ner, Thor : dd, has required us to provide admin/root attesds ta all components of the Notify. gov system. ¥ be able to view all personally identifiable information (Pil) moving through the Notify system, including phone num 47s of the public. This information exists in our Ul, cloud gov-managed resources, and AWS resources. 5 woul pd Store this data without anybody else receiving a notification. B= id be able to fully manage the access of others, including granting the same access to others or removing It from existing access would, of course. grant the same ability to view and download Pil. — ot received a justification for this request, which makes it difficult to suggest alternative approaches that would accomplish Thomas 2a [being protective of Pil for members of the public. We have made clear to Thomas that this level of permission wae d allow access to ested altematives, such as read-only access, Thomas has continued to request full admin) root access. = z eve that is fevel of access for somebody outside of the product team is not contemplated by the system's authority tor operas b ftom operty update the SSPP to 3dd this sort of access using our established ATO processes, we have been instricied to ski ace je system in non-compliance until the access is remediated. ee eve that | can operate a program and system without the ability to manage access to Pll. As a result, | have submitted my resignat il be my last —— E ——
https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/026/578/810/043/080/original/e6f6b6d7e4e67313.png
Joseph Cox
All GNU social JP content and data are available under the 