Audit and Assurance


Providing access to IT administrator for temporary basis to production environment

  • 1.  Providing access to IT administrator for temporary basis to production environment

    Posted 31 Aug, 2019 12:13
    Dear Folks,

    If I need to provide a temporary access to IT administrator to production environment.
    (A specified ticket is sent to provide the temporary access and a ticket is enabled).

    However, could you please explain under what policy does it fail when we provide such temporary access?

    - Does it follow change management procedures? Since we add a user to the production environment / adding a user to the table of administrators, so is it considered a change management request?

    - Does it follow the access management policy? Where we send a ticket to provide an access to an employee. But my concern, when you add the IT admin you do changes in the tables of databases, so maybe it is change management?

    Please advise

    ------------------------------
    Marat Kaisseov
    ------------------------------


  • 2.  RE: Providing access to IT administrator for temporary basis to production environment

    Posted 01 Sep, 2019 01:43
    If I need to provide a temporary access to IT administrator to production environment.
    (A specified ticket is sent to provide the temporary access and a ticket is enabled).

    ok.


    However, could you please explain under what policy does it fail when we provide such temporary access?

    None. Giving an administrator access to production is a normal course of business. Especially if you do it temporarily. Seems like best practice to me. This is a concept called principle of least privilege where the admin has temp access only when needed.

    - Does it follow change management procedures? Since we add a user to the production environment / adding a user to the table of administrators, so is it considered a change management request?

    Technically it is a change yes. But it is up to the stakeholders to decide if they consider it a change management change, or a change that falls under access management. Most of the time it would be an access management item.


    - Does it follow the access management policy? Where we send a ticket to provide an access to an employee. But my concern, when you add the IT admin you do changes in the tables of databases, so maybe it is change management?

    That depends on the technology that you use. You need to ask the people you are auditing this question. Either way, if it's documented then you are good.


    ------------------------------
    Igor Yezhov
    Manager
    ------------------------------



  • 3.  RE: Providing access to IT administrator for temporary basis to production environment

    Online Forum Topic Leader
    Posted 01 Sep, 2019 04:49
    Hi Marat,

    If there is a need to provide IT administrator with temporary access to the production, it should follow the policies management have approved. The appropriate business rationale should be documented, the name of user, specific identification, how long it will be given for and access removed. There should be proper approval in the ticket if this is the company process of requesting access rights.

    Every company may have tailored change management procedures and access management policies; however, management is to ensure that the functions do not conflict with segregation of duties and there are proper review and oversight over the inputs and updates to changes in the system.

    Best regards,
    Yolanda

    ------------------------------
    Yolanda Theophilus
    2019 Online Forum Topic Leader
    Risk and Audit Consultant, CPA, MBA, CISA
    ------------------------------



  • 4.  RE: Providing access to IT administrator for temporary basis to production environment

    Posted 02 Sep, 2019 07:16
    Normally I would see this as two separate user accounts.
    1. Admin account with elevated permissions that is approved by senior management and has all appropriate logging/monitoring and restrictions, such as only authenticate from this terminal during these times. Auth expires after x days.
    2. User account with standard access to ensure if the admin doesn't need to log in as an admin, then they use a normal/restricted user account.

    ------------------------------
    James Arnold
    EIS Third-Party Cyber Risk Manager
    ------------------------------



  • 5.  RE: Providing access to IT administrator for temporary basis to production environment

    Posted 04 Sep, 2019 17:59
    Edited by Marino Mata 04 Sep, 2019 18:00

    This falls under Access Management as this risks that not all changes to production data done by the IT guy may be authorized or monitored. I would assume that when you use the term Change Management, you were referring to program development/changes, rather than access to data.

    I would be concerned about which type of access was granted, as this should be restricted only to what is required to complete the task at hand (e.g., update master data, etc.).



    ------------------------------
    Marino Mata, CISA, CPA
    ------------------------------