August 08, 2002, 12:00 AM — In early June of this year, a culture center and literary museum in
Norway had a problem. The Ivar Aasen Center of Language and Culture had
received a gift -- an archive of over 1600 books and documents,
catalogued in a database. Unfortunately, the archivist who set up the
data bank died...taking the password with him. The director of the
museum ended up appealing to hackers over a radio broadcast, asking for
help in breaking the password so they could get their own valuable
information from the database.
A few weeks ago, a woman I know sent me some mail. Her company had a
series of spreadsheets of financial information. Those spreadsheets were
on a computer that was password-protected, and the person possessing
that password had resigned from the company and left the country. They
needed their financial data immediately, but they didn't have the
password and didn't know how to get in. She needed some help.
Today, a friend was talking about a sales call he'd participated in. The
client had just installed new hardware and had to configure the switch
to acknowledge the new connection. When the client went to configure the
switch, the techs started asking each other where the password was. Who
has the password? Do you have the password? No. They didn't, and the
switch remained unconfigured.
Last year, a coworker of mine had worked as the head of security for a
small company. When he left the company, he tried to make sure he did a
knowledge transfer -- he talked to the guy taking his place, he gave the
guy all the passwords, and he instructed his replacement on the setup of
the security systems. None of it was -documented-, but he taught his
replacement as well as he could. Still, for almost a year, he was
receiving calls from his replacement asking him about little details the
replacement had forgotten or missed.
Documentation and knowledge transfers are -important-. It's crucial to
write down information necessary to the functioning of a business or a
network. In the IT world, we have the 'hit by a bus' concept -- the
worst-case scenario. If it would effectively destroy the company if a
bus hit a single person due to the fact that they are the only one who
knows how anything works, then the company has a problem.
Document procedures, policies, and operational details -before- there is
a need for them; by the time there is a need, it'll be too late. Write
down passwords, if necessary; don't store them in an electronic file,
and don't leave them lying around. Put them in a locked box, and write
them down again when they change. Make sure that more than one person
knows how to keep the company going. If a bus hits one person, make sure
the company can still go on.