[Owasp-board] Access Granted.- Research Follow up

Andrew van der Stock vanderaj at owasp.org
Mon Nov 17 09:05:21 UTC 2014


I don't know why Tom has asked these questions, but regular reviews of
privileged access is absolutely standard operating practice in any ISO
27002 compliant organisation. I would be surprised if it wasn't part of the
BAU processes here; we should be doing it, and we should be doing it at an
above average standard considering our mission.

Periodic reviews of administrative roles and privileges is an important
control to ensure the right people have the privileges necessary to perform
their jobs (and no more).

With many organisations losing control of their domains and websites due to
the lack of what I would consider baseline security practices for system
administrators, it's important for an organisation such as OWASP to protect
its reputation and core assets by practicing what it preaches in relation
to identity and access management, and to avoid damage to the brand in case
of any breach. We are the keymasters to a lot of folk's identities, and
with that is an implied level of trust and due care on our part to protect
our users and our data.


On Mon, Nov 17, 2014 at 12:34 PM, Paul Ritchie <paul.ritchie at owasp.org>

> Hi Tom....thanks for  your question & inquiry.
> With this email, I'm asking Kate H. to research and summarize our current
> status in the spirit of transparency and shared information.  Give us a day
> or so to research the facts.
> Could you also articulate your desired objective, and perhaps a common
> policy that you would like the balance of the "board" list to agree upon,
> so those of us on staff have an organizational policy to act on, rather
> than an idea or question by an individual BoD member.
> Thanks, Paul
> Best Regards, Paul Ritchie
> OWASP Interim Executive Director
> paul.ritchie at owasp.org
> On Sat, Nov 15, 2014 at 10:14 AM, Tom Brennan <tomb at owasp.org> wrote:
>> Paul,
>> Who are the Super Administrators, Administrators of OWASP Google Apps
>> and associated privileged users as of today.
>> Reference: https://support.google.com/a/answer/2405986?hl=en
>> Of those users, who is using two-factor authentication and if anyone is
>> not WHY.
>> Thank you in advance for the list of authorized users and there
>> associated permission levels.
>> As part of a internal audit, the inventory of all systems including:
>> Salesforce, Rackspace, Akamai, SimplyVoting, Facebook, LinkedIn,
>> Twitter, PRNewswire, NING, Meet-Up,  etc..etc.. should be documented
>> and provided at the next board meeting.
>> Tom Brennan
>> Global Board of Directors, Vice Chairman
>> Direct: 973-202-0122
>> OWASP Foundation | www.owasp.org
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20141117/cffe1c50/attachment.html>

More information about the Owasp-board mailing list