Educause Security Discussion mailing list archives

Re: IT Separation of Duties question


From: randy <marchany () VT EDU>
Date: Thu, 23 Jul 2020 14:30:58 -0400

If you're going to give people admin privileges on any machine, they need
to be properly trained.  I use the analogy of a piece of construction
equipment. Just because I know how to drive a stick shift vehicle doesn't
mean I can drive a big construction shovel machine.  As a former sysadmin
(25yrs), I shudder hearing developers are going to be admins w/o training
AND developers would feel the same if a bunch of admins were told to be
developers.

Poorly trained technical staff (admin, dev, user) is a greater threat to an
org than any hacker.  So, if your mgt wants to fund training for devs to be
admins, then prove it by paying for the training.

-Randy Marchany
VA Tech IT Security Office and Lab

On Thu, Jul 23, 2020 at 1:35 PM Jamie Schademan <Jamie.Schademan () cwu edu>
wrote:

Hello,



Because of a turnover in our System Administrator position for PeopleSoft
(patching, upgrade, moves to production), we (security) are being asked to
allow a number of our PeopleSoft developers to have access to do the admin
job function.  I have provided information to leadership about the
violation of Segregation of Duties, the ISACA SoD in IT Matrix, and other
arguments for not doing this.



For reference we have an application group of approximately 23 people.  My
recommendation has been to provide someone with the opportunity to upgrade
into the PeopleSoft System Admin role, but that has not been well
received.  They would just like to have developers also do system
admin work.



Can I get your input and experiences on this?



Thank you,

Jamie

Jamie Schademan
CISM, MSIT, MSCS
Chief Information Security Officer
Information Security Services
Central Washington University

**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community
