Esther,

Thank you for this article. I can add one more tip to your very useful list: get CFO in your camp. The article talks about connecting root access to the budget. I would push it a bit further and prepare an entire list of risks together with their probability and severity. Then I would attach the time and money related to every risk (both damage and recovery), and state that if root access is granted the recovery procedures will be budgeted from the department where the person (or people) belongs. I would then take this list, which must be outlined in layman words, to the CFO office and explained to her the real financial hardship that WILL be associated (not “would be”, because it’s just a matter of time) with giving root access to anyone without special skills, knowledge and experience.

Will this work? Usually CFO is a very strong ally. However, your article is very adequately titled. It’s all about politics, and we in IT are not the best politicians...

I would extend this conversation to cover other areas where people insist on something harmful for the company without understanding of what they are doing. The list can be rather long:
• Hiring their own IT specialists (usually substandard)
• Getting network access for visitors
• Installing potentially harmful software on their box or the corporate network
• Building amateurish application and requesting their access to the corporate data
• Signing deals that would require IT involvement without IT consent or even knowledge

I shouldn’t bother to continue. Any CIO can make as long list as you want as quickly as you want.

Eugene Nizker,
Evident Point

PS. There is one more aspect of the issue: removing root access from those beyond sysadmin room who already got it. This may be even more interesting..

From the article: "Put reasonable access policies in place before someone asks for unreasonable access."

Most public companies will have policies surrounding such uber-access; enforcement is usually by Compliance, Finance or HR. Ultimately, anyone signing public documents would get the heebie-jeebies if they were asked to sign any of these documents without understanding who had this type of access in specific areas of the business infrastructure.

From the article: "If formal policies are a pipe-dream, at least create a sign-off procedure."

I add the VP, HR for the simple reason that they're fastidious about access to confidential information. A simple conversation with the appropriate HR leader describing the type of information that this person would collaterally receive if the grant were approved would end many of these political conversations before they got started. i.e. "Sure Bill, here's the form that needs to be filed with Finance and HR when we grant this type of access. Please collect the appropriate signatures and we'll turn your access on immediately upon receipt of the completed form."

The key is to force an INFORMED DECISION by those who have ACTUAL accountability for information security in an organization, be it implicit or explicit. This is as relevant in an SMB as it is to the largest of public companies... perhaps even more-so since the SMB is likely less resilient to the damages caused by a breach.

Simple, and admittedly trivialized for brevity here, but surely doable and certainly effective.