From the desk of: Sam C. Chan

IT Dept. Access to External Accounts

Published: June 3, 2006 | Rev. 2.0 (expanded) Jan 1, 2015 | Last Updated: March 1, 2019

From time to time, I need to request/accept access to various external accounts, hosted by external vendors/authorities, in order to perform assigned tasks. e.g. access vendor's product-specific KB & deployment XML files, etc. They are subject to your firm's approval. Conversely, acceptance of such access is at Bravo's discretion, evaluated on the basis of necessity + responsibility/liability/commitment.

Don't conflate this with internally hosted operational data, with confidential client information. IF, due to architectural- and conceptual-level flaws of the software vendor, there is overlap, THEN it presents a dilemma, and triggers appropriate mitigation techniques.

This is but one of the many delegation/proxy/representation/authorization decisions, likened to a "reversed DiFA" topic, and must be deliberated, arriving at mutually acceptable decision, in explicit terms, and documented, with stipulations. Tacit acquiescence or avoidance would be counterproductive and downright harmful.

Over the 4 decades, I have already developed very comprehensive solutions in:
  • management scheme (strategic level)
  • management style (tactical level, complete with acting lessons, even screenplays)
  • canned validated scenario-based arrangements (logistical & procedural)
Along with documented ramifications, well-articulated justifications & rationale. Sensible. Palatable. Practicable. Defensible.
    • for Bravo internal reasons/principles
      • compensation would not commensurate with responsibility & exposure
      • would violate plausible deniability, hinder my role as trusted advisor
    • such representation violates external rules (gov/indus)
      • legality would trigger power of attorney
      • would constitute conflict of interest, breach of due diligence on the part of the firm, by ceding certain controls to non-officer/director unjustifiably
  2. AVOID -I actively work around needing it, prefer extra steps, etc.
  3. ACCEPT -if that's your preference, I go along
  4. REQUEST -would facilitate my tasks, improper to be without
  5. REQUIRE -otherwise, my tasks can't proceed, or incur $ + delay
  6. APPROVE by mgmt -as requested/required
  7. REJECT by mgmt -IT must work around, firm acquiesces to stated ramifications
  8. REVOKE by mgmt -subsequent non-renewal, disable (change password, etc.)

  • DiFA Designated In-house Facilitator/Administrator (1995/2000/2006 memo)
  • Protocol for Communication & Authorization (2009/2016 memo)

Copyright @2006-2019   Bravo Technology Center  *  Bravo:GO  *  Contact Us