[unisog] Separation of Duties

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Mon Jul 9 18:23:03 GMT 2007


On Mon, 09 Jul 2007 11:23:18 MDT, Trevor Odonnal said:
> 4. Once a server, platform, or application has been fully tested
> and placed into production, all security functions and access control
> will be managed solely by the Operations Security and Account Management
> groups.

Make *really* sure that the procedure that gets put into place takes into
account the sort of issues that arise at 3AM.  It's basically a CLM for you if
it ever comes to "Engineering had a fix for the outage but we couldn't deploy
it for 6 hours because of the policy".

Also, be prepared for food fights about whether it's Engineering or Operations
that moves things from staging into production - sooner or later, you'll
discover that Engineering configured things one way, Operations did it
differently (quite possibly by accident - a typo or something, or differing
patch levels of some software component), and the finger-pointing begins...


