IT Maintenance

Our external auditors commented on the authority that our CIO has in regards to maintenance changes and I wanted to see how others handle this. They recommended that we take away this authority; however, he needs that authority level to do his job. No other IT personnel really have the knowledge base to do this. We run with a pretty slim crew. We realize that we do have risk with this and he could maliciously go in and do some damage but we are struggling to come up with a good answer. We do have the audit logs that are reviewed but they are so voluminous it is really just an exercise. We are about a $1Billion shop.

What type of maintenance are you talking about? Network? Core System? We ran into a similiar problem, we are a small company and limited on staff. Many times it seems our duties overlap when in the perfect world, it would be segregated.

What the auditors are referring to is master file maintenance. Not change of address and such items but more system type changes. Any input on how others tackle this is greatly appreciated.

bump

At my last place most of the system maintenance / parameter changes was due to changes requested by departments. The department manager had to request the change in writing and then test the changes to verify that they were done correctly. The manager signed off that the request was completed. Electronic documention was saved which included all steps of the process.