Q

Is it necessary to grant a full administrative privileges to a security administrator?

Outsourcing security management can save time and money -- with the right security administrator. Learn how to manage security privileges to keep systems safe.

We recently hired an IT security administrator to oversee our systems. From a policy perspective, is it really necessary to grant him full administrative privileges on all the systems (Microsoft Windows servers & desktops) and network devices (routers, switches, firewalls, etc.)? I want to make sure I allow our IT security administrator to do his job properly, without granting him unnecessary rights.
Where to draw the line of administrative responsibility is a judgment call. In reality, a security administrator doesn't need access to much of anything. If the job is defined as setting policies and overseeing the security of systems via the enforcement of those policies, the security administrator could conceivably work through his or her peers that are responsible for the network and servers.

Of course, that clearly has an effect on the administrator's ability to enforce policy, so that may not be the best option.

Ultimately, I recommend a "trust, but verify" approach, which means gradually increasing levels of access to the administrator, as he/she proves trustworthy. First, provide access to firewalls and network devices, and then over time to servers and other devices that need to be managed. This is just one way to do it.

At the same time, I would implement a log management system, which pulls the logs from all the managed devices and stores them in a cryptographically sound fashion. I would provide read-only access to this information to all the company's administrators. Then, in the event of a compromise, the logs will help piece together what happened.

Having the logs stored in a separate environment also ensures that a bad actor can't tamper with them and hide the artifacts of the breach. Again, trust the administrator to do the right thing, but also be able pull the data that can verify it.

More information:

This was first published in May 2008

Dig deeper on Information Security Policies, Procedures and Guidelines

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close