I'm glad I decided to take a close look at CROS. Going with this outsourced monitoring and management service made sense for us, given our need for an expedited rollout and our own dearth of people to manage the technology. I didn't like the first thing I saw: To use CROS, we need to provide a group of technicians employed by Cisco with access to our IP telephony infrastructure. You'd expect that, of course, but there are more than 50 technicians who will at various times be responsible for monitoring and attending to issues related to our deployment.

The more questions I asked about this setup, the more my eyes burned with disbelief. Those 50-plus Cisco employees will use a single account to access our Call Manager and Unity servers. Not only that, but they'll also need access to the routers, switches and gateways that encompass our IP telephony deployment. A single account with so much access makes me very uncomfortable. Not only is it difficult to track activity when more than one person shares the same account, but we're also essentially providing a level of access that a criminal technician could use to "own" our company's critical network resources. The same routers that will route phone traffic also route e-mail, financial data and a ton of other sensitive and private data that should never be allowed to leave the company.

When I told the Cisco account representative about my misgivings, he acted as if it was no big deal and even said that other customers didn't seem to have a problem with such arrangements. Can I be the only one who sees this as a real problem?

All of these and other issues will go into a report for executive management. In a report like this, I always explain the issue, spell out the risks that attend it and then make recommendations. In some cases, all you can do is to make sure that the risks are thoroughly understood and then recommend that "executive management will accept the risk."

What do you think?