Open IT Forum: Segregation of duties versus full access for sys admins?

Tags:
Open IT Forum
Security
Systems administration
Systems administrators
We had a question in the forums recently that brought up an interesting dilemma: In sensitive roles such as systems administrators, do you believe in granting full access or employing a segregation of duties to minimize risk? We'd love to hear how your company deals with these executive decisions and how that's succeeded (or failed). As usual, we're reserving 200 knowledge points for the best story! Don't want to leave your answer in the discussion area? Feel free to email me at Melanie@ITKnowledgeExchange.com.

Answer Wiki


We grant the administrator full access and then it is the internal IT auditor that watches the people with full access by requesting and running different audit reports to make sure that changes to programs are only done through the proper change control programs and that the change control administrator does not push through changes. We also monitor all super user accounts on the systems and what the person does while having super user access. We are required to produce and monitor the reports each quarter for SOX compliance and that is often enough for the auditors to review all the systems.

Discuss This Question: 3  Replies

 
  • Denny Cherry
    Someone has to have full rights to everything. Those people are the systems admins. Even if the systems admins don't have rights to a folder (for example), they always have a way to grant themselves rights to that folder. The systems admins will also have the password to the account which the backup software uses to back up the data within that folder and that account will have rights to that data. Because of the level of access that systems admins have, the systems admins must be very trusted people. If you don't trust your systems admins to have the keys to the kingdom then you may have the wrong people in those positions. Usually a systems admin who has been doing the work for 10 or 20 years can be trusted without issue to have these kinds of rights as they understand that with the rights comes the responsibility to use the rights correctly. Segregation of duties is great for keeping people that develop away from production, and keeping the person that handles the backups from doing restores over the live data, but eventually someone has to be trusted or nothing is going to get done.
  • Lovemyi
    Mrdenny, Well said. Lovemyi
  • MelanieYarbrough
    I agree, well said to both of you. Mrdenny, Are there certain checks you’d recommend or compliance policies to keep these sorts of roles in check? I agree with finding someone who’s trustworthy with a good track record, but it seems there should be something in place to make sure things are being executed as they should just in case a bad apple slips through. I’d love to hear what you think! Melanie