Since we don't have a robust identity management tool, several interfaces must be used to remove access. The most important deactivation is the domain account, since many of our critical business systems are configured with single sign-on. Other systems, such as our SecureID servers, Enterprise Servers and remote access, couldn't be tackled ahead of time. And because we were laying off some network engineers, we had to remove access to resources such as routers, switches and telephony systems that are managed independently of the single sign-on environment, and we had to change all administrative passwords. Some of this was handled in advance by using scripts that kicked in after the notification was announced, but scripts don't always work as anticipated.

Notification day is drawing to a close, and so far we have seen a few sensitive documents being sent to addresses -- events that I have started to investigate. Otherwise, everything has been quiet, with all the scripts and account terminations working well. My next task is to figure out how to do more with less, which I'll discuss in my next column.

This week's journal is written by a real security manager, "," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.