On Tue, 22 Oct 2002, Duncan wrote:

> Paul,
> Thank you for your words. It helps to expand on these issues, to
> better understand how different environments work.

Thanks for "baring your soul" here, I'm really hoping that some folks get a chance to think about the pitfalls *before* they end up in them.

> I don't know about others, but I found that being in the role of Firewall engineer,
> or Sr. Network Engineer did not appear to lend ANY credence to input into the
> security policies of most of the companies I have worked for.

I spent eight years at my last company, and when I wrote the policy, it was really the first "security" policy instead of an HR-aimed usage document. I fully believe that the person who's doing the job needs to *own* the policy, needs to negotiate its terms with executive management and negotiate enforcement with upper management and users' managers.

In that organization, action based on something bad was normally up to the direct supervisor of the employee- so I just had the conversation with the manager about what I expected was acceptable use, and if I wasn't happy with their proposed remedy (as in "This won't happen again," not as in "I'm going to do Y to the employee") then I'd explain what it was going to take to get their segment reconnected to the greater intranetwork upon a repeat infraction. It was often up to them if I would even directly address the employee.

I don't recall any repeat infractions, but politically my position was tenuous a lot of the time, and I had to be very careful about my interactions. Fortunately, from at least the Vice Chairman down- there was strong support for "doing the right thing," "protecting our investors," etc. So my direct line of reporting supported me and understood that I was "The guy who said No." I'd generally offer some alternatives, most of them requiring capital to implement, but I wasn't there to make people happy in my security role.
In my network architecture role, that was a different story.

> Yes I also spent many hours attempting to educate management into risks in
> our networks based on examples. Too many responses have been of the
> nature of:
>
> a: Well our users are not that technically knowledgeable.

Development departments are wonderful examples of how they are :)

> b: No one really has the time or tools to sniff for packets on the network.
> c: That sounds paranoid.

"Of course it's paranoid, so is having a firewall, locking doors at night, etc."

> d: Desktop support can't be expected to support that level of control over
> user desktops.

"Cool- lemme show you the new architecture that means they won't hafta worry."

> The best one IMHO is:
>
> Well if you ever see that happening be sure to report it.

With the obvious follow-up of "But he does his job *really* well, we couldn't possibly replace him!"

> > First of all, policy *has* to have support from the highest levels, or
> > it's going to be useless. Secondly, you must be able to articulate risk
> > well to get a good policy and to get backing for enforcement.
>
> The source of one of these was the IT director of the Software company with signoff
> from the CEO. I and one of my contractors supplied suggested changes to help
> the process, but was otherwise ignored.

Sometimes that's all you can do until you get to hand out the nice shiny new Itoldya awards.

> My understanding of support for such policies is that if my management has the
> ability to fire the offender then it's usually worth my effort. But otherwise
> company politics takes over and it's just trying to keep the damage under
> control.

I had a good portion of the immediate company under the impression that anything they did was being monitored and tallied up for later evaluation. It helped a lot, it hindered occasionally.

> > > "XX. Internet usage is only for approved business purposes. Personal use
> > > (access) is prohibited."
> >
> > In a lot of places, having a policy that's not enforced (and I've yet to
> > be anywhere that had a prohibition rather than a few restrictions on
> > personal usage) is worse than no policy at all. I'd have spent some time
> > detailing the legal risks, then presented them in writing.
> >
>
> The justification I have been given for this has been that it just makes
> terminating a low performer easier. Otherwise it's not enforced, nor did
> management want to know where employees were surfing.

That's how most places start out. If you want to own security, then you have to move them out of the early nineties or change jobs often.

> My current employer has the same policy. :-(

A chance to correct is a chance to win.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
probertsat_private      which may have no basis whatsoever in fact."
probertsonat_private
Director of Risk Assessment
TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
This archive was generated by hypermail 2b30 : Tue Oct 22 2002 - 12:33:16 PDT