Educause Security Discussion mailing list archives

Re: IT Separation of Duties question


From: Jamie Schademan <Jamie.Schademan () CWU EDU>
Date: Thu, 23 Jul 2020 20:25:28 +0000

Good point, Randy, thank you.
Jamie

Jamie Schademan
CISM, MSIT, MSCS
Chief Information Security Officer
Information Security Services
Central Washington University
Jamie.Schademan () cwu edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of randy
Sent: Thursday, July 23, 2020 11:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] IT Separation of Duties question




If you're going to give people admin privileges on any machine, they need to be properly trained.  I use the analogy of 
a piece of construction equipment. Just because I know how to drive a stick shift vehicle doesn't mean I can drive a 
big construction shovel machine.  As a former sysadmin (25yrs), I shudder hearing developers are going to be admins w/o 
training AND developers would feel the same if a bunch of admins were told to be developers.

Poorly trained technical staff (admin, dev, user) is a greater threat to an org than any hacker.  So, if your mgt wants 
to fund training for devs to be admins, then prove it by paying for the training.

-Randy Marchany
VA Tech IT Security Office and Lab

On Thu, Jul 23, 2020 at 1:35 PM Jamie Schademan <Jamie.Schademan () cwu edu> wrote:
Hello,

Because of a turnover in our System Administrator position for PeopleSoft (patching, upgrade, moves to production), we 
(security) are being asked to allow a number of our PeopleSoft developers to have access to do the admin job function.  
I have provided information to leadership about the violation of Segregation of Duties, the ISACA SoD in IT Matrix, and 
other arguments for not doing this.

For reference we have an application group of approximately 23 people.  My recommendation has been to provide someone 
with the opportunity to upgrade into the PeopleSoft System Admin role, but that has not been well received.  They would 
just like to have developers also do system admin work.

Can I get your input and experiences on this?

Thank you,
Jamie

Jamie Schademan
CISM, MSIT, MSCS
Chief Information Security Officer
Information Security Services
Central Washington University

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
