Like systems administrators, information security professionals generally have access to a great deal of data and information. Even if they don't have direct access, they generally know how to obtain it by exploiting a weakness (like hackers, but with the opposite intent) or by simply giving themselves elevated privileges.
In our small shop, the systems administrators, help desk workers and security people all have a great deal of access. This past week, some issues arose that caused me to go back to some best practices regarding access. One is called separation of duties, and the other is called the principle of least privilege.
Raising the bar
It all started when a co-worker told me he suspected that one of my staffers was snooping around on employee computers. Over the past year, I had heard similar complaints from various managers, but the staffers who had been
the cause of those earlier concerns are no longer employed here, and I thought that it was a dead issue.