Educause Security Discussion mailing list archives
Re: One Card Manager Access to systems
From: Paul Kendall <PKendall () ACCUDATASYSTEMS COM>
Date: Tue, 13 Jul 2010 09:35:01 -0500
Penny:

I expect the manager got this access at the last university simply because no one really knew any better. Unfortunately, once someone thinks they need this type of access for their job, they tend to get very vocal about it. I would ask this individual to describe in detail why they need this access. Make them provide technical details and specifications as to why they need the access versus working through normal change control and SOD channels. I'd be willing to wager there is NOTHING they really need it for other than the fact that they had it at the last place they worked and truly believe they need it to do their job.

When I was Global Security Director for a French manufacturing firm as well as CISO for a financial services firm in Dallas, I NEVER had anything other than user privileges. If I needed something, I worked through the processes we had in place.

If you'd like to discuss further, email or call me. NO SALES PITCH given! Just throw some ideas around.

Paul

========================================
Paul L. Kendall, PhD, CGEIT, CHS-III, DHS-CVI, CISM, CISSP, CSSLP
PCI Qualified Security Assessor
Senior Consultant
Accudata Systems, Inc.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, Daniel
Sent: Tuesday, July 13, 2010 9:01 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] FW: One Card Manager Access to systems

Hi Penny,

You should submit this to the Educause listserv. You'll get plenty of IT advice from the security professionals there.

Did she say WHY she needs this access? Is the server housed in a central IT data center?

Mitigating controls might include:
* Audit logging enabled on the server to track changes to the audit log.
* Does the CS Gold application track and report configuration changes, which might be reviewed independently?
* Is the department escheating abandoned funds from the One Card accounts? If not, they could be vulnerable to theft, and that may be your biggest risk.

I have many managers/administrators in our decentralized departments (where they are managing their own IT) who have administrator rights to both their application and the server it runs on. I don't like it, but change here is slow.

Is there any chance you could share your change control and segregation of duties policies? We have neither here (although we'll soon be adopting ISO 27002 for our IT governance, which includes these standards).

Thanks and good luck, and feel free to call if you have any questions.

:: Daniel Sarazen, CISSP, CISA
:: Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office
:: 774-455-7558
:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen () umassp edu
University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu

From: ACUA List [mailto:ACUA-L () LIST ACUA ORG] On Behalf Of Howard, Penelope
Sent: Tuesday, July 13, 2010 9:47 AM
To: ACUA-L () LIST ACUA ORG
Subject: [ACUA-L] One Card Manager Access to systems

Good Morning!

I have a question concerning the type of access your OneCard managers have to your IT resources. We are currently using CS Gold to manage our OneCard and meal plan transactions. We are still in the process of getting OneCard up and fully functional across campus and have recently hired a OneCard manager to make this happen.

She wants full local administrator rights to the server with CS Gold on it, which would make her both an infrastructure administrator and an application system administrator. This would allow her to make major changes to the server, including security policy changes, OS updates, and software installs, without any change control oversight by any other party. She insists this is the kind of access she had at her last university and it is the kind of access all the schools give their OneCard managers.

I have a problem with giving this kind of access to a single person, but do not have enough experience in this area to know how big a risk it is for the university. Aside from it violating our change control and segregation of duties policies, what are the other things I need to be concerned with by giving her this kind of access to this server? Are there compensating controls I can suggest if IT decides to give it to her against our advice? Any other suggested ways to deal with this level of access she "requires"?

Thanks for your help!

Penny

Penelope G. Howard
Director of Internal Audit
Longwood University
Farmville, VA 23909
(ph) 434-395-2283
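The first mitigating control Daniel lists is audit logging on the server that tracks changes to the audit log itself. The weakness of that control when the person being audited is a local administrator is that she can clear the log or switch auditing off, so the review has to run against a copy kept off the box and has to start with the events that tamper with the trail. The following is an added example for this archive page, not code from any message in the thread. It assumes the CS Gold host is a Windows server (the request is for "local administrator rights"), that its Security log is exported off the host (for example with `wevtutil qe Security /f:xml` or Windows Event Forwarding) and parsed into records with the field names used here, and that the event IDs are the standard Windows Security IDs; every record and account name is constructed.

```python
"""Review exported Windows Security events for actions that let a local
administrator bypass or erase the audit trail.

Added example, not code from the list thread. Assumes the exported Security
log has been parsed into dicts keyed by the Windows event data field names
(EventID, TimeCreated, SubjectUserName, TargetUserName, MemberName, ...).
All records and account names below are constructed.
"""

import json

# Events worth an independent reviewer's attention because they change who is
# an administrator, what runs on the box, or whether the log can be trusted.
WATCHED_EVENTS = {
    1102: "Security log cleared",
    4719: "System audit policy changed",
    4732: "Member added to local Administrators group",
    4697: "Service installed",
    4698: "Scheduled task created",
}

# Accounts whose changes are already covered by change control and can be
# filtered out of the exception report (assumed name for the example).
APPROVED_CHANGE_ACCOUNTS = {"svc-patching"}


def flag_events(records, watched=WATCHED_EVENTS, approved=APPROVED_CHANGE_ACCOUNTS):
    """Return one finding per watched event not performed by an approved account.

    For 4732 Windows puts the group name in TargetUserName and the added
    account in MemberName, so only additions to Administrators are reported.
    """
    findings = []
    for rec in records:
        event_id = rec["EventID"]
        if event_id not in watched:
            continue
        actor = rec.get("SubjectUserName", "")
        if actor in approved:
            continue
        if event_id == 4732 and rec.get("TargetUserName") != "Administrators":
            continue
        findings.append({
            "time": rec["TimeCreated"],
            "event_id": event_id,
            "actor": actor,
            "reason": watched[event_id],
            "detail": rec.get("MemberName") or rec.get("ServiceName") or rec.get("TaskName", ""),
        })
    return findings


def actors_to_review(findings):
    """Group the flagged event IDs by the account that triggered them."""
    by_actor = {}
    for finding in findings:
        by_actor.setdefault(finding["actor"], set()).add(finding["event_id"])
    return by_actor


# Constructed sample: a few days of events on the CS Gold host. Names invented.
SAMPLE_EVENTS = [
    {"TimeCreated": "2010-07-06T08:02:11", "EventID": 4624, "TargetUserName": "onecardmgr"},
    {"TimeCreated": "2010-07-06T08:05:40", "EventID": 4732, "SubjectUserName": "itadmin",
     "TargetUserName": "Administrators", "MemberName": "CAMPUS\\onecardmgr"},
    {"TimeCreated": "2010-07-06T08:07:02", "EventID": 4732, "SubjectUserName": "itadmin",
     "TargetUserName": "Remote Desktop Users", "MemberName": "CAMPUS\\helpdesk"},
    {"TimeCreated": "2010-07-07T22:15:09", "EventID": 4697, "SubjectUserName": "svc-patching",
     "ServiceName": "WindowsUpdateAgent"},
    {"TimeCreated": "2010-07-09T17:41:55", "EventID": 4719, "SubjectUserName": "onecardmgr"},
    {"TimeCreated": "2010-07-09T17:43:20", "EventID": 1102, "SubjectUserName": "onecardmgr"},
]

if __name__ == "__main__":
    report = flag_events(SAMPLE_EVENTS)
    print(json.dumps(report, indent=2))
    print(json.dumps({a: sorted(e) for a, e in actors_to_review(report).items()}, indent=2))
```

On the constructed sample the report shows the admin-group addition by IT, then an audit policy change followed two minutes later by a cleared Security log, both by the OneCard manager account; the approved patching account's service install is filtered out, and the Remote Desktop Users change is ignored. The 1102 record is the one that matters most: it only survives to be reviewed if the log was already copied off the server.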
Current thread:
- FW: One Card Manager Access to systems Sarazen, Daniel (Jul 13)
- Re: One Card Manager Access to systems Paul Kendall (Jul 13)