RE: Controlling access to servers

["David Gillett" <gillettdavid () fhda edu>]

  Consider a situation where IT Dept is forbidden to touch some
machines because the information they contain is "too sensitive".

  How do we manage security in such a case?

Answer (98 times out of 100):  The most critical information in 
the enterprise winds up on the least secure machines in the 
enterprise.

David Gillett


> -----Original Message-----
> From: sf_mail_sbm () yahoo com [mailto:sf_mail_sbm () yahoo com]
> Sent: Tuesday, November 30, 2004 4:10 AM
> To: security-basics () securityfocus com
> Subject: Controlling access to servers
>
>
>
>
> Hi List,
>
> Consider a situation where IT Dept has full access and 
> control over all servers
>
> How do we manage security in such a case? i.e. how can we put 
> control measures to prevent IT Admins to do whatever they 
> want on the system without going through a proper control & 
> approval process
>
> One solution might be to give the admin passwords to the IT 
> Security Section or the IT Audit, in this way, Admins will 
> have to request them to log in the machine for all interventions
>
> Of course this solution has lots of drawbacks!
>
> I would be glad to know how other companies manage to control 
> changes being done on IT systems, particularly in large organisations
>
> Thanks for your comments
>
> Ronish