Friday, July 27, 2007

800,000 stolen social security numbers: a 22-year-old scapegoat?

Link From Slashdot...
"Their report also faults the chain of command, which was muddled by contractors. The Inspector General identified Jared Ilovar as 'a 22-year-old, $10.50-an-hour employee' hired just three months earlier, who received his assignment from…another intern. The intern reported to a $125-an-hour consultant, who reported to another $200-an-hour consultant…"

From intern's letter to Columbus Dispatch:
I will always ask for written instructions and/or policy instructions. I will no longer assume I am following the rules and/or policy if I haven't actually been instructed of such rules and/or policy by a supervisor and/or administrator.
I would like to thank OAKS for the opportunity they gave me several months ago and I wish the outcome of all of this was much different than it is.

Of course, doing so will only brand him as a troublemaker. Seven or more e-mail messages exchanged over where to have lunch today is one thing, but actually putting work-related matters into writing, be it a formal document or otherwise, is something I've found many "executives" in government or out are reluctant to undertake.

From the PDF version of the Investigative Report:
In hindsight, administrators we interviewed universally agreed that they should have notified the patrol and other authorities at least 48 hours earlier.

Ummm, so why hasn't anyone else been fired, or even reprimanded in any way?
Finally, we note that the theft would never have compromised the identities of hundreds of thousands of state employees, taxpayers, public assistance recipients and others had OAKS administrators responded appropriately to a call they received from an assistant state auditor in late February 2007. The auditor warned that access to Social Security numbers and other sensitive data was readily available on a shared drive on the OAKS intranet. Four months later, state officials would learn that the stolen backup tape contained a massive quantity of data that had been stored on that drive.

Why? Nobody else fired, government worker or contractor. Why?
Given the complexity of the OAKS conversion and the enormous pressure nearly 300 state employees and contractors have been under to meet tight delivery schedules, it is clear that security and confidentiality were secondary concerns at OAKS.

Ahhh, I see, they were under time pressure, so all is forgiven.

So, for all future management types, project planning types, government desk-jockeys, contractors, and even interns, let's save you those thirty or so seconds you couldn't find to come up with a better backup strategy than this:

(1) It makes no sense to take the most recent back-up tape home, or even off-site. It DOES make sense to have back-ups off-site, but consider how you are likely to use them... The most likely uses for back-up tapes at all are: software failure resulting in loss or corruption of data; human error resulting in same; hard drive failure; total system failure (in roughly that order of likelihood). In all such cases you are going to want to have a back-up tape on-site, not off-site.

(2) When would you be most likely to need an off-site tape? Well, I'm thinking that would be only in the event that the site (you know, the place where your computers are) is destroyed or unavailable for some reason. Hurricane Katrina comes to mind. Although in that case, having someone you work with take the tapes home and leave them on their TV set, or in their car, or anywhere else they are likely to leave them wouldn't be any better than just leaving them on the top of a bookshelf somewhere in your data center. Next, 9/11 comes to mind, but there too, you wouldn't want them nearby, just lying around. Oh, and by the way, you would need to arrange for an alternate facility to take such a tape (you know, for the "restore" part of the "back-up" plan). And if you didn't have time to think of your plan as far as where to take the tapes, it's really, REALLY hard to imagine that you even have an alternate site in mind, much less that you have made arrangements to use it on a moment's notice. Weren't planning to run the whole system on your son's PlayStation, were you? When your primary site becomes unavailable, nobody is going to expect you to have everything running again the same day, even if such a thing was remotely possible (even if you had planned for such an eventuality). So what would it matter if your backup were a day old, or a week old? And don't tell me you only have ONE set of back-up tapes. You do daily back-ups, right? And weeklies? Throw in some incremental tapes for times when they will do? No? Maybe you need to find an intern to make a back-up strategy for yourselves.

Really, you people are an embarrassment to your profession. The sooner you retire or resign the better. Maybe higher-ups in governments, both state and federal, should help the process along a bit. A bit more than firing an intern, that is.

--
All we like sheep have gone astray; we have turned every one to his own way; and the LORD hath laid on him the iniquity of us all.[Is53:6]
