For the second time in recent months, President-elect Barack Obama’s records were illegally accessed by employees of the organization responsible for maintaining them.
This time, nine workers at the Illinois Secretary of State’s office are being fingered as the culprits. The office did not release the names of those involved.
State officials said that the nine had looked up Obama’s street address on the office’s computer system — despite the office having earlier sent out a memo warning all employees not to access the president-elect’s information without authorization.
After an investigation, the Illinois Secretary of State’s office determined that the employees had been motivated merely by idle curiosity, Penelope Campbell, a spokesperson for the office, told InternetNews.com. The office yesterday suspended them without pay for a minimum of three days, Campbell said. The sentence is relatively light because officials determined there had been no malice involved, she added.
The illegal peeks at Obama’s records occurred over several days, beginning Nov. 5, according to Campbell. After officials discovered that the records had been accessed, police from the Illinois Secretary of State’s office and the U.S. Secret Service were called in.
It’s the second recent attempt by an organization’s employees to illicitly access their records on Obama. On Nov. 21, three Verizon Wireless employees viewed Obama’s mobile phone records, leading company president and CEO Lowell McAdam to apologize publicly to the president-elect. The employees were eventually dismissed.
The breach at the Illinois Secretary of State’s office also isn’t the first time that government employees have been found illegally snooping into records.
In October, Ohio government workers ran checks on the records of Samuel Joseph Wurzelbacher — better known as “Joe the Plumber,” a nickname bestowed by presidential candidate Sen. John McCain during a debate with Obama, during which McCain cited Wurzelbacher as an example of a middle-class worker.
They accessed the files through the state computer system at least four times, leading to investigations by Ohio inspector general Thomas P. Charles and the Ohio State Highway Patrol.
Such breaches can easily be prevented by implementing role-based access governance, Brian Cleary, vice president of products and marketing at enterprise access governance vendor Aveksa, told InternetNews.com.
Analysts and security experts have long said that role management is critical to access control and compliance in organizations.
“You can’t tell employees of an organization or government agency to internalize and memorize policies in a three-ring binder, you need automated access control,” Cleary said. Such control would be implemented by policies based on users’ roles.
These roles have to be specified by employees of the business side of organizations rather than the IT department, Cleary said. “The business team understands what’s necessary to perform a particular job function, while IT teams don’t,” he added. Also, the business team has audit teams who understand what regulations apply to a particular business process.
Getting an organization’s business side to define user roles should be familiar advice to enterprises and government departments, as it echoes guidance long given by many vendors of security products and by security analysts.
One major reason why businesses and government offices need to rev up their security procedures is that liability for these breaches may not be limited to the culprits themselves.
“While we point to employees and say it’s a misuse of access, the bigger issue is companies and government organizations and entities own these liabilities,” Cleary said.