I spend a great deal of my free time working for a small, local, all-volunteer non-profit. There are maybe twenty people that make up the core volunteers. I fill several different roles within the organization including the default “IS/IT” guy simply because of my background. Nobody else in the organization has a technology background so over the years, as we’ve needed things, people have looked to me to set those things up. I don’t have analysts to define user stories and requirements so along the way, I’ve had to just decide security myself. It definitely is something I always am thinking about and I try to get as many people involved (access-wise) in as many things as I can so the burden sits with me as little as possible.<p>One of our board members has decided everyone on the board should have complete, unrestricted access to everything. From the combination to the lock on the little cabinet that houses the modem and gateway router and the passwords for those devices, to full-administrator privileges on all of our software “systems” (Google Workspace, Mailchimp, Square, Azure, etc.)<p>Another board member is now rallying with that board member so it is going to be an entire discussion point at our next board meeting.<p>Part of me wants to just go ahead and do it. Everyone can start sending newsletters through Mailchimp (we have just one person who coordinates them all now) and we won’t have any standards on formatting, frequency, etc. Everyone can set up new groups and users in Google Workspace and create shared drives like they are folders. Why not?<p>I want to explain that less access means less exposure to systems being compromised. 
It means not having the person who does a function different from yours digging into your projects randomly and deciding to “help.” It means you won’t end up locked out later because somebody else in a few years decides tightened security is needed and starts arbitrarily making decisions about that.<p>Are there any other good reasons I should give these particular board members why this is a bad idea? Or, is this just me being too overly protective of the work I’ve been doing for years?<p>Any feedback or questions are welcome.
Board members are legally liable for things. It might be interesting for them to sit down with a lawyer and understand what responsibilities they may be taking on by getting into the weeds like that. And to talk to their directors' insurance provider and see if it's kosher.
This is a tough one. Unless you are 5 minutes away from giving the double-finger salute (which it sounds like you are not), you're going to have to figure out what they actually need.<p>I hear this frequently when someone needs X to be done, but so far have received no advice other than, "only person A" can do that. The response is often some version of, "why not?" followed with, "I don't know, only person A has access to it."<p>The initial request usually comes from higher in the food chain. Usually the requester is used to dispatching responsibilities to (organizationally) nearby people and having their requirements carried out.<p>This doesn't mean that such people actually want (in this case) to actually remove all access control. They want thing X and they want to move on with their bits of the process feeling like thing X is handled and will be delivered forthwith.<p>Rather than start with the Why This Is a Bad Idea list, meet with them towards figuring out what X actually is and what needs to be changed to support bringing it about. If they push back, mention how data security affects public perception of your kind of NP. I mean, no one wants to give their PPI to an outfit that is known for ignoring the safe-keeping of their clients' data.<p>I have found that going into such a meeting with technical guns blazing can overwhelm the bandwidth of (often management) those you need information from.<p>Make it about X and the people that need X. What do they need to accomplish? What are their timelines? What has broken down such that this issue has arisen? Is person A available to assist?<p>If you do it right, the requestor will see a scenario where the initial advice was merely incomplete and that you were the person to see about it the entire time.<p>You might need to make a short-term adjustment for an instance of X to happen (that's all very well and good, but this was supposed to go out yesterday!) 
but the org managers might start seeing you as someone to engage ahead of someone up-top making uninformed decisions that could have unfortunate long-term consequences.
I try to run things on all my computers with the lowest possible rights, e.g., I can be root/admin on all my machines but run with those super powers as little of the time as possible to reduce the damage from fumble-fingering something.<p>I could have kept all my deposits as cash on the kitchen table for all the interest that they've been earning.<p>I spent over a decade as a governor of a local school and avoided ever having access to the WiFi, etc., etc.<p>In general it is safest and easiest to manage potentially troublesome rights if you keep those to a small known group.<p>And that's assuming that no one has a latent gambling addiction or whatever.