Hi - Some brief responses below:
A manager should have the authority to remove access or rights to an underling, or grant themselves the same level.
Agreed - Although, my earlier response was in light of where some Tech managers I’ve seen have been more ‘people’ oriented than experts knowledgeable of network or Operating Security itself. If there were a need to examine or change security for someone with ADMIN authority, they could certainly have the IT security department or another network technician physically perform the changes.
Therefore an IT Manager would have to be experienced in that field. The reply seems to say there are no checks and balances for this… Now, if the manager does not have authority over employees, what is to stop a different manager from getting to the underlings to do things that the IT manager is not aware of?
If the IT manager is experienced in network/OS security they can certainly check up on their team members. However, in large companies you might have several computing platforms, (e.g., IBM Mainframes, AS/400, UNIX, Windows Servers, etc.) and even a Technical Support manager can’t be an expert in all these.
SOX doesn’t make this an absolute requirement, as there are managers who might know in general concepts what their employees are doing, but not the detailed technical day-to-day inner workings.
In cases where more people-oriented managers (rather than technical ones) exist (which is often), compensating controls can be established outside the direct manager-employee relationship.
This includes: IT security departmental monitoring, audit logging on sensitive servers or events, etc. In fact, this type of monitoring approach would be more comprehensive than just the manager trying to keep up with their own work demands plus check up on everyone.
Violations detected would certainly be brought to the attention of the manager for more detailed analysis and possible disciplinary actions if warranted. The manager still has their role in the process, whether they personally found the security issues or not.
I don’t know, I remember reading something about the authoritative rights a couple of years ago. The manager is supposed to be responsible and held accountable.
Yes, SOX 404 controls are a senior management responsibility for the company to set up comprehensive controls for automated IT systems, based on material risks. However, they are written in a generic high-level fashion as companies vary widely in their practices. They basically impose a real monitoring process for companies to ensure protection without getting into the ‘nitty gritty’ sometimes (and thus SOX 404 is critiqued for being too confusing or for companies going beyond what’s required due to misinterpretations).
Not all the security requirements a company may want to adopt to protect their IT resources are covered by SOX alone. There are general IT controls and many other requirements that might be mandated based on the industry a company is in. For financial systems, the required SOX should be seen as minimum baseline standards for Financial Systems primarily, and companies can always go much further.
Finally, I agree that managers are an important and critical control point over their areas and team members. However, the ‘how to’ approaches and specifications for these controls will vary from company to company.