Sorry Jason, I'll have to disagree with you on this one. The principals of the company are responsible to the stockholders (the owners) for the operation and profitability of the company. You as an employee can give them your best advice but they must ultimately make the decisions. If they choose to ignore your recommendations and accept the risks associated with the venture, that is their choice to make.
If something goes wrong then it falls on their shoulders to demonstrate that they exercised due diligence in making the decision. It is your job to make sure you cover your butt! Keep copies of all your reports, meeting notes and presentations. This can come in very handy if they take any action against you. Implement the system as instructed and then be diligent to watch it for problems, report them and keep good records of those reports and the problems.
If you can't live with the idea that your company doesn't respect your advice, give mine a call. We're always looking for good security consultants!
-- Bill Stackpole, CISSP
From: Jason Wilcox <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED] 04/14/00 12:14 PM
To: "'Bill Husler '" <[EMAIL PROTECTED]>
cc: "'[EMAIL PROTECTED] '" <[EMAIL PROTECTED]>
Subject: RE: Off Topic: Upper Management decision making
Bill, this isn't just a question of someone taking responsibility and acknowledging their risks, it is a matter of your principles and your belief in what you do.
I too was recently faced with this decision and followed the advice of some to make sure that they understood the risk that they were taking. They claimed they understood the risks, and felt that it was worth the potential gain. My job was to secure their resources and that made it impossible to do that. In the end I realized that I couldn't compromise what I believed was right and resigned based on the fact that they were creating a risk that I could no longer effectively manage.
I am not saying that you should quit and leave, and I don't advocate leaving your job because someone doesn't agree with you. However, there is a point at which you cannot cross the line, you cannot compromise your principles. No matter what someone signs saying they accept the risk, you're the one who is still responsible for managing that risk on a daily basis.
Jason P. Wilcox
-----Original Message-----
From: Bill Husler
Cc: [EMAIL PROTECTED]
Sent: 4/14/00 9:57 AM
Subject: Off Topic: Upper Management decision making
Has anyone here had occasion to face the situation where Upper Management decides to move forward in a direction against the recommendations of the group responsible for data security, disregarding their concerns? If so, what did you do about it? Did you write it up and ask them to formally acknowledge their acceptance of the exposure? What form would this document take? Any examples?
Bill
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]