Could IT staff pose a hidden risk?
- 15 June, 2003 22:00
Companies have been warned to closely monitor IT managers and their access to critical data as they often "possess more knowledge than the CEO."
Joe Goicoechea, principal consultant with corporate security specialist Insight Intelligence, says IT staff pose a real threat if organisations do not regularly undertake audits to ensure they aren't just wandering through systems without accountability mechanisms in place.
Goicoechea supports surveillance of IT managers, especially those who are disgruntled, with proof of logon usage and systems accessed. Audit trails, he says, are used extensively in large organisations and can provide proof of misuse and unauthorised access.
He says it would be inappropriate to say organisations need to spy on IT professionals; instead he refers to it as accountability.
Australian IT professionals who spoke with Computerworld (Australia) agree that while it is possible for IT people to abuse their powers, the consequences are high.
Huntsman Chemical Company Australia IS manager Wes Kosior says audit trails are useful, "but a good IT person would know how to cover his or her tracks".
He says IT staff with full access can be a risk, but "there is a need to understand the staff and have trust in them".
Security policies apply to the entire company including IT staff, he says, and IT staff in large organisations do not have access to all company information.
"Not every IT person has access to sensitive information and normally only one or two people would have global access; our IT policy is signed by all users including IT," Kosior says.
While no formal audits of IT staff activities are undertaken, he says log files of some high-level transactions are available for most systems. Kosior says this is necessary to "carry out investigations, sometimes to clear someone or to back up accusations."