Last week's insider data-theft case at Stens Corporation shows why organisations need an access governance framework that controls, and audits, every change to user access.
According to a report by Softpedia, Scott R. Burgess and Walter D. Puckett formerly worked for Stens Corporation, a distributor of replacement parts for small-engine outdoor power equipment. After quitting their jobs in late 2004 and early 2005 respectively, both men went to work for a rival company.
Authorities claim that, until September 2006, the two men illegally accessed private information stored on Stens' computers on twelve separate occasions. According to prosecutors, they used credentials that were still active to reach sensitive information for almost two years after leaving.
According to assistant US attorney Todd S. Shellenbarger, Burgess and Puckett each face a maximum sentence of five years in prison and a $250,000 fine. The Federal Bureau of Investigation and the Indiana State Police collaborated on the investigation.
According to Brian Cleary, vice president of products and marketing at Aveksa, preventing incidents such as this requires organisations to implement an access governance change management control framework that provides visibility of access to all information resources, both inside and outside the enterprise.
Cleary said: “It also needs the control to understand whether the access is appropriate for the user's functional role or task, the ongoing monitoring to ensure that access risk is being dynamically managed, and the use of automatic access event-driven rules to understand what actions need to be taken when access change is requested or detected.”
He said that when an employee leaves the company, it is vital that the IT department has automated procedures to remove that person's access to all enterprise information resources, so that sensitive data and systems are secured quickly and effectively.
IT departments are quick to remove network access privileges because many information resources sit behind the firewall, but Cleary said this is not sufficient: the user's accounts on the individual information resources must also be revoked.
Cleary said: “Surprisingly, having orphaned accounts on information resources is quite common in both small and large organisations, as IT departments struggle to keep pace with the number of requests for initial user access or changes to existing access coming from the business.
“Providing or changing access becomes the priority because IT doesn't want to be a barrier to the business being able to move forward. Revoking access at the specific information resource level takes second priority if the user's network access has been de-provisioned, but as stated this is a false sense of security.
“As more and more data, information resources and services are moving into the cloud, this becomes a control nightmare for IT organisations, because information resources that can be accessed via the web can't be controlled with network login. What's worse is that many IT departments are unaware of how many cloud-based applications and services the organisation is actually using, so they don't have the visibility to know what to revoke.”
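The control Cleary describes, reconciling every application's account list against the HR roster rather than trusting that a disabled network login is enough, can be run as a periodic job. The following is an added example written for this article; it is not Aveksa's product or Stens' data, and the HR roster, application inventory and user names in it are constructed. It flags three conditions: an enabled account whose owner HR lists as terminated (orphaned), an orphaned account whose last login is after the termination date (the Stens pattern), and an enabled account that maps to no HR identity at all, which is the cloud-visibility gap described in the last quote.

```python
"""Orphaned-account reconciliation across on-prem and cloud applications.

Added example for this article. All identities, applications and dates
below are constructed; they are not Stens', Aveksa's or anyone's real data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    status: str                        # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class AppAccount:
    app: str                           # directory, on-prem system or SaaS service
    user_id: str                       # HR identity the account maps to; "" if unmapped
    enabled: bool
    last_login: Optional[date] = None


@dataclass(frozen=True)
class Finding:
    app: str
    user_id: str
    reason: str                        # "orphaned", "used_after_termination", "unmapped"
    action: str                        # what the event-driven rule should trigger


# Constructed HR roster (authoritative source for who still works here).
HR: Dict[str, HrRecord] = {
    "alice": HrRecord("alice", "active"),
    "bob":   HrRecord("bob", "terminated", date(2004, 12, 15)),
    "carol": HrRecord("carol", "terminated", date(2005, 2, 1)),
}

# Constructed per-application account inventory. "ad" stands for the network
# directory; the other entries are on-prem and cloud applications with their
# own local accounts that a network de-provisioning does not touch.
ACCOUNTS: List[AppAccount] = [
    AppAccount("ad", "bob", False, date(2004, 12, 14)),        # network login revoked
    AppAccount("erp", "bob", True, date(2006, 9, 5)),          # still used after leaving
    AppAccount("ad", "carol", False),
    AppAccount("crm-saas", "carol", True, date(2005, 1, 20)),  # never revoked, unused
    AppAccount("erp", "alice", True, date(2006, 9, 1)),        # legitimate
    AppAccount("crm-saas", "", True, date(2006, 8, 20)),       # no owner mapped
    AppAccount("file-share", "dave", True),                    # unknown to HR
]


def reconcile(hr: Dict[str, HrRecord], accounts: List[AppAccount]) -> List[Finding]:
    """Compare every enabled account with the HR roster and return revocation findings."""
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue                    # already revoked on this resource
        rec = hr.get(acct.user_id)
        if rec is None:
            findings.append(Finding(acct.app, acct.user_id or "<none>", "unmapped",
                                    "assign an owner or disable; cannot be governed"))
        elif rec.status == "terminated":
            used_after = (acct.last_login is not None
                          and rec.termination_date is not None
                          and acct.last_login > rec.termination_date)
            if used_after:
                findings.append(Finding(acct.app, acct.user_id, "used_after_termination",
                                        "disable immediately and open an incident"))
            else:
                findings.append(Finding(acct.app, acct.user_id, "orphaned",
                                        "disable and remove entitlements"))
    return findings


def directory_disabled_but_apps_enabled(accounts: List[AppAccount],
                                        directory_app: str = "ad") -> List[str]:
    """Users whose directory login is disabled yet still hold enabled application
    accounts: the 'false sense of security' case, where only network access was cut."""
    disabled_in_dir = {a.user_id for a in accounts
                       if a.app == directory_app and not a.enabled}
    return sorted({a.user_id for a in accounts
                   if a.app != directory_app and a.enabled and a.user_id in disabled_in_dir})


if __name__ == "__main__":
    for f in reconcile(HR, ACCOUNTS):
        print(f"{f.app:10} {f.user_id:8} {f.reason:24} -> {f.action}")
    print("network-only revocations:", directory_disabled_but_apps_enabled(ACCOUNTS))
```

On the constructed data the job reports one account used after termination (bob on erp), one dormant orphan (carol on crm-saas) and two unmapped accounts, and shows that both leavers were cut off only at the directory. In practice the HR roster comes from the HR system and the account lists from each application's admin API or export, and the "unmapped" bucket is usually the largest once SaaS applications the IT department did not know about are pulled in.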