Frankly Speaking: Return to normal

24.04.2006

They should make sure that everything on production servers is documented. That all changes are logged. And that those logs are kept secure, so they'll actually be useful next time there's something to investigate.

Full documentation of what went on the servers, and when, would have cleared Oliver by confirming when and why he installed Cain & Abel. Inventories would have let OIT staffers identify anything else on the servers that wasn't an authorized installation. Checksums taken from a known-good baseline would have helped spot modules that were infected by malware or replaced by intruders.

And full documentation doesn't just help against old-style threats like the SQL Slammer worm. Rootkits, the hot new problem, are designed to be hard to spot from inside the running system. Knowing what an uninfected system is supposed to look like, down to the details, gives IT people a fighting chance at catching and dealing with a rootkit.
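The checksum and known-good-baseline idea from the two paragraphs above, as an added example that is not from the column or from the OIT: a small Python script that records a SHA-256 baseline of every file under a server root, then reports anything modified, added or missing when the same tree is hashed again. The files and the "intrusion" (a replaced binary, a dropped tool, a deleted config) are constructed inline in a temporary directory so the script runs offline; the names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Hash one file in chunks so large binaries don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a planted link can't make a trojan hash as the
    file it points to."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare_baseline(known_good, current):
    """Diff a stored known-good baseline against a fresh one.
    'modified' = same path, different hash; 'added' = not in the baseline at
    all (unauthorized installs); 'missing' = baseline file no longer present."""
    return {
        "modified": sorted(k for k in known_good
                           if k in current and known_good[k] != current[k]),
        "added": sorted(k for k in current if k not in known_good),
        "missing": sorted(k for k in known_good if k not in current),
    }


def demo():
    """Constructed scenario (hypothetical files): take a baseline of a clean
    tree, simulate an intruder, and report the differences."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "sshd").write_bytes(b"original sshd binary (constructed)")
        (root / "bin" / "ls").write_bytes(b"original ls binary (constructed)")
        (root / "etc").mkdir()
        (root / "etc" / "server.conf").write_text("port=22\n")

        known_good = build_baseline(root)   # would be stored off-box, signed

        # Simulated intrusion: trojaned ls, an unauthorized tool, a removed config.
        (root / "bin" / "ls").write_bytes(b"trojaned ls binary (constructed)")
        (root / "bin" / "unauthorized_tool").write_bytes(b"dropped by intruder (constructed)")
        (root / "etc" / "server.conf").unlink()

        return compare_baseline(known_good, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner would add. The baseline is only as trustworthy as where it is kept: store it off the server, ideally signed, or the intruder simply rewrites it along with the binaries. And a kernel-level rootkit can lie to any hashing tool that runs on the infected system, so for rootkit hunting the check should be run against the disk from trusted boot media rather than from the live OS.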

Sure, keeping tight control over what's on servers will be more work. But the OIT already knows that procedures have to be tightened up -- remember those unencrypted passwords and the accounts of ex-employees that were never disabled? With today's security threats, such safeguards are no longer optional.

Think of them as IT's version of Sarbanes-Oxley, only a lot more useful than the real Sarb-Ox. Those controls are the price the OIT -- and all IT people -- will have to pay if we really want to ever get things back to normal again.