As part of IT audits, my role is to ascertain whether the client has control of all the credentials and intellectual property that they need to successfully run and protect their business. These extend from domain admin passwords through network devices and local machine passwords to details for website domains and FTP accounts. In fact, it can be quite a task getting the client to recollect all the things that they need passwords for.
So what's the worst-case scenario? I once had to do a debrief with an IT Manager who was leaving a company at short notice – 8 days to be precise. I had to extract 12 years of work and knowledge without any formal documentation and create a report for the client with any risks identified. Luckily, a new IT manager was appointed rapidly and we were able to work through the learning process to get the client back to a position of control.
What if that's not an option? What if your IT is outsourced and one morning the company running your IT decide they are not going to give you your details? Far-fetched, you think?
Unfortunately not. This was the exact situation faced by a client who had decided to get a third party to carry out a piece of remedial work to improve user performance issues. Once they requested the appropriate passwords they were hit with a demand for a large amount of money and the ultimatum that they would not get the passwords without the money being paid.
You would think that the law would be quite strong here, with the Computer Misuse Act as the mainstay, but as always the law is like a big ship – moving slowly. Yes, the legal approach may be the only line open to many who cannot get the credentials they require, but the risks of not having them can seriously endanger a company's or organisation's ability to function.
So make the first point of your IT audit: “Are you in control, and if not, how do I get there?”