those "Ten Top IT Admin Tips" because half of them have nothing to do with IT.

  25. Anonymous Coward
    Anonymous Coward

    1) is a tad unrealistic

    There are some diagnostics that have to be undertaken as the user experiencing the issue. Generally it's best the user is at least present to enter their password when needed, but often they don't want to be - this should be enforced.

    I'm against passwords being written down and shared, but it's nigh on impossible to carry out some diagnostic work without having access as the user affected, and in many cases they may not be sharing their password but leaving their computer logged on for you and buggering off for a tea and a chat with a colleague.

    Of course, in my opinion, this is not an issue when involving IT staff who have access to, say, AD anyway, and could easily change a password and wreak havoc if they so chose. This is where having auditing switched on is important. It often surprises me the levels of trust assigned to new IT staff as they require access to systems to do their job, but no real background checks can be carried out, save for the usual references.

    1. Velv
      Headmaster

      Re: 1) is a tad unrealistic

      Agreed there are issues that can only be diagnosed under the users credentials.

      But the policy will handle that. The user must remain present during the support service. They cannot be permitted to "just bugger off for coffee". Now I know it's difficult for the PFY in his second week to tell the senior manager they can't just leave their password behind or even just leave the computer logged on, but if the senior manager has signed up to the policy in the first place the company should be behind it and the PFY. It doesn't take long for the right culture to be the norm.

    2. Naselus

      Re: 1) is a tad unrealistic

      If the user attempts to leave, then just tell them 'no, I need you here for this'. If they still try to leave, then you can leave too. Clearly, whatever they were working on wasn't important enough for them to hang around to get back on with it as quickly as possible, and so it's not really your problem if the issue remains unfixed until they can find time in their busy coffee-making schedule to be around for it.

      Most users are happy to let the IT guy be in total control over the situation when they need assistance anyway, regardless of relative rank - directors will often prove to be more inclined to be passive and helpful than anyone else when it comes to this, as they need to get back to work and will do whatever you ask of them if that expedites the fix.

      Finally, if any user DOES insist on giving you their password so they can bugger off, then set their account to force them to reset their password at the next opportunity. They very, very quickly learn to stop handing them out when it means having to change their passwords even more regularly.

    3. Mark 85 Silver badge

      Re: 1) is a tad unrealistic

      Where I was working, we in IT did accept passwords and log on credentials for repair. However, when the PC/Laptop/Mobile was handed back, the user had to call into the Security Helldesk for new passwords. All to them, not just the one for the PC.

      However, after one IT lad decided to look where he shouldn't have looked, that policy did change. No handing over credentials/passwords. Firing offence even if it was senior management's equipment and they didn't want to hang around. Lots of pressure for us to ignore it until a junior VP was canned for pushing and demanding we fix his box without his being there to login.

  26. Primus Secundus Tertius

    The Security Chief

    At one place I worked, you could easily spot the chief security officer. Everywhere he went people asked to see his pass.

  27. Anonymous Coward
    Anonymous Coward

    Try to explain 10 to HR...

    Here HR people can get easily overzealous over very small "infringements" (I had to discuss a couple of times because I left the company phone in the car and had to get it - it takes two minutes but if you exit for such time - of course using the badge - they make you spend a 15m permission!), but try to put big ones under the carpet, because usually the culprit goes whining to the nearest unions representative and HR doesn't want any trouble with unions...

    Thereby you see the silly minutiae SS-like enforced, while big security and work issues becomes just, "well, we asked him/her gently to be more careful next time..." - and I'm told I have to learn to treat people, and don't report them if I can avoid it (after all, if then something very bad then happens and becomes a big trouble, the responsibility becomes mine, not HR...)

  28. CAPS LOCK

    tl;dr? Here's an executive summary...

    ... 1. Do everything you must do and do it perfectly.

    2. Don't do anything you mustn't do.

  29. Anonymous Coward
    Anonymous Coward

    One rule to rule them all

    Face outwards, not inwards.

    The best IT departments basically look at what they can do to make the organisation work more efficiently/profitably/happily. When you bring them a problem they stare into space, smile, and say - 'i think i can see a way we can resolve that'.

    The worst ones have their back to the door and their nose in a corporate procedure manual. On the bright side though, working at an office with an inward facing IT department is a brilliant way to enhance your skills, as you get to learn about all the things they should do, but don't (right up to DIY token ring lan installation on a weekend).

    1. KA1AXY

      Re: One rule to rule them all

      Token ring?

