In a closed discussion group to which I belong, a member posed the following interesting problem. The participant has very kindly allowed me to publish the conversation with some details changed to preserve anonymity.

The member started the discussion as follows:

* * *

In the past I have asked how information assurance (IA) in positioned within your organization. In some, IA is a part of operations, in some it is the same people doing both IA and operations, some organizations have IA teams that act as internal consultants to operations, and some have IA operations that work alongside production operations.

I have a question in a similar vein. For those security functions that require administrator privileges, do your IA personnel have either Local or Domain Administrator accounts? We are debating a philosophical issue here where our requests to be granted local admin privileges on servers are denied, but the subsequent requests we make of the people that have admin privileges to do the work we are unable to perform go unanswered. Essentially we are in a position of not being able to perform certain tasks related to security, and we are not getting cooperation from the production support teams. We wonder if security personnel at other organizations are given administrator accounts or not.

* * *

I responded:

* * *

I think the critical element here is as follows:

“[O]ur requests to be granted local admin privileges on servers are denied, but the subsequent requests we make of the people that have admin privileges to do the work we are unable to perform go unanswered.”

In a production environment, distributing administrator privileges may disrupt production controls, so I can understand the desire to centralize the administrator functions to a group of people who work closely with others within the production team.

However, assigning responsibilities without authority is never good.

I think that you should explore and analyze the roots of this breakdown in communication between your group and the production team that is supposed to be (but isn't) supporting you. Has the rift developed recently or is it historical? Are there specific personal conflicts that may account for this division between the teams? Are their conflicts between the managers of these groups? Do the obstructive personnel understand the requests and their urgency? Are they perhaps overworked and therefore assigning lower priority than they ought to in scheduling responses to specific requests?

M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.