Systems staff policy guidelines

TYSON@Warbucks.AI.SRI.COM (Mabry Tyson) Tue, 10 April 1990 17:42 UTC

Received: from Warbucks.AI.SRI.COM by cert.sei.cmu.edu (5.61/2.2) id AA17310; Tue, 10 Apr 90 13:42:04 -0400
Received: from ELCAPITAN.AI.SRI.COM by Warbucks.AI.SRI.COM with INTERNET ; Tue, 10 Apr 90 10:41:23 PDT
Date: Tue, 10 Apr 90 10:41 PDT
From: TYSON@Warbucks.AI.SRI.COM (Mabry Tyson)
Subject: Systems staff policy guidelines
To: ssphwg@cert.sei.cmu.edu
Message-Id: <19900410174132.7.TYSON@ELCAPITAN.AI.SRI.COM>

We just had an incident here where one systems staff person from one
group accessed a machine of another group improperly.  This was
accomplished because he had physical access to the machine.

This brought up an important point that I admit I've not really
considered before.  Systems people often have the knowledge of how to
break into systems.  They have the privileges to, say, spy on mail or
other usage.  They could create accounts for friends.  They could
manipulate the accounting information to hide particular types of usage.

Some systems staff such as operators may have a relatively high turnover
rate.  There often are new or temporary staff at a site.

The person who did the access at our site apparently didn't think he
was doing something that improper.  I find that hard to believe, but then
I have to admit that I don't have a set of guidelines for my system
staff (and myself!) as to what is proper behavior and what isn't.

As a result of this incident, we may sit down and write some guidelines
for the systems people.  This would then be something to be given to
each new systems person (for him to sign for our records, with a copy
for him to keep).  [I haven't discussed this with the personnel or legal
departments.]

Do other sites have something like this?  If so, I'd appreciate seeing
what you have.  I also think the recommendation of having written
guidelines (and maybe some examples) would be something to go into the
site security policy handbook.