One of the most fundamental methods of controlling insider threat in a company is to manage and monitor both user and privileged access to critical systems and data. Very commonly, companies rely on the trust-based approach to "manage" access control. Simply trusting IT administrators with virtual "keys to the kingdom" may be appropriate in some cases, but for the most part, it is an extremely dangerous proposition that could have disastrous consequences.
Admittedly, a trust-based system (essentially assuming that an IT administrator will behave properly with access to sensitive company data) is actually adequate in most cases. Most IT administrators are not interested in stealing, abusing or manipulating data in their organization. However, all it takes is one frustrated IT administrator to expose employee and customer data, thereby compromising a company's customers, reputation and revenue.
Perhaps the most obvious example of the failings of the trust-based system was the recent lockdown of San Francisco's computer network by a network administrator. Unhappy over the way his office was being run, he set all the administrative passwords on the network devices to passwords only known to him. He used the justification that he required exclusive access to the systems to ensure that they were running properly. When he refused to divulge the passwords, he was arrested. Still, no one could access the administrative accounts of the network devices.
In the end, he did hand over the passwords. This entire ordeal resulted in the local government in San Francisco losing money and credibility. Then pile the recent Intel, Société Générale and other insider scandals on top, and it becomes clear what one employee can do without a process-based system in place.