Re: The value of 'least privilege'

["Basgen, Brian" <bbasgen () PIMA EDU>]

 Well said Randy. The question is invariably tied to business process: the longer IT response time is, the more likely 
user's will need greater privileges. Security, particularly in higher ed, is often contextually driven. 

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873


> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy marchany
> Sent: Tuesday, March 30, 2010 7:47 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] The value of 'least privilege'
>
> While I agree that limiting administrative rights is a good thing,
> sites need to answer accurately the following questions:
>
> 1. How long does it take your IT staff to install software that an end
> user needs?
> 2. How long does it take your IT staff to check such software for
> security issues? Presumably, this is the real reason why end user
> aren't allowed to install software. If your IT staff doesn't check
> software for security issues, they can make the same mistake. Do your
> admins even check for security problems with vendor software? I
> suspect it's not a thorough check.
>
> If the answers to the above questions are "long" and an end user needs
> the software ASAP (who doesn't?), then the end user will find ways to
> bypass this restriction in order to get the job done. Having a timely
> software installation process is critical to the success of this
> security solution. No sysadmin can anticipate what software is needed
> at any given point in time.
>
> I'm curious to see what the answers are to the above questions. My
> informal survey answers range from 1 day (ok) to 2 weeks (not ok).
>
> -Randy Marchany
> VA Tech IT Security Office