IT Security Administrator privileges.
Hi,
We recently hired an IT security administrator to oversee our systems & network security. And I would like to know whether it is really necessary to grant him full administrative privileges on all the systems (Microsoft windows servers & desktops) and network devices (routers, switches, firewalls, etc). Kindly recommend the best method of allowing our IT security administrator to do his job properly without granting him unnecessary rights.
Regards,
Tech.Halo.
Software/Hardware used:
Software/Hardware used:
ASKED:
April 16, 2008 8:54 AM
UPDATED:
April 21, 2008 4:27 PM
Answer Wiki:
Wow, if I was your security admin I would be offended or wondering if I made a mistake by taking the job with this organization. What did you hire this guy to do if not to be an "Administrator" per the job title? Is the only thing he is permitted to do is to be in read-only mode like the rest of the user population? Seems like you may be unnecessarily tying this secadmin's hands if you want to be so restrictive. What does the organization do? What sensitive information needs this type of security?
To see all answers submitted to the Answer Wiki: View Answer History.
My question to Tech.Halo. is what security was he hired to provide? Is he providing security for just the desktop and servers and not the total Network, (ie routers and switches too)? It’s a little tough to do one and not the other.
Sounds like your company is a mid size org. if so you’ll have to grant total access. If your company is much larger and you have seperate oranizations one for Networking one for desktops and one servervs then you should grant access accordingly. Although it’s been my experience that Network security is never hired locally in large coporations.
Clear as mud right?
Limiting the permissions and privileges that administrators have access to protects the organization and the administrator. The first step to determining the appropriate level of access is to clearly define the roles and responsibilities of the job and then delegate only the permissions and privileges required to perform these functions.
And I would add, log and monitor the administrator’s activies. Not that you don’t trust him/her (if the person was hired, then trust do exist at this point), but from an audit point of view it’s good practice to validate that key roles (as a security admin) do perform what is required from the role, nothing less or more.
Ideally the logs should be exported to a repository where this admin has no access to (maybe easier to say than to do).
Remember, IT/Security auditors always focus on critical roles, as a security admin is, even more if no Segregation of Duties is possible due to organizational issues.
Good luck!
Just adding to the good answers you already got. It really depends on the role and skills of the security administrator and how your company works. For example, network has more sides than just security, so one change to enhance security may otherwise make your network not to work as it was supposed. Or vise versa.
The very good answer was, audit everything – not just for security auditors, etc but mistakes happen and it is much easier and faster to solve problems when you know what really happened. Too often the first answer is “we didn’t change anything” when you know that something has changed but can’t find what!
About trust – why would you hire anybody you don’t trust? Not always easy, not technical, not even background checks even they help, but it is in persons character and personality. And, yes, a security administrator even with limited access and responsibility, has to be trusted – anything else only will often create more problems than solve. A good administrator (operator, whatever) learns very fast how to circumvent the limitations – they have to if they want to be efficient and not calling help for each problem. Teach and let them learn how your company wants to handle security, not just in network, I assume that you have security and risk policies in place.