Administrating Systems

A System Administrator is often in a powerful position because they normally set the user access criteria for all systems. This raises a range of Information Security issues. The System Administrator must receive an adequate level of training on the system within their area of responsibility. The System Administrator must also be familiar with the Information Security risks associated with the system administration function.

  • Any system or network changes implemented by the System Administrator are likely to be far-reaching; errors can threaten the entire network's operation.
      • The System Administrator should only ever act on confirmed and legitimate instructions.
      • Even legitimate and confirmed instructions may have security implications that are not immediately obvious. The System Administrator should analyse all such instructions received and advise management accordingly.
      • Dual control of certain duties increases security and reduces the risk of error.
  • Running both live systems and test / development systems on the same computer is extremely dangerous because a program crash on the test system could impact the live (production) environment.
      • Always separate live systems (and data) from any test systems.
      • Issue separate user IDs for test and development and ensure that these cannot be used on the live system.
  • Employees with a grievance pose a serious risk because they know what information of value exists and they may be able to circumvent security controls.
      • Review and monitor the access control and privileges of aggrieved employees.
      • On the authority of HR, suspend their access to the system.
      • As a matter of course, Human Resources should promptly advise the Security Officer of any employee with a possible grievance; the Security Officer will then instruct the System Administrator as appropriate.
  • Where users' access rights and privileges are not documented, Information Security may be compromised.
      • Record a user security profile for every single system user, including access details together with application and file privileges.
      • Ensure that all 'test' accounts set up when the system was commissioned are deleted so they cannot give anyone 'back door entry' to the live system.
      • 'Super User' or 'Power User' status must only be granted in exceptional circumstances. Review this privilege regularly.
      • Spot check users' access privileges periodically to ensure the accuracy of records.

Use of the guidance contained within RUSecure™ is subject to the End User Licence Agreement