Home page logo

basics logo Security Basics mailing list archives

Re: Senior management really concerns about security?
From: "afam mbanefo" <afamm () willaf com>
Date: Fri, 6 Jun 2008 15:35:29 +0000

I will always send an email detailing the security issues and technical issue with any change and get a response from 
This way you are covered in case of any disaster.
This email will be copied to the guys responsible for decision making in the company before you get into the 
technicalities of change management and paperwork.



-----Original Message-----
From: "Adewale, Akin (IT Services - Infosec Team)" <Akin.Adewale () capita co uk>

Date: Thu, 5 Jun 2008 23:45:21 
To:<acwang0048 () gmail com>, <security-basics () securityfocus com>
Subject: RE: Senior management really concerns about security?


Create a risk register, highlight the risk and the likelihood and get
them to accept the risk, if they do then enter it in the register as
accepted risk, but always make sure they formally accept the risk, e.g.
by email and keep the record.

If you work in a medium - large enterprise, changes will always go
through change management process where someone has to assess the risk
and a management person has to approve the change, in this case you can
go one step further and enter the change reference number in your risk
register (this can even be a spreadsheet).

With the above, if anything happens as fallout from the change, you can
always produce hard evidence that they were informed and they accepted
the risk.

Akin Adewale

Akin Adewale

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of acwang0048 () gmail com
Sent: 05 June 2008 10:36
To: security-basics () securityfocus com
Subject: Senior management really concerns about security?

Hi all,

Just want to ask whether you guys have encountered some unreasonable
requests from your senior management (e.g. ceo) whereby you as an IT
personnel understands the potential security risks involved. But then,
when you try to explain the security risks or consequence to them, they
won't listen and just tell you they need this because of business

At the end, you can't do anything but to adhere what they request. But
then, this leads to so many exceptions created for senior management. 

Well, this is what I am currently facing!!!

Anyone has a better way to deal with this?


This email has been scanned for all viruses by the MessageLabs SkyScan

This email and any attachment are intended solely for the addressee, are strictly confidential and may be legally 
privileged. If you are not the intended recipient any reading, dissemination, copying or any other use or reliance is 
prohibited. If you have received this email in error please notify the sender immediately by email and then permanently 
delete the email. Copyright reserved.

All communications, incoming and outgoing, may be recorded and are monitored for legitimate business purposes. 

The security and reliability of email transmission cannot be guaranteed. It is the recipient’s responsibility to scan 
this e-mail and any attachment for the presence of viruses. 

The Capita Group plc and its subsidiaries (“Capita”) exclude all liability for any loss or damage whatsoever arising or 
resulting from the receipt, use or transmission of this email. 

Any views or opinions expressed in this email are those of the author only.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]