S 2.26 Appointment of an Administrator and his Deputy

Initiation responsibility: Head of IT Section, IT Security Management, PBX officer

Implementation responsibility: -

To ensure the orderly operation of IT systems, Administrators must be appointed for all IT systems and networks. In addition to general administration work, Administrators are responsible, in particular, for user administration, including the administration of access rights. They are also responsible for the security aspects of all the IT systems they look after.

In larger organisations with a number of different IT systems and subnetworks, it is also necessary to ensure that the work is divided between the different Administrators in such a way that there are no problems regarding who is responsible for what, i.e. so that no two Administrators have overlapping responsibilities and all the tasks which need to be performed are assigned. In addition, communication between the different Administrators should function as smoothly as possible. It can be helpful to hold regular meetings of Administrators at which typical problems and solutions to problems encountered in everyday operations are discussed.

When use is made of logging, steps should be taken to ensure separation of the roles of administration and auditing. The extent to which this objective is supported by the IT systems must be checked in this context.

To ensure continuity of service when an Administrator is absent, a deputy must be appointed. Care must be taken here to ensure that the deputy is given his own Administrator ID (see also S 2.38 Division of Administrator Roles). Under no circumstances should the password simply be handed over to the stand-in because that is less trouble.

In order that such deputies can take over these functions, it is necessary to ensure that every Administrator and his deputy have sufficient time to carry out their tasks with due care. Training and further education of Administrators are also required in this regard.

Additional controls:

• Have all Administrators and their deputies been adequately trained?

• If responsibilities for administrative tasks have been changed, have the necessary training measures been initiated?