Dear A Question,

If you are in a situation where you do not have a security policy in place AND you are lacking the support of your upper management, you should consider leaving.
Any situation where you have hostile upper management and no policies is employment suicide.

See if you are allowed to create a policy regarding the typical situations (a.k.a. acceptable use, remote access, etc...). Get HR buy-in on the issue prior to moving forward. Also involve your direct bosses. Get them to believe that the idea for policies was THEIR idea. Trust me, people tend to be much more accepting of ideas that they believe they came up with than if you just get in their face and tell them that they're morons, and that they need to do things your way...

If they have basic issues like changes of words, and not blanket rejection of the security policy, then you have a common ground, and a place that you can work from. Work together with HR and your boss to get the policies accepted. If you get the CIO believing that the policies are HIS/HER ideas, you'll get them shoved through so fast your head will spin.

Here's a link to the sample security policies that I've used in the past. Like I said, you must have a policy in place before you can move forward on any security issues. Once you have those policies, you can then use them to leverage security solutions. But YOU MUST HAVE SUPPORT IN UPPER MANAGEMENT. This is true at every job I've EVER worked at.

http://www.sans.org/newlook/resources/policies/policies.htm

<<<< Warning! Advice Follows! It's free, and you get what you pay for!>>>>>

If you are completely rejected on the security policy issues, then quietly walk away, and search for a job on your off hours. Get a WRITTEN recommendation from someone at that job one week prior to giving your two week notice, and ask them to sign and date it. Make sure that you are financially prepared to not be working those last two weeks that you anticipated being employed.
Also, make sure to get your resignation signed and date stamped by a third party so that you can state that you resigned, as some companies tend to say to other companies that they fired you with cause, a big nasty blemish on your record. Get a copy of your last review, and save it. Give a COPY of the resignation to your HR person prior to your actual boss. Then IMMEDIATELY go talk to your boss and give him a COPY as well. Don't give them the original.

DO NOT be belligerent. Ask for an exit interview with HR only. You can then tell the HR person what you believed (in a calm manner) the reasoning was behind your wanting to leave, back it up with documented emails or copies of documents, and then leave. Please, do not be rude to anyone on the way out. Don't say anything except "It was nice working with you all" and "Goodbye."

Any time you've ever left a job, take a deep breath... and leave it behind. Don't write them unless they write you first, and even then, I'd make sure I sent a copy of the original email and your response to a lawyer that is a friend of yours (yes, some lawyers have friends...). Don't go to their IP address range. Don't think about how you could have made a difference, or how you could have changed what you did. Don't even dream about them. Just walk away, and don't mention them in any news group, email message, or conversation.

If you have anything that you have gotten from the job (keycards, laptops, computers, software, books, a list of EVERY account that you created there), return it in a box from UPS or FedEx, with EVERYTHING inside labeled and notarized by a notary public. Keep the tracking number for the next 10 years, along with a copy of the notarized list.

Maybe that sounds completely paranoid.
But I've had an issue in the past with a hostile upper management issue, and all the things I've mentioned above got the case dismissed in court, and me another job without hassle from the previous employer (the written recommendation was from my direct boss, who was VERY pleased with the work I'd done).

<<<< Advice ends here!!>>>>>>>

It's sad to leave a job. But it's best to walk away from impossible situations, and enjoy life than it is to suffer through days and days of issues.

Seamus Hartmann

Everything expressed within this email message is the personal opinion of the author, and does not reflect the opinion of Fuji Film eSystems. This email message has been scanned for viruses prior to exiting the Fuji Film eSystems network. This email is considered a private message between the sender and the recipients.

-----Original Message-----
From: A Question [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 01, 2002 3:38 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Is it bad enough to resign?

Greetings,

Beg your pardon for sending, but I could use your advice. I have been reading this list for some time and have benefited from it. There are some good minds on this list, and a lot of experience, so I submit my question to you seeking your perspective.

Before I begin, I want to tell you that I have already made up my mind whether to resign or not, what I am needing is perspective as the company I work for is the only one I have worked at as a Systems Administrator, and the only one that I have been responsible for securing the system.

The security for the network and servers I administer is NON-EXISTENT. This is not only fine with my superiors, but I have been told to not work on security anymore, as it is "un-important". The CEO thinks that it is secure because my CIO lies and tells him that it is.

Here is some background. We have approx. 14,000 IPs in a stub network (only one way in or out on the router).
Since those IPs are mostly used to host virtual hosts, there are over 100,000 total paying customers that depend on our systems being secure. We tell customers and the CEO that we have a firewall - it's a lie.

* WE HAVE NO FIREWALL ON OUR ENTIRE NETWORK.
* WE HAVE NO INTRUSION DETECTION ON OUR SYSTEM

We use Linux and Windows. Windows is even more pathetic as we depend on hotfixes and Service Packs as our ONLY form of Windows security. They won't let me put Snort on it, and they won't buy Black Ice, or anything else.

To top this off, the CIO refused to let me apply Service Pack 2 to Windows for months after the release. I brought it up every week at our management meeting. Finally, several Windows machines were compromised so that the cracker had admin level access for weeks before it was even detected. This would have been prevented if they would have only let me apply SP2! The CIO kept saying that he could hear me saying "I told you so". The CIO lied to the CEO and said that it was not an Admin level intrusion, but merely a rogue FTP account used for Warez. The cracker could have formatted the drives with data at any time!

It gets even worse than this, but you get the idea.

I prevented Nimda and Code Red attacks even while everyone else was wondering what they are. Do they promote me? Reward me? No. Apparently, they are too embarrassed as my CIO and Managers that they are incompetent in security (they set up the systems this way, after all), and seeking to keep me quiet, they demoted me so that I wouldn't be responsible for security anymore.

As far as I can tell, the only reason I was promoted to Security Manager was so that they could have a fall-guy when things went wrong: "How did they do that? Weren't you doing your job?". But when their scheme backfired and I actually did such a good job that their position in front of the CEO was threatened, they decided to keep me quiet.

Am I being paranoid? Am I overreacting?
Your perspective from your experience would be greatly appreciated. Also, after I leave, should I send a letter to the CEO about this?

Thanks