Submission: What u talkin' bout, security?
notquitegary_coleman writes: With a parent company big enough to buy and rename the Sears Tower, and savvy enough to secure their own data using RSA keys...would you expect:
+ A project run by their recently-acquired IT subsidiary, for 80+ independent contractors in Western PA, run on laptops which have CD drives and USB ports accessible, while no anti-virus, anti-spyware, or biometrics/encryption are enabled? (The machines are LoJack'd for theft, and the contractors are having a check withheld until they return each machine, so it's clear that the priority is the return of the machines, NOT the security.) These machines have been used on other projects, and have been known to be the transmission route for viruses, as stated during training classes.
+ Project management distributed power-on, operating system, and web portal passwords to all 80 contractors... with all 3 levels of login for every contractor having the SAME 9-char password, not set to expire or encouraged/enabled to be changed, and including the name of the company who hired the contractors!
+ Sysadmins for the subsidiary attended training classes with the contractors, because they hadn't been able to test the system at all prior to project start.
+ No testing of the wireless guest access at 20+ client sites, or the backup wireless via a variety of 3G networks, was done prior to project start.
+ The data involved in the project should be protected under HIPAA, PCI and other compliance standards and practices. For 50,000+ clients. Doesn't sound like it is being protected at all.
+ The IT group responsible for the above doesn't return phone calls trying to alert them to the problems inherent in their scheme.
I wouldn't want to be the IT VP in charge of this baby.