Welcome back. "...back after {an} exclusive three year tour of Europe, Scandinavia and the sub continent" (Cab Calloway in the Blues Brothers). Ok, not really, I never left the city for more that a week at a time and that was for training. However, you may be asking yourself, where has Skeeter been? Well, it is a long story. But the cliff note version is a new job, completing my Masters degree, and earning several certifications. Now I am back to pondering Information Security thoughts in my blog. Hopefully on a more regular basis.
Today's topic is local admin on workstations or maybe just the process of change. An organizaiton has allowed users to have local admin on their respective workstation forever. But the world has changed and security controls need to be implemented. So, why is it so hard to take local admin away? It shouldn't take months and months of planning and then talking, and going back an forth. Why doesn't management get it? Is it just that people don't like change?
It should be as easy as send out the change message to the stakeholders, let them know how it affects them, why it needs to change (and how it protects them by changing), what the exception process is, test what needs to be an exception, and then GO.
I figure that 80% won't know that they lost local admin privilges -- 20% to deal with. Of that 20%, half will want it back, but don't have a business justificaiton for having it and therefore won't have the balls to submit the exception request. That leave just 10%, they probably need it at some point and time, but maybe not all the time. For those that do need it all the time, I am ok with them keeping it (for now and until we address that in another project). For those that only need it occasionally, we have a technical solution developed for them to contact their desktop support person and get it for a limited time.
Thanks for listening to the rant and until next time...
~Skeeter
No comments:
Post a Comment