Educause Security Discussion mailing list archives

FW: One Card Manager Access to systems


From: "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Date: Tue, 13 Jul 2010 10:00:45 -0400

Hi Penny,

You should submit this to the Educause listserv. You'll get plenty of IT advice from the security professionals there.

Did she say WHY she needs this access? Is the server housed in a central IT data center?

Mitigating controls might include:

* Audit logging enabled on the server to track changes to the audit log.

* Does the CS Gold application track and report configuration changes, which might be reviewed independently?

* Is the department escheating abandoned funds from the One Card accounts? If not, they could be vulnerable to theft, and that may be your biggest risk.

I have many managers/administrators in our decentralized departments (where they are managing their own IT) who have 
the administrator rights to both their application and the server it runs on. I don't like it, but change here is slow.

Is there any chance you could share your change control and segregation of duties policies? We have neither here 
(Although we'll soon be adopting ISO 27002 for our IT governance, which includes these standards).

Thanks and Good Luck and feel free to call if you have any questions.



:: Daniel Sarazen, CISSP, CISA
:: Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 774-455-7558
:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen () umassp edu<mailto:Dsarazen () umassp edu>

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : 
www.massachusetts.edu<http://www.massachusetts.edu/>
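The first of Daniel's mitigating controls, audit logging that also records changes to the audit log itself, only compensates for a single local administrator if the review is done by someone else on a copy the administrator cannot alter. The following Python is an added example, not code from either message or from CS Gold: it assumes a Windows server whose Security log is exported as JSON lines to an off-box collector, and the records, the account names (CAMPUS\onecardmgr, CAMPUS\itops) and the service name in the sample are constructed for illustration. The event IDs it watches (1102, 4719, 4732, 4697, 4720) are the standard Windows Security event IDs for those actions.

```python
"""Flag Security-log events an independent reviewer would want to see when
one person holds local administrator rights on an application server.

Added example; the thread does not state the server OS, so a Windows Security
log exported as JSON lines is assumed, and the records below are constructed.
"""
import json
from collections import defaultdict

# Standard Windows Security event IDs that matter when a single local admin
# can change the server, its audit policy, and the audit log itself.
WATCHED_EVENTS = {
    1102: "audit log cleared",
    4719: "system audit policy changed",
    4732: "member added to security-enabled local group",
    4697: "service installed on the system",
    4720: "user account created",
}

# Constructed sample export (hypothetical accounts and service name, not real logs).
SAMPLE_EXPORT = r"""
{"EventID": 4624, "TimeCreated": "2010-07-13T08:55:10Z", "Subject": "CAMPUS\\onecardmgr", "Detail": "logon type 10"}
{"EventID": 4697, "TimeCreated": "2010-07-13T09:02:41Z", "Subject": "CAMPUS\\onecardmgr", "Detail": "service CSGoldUpdater installed"}
{"EventID": 4719, "TimeCreated": "2010-07-13T09:03:05Z", "Subject": "CAMPUS\\onecardmgr", "Detail": "Object Access auditing disabled"}
{"EventID": 4732, "TimeCreated": "2010-07-13T09:04:00Z", "Subject": "CAMPUS\\onecardmgr", "Detail": "CAMPUS\\svc-gold added to Administrators"}
{"EventID": 1102, "TimeCreated": "2010-07-13T09:10:30Z", "Subject": "CAMPUS\\onecardmgr", "Detail": "The audit log was cleared"}
{"EventID": 4624, "TimeCreated": "2010-07-13T09:15:00Z", "Subject": "CAMPUS\\itops", "Detail": "logon type 10"}
"""


def parse_export(text):
    """Parse a JSON-lines export into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_events(events):
    """Return (flagged, cleared): the watched events in time order, and whether
    the log itself was cleared (event 1102), which is the strongest sign that
    the on-box copy can no longer be trusted and the off-box copy must be used."""
    flagged = [e for e in events if e["EventID"] in WATCHED_EVENTS]
    flagged.sort(key=lambda e: e["TimeCreated"])
    cleared = any(e["EventID"] == 1102 for e in flagged)
    return flagged, cleared


def summarize_by_actor(flagged):
    """Count watched events per subject account, so the reviewer can see which
    account made privileged changes and whether a second party was ever involved."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in flagged:
        counts[e["Subject"]][WATCHED_EVENTS[e["EventID"]]] += 1
    return {actor: dict(c) for actor, c in counts.items()}


def review_report(text):
    """Build the text an independent reviewer would read for one export."""
    events = parse_export(text)
    flagged, cleared = flag_events(events)
    lines = [
        f"{e['TimeCreated']} {e['EventID']} {WATCHED_EVENTS[e['EventID']]}: "
        f"{e['Subject']} - {e['Detail']}"
        for e in flagged
    ]
    if cleared:
        lines.append("WARNING: event 1102 present; reconcile this export against the collector copy")
    return "\n".join(lines)


if __name__ == "__main__":
    print(review_report(SAMPLE_EXPORT))
```

The point of the report is who reads it: if the only copy of the log lives on the server the administrator controls, event 1102 is the last thing the reviewer will see, which is why the export is assumed to be shipped off the box before review.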






From: ACUA List [mailto:ACUA-L () LIST ACUA ORG] On Behalf Of Howard, Penelope
Sent: Tuesday, July 13, 2010 9:47 AM
To: ACUA-L () LIST ACUA ORG
Subject: [ACUA-L] One Card Manager Access to systems

Good Morning!

I have a question concerning the type of access your OneCard managers have to your IT resources.  We are currently 
using CS Gold to manage our OneCard and meal plan transactions.  We are still in the process of getting OneCard up and 
fully functional across campus and have recently hired a OneCard manager to make this happen.  She wants full local 
administrator rights to the server with CS Gold on it, which would make her both an infrastructure administrator and an 
application system administrator.  This would allow her to make major changes to the server to include security policy 
changes, OS updates, and software installs without any change control oversight by any other party.  She insists this 
is the kind of access she had at her last university and it is the kind of access all the schools give their OneCard 
managers.

I have a problem with giving this kind of access to a single person, but do not have enough experience in this area to 
know how big a risk it is for the university.  Aside from it violating our change control and segregation of duties 
policies, what are the other things I need to be concerned with by giving her this kind of access to this server?  Are 
there compensating controls I can suggest if IT decides to give it to her against our advice?  Any other suggested ways 
to deal with this level of access she "requires"?

Thanks for your help!

Penny

Penelope G. Howard
Director of Internal Audit
Longwood University
Farmville, VA 23909
(ph) 434-395-2283

The information in this e-mail and any attachments may be confidential and privileged. Access to this e-mail by anyone 
other than the intended addressee is unauthorized. If you are not the intended recipient (or the employee or agent 
responsible for delivering this information to the intended recipient) please notify the sender by reply e-mail and 
immediately delete this e-mail and any copies from your computer and/or storage system. The sender does not authorize 
the use, distribution, disclosure or reproduction of this e-mail (or any part of its contents) by anyone other than the 
intended recipient(s).

No representation is made that this e-mail and any attachments are free of viruses. Virus scanning is recommended and 
is the responsibility of the recipient.

