Jesus,

Your solution is not a technical one, it's a political one.  Presently, you have
a treasured software developer that believes he is above the fray, primarily
because he gets management sponsorship.  This is the issue - do not focus on
the individual, but focus on his means of support.  Now of course there are
several avenues to be taken here, but I initially would try removing the legs
from the stool he is standing on.

Now it sounds like HR is unwilling to help, unless it is something glaring
(typical HR... wingless flies if you ask me), so you need to provide the
catalyst to set this in motion.

First, establish - in real dollars, what it cost to make your corrections to
date, including the software required to defend against his escapades - see if
that can be charged against his manager's P/L.

Second, since he's new, find out how treasured he really is - talk to the other
leaders/managers, even the CIO, slip it to the CFO if necessary - but don't
talk in terms of an individual - use the dept.'s name - i.e., the Marketing group
is the cause of unwarranted expense and risk, i.e., security (this holds the dept.
manager's feet to the fire and requires an accountability response).  This is
important - don't make it an individual vs. individual issue (it will then be viewed
as a rivalry); instead make it policy vs. practice, and that will wash you from any
allegations of personality conflict.  Explain that the current policy is
ineffective without any visible support from executive leadership.  Wrap
yourself in the company flag and express your concern for company assets and
production system exposures associated with downloading underground (adjectives
suggesting unlawful, or at least non-company, behavior) hacking software on your
network, not to mention the potential hazard of a disgruntled employee, as well
as the cost (they understand cost) of thwarting this individual's efforts, not
to mention the future exposures associated with downloading unscreened software
(real dollars +/- 20%).

Third, disallow access to production servers, i.e., punish the dept. as a
whole, until compliance is awarded.  Let them police themselves.  If he has
done something - like introduced a virus - you can point to that and submarine
him.

Let's suppose this doesn't work, or you don't have the relationships necessary
to pull this off.  Publish, don't perish.  Initiate your own security audit on
the merits of determining company asset exposure and identify the exposure,
ramifications, and hazards associated with your discoveries - in particular the
offending dept.  If this manager is oblivious to your scrutiny, see how he
holds up to the entire executive staff's scrutiny.

Good luck,

Jennifer


Jesus Gonzalez wrote:

> Hi All,
> please excuse this message since it's a bit off topic, but I could use your
> expert opinions to give me some backup.
>
> There is a programmer in our company who seems to think that he is above all
> of our policies and procedures.  Yes, he is a new guy but has endeared
> himself to his manager (as the Director of IT, I report to someone else
> entirely).  He's continuously installing applications on his machine and the
> servers because he says he needs them, even though policy clearly states
> that only IT is allowed to install authorized applications on all
> workstations, and certainly the servers.  He even changed the local admin
> password and refused to give it to us, and he's password protected his bios.
> That stunt earned him a fresh image and a CMOS clear and OUR password in the
> bios.
> So we finally had no choice but to lock his system down (a Win2K box) and
> not give him the local admin password so he can't install anything.
> Naturally we were well aware of programs like l0phtcrack and others to break
> the admin password, but never thought he'd resort to it.  Sure enough, he's
> downloaded it, and while he's been out of town, he's yet to use it.  He's
> also downloaded the Win2K high encryption pack, my guess is that he intends
> to crack and change the local admin password, then install the HE pack in
> hopes of preventing us from doing what he just did (can you say REimage).
> It's stupid, I know.  And I can't believe I'm having this battle.
>
> I would like to know what policies people have in place for users who
> attempt to crack passwords using such tools?  When I spoke to HR and spoke
> in general terms, the Director said she would fire anyone who did that.
> When I told her who it was, she backed off and said 'oh, that will be
> tough'.  I guess I'm just looking for others who have dealt with this, or
> who have clear and tested policies in place so that I may have something to
> back me up when push comes to shove.
>
> Thanks in advance!
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
