RE: CRIME New Category of Computer Crime

From: Nick Murphy (nmurphy@private)
Date: Wed Mar 30 2005 - 22:21:26 PST


With Kerm's permission, I have posted his private reply to me below my message which you may want to read first, which is rather long (sorry). I was hoping to either get some more comments/questions on this thread, or maybe even help someone along the way. Sharing information is something we do not always do a great job at in security. 

I agree with you wholeheartedly. If you are with an organization that will not stand behind IT (Heck even trusting IT would be great in some organizations) or give them the resources to do what they need to do, again, that is on some IT wish lists too. 

The nice thing I am starting to see help us is corporate governance and other standards (Sarbanes-Oxley, GLB, HIPAA, ISO 9001, etc.) which is forcing corporations and the privately held companies who they outsource to, to become compliant. Passing an audit to meet these requirements is one thing, how about when the rubber meets the road? My last job was as an IT consultant and I can tell you that having an outdated DR Plan/Incident Handling Policy is better than a kick in the pants. 

When a company starts with IT and the people of IT as a valuable asset and resource and not just a bunch of bunny slipper wearing geeks who are disposable, you have a different environment. This is something that starts from your senior management at the very beginning stages of the company's growth. As time goes on and corporate governance and regulations are enforced, you will most likely see companies have IT decisions tightly integrated with the business process, rather than as an afterthought. 

Let me pose this with a slightly different angle, how do you get your executive management to trust IT to do the right things and give them the tools to do that? I don't expect anyone's answer because this is for you to personally evaluate, but how do you and others in IT/R&D professionally appear to the executive team? Are you wearing blue jeans and Nike shirts, or are you wearing slacks and button up shirts? Is your team acting professionally or does your team enjoy playing jokes on the dumb end user that frustrates them or wastes someone's time (and you are complaining about resources)? If you are acting and looking like a guy who works in the warehouse (no offense warehouse guys), how do you expect to be treated, however if you act and dress like a professional within your company how are you going to be treated? As much as nobody in IT would like to admit this (so it seems), we should act just like someone in Finance or Sales, you show up to work, ready to work, act professionally and be treated professionally. I find it funny that guys making a good salary complain because they are not getting the support they want from their company. How would you feel if you were a CEO and you were paying someone a decent salary and you wouldn't dare take that person out in public? Do you think you could trust them to make the right decisions? I know I am on my soap box a little bit, but it is something I see and hear about quite often. 

Getting management buy off is another big thing. The best solution I know of, document, document, document. If it is a conversation, follow it up with an email to recap, this will always cover you if you have a problem with management later. 

I don't think it starts with top management, I think it starts with the lead IT strategist (CIO, Director, or lead Sys Admin) to inform the senior management that they need this, why they need it and most importantly why they can't live without it. The senior management does not know everything and they need to be informed from time to time about best practices. By not informing senior management if you know there is a problem, then that is a problem that you are responsible for. If you have notified them and they have chosen to do nothing about it, then you have done your part. However, I would not stop at the first no, you usually have to make many stabs at it and sometimes you just have to plant the seed and let it grow on its own. For example, the first time you have someone surfing porn and another employee sees it and they are offended and they threaten to sue the company because it is not forbidden, they may listen to you about policies and procedures before the next lawsuit comes around. You need to be vigilant about it, but be careful not to be "chicken little". Once you are successful, your life will become easier, especially when your senior management enforces or acts on a policy. 

Keeping these up to date is a pain for anybody and it can be hard. Again, it is communicating this to your senior managers and informing them of the resources that are needed, or what projects will not be completed on time because these have to be updated. If your managers push it off, then you know what the company's priorities are and you may want to document that. 



Nick Murphy MCSE, GCIH
Director of Information Technology
EthicsPoint, Inc. 
13221 SW 68th Parkway, Suite 120
Portland, OR  97223
971-250-4112 (direct)

 
________________________________________
From: Kerm Jensen [mailto:kjensen@private] 
Sent: Wednesday, March 30, 2005 3:53 PM
To: Nick Murphy
Subject: RE: CRIME New Category of Computer Crime

Nick, 
 
    There is no item on your list that I take issue with, nor do I fault the overall composition or intent.  That being said, I look at another layer of administration, support, decision making and wonder how this can be honestly and capably accomplished.  In the large organization that can afford the cost, I've never seen anything similar adequately communicated, maintained or understood.  In the small organization, it just won't happen.
 
    You as a professional are obviously familiar with the requirements for this forensics task.  You know what needs to be done and how quickly the evidence can evaporate.
 
    I, as an administrator of a small operation, know that we are already way beyond generating any capacity to perform this task or maintain it over time.  I don't think there has been a time since the "forensic" tools required were a pen and pocket notebook.
 
    It starts with top management.  "Access to the DR plan"?  What DR plan?  Page numbered notebook?  I have some scratch pads made out of spoiled printer paper cut in quarters.  It's not quite the same thing.
 
    I'm not trying to perform a rant.  I am trying to get a focus on how significant tasks can be put in place in a way that they will survive until they are to be executed.  Management understanding over long periods of time are required, yet management commitment has a half-life of days.  Communication of policy, reiterated, is required.  Initial conflicts, changes that cause conflicts, questions of authority as organizations change all need attention.  
 
    I remember training I received in how to shut off the sprinkler system in the warehouse many years ago.  Then the fire marshal required 5/8" proof chain to assure the shutoffs could not be activated "accidentally". So we bought chain cutters so we could free the chains and shut off the damage to warehouse contents when the fire was out.  They weighed 65 lbs each.  Try swinging that over your head while standing atop a 20 foot ladder.  Doesn't matter.  They were stolen within a month.
 
    The organizational/political/long-term aspects are often more important than designing the task and tooling up for it.  The devil's in the details?  Oh yes.



This archive was generated by hypermail 2.1.3 : Wed Mar 30 2005 - 22:42:55 PST