I'm going back to IT management fundamentals in this post, a refresher because too often I find companies, large and small, that either aren't paying attention to the basics or are avoiding or ignoring best practices -- if they're even aware of them in the first place.
So let me start with a couple of questions: In your organization, what happens when a key IT individual changes roles, retires, or is shown the door? Does HR expect that person to process and delete all his or her credentials, access cards, logins, accounts, and anything else within or connected to IT?
This is where IT best practices and company policies and procedures are either going to clash or mesh really well. Typically, the more stuff and less federation among enterprise systems means more forms or processes on which HR and IT will spend their energy.
Because IT touches so many services, hardware, software, and systems, inventory management is a critical exercise. And a good test of its worth is when key IT personnel leave. The inventory should distinguish which IT employee has access to what. If you don't have a viable inventory sheet, then you are placing your company in a vulnerable position.
Inventory Red Flags
As part of the inventory process, you're going to want to watch out for how IT managers have registered for hosted and online services. It's not a good practice to register with the individual's email address. Rather, the email associated with registrations should use a general admin account. Having to to transfer the admin role for an account or service can be quite challenging and time consuming.
For example, I know of a situation in which a hosted voice provider insisted that changing the "default admin" of a hosted telephony solution for an enterprise with 250 stations required flipping one extension with the other in the database. But first IT had to renumber the one extension using five digits instead of four digits as it had previously, remove the admin role from the port, and then flip the numbers and extensions back again. This process took more than two hours to complete, topped off by another few hours to clean up the programming of each extension after the features and profiles didn't mesh.
Another example involves Comcast. In this case, a company was unable to submit online payment for more than 50 bills because a former IT employee's email address "owned" the accounts. Comcast had to purge the accounts and then establish a new email address with the authority to administer bill payment and other features associated with the accounts. This type of problem, which opens a company to late fees and disconnects, could have been avoided had the account been associated with a general admin email such as [email protected] rather than an individual's email.
IT is a high-exposure department, as are HR and finance and any other operational role that involves health care, finance, and regulated areas. The same best practices should apply in these cases.
Inventory Hit List
While not inclusive of everything IT, you may want to examine and inventory your wares and have a sense of what needs changing with an eye toward an employee's leave-taking. Look for:
• LAN/WAN equipment logins
• Remote access
• Cloud & hosted services
• Paging/access control/security/camera/fire systems
• IT-related equipment (access)
• Software registrations
• Warranties
• Managed service providers
• Carriers
• Servers
• Internal systems that require LAN or WAN connections
• LAN/WAN equipment logins
• Remote access
• Cloud & hosted services
• Paging/access control/security/camera/fire systems
• IT-related equipment (access)
• Software registrations
• Warranties
• Managed service providers
• Carriers
• Servers
• Internal systems that require LAN or WAN connections
If you really don't think this is a big deal, consider this statistic from InterMedia's 2014 SMB Rogue Access Study: "89% of ex-employees retain access to Salesforce, QuickBooks and other sensitive corporate applications." So for emphasis, I will reiterate that it's not what gets into a company so much as what gets out. Mind your inventory.
Follow Matt Brunk on Twitter and Google+!