      You have my sincerest sympathy.

  30. allthecoolshortnamesweretaken

    We have a much better set of security rules where I work, but I am not at liberty to discuss them.

  31. Dr. Mouse

    "Everyone I've ever worked with who's responsible for premises or security has bemoaned how hard it is to get people not to “tailgate” – that is to let the person in front swipe their entry card then follow them in without doing so yourself. And anyway, we're all taught that holding doors open for people is good manners. It's a security nightmare, though."

    At one place I worked, some guys nicked a large, expensive plasma TV. They walked in, went to the class room (in front of a class full of students), unplugged the TV and walked out with it. Noone questioned them, and the MD and owner of the company held the door open for them as they were leaving!

    1. allthecoolshortnamesweretaken

      Some years ago there was a story floating around about a couple of guys who took all the xerox machines from an office block, claiming they were from the company that the machines were leased from. "Machines are up for replacement with new model as per leasing agreement. We'll just remove them now, delivery of the new ones will be in an hour or so."

      As to tailgating, a couple of years ago I was on a seminar (TRGS 519, if that means anything to you). One of the participants worked in a nuclear power plant. Lots of areas with two-door security access. System keeps track of who enters, who leaves, whi is still in there. One day he tailgated from one area into another. When he wanted to leave the area, the door system wouldn't let him out because according to the log files he wasn't in there.

    2. dr john

      At my first university, some of the rival university's students arrived in overalls in a rented van, dismantled the large glass doors to the student union, and drove off with them. No-one questioned this until late in the evening when a ransom note arrived...

  32. jzl

    Incentivise lying

    Agree with the rest, but not point three.

    If you make employees liable for company kit, then you're incentivising lying and decreasing security. If their laptop goes missing, there will be a delay in reporting it while they desperately try to work out if they can get it back. If they can't, you'll likely face completely erroneous accounts of what happened to it. All for the sake of a few hundred quid of kit.

    1. Anonymous Coward
      Anonymous Coward

      Re: Incentivise lying

      And if you don't, they become reckless about them - not their stuff, no responsibility, who cares about it... once we got the truth because we asked someone to follow us at the police office because we were going to file a report about a stolen PC... and he got scared to file a false report :)

    2. Anonymous Coward
      Anonymous Coward

      Re: Incentivise lying

      Speaking as someone who has had to swap out a laptop for a rep because "it stopped working" and when I dismantled it (to reuse the screen after another rep broke the screen on theirs) found evidence of liquid based damage (probably coffee) such that the alloy frame was corroded, I tend to the making sure responsibilities are clear from the start position.

      That said rep was (to the best of my understanding) let go when it was found he was promoting his own products on company time, suggests that duplicitous reporting of the laptop fault was not a result of company policies.

  33. Stevie

    Bah!

    There are about three people in my enterprise of over 500 who wear their badge as demanded in the Official Memo Re Badges: all the time and above the waist.

    The managers typically wear them clipped to a belt (against policy) and the rest, including 100% of the consultants, never display them.

    Not only os this a security nightmare, it is fucking rude. How in hell am I supposed to know your name when I need to ask you a question in a meeting?

    But now the SAs are insisting on deploying sudo "for security". On some servers. Only for certain staff. And not the SAs.

    HASP * in action.

    * Half-Arsed Security Procedures. Not intended as anything but a sardonic kick in the nuts from them-wot-can to Teh Luzerz.

  34. Lee D

    I have:

    - Told a headteacher of a school "Sorry, you're not allowed access to that information" (They wanted free-reign of the webfilter log but were unable to describe to me why, who, what they were after, did not want records or oversight of THEIR access to the logs, and my policy doesn't allow that. Even if they had demanded it, a list of computer AD accounts, DHCP lease allocations and webfilter logs based on IP would have kept them correlating numbers for weeks. Shockingly, after explaining why and the proper process for such inquiries, they gave up and never asked again.).

    - Disabled a staff user account because they shared their access with a colleague (The reason you have access and they don't is because you're allowed to see it and they are not. If that's hindering them in their job, have them ask for more access, don't just grant it to them via your account as a proxy measure).

    - Refused to issue new staff members details until I see a signed AUP. Yes, it's petty but I'm not going to have you claim that you didn't know you couldn't just copy all our data onto your USB stick.

