Tuesday

Data - every organisation's second most valuable resource.

It's said that only an organisation's staff is more valuable than its data. Well, the University of Stirling doesn't value either of them, or at least those at the top don't.

One of the complaints that Eileen MacDonald made to Kathy McCabe about me was that I had made data security so tight that it was making it impossible for Eileen to do her work. As Database Administrator it was my job to ensure that every employee had the data permissions necessary to allow them to do their job, and it would be a stupid Database Administrator that prevented staff from doing so.

However, although Eileen had all the permissions necessary for doing her job, she saw herself as special, and she wanted special treatment that would allow her to log on to databases as the account that actually owned the data. This was a definite no no, and the external auditors had already agreed with me that only the Database Administrators should have that level of access. The account that owns the data has no restrictions. It can do whatever it likes with the data. Data permissions were not preventing Eileen from doing her work; but her bad attitude and incompetence were.

Common sense should have led Kathy to explain to Eileen that she wasn't special, and that she should do her job in the proper manner just like everybody else, and just as I had been explaining to her for years. Kathy's relationship with Eileen was such that common sense played no part. Kathy organised special meetings for the whole team to discuss whether Eileen should be allowed to log on as the data owner. It should never have reached that stage, and it was only Kathy trying to undermine me in public and to lend support to her friend. Even Peter Kemp got involved in what should really have been a trivial matter left for the Database Administrators and auditors to decide.

Fortunately the team agreed with me that there was no need for Eileen to work any differently from everybody else.

Data security was never a strong point with Kathy. But I would bet that if there was ever a problem with data security and something went wrong, she would be anxious to put the blame on someone else.

There was a real eye opener a few years ago when I discovered that Kathy, along with about twelve other users of the Student Records system, had a very insecure password. Her user name is KM7, and of all things for the Information Systems Development Manager to choose as a password, Kathy chose KM7. Kathy had maximum data privileges on the database, and anybody who, just like I did, tried her username as her password, would have been able to run riot by updating and deleting data in the systems. Students are always trying to hack into systems. We have no way of knowing whether they did or not.

As well as 13 people choosing their username as their password, an astonishing 118 database users all shared the same password, and it wasn't just a coincidence. Internal procedures were designed in a way that would make that likely to happen. Anyone could have logged on as one of those users using software that's freely downloadable from the internet, and made a complete mess of the data. We would have had no idea who did it either. And for all we know, it might have happened.

There was another example of Kathy's blasé approach to database security in 2008. Somebody in the team had given the business users permission to use a software tool that bypassed normal data integrity rules. This allowed a whole load of junk to be imported straight into the Student Records database from spreadsheets. Whoever allowed this would have known that they should have checked with the Database Administrators first, but they didn't, because they knew that we wouldn't have allowed it. As well as being the team manager, Kathy was also the Project Manager for Student Records, so she was doubly responsible. However, Kathy was anxious to play down the significance of this mess, because of her own lack of ability in controlling her staff.

Ironically, just before I left, I was being asked by an employee from another team to work on increasing security, yet my own manager couldn't care less about security when it impacted on her friendships with team members. If being friends was more important to Kathy than being a manager, she should never have taken up the job.

No comments: