
Thread: Inactive - but disabled user accounts?

  1. #11
    My Experiences....

    Both Physical and IT Security operate within the IT division, reporting directly to the division head rather than within the infrastructure or applications branches.

    Originally Physical (corporate) security was part of a different division - the corporate division - but they were brought together for the reasons Gandalf mentioned about having the two security teams together so they can use each other's knowledge.

    This works well for us: we are independent enough of the IT branches to be considered independent, but we are close enough to have our fingers on the pulse of what is going on and what the IT areas are doing (I am in IT Security), which I think is important.

    My organisation is small enough to not have an audit/compliance department which IMHO is a good thing because IT Security would logically go in that bucket which would keep us away from IT and make it harder for us to know what is going on.

  2. #12
    Originally posted here by cabby80

    This works well for us: we are independent enough of the IT branches to be considered independent, but we are close enough to have our fingers on the pulse of what is going on and what the IT areas are doing (I am in IT Security), which I think is important.
    Cabby80 has a good point here. I think independence is important. You need to be separate from the business process, because ultimately security is something that will detract from business. Often there is a good reason for it, and often if it wasn't there, the business would suffer anyway.


    Originally posted here by GandalfTheGray

    It can work either way, but my experience is that the temptation to yield to users is often too strong in the production environment to allow for adequate security. It seems to be a fashion thing, sort of like wide ties. It might be useful to discuss experiences in one model or the other, upsides, downsides, etc.
    In many cases I find this is a pendulum swing. If an incident occurs, there is suddenly a renewed interest in security and budgets go up. If there hasn't been an incident (which you could say means that security is doing its job), it suddenly becomes a burden and a likely cost-saving area.

    My $0.02 on the matter anyway. Just about to move into the security arena in my organisation. Be careful what you wish for comes to mind!

    TG

  3. #13
    MURACU (Join Date: Jan 2004, Location: Paris, Posts: 1,003)
    To return to the original question quickly: the problem is more one of procedure than anything else. As is often the case in large organisations, there is a procedure for the creation of user accounts but none for the deletion of accounts when the employee leaves. The IT department is right in saying that, for them, the person is still in the company, as they have not received a request to delete the account. Of course it is up to the IT department to decide how it wants to manage its user base. As for the reasons given for keeping the accounts, that just translates into:
    "We are too lazy to tidy up our mess."
    I have seen in a couple of places a risk management department. Normally it deals with all the different types of security risks in the corporation, from IT security to physical risks to fraud. Normally it is not only independent but also placed at a higher level on the organisation chart than most other departments.
    "America is the only country that went from barbarism to decadence without civilization in between."
    "The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
    Oscar Wilde (1854-1900)
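The gap MURACU describes (a creation procedure with no matching leaver procedure) is easy to measure once you put the HR leaver list next to the directory's account list. The script below is an added example, not MURACU's code or any product's tooling: it reconciles a constructed HR feed against a constructed directory export, both embedded as CSV with the columns shown, and flags accounts that are still enabled after the owner's leave date (with the last logon if it falls after that date), accounts disabled but not deleted after an assumed 30-day grace period, accounts with no recorded owner, and accounts whose owner HR has never heard of. The column names, the grace period and the sample rows are all assumptions made for the example.

```python
import csv
import io
from datetime import date, timedelta

# Constructed HR feed (not real data): blank leave_date means still employed.
HR_CSV = """employee_id,name,leave_date
E100,Alice Martin,
E101,Bob Durand,2004-01-15
E102,Carla Rossi,2003-11-30
E103,Dan Weber,
"""

# Constructed directory export (not real data): one row per account.
DIR_CSV = """account,employee_id,enabled,last_logon
amartin,E100,true,2004-02-10
bdurand,E101,true,2004-02-02
crossi,E102,false,2003-11-28
dweber,E103,true,2004-01-29
svc_backup,,true,2004-02-09
jold,E999,true,2003-06-01
"""

GRACE_DAYS = 30  # assumed policy: disable on leaving, delete after 30 days


def parse_csv(text):
    """Parse an inline CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_rows, dir_rows, today, grace_days=GRACE_DAYS):
    """Return (account, reason) pairs for accounts the leaver procedure missed."""
    known = {r["employee_id"] for r in hr_rows}
    leavers = {
        r["employee_id"]: date.fromisoformat(r["leave_date"])
        for r in hr_rows
        if r["leave_date"]
    }
    findings = []
    for acct in dir_rows:
        name, eid = acct["account"], acct["employee_id"]
        enabled = acct["enabled"].strip().lower() == "true"
        last_logon = date.fromisoformat(acct["last_logon"])
        if not eid:
            # Service or shared accounts with no recorded owner can never be offboarded.
            findings.append((name, "no owner recorded"))
        elif eid not in known:
            # Owner id HR does not recognise: nobody will ever send a deletion request.
            findings.append((name, f"owner {eid} unknown to HR"))
        elif eid in leavers:
            left = leavers[eid]
            if left > today:
                continue  # leave date still in the future: nothing is due yet
            if enabled:
                used = f", last logon {last_logon}" if last_logon > left else ""
                findings.append((name, f"enabled after leave date {left}{used}"))
            elif today - left > timedelta(days=grace_days):
                findings.append(
                    (name, f"disabled {left} but still present after {grace_days}-day grace")
                )
    return findings


def run_example(today="2004-02-15"):
    """Reconcile the constructed data as of the given audit date (ISO string)."""
    return reconcile(parse_csv(HR_CSV), parse_csv(DIR_CSV), date.fromisoformat(today))


if __name__ == "__main__":
    for account, reason in run_example():
        print(f"{account:12} {reason}")
```

Run as of 2004-02-15 the constructed data yields four findings: bdurand is still enabled a month after leaving and has logged on since, crossi was disabled but never deleted, svc_backup has no owner, and jold belongs to an employee id HR does not know. Run as of 2003-12-20, only the last two remain, since bdurand has not yet left and crossi is still inside the grace period; a real deployment would feed the output back into whatever ticketing process the IT department uses for deletions, which is exactly the procedure the thread says is missing.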
