Educause Security Discussion mailing list archives
FW: One Card Manager Access to systems
From: "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Date: Tue, 13 Jul 2010 10:00:45 -0400
Hi Penny,

You should submit this to the Educause listserv. You'll get plenty of IT advice from the security professionals there.

Did she say WHY she needs this access? Is the server housed in a central IT data center?

Mitigating controls might include:

* Audit Logging enabled on the server to track changes to the audit log.
* Does the CS Gold application track and report configuration changes, which might be reviewed independently?
* Is the department escheating abandoned funds from the One Card accounts? If not, they could be vulnerable to theft and that may be your biggest risk.

I have many managers/administrators in our decentralized departments (where they are managing their own IT) who have the administrator rights to both their application and the server it runs on. I don't like it, but change here is slow.

Is there any chance you could share your change control and segregation of duties policies? We have neither here (although we'll soon be adopting ISO 27002 for our IT governance, which includes these standards).

Thanks and good luck, and feel free to call if you have any questions.

:: Daniel Sarazen, CISSP, CISA
:: Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office
:: 774-455-7558
:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen () umassp edu
University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu

From: ACUA List [mailto:ACUA-L () LIST ACUA ORG] On Behalf Of Howard, Penelope
Sent: Tuesday, July 13, 2010 9:47 AM
To: ACUA-L () LIST ACUA ORG
Subject: [ACUA-L] One Card Manager Access to systems

Good Morning!

I have a question concerning the type of access your OneCard managers have to your IT resources. We are currently using CS Gold to manage our OneCard and meal plan transactions.

We are still in the process of getting OneCard up and fully functional across campus and have recently hired a OneCard manager to make this happen. She wants full local administrator rights to the server with CS Gold on it, which would make her both an infrastructure administrator and an application system administrator. This would allow her to make major changes to the server, including security policy changes, OS updates, and software installs, without any change control oversight by any other party. She insists this is the kind of access she had at her last university and it is the kind of access all the schools give their OneCard managers.

I have a problem with giving this kind of access to a single person, but do not have enough experience in this area to know how big a risk it is for the university. Aside from it violating our change control and segregation of duties policies, what are the other things I need to be concerned with by giving her this kind of access to this server? Are there compensating controls I can suggest if IT decides to give it to her against our advice? Any other suggested ways to deal with this level of access she "requires"?

Thanks for your help!

Penny

Penelope G. Howard
Director of Internal Audit
Longwood University
Farmville, Va 23909
(ph) 434-395-2283
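Daniel's first two mitigating controls (audit logging that captures changes to the audit log itself, and independent review of configuration changes) can be exercised with a small review script. The example below is added here and is not code from either message or from CS Gold; it assumes a Windows server, uses the real Windows Security log event IDs 1102 (log cleared), 4719 (audit policy changed), 4732 (member added to a local group) and 4697 (service installed), and runs over constructed sample records with placeholder account names. Watched events that match an approved change ticket pass; anything else becomes a finding for the reviewer, and clearing the Security log is always flagged as high severity.

```python
"""Independent review of privileged-change events on a Windows server.

Added example: the event IDs are real Windows Security log IDs, but the
records, account names and ticket numbers are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Windows Security log event IDs used by the review.
AUDIT_LOG_CLEARED = 1102         # the Security event log was cleared
AUDIT_POLICY_CHANGED = 4719      # system audit policy was changed
LOCAL_GROUP_MEMBER_ADDED = 4732  # member added to a security-enabled local group
SERVICE_INSTALLED = 4697         # a service was installed on the system

DESCRIPTIONS = {
    AUDIT_LOG_CLEARED: "Security log cleared",
    AUDIT_POLICY_CHANGED: "Audit policy changed",
    LOCAL_GROUP_MEMBER_ADDED: "Local group membership changed",
    SERVICE_INSTALLED: "Service installed",
}


@dataclass(frozen=True)
class SecurityEvent:
    event_id: int
    when: str     # ISO-8601 timestamp
    actor: str    # account that performed the action
    target: str   # group, policy category, service or log affected


@dataclass(frozen=True)
class Finding:
    severity: str
    event: SecurityEvent
    reason: str


# (event_id, actor, target) -> change ticket that authorised the action.
ApprovedChanges = Dict[Tuple[int, str, str], str]


def review_events(events: Iterable[SecurityEvent],
                  approved: ApprovedChanges) -> List[Finding]:
    """Return one Finding per watched event that lacks an approved change ticket."""
    findings: List[Finding] = []
    for ev in events:
        if ev.event_id not in DESCRIPTIONS:
            continue  # routine event (logons etc.), not part of this review
        if ev.event_id == AUDIT_LOG_CLEARED:
            # Clearing the log destroys the evidence the review depends on;
            # no change ticket makes this acceptable.
            findings.append(Finding("high", ev, "Security log cleared; never an approved routine action"))
            continue
        ticket = approved.get((ev.event_id, ev.actor, ev.target))
        if ticket is None:
            findings.append(Finding("medium", ev, f"{DESCRIPTIONS[ev.event_id]} with no change ticket"))
    return findings


def summarize_by_actor(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per account so the reviewer sees who is making unapproved changes."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.event.actor] = counts.get(f.event.actor, 0) + 1
    return counts


# Constructed sample records (placeholder domain EXAMPLE, placeholder accounts).
SAMPLE_EVENTS = [
    SecurityEvent(SERVICE_INSTALLED, "2010-07-14T08:05:00", "EXAMPLE\\svc-patch", "WindowsUpdateAgent"),
    SecurityEvent(LOCAL_GROUP_MEMBER_ADDED, "2010-07-14T09:12:00", "EXAMPLE\\onecard-mgr", "Administrators"),
    SecurityEvent(AUDIT_POLICY_CHANGED, "2010-07-14T09:15:00", "EXAMPLE\\onecard-mgr", "Audit Policy Change"),
    SecurityEvent(AUDIT_LOG_CLEARED, "2010-07-14T09:20:00", "EXAMPLE\\onecard-mgr", "Security"),
    SecurityEvent(4624, "2010-07-14T09:30:00", "EXAMPLE\\onecard-mgr", "Logon"),  # ignored by the review
]

# Constructed change record: only the patch service install was ticketed.
APPROVED_CHANGES: ApprovedChanges = {
    (SERVICE_INSTALLED, "EXAMPLE\\svc-patch", "WindowsUpdateAgent"): "CHG-0001",
}

if __name__ == "__main__":
    for finding in review_events(SAMPLE_EVENTS, APPROVED_CHANGES):
        ev = finding.event
        print(f"[{finding.severity}] {ev.when} {ev.actor} {ev.target}: {finding.reason}")
    print(summarize_by_actor(review_events(SAMPLE_EVENTS, APPROVED_CHANGES)))
```

The point of keeping the change record separate from the event log is that the person holding local administrator rights cannot approve their own work: the reviewer, not the administrator, owns the ticket list. In a real deployment the events would be forwarded off the CS Gold server (for example with Windows Event Forwarding or a log collector) before the review runs, so that clearing the local log does not also clear the evidence.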