Home page logo

basics logo Security Basics mailing list archives

Re: Senior management really concerns about security?
From: "Shawn A. Corrello" <shawnc () legolas sinnerz us>
Date: Thu, 5 Jun 2008 11:21:43 -0400 (EDT)

Document in writing each "exception" you create at the request of senior management. Include with your documentation your argument against said "exception", including the full explanation of the risk involved which you presented to senior management. Also include their reasoning, if any, for applying the exception against your judgement. Retain this documentation and make it known and available.

This may seem harsh, but to be blunt, this is your "get out of jail free card" to some extent; should one of the vulnerabilities you create at their demand be exploited, you may be able to save your job (or worse: career) by presenting convincing evidence that you were aware of the risk and attempted to firmly oppose it.

Good luck. This is an uncomfortable situation that we all deal with regularly.


On Thu, 5 Jun 2008, acwang0048 () gmail com wrote:

Hi all,

Just want to ask whether you guys have encountered some unreasonable requests from your senior management (e.g. ceo) 
whereby you as an IT personnel understands the potential security risks involved. But then, when you try to explain the 
security risks or consequence to them, they won?t listen and just tell you they need this because of business function.

At the end, you can?t do anything but to adhere what they request. But then, this leads to so many exceptions created 
for senior management.

Well, this is what I am currently facing!!!

Anyone has a better way to deal with this?


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]