Educause Security Discussion mailing list archives

Re: One Card Manager Access to systems


From: Paul Kendall <PKendall () ACCUDATASYSTEMS COM>
Date: Tue, 13 Jul 2010 09:35:01 -0500

Penny:

I expect the manager got this access at the last university simply because no one really knew any better. 
Unfortunately, once someone thinks they need this type of access for their job, they tend to get very vocal about it.

I would ask this individual to describe in detail why they need this access. Make them provide technical details and 
specifications as to why they need the access versus working through normal change control and SOD channels.

I'd be willing to wager there is NOTHING they really need it for other than the fact that they had it at the last place 
they worked and truly believe they need it to do their job.

When I was Global Security Director for a French manufacturing firm as well as CISO for a financial services firm in 
Dallas, I NEVER had anything other than user privileges. If I needed something, I worked through the processes we had 
in place.

If you'd like to discuss further, email or call me. NO SALES PITCH given! Just throw some ideas around.

Paul
========================================
Paul L. Kendall, PhD, CGEIT, CHS-III, DHS-CVI, CISM, CISSP, CSSLP
PCI Qualified Security Assessor
Senior Consultant
Accudata Systems, Inc.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, Daniel
Sent: Tuesday, July 13, 2010 9:01 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] FW: One Card Manager Access to systems

Hi Penny,

You should submit this to the Educause listserv. You'll get plenty of IT advice from the security professionals there.

Did she say WHY she needs this access? Is the server housed in a central IT data center?

Mitigating controls might include:

* Audit logging enabled on the server to track changes to the audit log,
* Does the CS Gold application track and report configuration changes, which might be reviewed independently?
* Is the department escheating abandoned funds from the One Card accounts? If not, they could be vulnerable to 
theft and that may be your biggest risk.

I have many managers/administrators in our decentralized departments (where they are managing their own IT) who have 
the administrator rights to both their application and the server it runs on. I don't like it, but change here is slow.

Is there any chance you could share your change control and segregation of duties policies? We have neither here 
(although we'll soon be adopting ISO 27002 for our IT governance, which includes these standards).

Thanks and Good Luck and feel free to call if you have any questions.



:: Daniel Sarazen, CISSP, CISA
:: Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 774-455-7558
:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen () umassp edu

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu

From: ACUA List [mailto:ACUA-L () LIST ACUA ORG] On Behalf Of Howard, Penelope
Sent: Tuesday, July 13, 2010 9:47 AM
To: ACUA-L () LIST ACUA ORG
Subject: [ACUA-L] One Card Manager Access to systems

Good Morning!

I have a question concerning the type of access your OneCard managers have to your IT resources.  We are currently 
using CS Gold to manage our OneCard and meal plan transactions.  We are still in the process of getting OneCard up and 
fully functional across campus and have recently hired a OneCard manager to make this happen.  She wants full local 
administrator rights to the server with CS Gold on it, which would make her both an infrastructure administrator and an 
application system administrator.  This would allow her to make major changes to the server to include security policy 
changes, OS updates, and software installs without any change control oversight by any other party.  She insists this 
is the kind of access she had at her last university and it is the kind of access all the schools give their OneCard 
managers.

I have a problem with giving this kind of access to a single person, but do not have enough experience in this area to 
know how big a risk it is for the university.  Aside from it violating our change control and segregation of duties 
policies, what are the other things I need to be concerned with by giving her this kind of access to this server?  Are 
there compensating controls I can suggest if IT decides to give it to her against our advice?  Any other suggested ways 
to deal with this level of access she "requires"?

Thanks for your help!

Penny

Penelope G. Howard
Director of Internal Audit
Longwood University
Farmville, Va  23909
(ph)434-395-2283


