Access to IT room where Government equipment is located

  • To whom it may concern,
    I work for the Government as an IT Specialist responsible for IT equipment and systems. One of the sites I service will not provide us a key to the room where our Government equipment is located. I had an incident where I had to wait for a security person for 45 minutes to open the room so I could reboot our router and test the new system I am installing. If our Government equipment fails, over 60 users will be out of service and cannot function. Waiting for any length of time is not acceptable. Is this the intent of Sarbanes-Oxley? Below is the part of the email I received from them explaining why they cannot provide a key for us to access the room to service our Government equipment immediately as needed.
    ‘… has an obligation to protect the data, network and systems under our care in compliance with our own policies and with industry best practices. The consistent execution of these duties is reportable under Sarbanes-Oxley legislation.’
    ‘In this case, the physical security of the network and telecommunication services used to transport financial data, the proprietary data of Raytheon and its global customers, and emergency communications is at question. Access must be restricted to a minimum set of those required to perform daily maintenance. Others who may need periodic access are to be escorted on an as needed basis.’
    By the way, I am also responsible for 4 more sites (contractor) plus 13 remote users spread out through the Los Angeles area. All major contractors I service have provided a key or a badge for my access when required.

  • SOX was not intended to stop the business or hold up providing IT support in any significant way.
    Good physical security controls do need to be in place.
    If the company you are providing support to is unwilling or unable to provide you a badge, then they need to fully understand the consequences of it. They should also have a provision in the policies/procedures where you can be ‘signed in’, escorted, monitored, etc. in a timely fashion… 45 minutes is too long to wait. This type of stuff happens when policies/procedures are tightened up with good intentions. Sometimes you hit a snag… a situation comes up where they didn’t think about how to handle all of it entirely. This provides the opportunity to revisit it.
    Ask if you can see a copy of the policy/procedure to determine if there are other things you need to be aware of as a contractor. Also, discuss with the manager that hired your services. I’m sure something can be worked out even if it is a temporary access badge issued each day.

  • the proprietary data of Raytheon
    Military = sensitive

  • Lito,

    1. Information Security
      Perhaps you can start by working within your chain of command without revealing the security practices of that organization.
      Government-related organizations tend to like things like ‘response times’ in their areas of operation to not be spread out for all to read on websites.
    2. Segregation of Duties
      I would not want all of my clients to have access to my lab. Sure, it’s their data, but it is better that they contact me first and request access so I can ensure they have supervised access to only their assets and no one else’s.
    3. Outage Times
      Forty-five minutes is too long to wait. A fifteen-minute response time is reasonable. Perhaps your team should evaluate a configuration change for secure, controlled remote access to your assets.
