Tuesday 25 August 2009

The first thing to check for any manager...

Yesterday I was invited to attend an internal discussion with one of our customers. The customer's main business is in finance and they did something that I think more companies should do: they did a war game. They tried to find any potential breach they could have from any type of source, internal or external. I was invited to help them with questions to ask themselves. They did a good and thorough job, so I ended up with only one question: Is anyone responsible for all access systems? I think that in any security environment there should be a 2-hand principle. As an example: one person handles the access system, another person should handle the LDAP. We ended up doing a map of who was responsible for which system. A couple of minutes ago I got an email from my customer where they told me that they added the principle to their security plan and they already changed some access rules internally.
