Intelligence blunder: You wanna be Australia's spyboss? No problem, just walk right in

The Australian Security Intelligence Service, ASIS, has seemingly demonstrated a peculiar weakness in its access control systems. A fluke administrative stuff-up allowed its Director-General – its most senior and therefore most sensitive role – to turn up and function for five days while he wasn't actually employed by the …

  1. ecofeco Silver badge

    Automatic revocation?

    Most places I've worked don't have automatic revocation of access. What usually happens is a note is sent to HR who then sends a note to IT, who then sends a note to the appropriate sub-dept, who then assigns the ticket, usually to the wrong person.

    5 days sounds about right.

    1. Anonymous Coward
      IT Angle

      Re: Automatic revocation?

      That's a very cynical description of the process. I'm sure ASIS IT was right on top of this as soon as Intelligence Librarian 2nd Class Dick Warner sent in a help desk ticket stating that his login credentials seem to no longer be working.

    2. Anonymous Coward
      Anonymous Coward

      Re: Automatic revocation?

      5 days sounds about right.

      Really? I work for a big software company, and the moment someone in HR hits the "not an employee any more" button, you're gone. No logins, no badge access, name removed from email aliases, phone wiped. I'd say 2 hours, tops, for the changes to roll through LDAP worldwide.

      Makes it all the more embarrassing when HR selects the wrong name in the scrolling list, of course...

      1. This post has been deleted by its author

  2. Yet Another Anonymous coward Silver badge

    Alternative story if it worked

    Australia's security service grinds to a halt because a computer system locks out their chief due to an administrative oversight.

    1. Cpt Blue Bear

      Re: Alternative story if it worked

      This would be a problem how exactly?

    2. Adam 1

      Re: Alternative story if it worked

      Or ASIS reports best ever productivity figures after management unable to interrupt for a week.

      Seriously though, it would be entirely appropriate to deny access under such a case and failure to reject access should be seen for the security lapse it could have been. Who else "can't access" their systems?

  3. Dan Paul

    Automatic Revocation (Not likely)

    It would be rather unlikely that someone would have their access rights terminated automatically unless the system was fully integrated with the "other business systems" and that would be expensive and thus cost prohibitive to gov't.

    ecofeco has it right. The Access admin person would have to be right on top of the situation and since the Director General was still working, they probably kept him in the system so he could do his job in the meantime.

    The secrecy contracts he agreed to probably have to be complied with forever anyway. The Director would be least likely to pull a "snowden" anyway.

    A "Visitor Management System" would revoke access for a visitor more quickly (offers one day passes and checks various lists for backgrounds), an employee would take a few days at least, unless he was fired for just cause and then he should have been removed immediately. That is almost always a manual process to permanently remove people.

    1. Don Jefe

      Re: Automatic Revocation (Not likely)

      Too expensive to integrate with their HR system, probably. But I can guaranfuckingtee it is integrated with their security clearance system. It's entirely possible that not booting him out was simply to save the Once and Future Ruler the indignities of another colon level security screening.

      To me that sounds highly plausible as I can't imagine any Once and Future staff wanting to catch hell for putting his Once and Future boss through the screening process because of nothing more significant than a contractual oversight. It would not be a fun place for an admin to be. Sure, they wouldn't be fired for annoying the New Old Boss, but they could sure as shit be reassigned to act as on-site liaison/exchange in some hellhole like Texas (or somewhere equally awful). Senior Management never plays by the rules anyway, and as the guy responsible for breaking rules and being ultra-secretive about it I would expect 'by the book' compliance to be even less prevalent. Seriously, who do you report that kind of thing to? Those five days would seem like a super compressed 1hr 33mins and your sphincter would likely never fully recover from the strain.

  4. Brian Miller

    What's the point?

    Everybody knows the Aussie agency is in a shed in the garden in the first place, and everybody knows everybody else as 'Bruce,' what's the point of all the security fallderal?

    "Hello, who are you?"

    "Oh, I'm Bruce!"

    "Right, grab a beer from the fridge and let's chat."

    "Hello, who are you?"

    "Oh, I'm Ivan."

    "GET HIM!"

    1. Yet Another Anonymous coward Silver badge

      Re: What's the point?

      Your name not Bruce then? That's going to cause a bit of confusion...

    2. Hit Snooze
      Joke

      Re: What's the point?

      My Australian has gotten a little rusty since I stopped taking classes from Prof Hogan, but I'm sure the following words/phrases are mandatory in every Aussie conversation - "G'Day Mate", "Shrimp on the Barby", "Walkabout", and a "You call that a beer?!?!".

      1. Anonymous Coward
        Anonymous Coward

        Re: What's the point?

        NZ wine? Wouldn't go near it with a ten foot pole!

        1. Anonymous Coward
          Anonymous Coward

          Re: What's the point?

          Who the hell mentioned NZ wine?

          Are you just trolling for the sake of it?

      2. dan1980

        Re: What's the point?

        @Hit Snooze

        What's a 'shrimp'?

    3. Mystic Megabyte
      Pint

      Re: What's the point?

      How to speak australians. A course for Indian citizens wishing to migrate. Very much NSFW!

      https://www.youtube.com/watch?v=DHQRZXM-4xI

  5. poopypants

    That's not how it works

    The security clearance is not tied to employment, so termination of employment does not revoke security clearance. What does happen is that a security pass is handed in, but that only happens as part of manual employment termination procedures. Since employment was not meant to have ended, those manual procedures would not have been carried out. Possession of the pass would have enabled continued entry, regardless of employment status.

    1. Adam 1

      Re: That's not how it works

      For what purpose was he granted security access other than his employment contract defining his responsibilities in such a way that he is permitted?

      That is not to say they need to delete his identity records or confiscate his cards but a process wasn't followed. In this case it appears benign but they need to look at how this happened to avoid future cases where it is not 5 days and the contract is not being renewed.

  6. Anonymous Coward
    Anonymous Coward

    I would not let our HR dept or our HR system get anywhere near the network access control system, let alone allow it/them to make security clearance changes on it!

    Would anyone?

  7. Anonymous Coward
    Anonymous Coward

    What is a Contract Anyway?

    Just because there was nothing written down and signed to say that he was officially employed does not mean that there was no contract. A contract can be verbal, etc, etc. If they want him to do the job and he turns up and does it to their satisfaction and they pay him for his time then a contract, written or not, exists.

    A written contract is only a hint as to what has been agreed, and beyond that isn't much use to those who signed it. Only a judge in a court of law can definitively determine what it actually meant, whether or not it was fair and legal in the first place, and whether or not one or both parties to the contract had kept or broken it. That happens only if there's been a significant falling out.

  8. John Savard

    If the Director General

    If the Director General had been terminated for cause, all those people who just waved him in without checking against the computer... would presumably have been told by someone that the former Director General had been terminated with prejudice (if not the extreme kind) and was to be regarded as someone not to be let in!

    Since no big alert went out that the Director General was no longer the Director General, what were they to think? Manual systems quite properly take precedence over computerized ones - otherwise, some hacker could make anyone he liked Director General of ASIS for at least a day.

    1. dan1980

      Re: If the Director General

      @John Savard

      There is wisdom in your post, but the problem is that human systems are the easiest to compromise.

      While the process of terminating an employee's access need not be computer automated, it should be enforced rigidly in such a situation. Yes, flexibility is valuable to maintain productivity but that has to be weighed against the potential damage that could occur if the wrong decision is made.

      In the case of someone having access to national security systems and private information on citizens, the security of the Australian public must trump the convenience of the organisation. There is no margin for error - if someone's contract is up then their access should be revoked until they are formally reinstated.

      That IT/security staff continued as normal is not the issue - the glaring problem is that someone with authority TOLD them to.

      Given the article says that they had to rush it all through with the G-G, who, one might ask, was authorised to instruct the staff at ASIS to overlook the fact that the Director General was no longer legally employed and how was this authorisation transmitted?

      Maybe there is a good answer for all of that but there had bloody well better be because you would think that any organisation asking for more data to be recorded on the Australian people would be on their best behaviour to prove to the public that the information they want access to will be properly respected and access to it secured.

  9. Anonymous Coward
    Anonymous Coward

    Another possibility

    He does no actual work - so not having access would not be an issue.

  10. JassMan
    Flame

    Only 5 days?

    I worked for a multi £billion organisation where the Head of our department left under a cloud but was still allowed to sign off contracts up to £10M up to 7 months later. In that time I had to talk to HR and his replacement 3 times over the previous 2 months to get anything done.

    During those 7 months he was regularly seen in the corridors chatting with old cronies in spite of his access to secure areas supposedly having been revoked.

  11. Don Jefe

    So What?

    I once occupied an entire country and declared myself Lord of the Seas, Supreme Commander and Pope of the Exchequer and nobody even noticed. A bunch of government bureaucrats can't be expected to notice when their boss shows up for work.

    1. dan1980

      Re: So What?

      Surely that was a bit of a demotion for you, Don?

      1. Don Jefe

        Re: So What?

        It was a step down, to be sure, but the Elizabeth lady who is in charge is a lovely person and I just couldn't bear to hurt her feelings.

        1. dan1980

          Re: So What?

          Isn't she!

  12. dan1980

    On a semantic note, the author did say 'automatic' rather than 'automated'.

    Perhaps holding onto the words rather than their implied meaning (a hazard of the medium) but it is common use to say that someone who commits a gross misconduct will be 'automatically' fired.

    Even if Richard did mean what the posters above are suggesting he meant (and he very well may have!) then you are missing another option, which is that the user account - when created - was given a validity period matching the employment contract and, once that validity period expired, the account could no longer be used to access system resources.

    Anyone familiar with Active Directory knows there is such an option, as there is in *nix. Most other systems - such as Web portals or Oracle databases can be scripted such that it checks the main user accounts periodically and disables/expires any logins that don't have a matching active account.

    Regarding letting HR indirectly control the IT systems - it should never be up to IT to grant/deny/revoke access. We may do the work to apply the permissions but, where it is avoidable, we shouldn't be the ones to decide who and what.
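    As an added illustration of the validity-period approach dan1980 describes (example code, not from this thread or from any ASIS system): each login mirrors the dates of the contract behind it, and a periodic reconciliation job disables any login that no longer has an active contract, re-enables one once HR records a renewal, and corrects logins that were created with no expiry at all. All usernames, dates and contract records are constructed.

    ```python
    from dataclasses import dataclass
    from datetime import date
    from typing import Dict, List, Optional

    @dataclass
    class Account:
        username: str
        expires: Optional[date]      # None means "never expires": the weak setting
        enabled: bool = True

    @dataclass
    class Contract:
        username: str
        start: date
        end: date                    # the validity period the login should mirror

    def active_contract(contracts: List[Contract], username: str, today: date) -> Optional[Contract]:
        """Return the contract covering `today`, or None when employment has lapsed."""
        for c in contracts:
            if c.username == username and c.start <= today <= c.end:
                return c
        return None

    def reconcile(accounts: List[Account], contracts: List[Contract], today: date) -> Dict[str, List[str]]:
        """Actions the periodic job must apply so every login is backed by an active contract."""
        actions: Dict[str, List[str]] = {}
        for acct in accounts:
            todo: List[str] = []
            c = active_contract(contracts, acct.username, today)
            if c is None:
                # Contract expired or was never renewed: disable until HR records a
                # reinstatement, whoever the login belongs to (directors included).
                if acct.enabled:
                    todo.append("disable")
            else:
                if not acct.enabled:
                    todo.append("enable")            # renewal on record: formal reinstatement
                if acct.expires != c.end:
                    todo.append(f"set-expiry:{c.end.isoformat()}")
            actions[acct.username] = todo
        return actions

    def run_example() -> Dict[str, List[str]]:
        """Constructed sample: 'today' is five days after the director's contract lapsed."""
        today = date(2013, 6, 10)
        accounts = [
            Account("director", expires=date(2013, 6, 5)),                  # lapsed, still enabled
            Account("librarian", expires=None),                             # no expiry ever set
            Account("contractor", expires=date(2012, 12, 31), enabled=False),  # renewed, still disabled
            Account("analyst", expires=date(2014, 12, 31)),                 # already consistent
        ]
        contracts = [
            Contract("director", date(2008, 6, 5), date(2013, 6, 5)),
            Contract("librarian", date(2010, 1, 1), date(2015, 12, 31)),
            Contract("contractor", date(2012, 1, 1), date(2012, 12, 31)),
            Contract("contractor", date(2013, 1, 1), date(2013, 12, 31)),
            Contract("analyst", date(2011, 1, 1), date(2014, 12, 31)),
        ]
        return reconcile(accounts, contracts, today)
    ```
    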

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      " it should never be up to IT to grant/deny/revoke access"

      Of course it should. Other departments may have procedures to request network access, but it is IT that should review every request and make the ultimate decision. Of course, company hierarchy might overrule, but that depends on your IT director. It is IT that is ultimately charged with data security; they are the experts in data control, firewall rules, malware risks, latest threats, password security, PCI compliance, data protection act compliance etc.

      If you've never been in a situation where a director or head of department has not requested a stupid access permission that would open up a security hole at sometime in your career and had to refuse that request I'd be surprised.

      1. Anonymous Coward
        Anonymous Coward

        "IT that should review every request and make the ultimate decision of course company hierarchy might overrule"

        You've not spotted how that doesn't make sense?

        1. Anonymous Coward
          Anonymous Coward

          "You've not spotted how that doesn't make sense?"

          It does make sense - IT should review every request and make the ultimate decision. In the real world company hierarchy might overrule; that doesn't change the fact that IT should make the ultimate decision. They should also object if they try to get overruled. However, as the CEO is unlikely to be in IT, if he overrules you then you may be forced to either resign in disgust, whistleblow to the board or just complete the request, making sure you CYA if it all goes wrong.

          1. dan1980

            This is all off-topic but it's up to IT to work with the relevant people to define levels of access and processes for requesting, amending and revoking that access.

            Once those levels are defined, it should be agreed that changes to the levels must follow another process, involving sign-off from the relevant person.

      2. dan1980

        @AC

        Nothing in my post is saying that IT can't - or even shouldn't - advise on these issues but I am talking about the granting of a pre-defined level of access, not fulfilling a random request. Of course the latter happens but in that case you work with the relevant people to define a level of access that is compatible with system security policies and then the manager making the request can decide if the employee should be granted this newly-defined (and now documented) level of access or whether one of the existing permission sets is more suitable.

        1. Anonymous Coward
          Anonymous Coward

          You appeared to say "it should never be up to IT to grant/deny/revoke access"?

          Of course a department manager should inform IT of a new starter what their role will be and what applications etc they may need access to (for non-standard) roles. But it is up to IT to make decisions on what access should be granted to achieve this or whether it is overreaching. There will always be procedures in place with various levels of sign-off but this is usually decided by IT based upon how confidential or what security needs to be put in place to achieve that.

          For instance IT may request that all VPN access requires a big checklist of safeguards put in place with a director sign-off before granting it. The department manager might fill in the form to request it but it was up to IT to decide how this will be granted, exactly what it will give access to and ultimately whether it is felt that the requested purpose for needing this access is not sufficient to warrant the security risk.

          Similarly if previously the HR department had full access to xyz system. If IT feel that this system was not necessary, or that it breaks data protection laws, for instance, then it is well within their remit to close access to it. If there is likely to be any impact to the users by doing that then I would always expect it to be discussed with them first or explained the reasons behind it but in circumstances it may be necessary.

          So I would disagree that "it should never be up to IT to grant/deny/revoke access". I would say it is the primary responsibility of IT to do this and any requests to do this are asked using the relevant company procedures, which if followed correctly and are relevant will be actioned without issue.

          I would also say the opposite in that it shouldn't be up to HR to tell IT to revoke access, for instance. A policy should be in place that when someone is due to leave the company IT are told x amount of time before they leave. It is then up to IT to have their own procedures on how to handle this and limit and/or revoke access as necessary. HR should just need to inform the relevant departments of the leaver, the rest is up to IT/security/recoverables/finance etc.

  13. Anonymous Coward
    Anonymous Coward

    If my contract expired tomorrow and I continued to turn up to work without being turned away by security, in the eyes of the law I am effectively still employed under the same contract. The piece of paper carries less weight than the article's author imagines.

    Besides, security clearance is separate from employment.

  14. Phil O'Sophical Silver badge

    Can happen at other entry points

    I remember some years back when Prez. Clinton hadn't got round to signing the US Visa Waiver legislation renewal, so the waiver scheme expired. Did that stop people without visas entering the US? Of course not, the border officials just kept right on letting people in on their own recognizance. Shows how vitally important it is to comply with immigration law...

  15. Anonymous Coward
    Anonymous Coward

    Seems to me that -in this instance- common sense prevailed.
