IT Dept. Access to External Accounts
Published: June 3, 2006 | Rev. 2.0 (expanded) Jan 1, 2015 | Last Updated: March 1, 2019
From time to time, I need to request/accept access to various external accounts, hosted by external vendors/authorities, in order to perform assigned tasks, e.g. access to a vendor's product-specific KB and deployment XML files. Such access is subject to your firm's approval.
Conversely, acceptance of such access is at Bravo's discretion, evaluated on the basis of necessity + responsibility/liability/commitment.
Don't conflate this with internally hosted operational data or with confidential client information. If, due to architectural- and conceptual-level flaws in the vendor's software, there is overlap, then it presents a dilemma and triggers the appropriate mitigation techniques.
This is but one of the many delegation/proxy/representation/authorization decisions, akin to a "reversed DiFA" topic, and must be deliberated, arriving at a mutually acceptable decision in explicit terms, documented with stipulations. Tacit acquiescence or avoidance would be counterproductive and downright harmful.
Over the 4 decades, I have already developed very comprehensive solutions in:
- management scheme (strategic level)
- management style (tactical level, complete with acting lessons, even screenplays)
- canned, validated, scenario-based arrangements (logistical & procedural)
along with documented ramifications and well-articulated justifications & rationale. Sensible. Palatable. Practicable. Defensible.
- REFUSE/DECLINE by BTC
  - for Bravo internal reasons/principles
  - compensation would not be commensurate with responsibility & exposure
  - would violate plausible deniability, hinder my role as trusted advisor
  - such representation violates external rules (gov/indus)
  - legality would trigger power of attorney
  - would constitute conflict of interest, breach of due diligence on the part of the firm, by ceding certain controls to a non-officer/director unjustifiably
- AVOID - I actively work around needing it, prefer extra steps, etc.
- ACCEPT - if that's your preference, I go along
- REQUEST - would facilitate my tasks; improper to be without
- REQUIRE - otherwise, my tasks can't proceed, or incur $ + delay
- APPROVE by mgmt - as requested/required
- REJECT by mgmt - IT must work around; firm acquiesces to stated ramifications
- REVOKE by mgmt - subsequent non-renewal, disable (change password, etc.)
SEE ALSO
- DiFA Designated In-house Facilitator/Administrator (1995/2000/2006 memo)
- Protocol for Communication & Authorization (2009/2016 memo)