Saturday, March 27, 2010

Watching the Watchers


At the March meeting of the Grand Rapids ISSA the topic of accountability was raised, the idea being that InfoSec professionals and most IT staff have a lot of access, permissions, etc. That is a necessity to a degree, but in small/medium shops, which is where I've spent most of my working life so far, the fact is that there isn't much in the way of firm policy and procedures around checking on other IT staff or other employees within the organization.

No easy answers here, and there is a basic degree of trust required in any org for anything to get done. I am not at all pro-micromanagement, but at the same time it seems there needs to be some intentional attention given to keeping each other (i.e. IT dept peers) on the right track. Just because I have access to sensitive information such as payroll (how much does that guy make?) and HR documents (did she get written up for that one thing?) does not mean I should give in to my own curiosity. Least privilege is a wonderful thing, but seldom do smaller departments take this to the degree that is needed, and it is a real PITA managing perms when roles and needs change. Most stuff is more open than it perhaps needs to be simply because everyone is spread thin and fire fighting the majority of the time.

This one made me go hmm a few times in the last couple weeks.

Well, the sun is shining and it is time to get some fresh air. Then head to the library to start writing a paper for my DU class.
