From: Adam Shephard (adam.shephardfirstfederalbanking.com)
Date: Fri Oct 12 2001 - 14:52:10 CDT

    > -----Original Message-----
    > From: John Raymond [mailto:john.raymondsafecu.org]
    > Sent: Friday, October 12, 2001 12:05 PM
    > To: focus-mssecurityfocus.com
    > Subject: Security Recommendation--Anyone?

    ...snip...
    > Current thought is to give the directors administrator level access so
    > they are able to perform all the functions they may require. The directors
    > will be using their systems not only to perform board member duties but also
    > for personal use as well. I proposed Power User access but I'm not sure
    > exactly what limitations that places upon them on their individual machines
    > (I'm currently researching this so if anyone can provide me any links or
    > tips please feel free).

    Give them the absolute bare minimum they need to perform specific tasks that
    they have stated they will need to be able to perform. Should they need more
    access down the road, they can be added on as needed. This may seem like it
    won't get past anybody, but read on.

    ...snip...
    > I'm sure someone else has experienced this kind of problem and was
    > wondering how they handled it. I'm not only concerned about the potential
    > security threat involved but also of any possible legal liability issues
    > that may be present. I've read about situations where officers of a company
    > have been or could possibly be sued for negligence or other issues. If we
    > knowingly allow a situation like this to occur that contradicts an industry
    > standard do we open ourselves not only to a possible hack or other security
    > threat but also to a potential lawsuit as well? Any help or guidance would
    > be greatly appreciated. Thanks.

    You have two different areas of concern here. Company liability and personal
    liability. Create the strictest possible plan, in writing with reasons given
    for the denial of access to each denied service. Explain both the technical
    and legal ramifications of not adopting each point of your plan (make sure
    you don't actually refer to it as YOUR plan).

    Now, your plan will not be adopted but this will help you in two ways.

    First, should the powers that be decide that the board gets full rights and
    a member of the board gets nailed picking up teenage girls online, or
    whatever, you are vindicated. You made it clear, in writing and far in
    advance, that the concept of giving these rights to board members put the
    company in rough legal waters and your hands will be as legally clean as
    possible.

    Second, it will cushion the blow to the company that board members should
    not be able to do anything they want across the network. They will still
    probably not go for the first plan but they might be willing to take a
    slightly less restrictive plan. You'll need to negotiate.

    Make sure that you have a few other plans, each one slightly less
    restrictive than the preceding one but present them anywhere from a half day
    to a full day apart.

    Now, the chances that a board member will get caught surfing for sex videos
    with farm animals are very small, but you are fairly well protected against
    it. Plus, you can be confident that you have taken every possible step to
    secure your network against this intrusion.

    From there, it's grit your teeth and pray to your god.

    Adam

    P.S. This may seem kind of reactionary but, if you put forth the first plan
    and they say they want full access and you put forth a second plan with the
    same results and a third and a fourth, start looking for another place to
    work. One way or another, that place is doomed.

    P.P.S. Where did I come up with this stuff? Experience.