    - Shut down an entire school's use of a service after it was found with school data on it that we hadn't authorised the dissemination of (someone had typed in all the kids names etc. manually into a third-party website), and which wasn't hosted in the EU. This generated instant and immediate cessation of usage upon discovery, a warning to ALL staff (including cleaners), a review of all services and a staff "amnesty" so they could admit to anything similar they may have done elsewhere. And NONE of that came from me, but from the Data Controller of the school.

    Data protection has PERSONAL LIABILITY now. That means if I - or you - allow things, we can go to jail or be fined, besides what happens to the company or our jobs. I ain't going to risk that for your convenience. You want something, you document it. You don't do it properly and / or try to bypass me, I'll just drop you in it. Because then *I'm* covered and have done what I need to do and it's down to you. And even that doesn't excuse what happened to data which is supposed to be in my care and the loss of business reputation because of that.

    You think we're being petty, we're not. It's a pain in the butt to do all this stuff and causes nothing but arguments and hassle. We don't do it for fun (maybe some do, but the majority not), we do it because we don't want to end up in court or being fined to oblivion, like DOZENS OF DOCUMENTED CASES.

  35. Derek Choate 1

    Nagging will get you nowhere

    As well all know, people tend to be the weakest link in most security regimes and the author seems to think that this can change through some sort of mass conditioning. Sadly, humans are the weakest link because we tend not to be obedient little automatons and no amount of nagging will change that. Ever. Instead we must completely re-engineer our security approach that minimising the amount of damage that individuals can do. For example, forget passwords - go for something much harder to share, like fingerprints or other forms of 2FA.

  36. Anonymous Coward
    Linux

    Tip 0

    Badger the CTO about open source and migrating the enterprise to Linux Mint

  37. Anonymous Coward
    Childcatcher

    Ah yes, securidee

    A few years back I was working in Govt. IT and grew tired of lugging their hefty IL3 secured laptop home on the Tube.

    My solution was to image the hard disk and run it under VMWare on my home PC. It worked perfectly and wasn't detected; indeed when I raised this scenario as a risk to the IA guys they swore it was impossible.

  38. Herby

    Badges? We don't need no stinking badges.

    I am a contractor for a "high profile" sillycon valley company. They have nice access control devices for entering buildings, but after that I keep my badge in my pocket (not displayed) all the time. No challenges (yet).

    The previous (other) "high profile" sillycon valley company had similar policies, but after the slot broke off of the badge holder, I did what a cube mate of mine dis, and kept in my wallet. To enter the building, I just brushed my butt next to the reader. Nobody complained there either.

    Yes, the current place of work has LOTS of signs that say "No tailgating". I try to be a good boy.

    1. Anonymous Coward
      Anonymous Coward

      Re: Badges? We don't need no stinking badges.

      Used to work for an access control manufacturer. Had a high profile customer site that used our kit and had an add-on that would print visitor badges. It was just basically a bit of card with a photo and a barcode - the number could be automatically disabled in the system at the end of the day.

      As I was there with the setup/comissioning,I set myself up on the system with my test card - which was a barcode from a Tesco Chicken Sandwich packet. The installer was not pleased - and nicked my test card - bastard.

  39. Jess

    Word

    About 12 years ago I worked in a school.

    I demonstrated to a social worker how much information was hidden within word files. All the blood drained from her skin.

    Another time I had to try to email a security video viewer executable to the local police. Obviously their firewall blocked it. When I embedded it in a word file it went straight through.

  40. Sil

    As we've seen countless times in the biggest scandals of our time, one of the most difficult task is to correctly and timely manage full/very potent rights for admins of all kinds and other high level employees.

    Otherwise you end up with yet another Panama or Wikileak.

    Also, for SMBs at least, you must have clear policies and handling of tape backups, who brings them to the bank or other safe place, how you store them in at least two geographically distant places etc.

  41. Anonymous Coward
    Anonymous Coward

    Jolly good, where's the money?

    It's all down to money, even if most of the points are reasonable.

    Have to follow procedure - right up until the point where because various people have been useless, and/or due to insufficient investment, the customer is going to disappear, or it will cost the company/customer real money. Shortcuts are taken, generally quite safely, as most of the procedure in place is in reality useless.

    There was a product. A security audit revealed a couple of features that whilst not a particular security risk, were distinctly sub-optimal and should be better implemented. Management raised this as a high importance change, we agreed it was not ideal and should be fixed. Whilst we can fix it, doing so will stop us doing our job effectively. A proper fix involves not only improving security on the features, but considerable amounts of new code so everyone can perform their jobs as well or better, testing, new procedures, new tracking systems, contacting a couple of dozen customers, and a mass roll out of new systems.

