Home > IT Answers > Security > IT Security Administrator privileges.
Help

Question

  Asked: Apr 16 2008   8:54 AM GMT
  Asked by: Tech halo

IT Security Administrator privileges.


Security Administrator, Security management, Security policies

Hi,

We recently hired an IT security administrator to oversee our systems & network security. And I would like to know whether it is really necessary to grant him full administrative privileges on all the systems (Microsoft windows servers & desktops) and network devices (routers, switches, firewalls, etc). Kindly recommend the best method of allowing our IT security administrator to do his job properly without granting him unnecessary rights.

Regards,
Tech.Halo.

Subscribe to Alerts! Get questions and answers delivered to your Inbox.


E-mail me updates on this question



   SUBSCRIBE

hidden modal window
Help

Answer Wiki (Improve, edit or add to this answer)

IMPROVE THIS ANSWER
View History
 RATE THIS ANSWER
0
Click to Vote:
  •   0
  •  0
Last Answered: Apr 16 2008  12:09 AM GMT  by Labnuke99




Wow, if I was your security admin I would be offended or wondering if I made a mistake by taking the job with this organization. What did you hire this guy to do if not to be an "Administrator" per the job title? Is the only thing he is permitted to do is to be in read-only mode like the rest of the user population? Seems like you may be unnecessarily tying this secadmin's hands if you want to be so restrictive. What does the organization do? What sensitive information needs this type of security?
  • AddThis Social Bookmark Button

Browse more Questions and Answers on Security.

Looking for relevant Security Whitepapers? Visit the SearchSecurity.com Research Library.


RSS - Discussions Help

Discuss This Answer


You must be logged-in to discuss a question. Log-in/Register

Oakenman  |   Apr 16 2008  12:17PM GMT

My question to Tech.Halo. is what security was he hired to provide? Is he providing security for just the desktop and servers and not the total Network, (ie routers and switches too)? It’s a little tough to do one and not the other.

Sounds like your company is a mid size org. if so you’ll have to grant total access. If your company is much larger and you have seperate oranizations one for Networking one for desktops and one servervs then you should grant access accordingly. Although it’s been my experience that Network security is never hired locally in large coporations.

Clear as mud right?

 

Wrobinson  |   Apr 18 2008  3:01AM GMT

Limiting the permissions and privileges that administrators have access to protects the organization and the administrator. The first step to determining the appropriate level of access is to clearly define the roles and responsibilities of the job and then delegate only the permissions and privileges required to perform these functions.

 

DiegoDH  |   Apr 21 2008  1:07AM GMT

And I would add, log and monitor the administrator’s activies. Not that you don’t trust him/her (if the person was hired, then trust do exist at this point), but from an audit point of view it’s good practice to validate that key roles (as a security admin) do perform what is required from the role, nothing less or more.
Ideally the logs should be exported to a repository where this admin has no access to (maybe easier to say than to do).

Remember, IT/Security auditors always focus on critical roles, as a security admin is, even more if no Segregation of Duties is possible due to organizational issues.

Good luck!

 

Tuomoks  |   Apr 21 2008  4:27PM GMT

Just adding to the good answers you already got. It really depends on the role and skills of the security administrator and how your company works. For example, network has more sides than just security, so one change to enhance security may otherwise make your network not to work as it was supposed. Or vise versa.
The very good answer was, audit everything - not just for security auditors, etc but mistakes happen and it is much easier and faster to solve problems when you know what really happened. Too often the first answer is “we didn’t change anything” when you know that something has changed but can’t find what!
About trust - why would you hire anybody you don’t trust? Not always easy, not technical, not even background checks even they help, but it is in persons character and personality. And, yes, a security administrator even with limited access and responsibility, has to be trusted - anything else only will often create more problems than solve. A good administrator (operator, whatever) learns very fast how to circumvent the limitations - they have to if they want to be efficient and not calling help for each problem. Teach and let them learn how your company wants to handle security, not just in network, I assume that you have security and risk policies in place.