The Diary of Billy Chippo
by Phil Colby
Friday 26th
The Operations Manager is off sick again today. Something about a nervous breakdown. I feel sorry for him, so I buy a Get Well Soon card and circulate it around the department for signatures. Then I put it in a joke envelope: it bears a picture of a leather-clad woman with the legend 'Wendy the Whip Illustrated Bondage Catalogue.' I address it to him and mark it Private and Confidential. I'm sure this will give him a good laugh. It might give his wife something to think about too.
I log in and check my e-mail. There is a broadcast message from Finance about payroll deductions. Apparently we can now make donations to charity tax free by having them deducted directly from gross pay. This sounds worth checking out. The payroll system itself has been put out to a bureau service, but somewhere there must be a database that holds all the information that needs to be uploaded to the bureau each month: pay increments, bonuses, overtime payments, deductions, etc. I wonder where it is?
The phone rings. It's the manager of the cashier's office.
"Hi there, Billy. We've just taken delivery of a new database system for storing pay data and sending updates to the company that handles the payroll. Audit have asked us to get someone from IT Department to check the security on it. Do you know anyone who could do that for us?"
Do I just?!!
"I'd be delighted to help. I'll be round in two minutes."
I make it in 45 seconds.
I give the system a quick once over. Hmm, whoever set this up knew what they were doing. The computer is isolated from the network and requires three different people to enter passwords. This is going to be a toughie. Still, I've never been beaten yet.
I quiz the finance clerk about how the system works. Who enters the data? When is it uploaded to the bureau? Who checks it? Whose passwords are needed to complete all the steps? After a few minutes I decide I rather like the role of security auditor; it gives me an excuse to ask outright all the things that would otherwise require days of sleuthing.
Half an hour later I know all I need to. The only real problem is the passwords. They are specific to the payroll system and therefore unrelated to the e-mail login passwords that I can find from my packet analyser program. On the other hand, maybe...
"One last question: how do you choose your password? Is it the same as your e-mail password?"
"Oh, no. I thought it would be better to use a different one."
"No, no, no. Look, if you used a different password for all the systems around here you would have to remember six at least. Then you'd either forget one or you'd start writing them down which would be a breach of security. Much better to stick to one and not change it."
"OK, if you really think so."
"I do, definitely. And make sure you tell that to all the others."
Later in the evening I go back to the computer and load the database, using the passwords retrieved from my packet analyser file. After browsing through all the salaries and making a few notes I select Goering's record. (That's the Chief Executive.) He's been getting some bad publicity recently about his huge pay rise, so I decide to help smooth things over by authorising the whole of his salary to be donated to Save the Children.
That should push up his popularity rating no end. I'm sure he'd thank me if he knew. I don't think I'll tell him though.