    We'd love to do this properly - can we have at least a few extra staff to arrange this, and development/support/testing time in the current team? From management came : crickets.

    Obviously that was a bit too much to do at once, so the backup plan would be to incrementally fix customers, and gradually roll out changes. Do management think of this? No - they cut the number of team members.

    Count me in when staff get a bonus for finding process and security issues and suggesting improvements, even when it has a staff and monetary cost. When there's a nirvana of a performance review that's 'you cost the company lots of money this year, but that's ok as we're now the most secure business in our sector, and believe this reduces our future risk. Have a substantial pay rise' it will be worth bothering to change procedure.

  42. Anonymous Coward
    Anonymous Coward

    Difference between Information Technology and Information Governance

    Had a user moan at me about the fact that we have software that blocks write access to USB memory sticks. (I'm a contractor in the IT dept, so even though I'm "IT", I'm not important enough so I suffer with the policies).

    Explained that the IT department allows people to create, change, store and transmit data potentially world wide. The Information Governance Dept says "You can't do that!" and forces IT to do what IG says...

  43. Anonymous Coward
    Anonymous Coward

    It is not the second most important thing

    The business is the second most important item. Security is somewhere below. I've worked with too many organizations where security dictates the business and consistently blocks the business from being able to effectively operate. There is a difference between protecting against legitimate threats and just being a pain in the ass and stopping the organization from conducting business effectively.

  44. dr john

    Stupid password policy

    Students at a college where I lectured all got a computer account. They used their name or badge ID and a password to log in. To make it easy to pass this on to hundreds of new students during week one, all had the same initial password - the legendary changeme ! They were told change it whenever they logged in without changing it. Now almost everyone did this, and they got email reminders during the first week or two as well. So initially all your data was mine as well, until you set a new password. Risky? Yes, but most got the message. And they had little or no data to worry about at this stage, apart from emails being sent in their name of course.

    BUT

    They were also told that at regular intervals they must change their password, the commonest interval being during the second-last week of the last term of the academic year. It used to be the end of every term at one point, but that caused too many problems.

    And if they didn't change it during the second-last week? Their password was reset to...

    Yes, back to changeme - ALL you data, assignments and emails are now my data, assignments and emails!!! A quick delete of a folder by a nasty student taking advantage of this could result in someone they didn't like failing a course!

    This was before I took computing courses, and so when I suggested that this was a very risky thing to do, the IT people told me to go away and leave the qualified people to get on with their work.

    I kid you not.

    Needless to say I often had panicking students coming to my office as they couldn't log in to get their final assignments printed - their "friends" had logged in and changed the password.

    Often these passwords would remain as changeme until the new term started.

  45. crayon

    re: content free emails

    When you receive your content free email you're supposed to login to your

    https://patient.emisaccess.co.uk/

    account to see the content.

  46. Metrognome

    ISO and associated malarkey

    "...ISO adjudicator to take away the certification...."

    I have been working with ISO QA systems since the early 2000's and I have yet to find a case where non-conformities result in a certification lapse, with the exception of bankrupt companies on the brink of calling the administrators in.

  47. CoolKoon

    IT admin tips? More like paranoid corporate CSO tips

    I swear that articles such as these are NOT written (nor recommended) by IT guys, but by those CSO types instead which I had the "fortune" to meet in my life. They seem to want to run everything like the Soviets ran Eastern Europe before 1989: monitoring everyone (including their private communication on social networks of course), giving the least amount of access (he can't do his work properly? Who cares?), encouraging EVERYONE to be suspicious of their colleagues (I've seen such idiotic campaigns alleging that the evil wrongdoer is among the corporate monkeys) and of course to report everyone for anything that seems even remotely suspicious. And then they don't understand why does IT crowd leave that company in flocks like rats abandoning a sinking ship. No sane person would want to (voluntarily) work in such a hostile environment (although mortgage does wonders).

    Then there's this statement that has REALLY cracked me up: "Give them a way to do so identifiably but with guaranteed confidentiality (never anonymously – you can't follow up)." ROFLCOPTER Does any sane person actually believe that any information they report would be confidential (even with the false promise of anonymity, let alone without)? Especially when it involves one's own supervisors? Or to turn it around: could anyone believe that if being accused of something they could defend themselves in any reasonable manner? In corporations with cutthroat attitude and morals (or lack thereof)? This is REALLY something that only someone working as a CSO (or for one) can actually believe in. Everybody else is sane enough not to believe any of this BS.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022