
	Home > Ask the Security Experts > Security Management Questions & Answers > Is it necessary to grant a full administrative privileges to a security administrator?

Ask The Security Expert: Questions & Answers

EMAIL THIS

Is it necessary to grant a full administrative privileges to a security administrator?

EXPERT RESPONSE FROM: Mike Rothman

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 09 May 2008
We recently hired an IT security administrator to oversee our systems. From a policy perspective, is it really necessary to grant him full administrative privileges on all the systems (Microsoft Windows servers & desktops) and network devices (routers, switches, firewalls, etc.)? I want to make sure I allow our IT security administrator to do his job properly, without granting him unnecessary rights.

EXPERT RESPONSE
Where to draw the line of administrative responsibility is a judgment call. In reality, a security administrator doesn't need access to much of anything. If the job is defined as setting policies and overseeing the security of systems via the enforcement of those policies, the security administrator could conceivably work through his or her peers that are responsible for the network and servers.

Of course, that clearly has an effect on the administrator's ability to enforce policy, so that may not be the best option.

Ultimately, I recommend a "trust, but verify" approach, which means gradually increasing levels of access to the administrator, as he/she proves trustworthy. First, provide access to firewalls and network devices, and then over time to servers and other devices that need to be managed. This is just one way to do it.

At the same time, I would implement a log management system, which pulls the logs from all the managed devices and stores them in a cryptographically sound fashion. I would provide read-only access to this information to all the company's administrators. Then, in the event of a compromise, the logs will help piece together what happened.

Having the logs stored in a separate environment also ensures that a bad actor can't tamper with them and hide the artifacts of the breach. Again, trust the administrator to do the right thing, but also be able pull the data that can verify it.

More information:

If segregation of duties isn't possible, learn about controls that can compensate.
Learn more about some of the misconceptions regarding security outsourcing.

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Security Management
	What is the GISP certification and how does it compare to the CISSP certification?
	Would QSAs normally write up a PCI DSS report on compliance (ROC) and submit it to all issuing card brands?
	How can gap analysis be applied to the security system development life cycle?
	When should an enterprise consider low-cost security appliances vs. a bigger do-everything appliance?
	What are some tips on protecting my security budget in a tight economy?
	What value do research firms provide to enterprises that subscribe to their services?
	What certificate offers the best ROI for an IT project manager?
	Which is the biggest threat to data: Insider activity or outsider activity?
	What role does information security play in enterprise fraud-prevention activities?
	What is the difference between an SAS 70 data center and a Tier III data center?

Management Support for Information Security

IT security pros focus on internal threats during tough economy

IT security pros face challenge during economic crisis

What are some tips on protecting my security budget in a tight economy?

IT security not valued at many firms, study finds

How to get information security buy-in from the executive team

Initial virtualization costs could outweigh benefits

What's your advice for getting other business units to contribute to crafting an effective information security policy?

Will the new CERT security incident-response project benefit infosec pros?

CIO role could shift toward data quality, says IBM group

Results Chain for Information Security and Assurance

Creating and Managing Information Security Policies

Richard Mackey: Building a framework-based compliance program

Learning the language of global compliance

IT security pros face challenge during economic crisis

Interview: Chris Nickerson of TruTV's 'Tiger Team'

IT security not valued at many firms, study finds

What value do research firms provide to enterprises that subscribe to their services?

Sound compliance policies, practices reduce legal costs

Exploring Microsoft's Network Access Protection policy options

IAM best practices for employees with varying degrees of access to the same computer

How to avoid DLP implementation pitfalls

Creating and Managing Information Security Policies Research

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

defense in depth (SearchSecurity.com)

non-disclosure agreement (SearchSecurity.com)

security policy (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business
Targeted Security Channel Tips for Resellers, Integrators and Consultants

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.


TechTarget Corporate Web Site \| Media Kits \| Reprints \| Site Map All Rights Reserved, Copyright 2003 - 2008, TechTarget \| Read our Privacy Policy