Re: [fw-wiz] httport 3snf

From: Duncan (drsharpat_private)
Date: Tue Oct 22 2002 - 09:35:51 PDT

    "Paul D. Robertson" wrote:
    
    Paul,
        Thank you for your words. It helps to expand on these issues, to
        better understand how different environments work.
    
    
    > On Mon, 21 Oct 2002, Duncan wrote:
    >
    >
    > >
    > >     But if a developer had a need (or made a request) to open FW ports, or gain
    > >     IM access,  "no" was not acceptable, but rather how fast the request
    > >     was completed. As most developers realize, tying a deadline to any
    > >     request is the best way around restrictions or "policies".
    > >     You may just find yourself on the receiving end of a written reprimand
    > >     from your CIO directed at you from the CEO of the company.
    >
    > I had my CIO approve my security policy.  This meant spending *lots* of
    > time educating him about Internet risk.  When he understood the policy
    > from his perspective, he also understood the fact that enough exceptions
    > to policy were going to kill _having_ the policy.  I had folks attempting to
    > tie requests to advertising deadlines for newspapers.  They often declined
    > the "get out of your chair, and walk over to the machine in the corner
    > that's isolated on the DMZ" option though- amazing how an uncomfortable
    > option changes the priority and necessity of a request sometimes.
    >
    
    I don't know about others, but I found that being in the role of Firewall engineer,
    or Sr. Network Engineer did not appear to lend ANY credence to input into the
    security policies of most of the companies I have worked for.
    
    Yes, I also spent many hours attempting to educate management about risks in
    our networks based on examples. Too many responses have been of the
    nature of:
    
        a: Well our users are not that technically knowledgeable.
        b: No one really has the time or tools to sniff for packets on the network.
        c: That sounds paranoid.
        d: Desktop support can't be expected to support that level of control over
            user desktops.
    
    The best one IMHO is:
    
        Well if you ever see that happening be sure to report it.
    
    
    > >     At least in these two companies the policy only went so far as to
    > > interfere with some claimed business need, and we had an exception.
    > >
    > >     Working for smaller companies (<500 employees) policies are usually
    > >     an afterthought, and may have been written by some manager in IT dealing
    > >     only with abuse of the desktop itself. I have been at 3 Tech. companies
    > >     where each has the following section in their policies:
    >
    > First of all, policy *has* to have support from the highest levels, or
    > it's going to be useless.  Secondly, you must be able to articulate risk
    > well to get a good policy and to get backing for enforcement.
    
    The source of one of these was the IT director of the Software company with signoff
    from the CEO. I and one of my contractors supplied suggested changes to help
    the process, but were otherwise ignored.
    
    My understanding of support for such policies is that if my management has the
    ability to fire the offender then it's usually worth my effort. But otherwise
    company politics takes over and it's just trying to keep the damage under
    control.
    
    >
    >
    > >     "XX. Internet usage is only for approved business purposes. Personal use
    > >         (access) is prohibited."
    >
    > In a lot of places, having a policy that's not enforced (and I've yet to
    > be anywhere that had a prohibition rather than a few restrictions on
    > personal usage) is worse than no policy at all.  I'd have spent some time
    > detailing the legal risks, then presented them in writing.
    >
    
    The justification I have been given for this has been that it just makes
    terminating a low performer easier. Otherwise it's not enforced, nor did
    management want to know where employees were surfing.
    
    My current employer has the same policy. :-(
    
    Yours,
    Duncan Sharp
    
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizardsat_private
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
    This archive was generated by hypermail 2b30 : Tue Oct 22 2002 - 11:53:48 PDT