S 3.10 Selection of a trustworthy administrator and his substitute
Initiation responsibility: Head of Personnel, Head of IT, Top Management, IT Security Officer
Implementation responsibility: Head of IT, Head of Personnel
The operators of IT systems and telecommunication systems must be able to place a lot of trust in the system administrators and their substitutes. Depending on the system used, administrators hold extensive authorisations, often all of the authorisations available on the system. Administrators and their substitutes are able to access and possibly even change all stored data, and to allocate authorisations in such a way that serious misuse is possible.
Administrators of IT systems and their substitutes must be selected carefully. They must be reminded regularly that the authorisations they possess may only be used to perform the required administration tasks.
Since the administrator plays a key role in maintaining the operability of the hardware and software used, it must also be ensured that the administrator's tasks are performed even when he or she is absent. In order for an appointed substitute to be able to perform these tasks, the current status of the system configuration must be available and the substitute needs access to the passwords, keys, and security tokens needed for administration.
If a company or government agency employs several administrators with comparable knowledge of the IT systems, they can substitute for each other when necessary if they have enough free capacity. In all areas where there is only one primary administrator responsible for managing the IT systems, two substitutes should be trained, because experience has shown that when there is only one substitute and the administrator is absent for a longer period of time, the substitute will not always be available for the administration tasks either.
To guarantee the operability of the IT systems used, and especially if there are pending personnel changes or changes to the organisational structure, it is necessary to check if the appointed administrators and their substitutes are able to handle the required administration tasks.
During a relocation, the workload of the administrator increases significantly because of the additional administration tasks to be performed at the new location. It must also be ensured in such cases that productive operations at the previous location are not impaired until the move is completed.
Review questions:
- Are the administrators for IT systems and their substitutes selected carefully?
- Do the substitutes have the required know-how for administering the IT systems?
- In the event of upcoming changes: Is it checked whether sufficient resources are available for the required administration activities?