The messenger is the message
In a blog post entitled “Lending Tree A Little Late In Cutting Off Network Access?“, I read that in the recent Lending Tree breach [link to http://breachblog.com/2008/04/23/lendingtree.aspx no longer works] :
several former employees may have helped a handful of mortgage lenders gain access to Lending Tree’s customer information by sharing confidential passwords with the lenders.
Later, the author describes “an obvious chink in Lending Tree’s information security armor”, (reprinting a U.S. News quotation from Brian Cleary):
These are former employees—how can those user accounts to critical customer data still be active? Those should be shut down. So, their access to all of the information and resources should be revoked on the day of their termination.
Finally, he observes that
If you’re going to rely primarily on human beings to implement the policies, then you’d better make sure that those human beings are either themselves subject to checks and reviews to make certain that they’re following the policies.
All of this is nothing new to EC readers. What surprised me, and what I think is noteworthy here, is that the guy writing this is not some CISSP, CISA, or even CISO. He’s the voice behind the Bank Lawyer’s Blog, an attorney with banking and other corporate clients.
Not to read too much into this, but when the legal profession starts commenting knowledgeably about access termination policies, there’s something interesting afoot.