item 40537736

FromOmelas | 1 year ago

I'm not sure it does, perhaps it violates the spirit but not the letter.

You need a way to give your employees access to customer data, for support cases. So you build a "request access" form in your ITSM. Now you can tick off every box related to certification: there is a process, only authorized persons have access, and every aspect of it can be audited.

Later, perhaps salespeople (the 1000s of new joiners) start using it as well for lead generation. It's a lot easier to sell if you know how your product is used by other companies in the same industry.

Much later, someone's account is compromised, makes the same requests and it gets waved through. Why wouldn't it? It is a valid request made by a current employee of the company. What other criteria would apply? This is not a bank.

Keyframe | 1 year ago

Aside from all the things stated that are wrong from a security perspective, how about limiting the quantity and rate any such support account has access to? Breaching an account shouldn't give you access to dump everything out of the gate. Even if that is the case, where are the other measures alerting that there's a stream of egress going on? This sounds like a systemic issue, which most certs are all about.
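The two controls this reply asks for (a per-request cap and a per-account volume quota that flags a stream of individually valid requests) as an added example, not code from the thread; the log format, account names and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data) of fulfilled "request access" tickets:
# timestamp, requester account, number of customer records returned.
SAMPLE_LOG = """\
2024-05-30T09:00:00 alice 12
2024-05-30T09:05:00 alice 8
2024-05-30T09:06:00 bob 500
2024-05-30T09:10:00 alice 20
2024-05-30T09:12:00 alice 25
2024-05-30T09:14:00 alice 30
2024-05-30T11:00:00 alice 10
"""

PER_REQUEST_CAP = 100        # records a single support request may return (assumed)
WINDOW = timedelta(hours=1)  # sliding window for the per-account quota (assumed)
WINDOW_CAP = 60              # records one account may pull per window (assumed)

def parse_log(text):
    """Yield (timestamp, account, records) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, account, records = line.split()
            yield datetime.fromisoformat(ts), account, int(records)

def evaluate(text, per_request_cap=PER_REQUEST_CAP, window=WINDOW, window_cap=WINDOW_CAP):
    """Return a list of (account, reason) alerts.

    Check 1: a hard cap on any single request, so one compromised account cannot
    dump everything in one ticket. Check 2: a per-account sliding-window quota,
    which catches a steady stream of small requests that each look valid on their own.
    """
    alerts = []
    history = defaultdict(deque)  # account -> (ts, records) entries inside the window
    for ts, account, records in parse_log(text):
        if records > per_request_cap:
            alerts.append((account, f"single request of {records} records exceeds cap {per_request_cap}"))
        q = history[account]
        q.append((ts, records))
        while q and ts - q[0][0] > window:  # expire entries older than the window
            q.popleft()
        total = sum(r for _, r in q)
        if total > window_cap:
            alerts.append((account, f"{total} records in {window} exceeds quota {window_cap}"))
    return alerts
```

On the sample log, bob trips the single-request cap and alice trips the hourly quota twice, while her request at 11:00 is clean because the earlier ones have aged out of the window.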

bpicolo | 1 year ago

> What other criteria would apply?

Many companies have processes that require 2 or more humans in the loop for sensitive prod data.

White_Wolf | 1 year ago

You're lucky if it's only 2 and the approval process takes less than months.