Subject: Computer Security Officer
Category: Computers > Security
Asked by: mongolia-ga
List Price: $14.56
Posted: 05 Apr 2005 18:31 PDT
Expires: 05 May 2005 18:31 PDT
Question ID: 505519
Any organisation with an IT department normally will have a series of profile/passwords which give an individual unlimited access to any system or systems. My question is this: what is the current thinking (i.e. conventional wisdom) on who and how many people in a large organisation (typically a Fortune 500 organisation) should have this level of computer access? Please note my question is not a technical question but more a management/security question.

To further clarify:

Should a few people in IT have this access (or possibly one designated as the Security Officer)? Or is it better that many people in IT have this sort of access?

Should non-IT people have this type of access? Is it necessary that the CEO/CFO and/or CIO have access to the security officer passwords?

Should a select group of techies in IT only have access to the security passwords? Or should it be a rotating group of people?

And if one or more areas of IT are outsourced, should it be the responsibility of the outsourcer to know the security passwords? Or should it be shared between the customer organisation and the outsourcing organisation?

Kind Regards
Mongolia
There is no answer at this time.
Subject: Re: Computer Security Officer
From: bozo99-ga on 06 Apr 2005 01:25 PDT
> Any organisation with an IT department normally will have a series of
> profile/passwords which give an individual unlimited access to any
> system or systems.

You refer to "any system" without being clear whether you mean "all systems".

Giving unlimited access (e.g. "root" in Unix) to large numbers of people is a bad idea and leads to systems that are not under control. Giving a small number of people that access to ALL your equipment is also a bad idea as it may encourage them to take advantage of that power. This suggests your infrastructure should be divided into parts where a small group of techies has control over each part. Making specific people responsible for specific things increases accountability and either leads to higher standards of work or better evidence of inadequacy in a certain post.

C*Os and the like should be able to ask for what they want but would not normally have the technical inclination (or patience) to get it directly.

There's a case for having offsite backups tested by independent people, since if one of your techies is going to damage you badly this is the place.

There are situations in which you can give a "limited form of unlimited access" - see "sudo", "op" and the like. Most of the IT "requirement" (much abused word) for high-power access can be met this way.

On outsourcing: I think for monitoring and rare recovery events outsourcing might make sense, but for continual management that needs those passwords it does not. Making that distinction in the kind of work outsourced means you aren't forced to decide whether to disclose the passwords anyway.

Putting the above into practice requires a management attitude that is not found everywhere (to say the least). It is easily derailed by careless choice and configuration of multiple remote management tools, each of which has effectively complete access and increases the number of people you must trust. The default installation of much s/w is truly dreadful and standard contract terms should include a clause for "product must comply with our security standard (available on request) or we get our money back".

On the technical front: access is not gained or kept solely by passwords. List the other ways to access the assets you need to protect.
Subject: Re: Computer Security Officer
From: catch-ga on 25 Apr 2005 13:53 PDT
"Any organisation with an IT department normally will have a series of profile/passwords which give an individual unlimited access to any system or systems."

I have not seen this in the organizations in which I have worked. Unlimited access implies unaccountable access and this is just asking for trouble. I pretty much agree with bozo99, with the added point that C-level employees tend to need access to objects with higher confidential ratings but they essentially never need access to system custodial objects.

"Should a few people in IT have this access (or possibly one designated as the Security Officer)?"

High assurance systems define an ISO/ISSO (Information Security Officer/Information Systems Security Officer) user, but this is not a traditional "legally able to speak for the company" type of Officer. Merely just another custodial role only able to access security configuration related objects. Ideally you'll want only a few people having this type of access, and this type of access should be controlled in a manner that the user cannot also modify auditing objects (usually controlled by the System Operator role) and cannot grant themselves additional rights.

"Or is it better that many people in IT have this sort of access?"

No. Everyone in the organization should have exactly the access required for their job title and NOTHING more. Bozo made a good point about "requirements" being an abused term, so this part can be tricky. Having a finely grained Role Based Access Control policy is a good thing for most organizations. This ensures users never need sweeping powers, tempting abuse. (Read below about IT people at all having this power.)

"Should non-IT people have this type of access?"

No. Non-IT people should never under any circumstances have access to custodial objects.

"Is it necessary that the CEO/CFO and/or CIO have access to the security officer passwords?"

No. As I said above, C-level users do not need access to custodial objects either. In fact, a good organizational policy is that every user should have only one password and each password should be secret. Unfortunately this sometimes seems to be a utopia, but it is the right direction.

"Should a select group of techies in IT only have access to the security passwords?"

Again, this should be done on a role basis, not a password basis. Appropriate members of Information Security should have this access. Information Security should NOT fall under Information Technology. Otherwise this leaves the auditor in a subordinate position to the audited and nothing gets fixed or likely even reported.

"Or should it be a rotating group of people?"

Role rotation is a good thing, but if not applicable, mandatory vacation allows simple oversight as well.

"and if one or more areas of IT are outsourced should it be the responsibility of the outsourcing to know the security passwords?"

It is very unlikely that you'd ever want outsourced personnel accessing / altering custodial objects.

"Or should it be shared between customer organisation and the outsourcing organisation?"

Why would these organizations have access to custodial objects? More likely they merely need access to data objects, and access on those can be set accordingly.

Hope this is useful.

cheers,
catch
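Two points from the replies above can be checked mechanically: bozo99's advice to split the infrastructure into parts so that nobody holds root on everything, and catch's point that the security officer role must not also control audit objects or be able to grant itself more rights, and that C-level users get data objects, never custodial ones. The following is an added example, not code from this thread or from any product it mentions; the roles, objects and users are constructed sample data and the checks are a simplified model of those rules.

```python
# Added illustration, not code from the thread; roles, objects and users are
# constructed sample data. Grants are (system pattern, object) pairs: objects
# prefixed "custodial:" are system configuration, "data:" are business data,
# and "*" means every system or every object (the pattern the thread warns against).
ROLES = {
    "dba":          {("db-*", "custodial:postgres"), ("db-*", "data:finance-db")},
    "sec-officer":  {("*", "custodial:security-policy"), ("*", "custodial:user-rights")},
    "sys-operator": {("*", "custodial:audit-log"), ("*", "custodial:audit-policy")},
    "finance-exec": {("*", "data:finance-db"), ("*", "data:board-reports")},
    "legacy-root":  {("*", "*")},  # unrestricted root on everything
}
AUDIT_OBJECTS = {"custodial:audit-log", "custodial:audit-policy"}
GRANT_OBJECTS = {"custodial:user-rights"}  # lets the holder change other rights
# Role pairs one person must never hold together (separation of duties).
EXCLUSIVE_ROLES = [frozenset({"sec-officer", "sys-operator"})]
NON_IT_USERS = {"ceo", "cfo"}

# Constructed user-to-role assignments.
USERS = {
    "alice": {"dba"},
    "bob":   {"sec-officer", "sys-operator"},  # would audit his own changes
    "cfo":   {"finance-exec"},                 # data objects only: acceptable
    "ceo":   {"finance-exec", "legacy-root"},  # non-IT user with root everywhere
}


def check_roles(roles):
    """Flag roles that are unrestricted, or that can both grant rights and alter audit objects."""
    findings = []
    for role, grants in roles.items():
        objs = {obj for _, obj in grants}
        if ("*", "*") in grants:
            findings.append(f"role {role}: unrestricted access on every system")
        elif objs & AUDIT_OBJECTS and objs & GRANT_OBJECTS:
            findings.append(f"role {role}: can both grant rights and alter audit objects")
    return findings


def check_users(users, roles):
    """Flag users holding an exclusive role pair, and non-IT users with custodial access."""
    findings = []
    for user, held in users.items():
        for pair in EXCLUSIVE_ROLES:
            if pair <= held:
                findings.append(f"user {user}: holds exclusive roles {sorted(pair)}")
        custodial = {obj for r in held for _, obj in roles[r]
                     if obj == "*" or obj.startswith("custodial:")}
        if user in NON_IT_USERS and custodial:
            findings.append(f"user {user}: non-IT user with custodial access {sorted(custodial)}")
    return findings
```

Running `check_roles(ROLES)` and `check_users(USERS, ROLES)` on the sample data flags the legacy root role, bob's self-auditing role pair, and the CEO's custodial access, while the CFO's data-only access passes.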
Subject: Re: Computer Security Officer
From: bearitall-ga on 05 May 2005 11:42 PDT
For a single system, say one server with one mirror, then it is likely that only the IT person will use the root passwords often. But those passwords must be located in a place where others can get hold of them if the IT person is incapacitated. For a situation like that, the passwords in an envelope in the company safe, but also at a director's home, would cover those situations. Even with a small setup it is likely that there is a support system for when the IT person is away. For example the support companies LinuxIT and Waverley can both get into my work's systems.

As a system and number of departments grow then so must the number of first-line computer 'aids'. These don't have to know all IT functions, but should be capable of handling printer problems, restoring individual files from backups and other areas that tend to clog up IT time. A volunteer from each departmental area, though sometimes you have to encourage them to volunteer.

Then as the system grows further you eventually come to the point of needing more qualified IT staff. For this I am a firm believer in not allowing any of these IT staff to build an area that belongs to themselves. I'm sure many here have experienced an IT person particularly good in some area, so he/she looked after that thing on their own, only to find when they left the company no one else was able to take over. Each IT person must be able to step into any job/project on the network so that there is always full cover for all areas. I don't have a team at the place I currently work, but when I have in the past I rotated every regular job around us all, plus any odd jobs, such as unexpected server down time, were handled in a separate rotation system. I wanted all staff to be confident they could meet any challenge. As it happens I know that system is still in place.

This next part will make many an IT person squirm because in my work I visit enough systems to know that relatively few are truly prepared for disaster. In my early days in IT I have been very close to losing every bit of data the company had. So I learned to be disciplined. Then I came to this current company only to find that although they put the backup tapes into the machine every night, no one had heard of cleaning tapes. They had no backups at all. So I make sure whatever system I am in charge of has a route out of any disaster that might occur.

As often as you probably do a fire drill, I get the directors and a couple of computer confident staff together, have one of them point at any server or piece of equipment in the computer room and we unplug it. (Stop squirming, you lot.) That piece of equipment or server cannot be turned on as part of the recovery process. Of course I would know exactly how to recover, so they must do it by following the disaster recovery instructions. We have done this for three years at this company now and only once have they failed to solve it. But as it happened that was my fault because I missed a step in the instructions. But then the process is as much to test me as them.

So, how many of you IT people reading this would dare have someone go and unplug any random piece of equipment in your computer room?