Re: SYSADM and Security

[Theresa M Rowe <rowe () OAKLAND EDU>]

Agree on that - we have split sys admin and DBA functions.  Both of these 
functions report to an architecture manager.  We also put all the administrative 
application development and support on a separate team reporting to a different 
manager.  Security review and audit is the responsibility of a third team and 
manager.  We've also outsourced DBA work on a regular monthly contract and 
we expect there to be some review of work on both sides.  
Theresa

---- Original message ----
> Date: Thu, 4 Jan 2007 10:42:58 +1100
> From: Allan Williams <allan.williams () ANU EDU AU>  
> Subject: Re: [SECURITY] SYSADM and Security  
> To: SECURITY () LISTSERV EDUCAUSE EDU
>
>   G'day,
>   We have a similar situation but have tried to
>   mitigate the risk though the separation of
>   duties.  We have a syadmin and a DBA team each
>   responsible for agreed specific tasks.  Getting
>   them to work together and respect the
>   virtual boundaries took a little work as the
>   desired expertise for some tasks lay with the other
>   group.  It's not perfect and still relies on a
>   level of trust but seems to work. 
>   Regards,
>   Allan
>   On 04/01/2007, at 7:48 AM, Mark Staples wrote:
>
>     I've been wondering what other institutions are
>     doing about system accounts (i.e. sysadm with
>     PeopleSoft) that have full administrative access
>     and can be used by any DBA, which then impacts
>     effective monitoring and accountability.
>      
>     I'm being told that there is no way around the
>     regular use of these type of accounts and I need
>     to accept the risk and trust our DBAs.  While I
>     "believe" what I'm being told, I'd like to find
>     out what other institutions are doing to address
>     the use of system accounts.
>      
>     Thanks!
>     Mark
>      
>      
>     -----
>     Mark Staples
>     Director of Information Security/Chief Information
>     Security Officer
>     IT Research Liaison
>     Medical College of Georgia
>     Office: 706-721-1577
>     FAX: 706-721-7296
>     mstaples () mcg edu
>
>     --------
>
>     All information in the communication, including
>     attachments, is strictly confidential and intended
>     solely for delivery to the addressee(s) identified
>     above (ie, To/cc/bc), and may contain privileged,
>     confidential, proprietary and /or intellectual
>     property entitled to protection from disclosure
>     under applicable law.  If you are not the
>     intended recipient, please take note that any use,
>     distribution or copying of this communication is
>     unauthorized and may be unlawful.  If you have
>     received this communication in error, please
>     notify the sender, delete this correspondence from
>     your computer, and destroy any printed copies of
>     this communication.
>     <Staples-MCG.vcf>
>
>   ==================================
>   Allan Williams
>   Division of Information
>   R.G. Menzies Building
>   Building 2
>   The Australian National University
>   Canberra ACT 0200
>   T: +61 2 6125 8404
>   M: 0400 480 144
>   www.anu.edu.au
>   CRICOS Provider #00120C
>   ==================================