Bill Husler wrote:
> 
> Has anyone here had occasion to face the situation where Upper Management 
> decides to move forward in a direction against the recommendations of 
> the group responsible for data security disregarding their concerns? If 
> so, what did you do about it? Did you write it up and ask them to formally 
> acknowledge their acceptance of the exposure? What form would this document 
> take? Any examples?

You might find some material on the Society for Risk Analysis (SRA)
pages.  There's a page on their site listing private sector risk
analysis sites <http://www.sra.org/privsct2.htm> which may have some
material of help.

Others have suggested quantifying the cost of both accepting and not
accepting the risk, as best you can.  From a management perspective,
your supervisors will be looking for a high-level, bullet-pointed,
very terse list of the risks you believe exist.  I would also
prepare a more-detailed white paper outlining the costs of the risks
and the reasons you believe the company may benefit from your
approach.  (Focus on benefits to the company of doing things one
way, not on risks of -not- doing something, especially if the "doing
something" costs cash up front.)

If possible, try to get both actual case studies and anecdotal
reports from people in your field who have encountered the risk
situation you are facing, and what it cost them to repair the dike.

One frustrating thing to me, when I was reporting to management and
not a member of the management team, was learning that management
had previous reports from other sources on which they'd based their
judgment; in other words, -someone else- had done a risk assessment
prior to the word going down to change to a new method of business. 
Try to find out, if you can, what information they have used to make
their decision.  Ask for a copy of any reports that exist, and tell
them this will help you make an informed decision.

Once you've assembled your material, made your bullet-pointed
presentation, and presented the more-detailed report if requested,
-drop it-.  Don't back management into a corner.  You've made your
concerns part of the record.

Sorry I can't offer more advice.  Feel free to write to me off the
list if any of this is of value and you want to pursue it
separately.

-- LJM

> Bill
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]