Friday, 30 January 2009

Security - we don't need no steenkin' security

Shortly after I joined the company, I spent quite a bit of time (including time at home) working on putting together some policy documents. These dealt with a number of issues including security. In fact, I am certificated for ISO 27001 and after about 2 years, I managed to get the company audited successfully. It was hard work but worthwhile - it has surprised more than a few people how useful that accreditation has proven to be. In several cases, our senior sales people were told by customers that the final decison to buy from us came about because we were accredited for ISO 9001 & 27001, and our competitors were not.

When we started on the SAP project, I presented the consultants with the relevant paperwork. This detailed what security standards we expected them to reach, what we would allow and what we would not. This is not designed to stop people from working - but it is to ensure that a good level of security is maintained and that the data and systems are protected. It also included an agreement for them to sign.

They were not happy with this - I received regularly demands to reduce security level to allow them to do things. When one of their guys came in to install the servers, he wanted full admin access and our network security account details. You can guess what he was told - in plain language, take a hike. We were told that they were working to ISO 27001, but it is quite clear that they are not and that they haven't the faintest idea of what the standard is about.

They want a permenent VPN connection to our systems - OK that need not be a problem, but it allows any of their people access - they have a lot of staff (I asked how many, but they wouldn't tell me) any one of whom can connect to our system at any time day or night. We regularly find them looking around the systems - we've set-up internal blocks so they only have access to the SAP servers. After all why would they need access to anything else? We have intrusion detection facilities and it regularly gets tripped by someone trying to find a way into areas that they are not allowed (2-3 times a month).

What does get me pissed is that we've identified that several of their staff are using a single acount, so it is impossible to identify who did what. They create accounts in the SAP system for people and we have no idea who they are or what they do. Worse, our AV has picked up stuff that has come in from them a number of times - a couple of them were really nasty trojans and a couple of keystroke loggers.

And this takes me to another topic - the number of consultants. We were told that we would need 6 people; 4 main workers, the project manager and a specialist for the finance. In fact, I have lost count of the number of different people that been involved - some have been to one or other of our sites, some I know have connected via a VPN connection and I believe that there are about 8 or 9 that have connected using other peoples accounts. As far as I can tell, we have had at least 41 different consultants and probably more.

At the beginning, we were quoted a set number of days consultancy work to do the implementation (370). In fact we are now well over 800 days, there are another 65 booked for the next 10 weeks, plus, it seems clear that we are still no closer to go-live than we were 5/6 months ago and we will need yet more people. In addition, during the work over the last 2 years, they keep insisting that certain things were not part of the "original blueprint" and that these items are part of a "second phase" of work. Well we certainly never agreed to any such "second phase". I was told by the project manager quite confidently that we should expect to budget for at least another 70 - 100 days of consultancy work each year for the next 5 years.

Now the worst bit - like a lot of companies, we have had to do a lot of work to implement Sarbanes-Oxley. Yes it was a real PITA, but we got there on our old systems. The first one of their financial consultants insisted that SAP automatically complied with SOX, and that may be true - but a process he tried to put in place most certainly did not and the FD went ballistic when he found out. He actually kicked the guy out (had security escort him off the premises) and refused to allow him back on site.

The consultant firm replaced him with a woman who really seemed to know her stuff - for a while the FD began to think that maybe it would all come together. But then she announced she was leaving to have a baby and they gave us a new guy - he barely spoke English. After a couple of weeks, the FD had him kicked into touch as well because he just didn't know enough about the finance system - he was then replaced by another guy. This one does seem to know about it, but he is crap at explaining things - he is also less than careful, and we keep finding that he has done stuff on one system, but not the others. As a result, some (a lot) of the testing has been a total waste.

Oh well - another day, another dollar. I'm going for a beer. More later


  1. When I read such posts I always wonder what's the point of view on the other hand.

    Your security standards are high, maybe too high for some companies to deal with you.

    Now about the number of days this project is taking, did the project deviate from its original plan and/or have you asked for features/changes that weren't in the initial scope (this can obviously lead to scope creep, which I've published a 9 article series about).

  2. PM Hut, The project is pretty much what was agreed at the beginning (although see a new post I'll be doing for more on that) None of what we asked for was "new". I do know about scope creep tho' and I have seen what it can do from both sides, so I understand your question.

    As for security, well I am not accredited, but I try to work to ITIL standards. I don't think they would be classified as very high - I've never worked for the DoD.

  3. As the security man in my company this story makes me feel like you, but a bit luckier.

    We achieved to not allow user's managment to anyone except a two of our own IT admin staff.

    No VPN access except an emergency or implementation follow-up short term.

    During the project (13 months, full company migration to SAP) we knew different consultants, with very different level of security approach, from total ignorance of what security is to knowing enough and feeling comfortable with our company's policy and restrictions.

    A professional consultant understand and adapt himself to the restricted permissions enviroment. Others, noviece or not professionals, blames security restrictions because their own lack of experience into those ordered enviroments.

    It is clear that the shortage of enough good consultants offers possibilities to many no professional consultants.