What, this is not a daily occurrence within your company?
I thought it was normal operating procedure for all places.

The trick is working within this environment and still being able to
implement the appropriate security.

You need to write up a document that details the following:
- Company security policies
- Current environment
- Identify the vulnerability or the risk
- Show the gap between the actual environment and the policies
- List the quantitative and qualitative impact
- Identify any alternate solutions
- Identify the owner of the data and systems affected and have the highest
level of management for those areas sign off with their John Hancock and
make very clear in your document at their signature location that you state
"Acceptance of Risk".  Since you do not own the data or systems, you cannot
accept the risk.

Hopefully, this helps.  It ain't fun.

Robert R. Vail




-----Original Message-----
From: Bill Husler [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 14, 2000 10:57 AM
Cc: [EMAIL PROTECTED]
Subject: Off Topic: Upper Management decision making


Has anyone here had occasion to face the situation where Upper Management
decides to move forward in a direction against the recommendations of the
group responsible for data security, disregarding their concerns? If so,
what did you do about it? Did you write it up and ask them to formally
acknowledge their acceptance of the exposure? What form would this document
take? Any examples?
Bill

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]