> -----Original Message-----
> From: Trevor Cushen [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 09, 2002 10:06 AM
> To: harley mcdonald
> Cc: [EMAIL PROTECTED]
> Subject: RE: Is SSH worth it??
> 
<snip>
> The argument coming back to me then is even with the ssh and all the
> work involved (months at least because of their other commitments) they
> are not really that better off.  Is it worth it.

That's something only management can decide.  Make sure they understand the
risk, the likelihood, and the cost of not using encryption.  It may very
well be that it's not worth the money to take the time to implement it.
More likely, they won't perceive that it's worth it, but will have to learn
they're wrong the hard way, unless you can give them hard numbers otherwise.

> That is what is coming back to me.  You see now why I posted the
> message??.  It comes back to an earlier post of how do you implement a
> policy if management say no need for it???

Honestly, you don't.  You make sure you're covered by getting in writing a
statement that they understand the risks and have decided to take them.  A
carefully worded email would do.  Then, when bad things happen you are at
least covered, and the people who made the bad decision have to live with
it.

> I know they need to go the more secure route but how do I fully
> convince them.  Yes I know a lot of you will say risk assessment and
> costing etc, I went down the CISSP route too and am actually waiting for
> results (nerves are shot to pieces).  But the customer unfortunately has
> not read through all the domains of CISSP and doesn't really see the end
> benefit.

At the end of the day, it's the customer's decision.

A wise friend of mine described this dilemma to me like this: It's your
responsibility to make it clear to the customer that they're not going to
like having the toilet installed on the ceiling, and to make sure they know
all the problems.  When they insist, "Put the toilet on the ceiling!" you
need to do so; it's their decision, as bad of one as it may be.  When it
turns out to be awful, they can't say they didn't understand, and that they
didn't get exactly what they asked for.

Good luck; it sounds like you know what would be best, but until management
agrees, you may have to live with a suboptimal situation.

Lou Erickson
IT Tools Developer,
Ariba, Inc.
