Security Basics mailing list archives

Re: Conflict of interests


From: Adam Pal <pal_adam () gmx net>
Date: Tue, 5 May 2009 22:00:11 +0200

Hi,

From my point of view, you need a functional access right, delegated
by (eventually) the general manager.
Domain admin right is not needed since it is not the task to perform
AD-operations, this right remains for the IT-department.
As a security guy you can request the needed logs and tools or perform
a validation of the tools.
I don't consider security as executive part, the execution is to be
performed by the IT.

Just my 2 cents.




-- 
Best regards,
 Adam Pal   

Monday, May 4, 2009, 8:16:45 PM, you wrote:

<==============Original message text===============
syc> As a security guy, not part of the IT department, I require a
syc> level of access in order to perform my job. Certain types of
syc> tools require privileged access in order to work. Like having
syc> domain admin access and/or similar privileged access for unix and
syc> linux systems. Is it reasonable to request this type of access
syc> without causing any type of conflict of interest that internal
syc> auditors might question? I guess audit trails would come in handy here.
syc> Thanks for the feedback.


<===========End of original message text===========

