Security Basics mailing list archives
RE: When IT Manager breaks rules
From: "Trevor Greenfield" <tgreenfield () internode on net>
Date: Fri, 18 May 2007 18:26:48 +0930
Why not just 'adjust the policy' and request the helpdesk to ask HR for confirmation that the request is legitimate, with the requisite details coming from HR? Copy the request to your manager. My guess is that in an organization your size there would be some legislative compliance you need to fulfil (e.g. Sarbanes-Oxley). Perhaps make it a 'suggestion' for tightening up the compliance. An external audit would then show this up as a loophole that had been closed.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of WALI
Sent: Thursday, 17 May 2007 1:03 PM
To: security-basics () securityfocus com
Cc: security-basics () securityfocus com
Subject: When IT Manager breaks rules

Hi guys...an odd question here!!

I am mad at my IT Manager, he is such a sissy!! Being an internal security analyst in-charge, I want to enforce a few policies at the help desk. One of them is not to create any user account unless an email arrives from HR to HelpDesk, informing of the user's badge ID, the department he/she belongs to, the status of employment and all those things.

The procedures are in place, but sometimes it so happens that some Head of Dept. or executive management calls up our IT Manager over the phone, or sends him an email directly, which is then forwarded to our Help Desk in-charge, who is then left with little option but to create the account without due process. All policy compliance guidelines get thrown up in the air. The HelpDesk in-charge is bound by his position not to defy the IT manager, and he is scared to tell me (sometimes he does) that the IT manager is forcing him to dilute the AD account creation policy.

I don't want to confront the IT manager based upon inputs from the Helpdesk guys but would rather put a mechanism in place where I would automatically come to know that an account has been created, and I can ask helpdesk to provide proof of the email from HR arbitrarily and then confront the manager.
I know some audit trails can be put in place and they would appear under the Security tab of Event manager (or so I guess), but I need something more automated that would land in my mailbox. Is this possible through any automated solution in AD of Windows 2003? Probably MOM 2005 or the like?

In case I choose to confront HR Admin/managers with a plea to stop sending such requests to our IT Manager and put their house in order, what all genuine risks of 'not doing so' can I highlight? Ours is a fairly large corporation employing about 1000 people.
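
The automated check asked for in the original message, as an added example that is not part of the thread: it reconciles account-creation events from a Security log export against the accounts HR has requested, and builds a mail listing the mismatches. The CSV column names, account names, mail addresses and function names are assumptions made for the example; event ID 624 is "User Account Created" on Windows Server 2003.

```python
import csv
import io
from email.message import EmailMessage

# Event ID 624 is "User Account Created" in the Windows Server 2003 Security
# log (4720 on Windows Server 2008 and later).
ACCOUNT_CREATED_IDS = {"624", "4720"}

# Constructed sample: a CSV export of Security log events. The column names
# are an assumption made for this example, not a fixed Windows export format.
SAMPLE_EVENTS = """\
time,event_id,new_account,created_by
2007-05-14 09:12:03,624,jsmith,CORP\\helpdesk1
2007-05-14 09:40:51,642,jsmith,CORP\\helpdesk1
2007-05-15 16:05:27,624,vip.temp,CORP\\helpdesk1
2007-05-16 11:30:00,624,mbrown,CORP\\helpdesk2
"""

# Constructed sample: accounts for which HR sent a request to the help desk.
HR_APPROVED = {"jsmith", "mbrown"}


def unapproved_creations(events_csv, hr_approved):
    """Return account-creation events with no matching HR request."""
    approved = {name.lower() for name in hr_approved}
    rows = csv.DictReader(io.StringIO(events_csv))
    return [r for r in rows
            if r["event_id"] in ACCOUNT_CREATED_IDS
            and r["new_account"].lower() not in approved]


def build_alert(findings, sender, recipient):
    """Build (not send) a mail listing the findings; None if there are none."""
    if not findings:
        return None
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"{len(findings)} account(s) created without HR request"
    msg.set_content("\n".join(
        f"{r['time']}  {r['new_account']}  created by {r['created_by']}"
        for r in findings))
    return msg


if __name__ == "__main__":
    alert = build_alert(unapproved_creations(SAMPLE_EVENTS, HR_APPROVED),
                        "audit@example.com", "analyst@example.com")
    print(alert if alert else "No unapproved account creations.")
```

The check only produces events if account management auditing is enabled on the domain controllers, and the HR list should come from a source the help desk cannot edit.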