RE: When IT Manager breaks rules

["April Carson" <ACarson () HNTB com>]

Although I cannot site specifics from the law, I know there is something
in SOX compliance guidelines that have to do with account creation
workflows that you could use to create your case.

We are fortunate as we have Oracle. HR keys in the data, it generates an
email to us indicating a batch file ran and created the account in AD,
when we get the go ahead from the Division Admin we enable the account.
HR backs this up, as does the technology. 

I hope this helped some.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of WALI
Sent: Wednesday, May 16, 2007 10:33 PM
To: security-basics () securityfocus com
Cc: security-basics () securityfocus com
Subject: When IT Manager breaks rules

Hi guys...an odd question here!! I am mad at my IT Manager, he is such a

sissy!!

Being a internal security analyst in-charge, I want to enforce a few 
policies at help desk. One of them is, not to create any user account 
unless an email arrives from HR to HelpDesk, informing of the user's
badge 
ID, the department he/she belongs to. The status of employment and all 
those things. The procedures are in place but sometimes it so happens
that 
some Head of the Dept. or executive management calls up our IT Manager
over 
the phone, or send him an email directly which is then forwarded to our 
Help Desk incharge who is then left with little options but to create
the 
account without due processes. All policy compliance guidelines get
thrown 
up in the air.

HelpDesk incharge is bound by his position to, not to defy IT manager
and 
he is scared to tell me (sometimes he does) that IT manager is forcing
him 
to dilute the AD account creation policy.

I don't want to confront IT manager based upon inputs by Helpdesk guys
but 
would rather put a mechanism in place, where I would automatically come
to 
know, that an account has been created and I can ask helpdesk to provide

proof of the email from HR arbitrarily and then confront the manager.

I know some Audit trails can be put and they would appear under Security

tab of Event manager ( or so I guess) but I need something more
automated 
that would land in my mailbox.

Is this possible through any automated solution in AD of Windows 2003? 
Probably MOM 2005 or the types?
In case I chose to confront  HR Admin/ managers with a plea to stop
sending 
such requests to our IT Manager and put their house in order, what all 
genuine risks of 'not doing so' can I highlight? Ours is fairly large 
corporation employing about a 1000 people.




This e-mail and any files transmitted with it are confidential and are intended solely for the use of the individual or 
entity to whom they are addressed. If you are NOT the intended recipient or the person responsible for delivering the 
e-mail to the intended recipient, be advised that you have received this e-mail in error and that any use, 
dissemination, forwarding, printing or copying this e-mail is strictly prohibited.