Systems staff policy guidelines
TYSON@Warbucks.AI.SRI.COM (Mabry Tyson) Tue, 10 April 1990 17:42 UTC
Received: from Warbucks.AI.SRI.COM by cert.sei.cmu.edu (5.61/2.2) id AA17310; Tue, 10 Apr 90 13:42:04 -0400
Received: from ELCAPITAN.AI.SRI.COM by Warbucks.AI.SRI.COM with INTERNET ; Tue, 10 Apr 90 10:41:23 PDT
Date: Tue, 10 Apr 1990 10:41:00 -0700
From: TYSON@Warbucks.AI.SRI.COM
Subject: Systems staff policy guidelines
To: ssphwg@cert.sei.cmu.edu
Message-Id: <19900410174132.7.TYSON@ELCAPITAN.AI.SRI.COM>
We just had an incident here where one systems staff person from one group accessed a machine of another group improperly. This was accomplished because he had physical access to the machine.

This brought up an important point that I admit I've not really considered before. Systems people often have the knowledge of how to break into systems. They have the privileges to, say, spy on mail or other usage. They could create accounts for friends. They could manipulate the accounting information to hide particular types of usage. Some systems staff such as operators may have a relatively high turnover rate. There often are new or temporary staff at a site.

The person that did the access at our site apparently didn't think he was doing something that improper. I find that hard to believe but then I have to admit that I don't have a set of guidelines for my system staff (and myself!) as to what is proper behavior and what isn't.

As a result of this incident, we may sit down and write some guidelines for the systems people. This would then be something to be given to each new systems person (for him to sign for our records, but also a copy for him). [I haven't discussed this with the personnel or legal departments.]

Do other sites have something like this? If so, I'd appreciate seeing what you have. I also think the recommendation of having written guidelines (and maybe some examples) would be something to go into the site security policy handbook.