Sample questions I would ask if I was a security auditor, which I’m not.
Does Elez have anytime admin access, or for approved time blocks for specific tasks where there is no non-admin alternative?
Is his use of the system while using admin rights logged to a separate tamper-proof record?
What data egress controls are in place on the workstation he uses to remotely access the system as an admin?
Is Elez security screened, not a spy, not vulnerable to blackmail?
Is Elez trained on secure practices?
Depending on the answers this could be done in a way that would pass an audit with no concerns, or it could be illegal, or something in between.
Avoiding further commentary that would be more political.
Technically anything that’s authorized by the right people will pass an audit. If you’re the right person or group, you can establish a set of practices and procedures that allows access with absolutely none of those things, and use the magic words “I accept the risk” if you’re questioned. That applies even when the rules are actually laws; it’s just that then the “right group” is a legislative body. The remedy for a policy maker accepting risks they shouldn’t isn’t really something an auditor gets into.
So the question for an auditor is whether the properly adopted practices and procedures legitimately allow for whatever he’s doing (they probably don’t). But even if somebody with appropriate authority has established policies and procedures that do allow it, the question to ask as a superior policy maker, which is really where citizens stand, is whether it was a sane system of practices and procedures to adopt.
The issues you’re raising would indeed be common and appropriate elements for a sane system. But you’re missing a more important question that a sane system would ask: whether he needs whatever kind of administrative access to this thing at all.
Since another almost universal element of a sane system is that software updates or configuration changes to critical systems like that have to go through a multi-person change approval process, and since there is absolutely no way whatever he’s doing would qualify for a sanely-adopted emergency exception, and since there are plenty of other people available who could apply any legitimately accepted change, the answer to that is realistically always going to be “no”.
I wasn’t intending to be comprehensive with my sample questions, and I agree with your additional questions. As others have noted, the takeover is similar to the Twitter takeover in style and effect. I don’t know if it is true that there are plenty of other people available to apply changes, given that many high-level employees have lost access or been removed.
To be clear, I think it’s okay to be more political. What I don’t want is “unreflectively partisanly political.” (Maybe try DMing what you had in mind to me and I’ll see if it feels productive.)