RE: When IT Manager breaks rules

[WALI <hkhasgiwale () gmail com>]

Currently, I have written a security policy and got it signed by the CEO. 
That first release of policy manual (if I may call it), did not contain any 
clause mandating such a rule. Going by the fact that Security Polices are 
living documents, I have currently called this clause as a guideline with 
an aim to include it in the next release of my policy manual.

Now tell me, how should I word my so called 'bitch slap' clause. What would 
be the limitations?

By the way, I was wondering, how often in a year should I take my policy 
amendments to the CEO for his/her signatures? Are they required every time 
I add/edit a clause? It's only the first year and I don't think we can 
start with all the things included to start with in the first version of 
policy manual.


At 11:25 AM 5/23/2007 +1000, you wrote:
> And get that 'bitch slap' clause included in the security policy. I want one
> of those too.
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
> Behalf Of Toby Barrick
> Sent: Wednesday, May 23, 2007 6:04 AM
> To: armfield () amnh org
> Cc: WALI; security-basics () securityfocus com
> Subject: Re: When IT Manager breaks rules
>
> I have been reading this thread for a while and there seems to be a lot
> of solutions but no correct answers to your specific question. If your
> IT manager is side stepping "rules" what are they? Are they company
> mandated rules, Gov't regulations or what. Are the rules accepted and
> promoted by "the company" as LAW, or just suggestions.
>
> If they are accepted as the law - - then bitch slap the guy and escalate
> as high as it takes to get his compliance. If the "rules" are just
> suggestions, I would recommend quitting your job since you are the
> security dude "in charge" and appear to have no enforcement capability.
> A very bad spot to be in. You will be held accountable for ALL security
> infractions be it by an IT manager, or Joe Blow visitor to your
> establishment.
>
> Just my two cents.
>
> Toby
>
> Raoul Armfield wrote:
> > We use a solution similar to what CAM Fischer is talking about. We use
> > Microsoft Identity Integration Service (MIIS).  This reads an export
> > from the HR database and creates accounts and places them in the
> > appropriate OU.
> >
> > Raoul
> >
> > WALI wrote, On 5/16/2007 11:33 PM:
> >> Hi guys...an odd question here!! I am mad at my IT Manager, he is
> >> such a sissy!!
> >>
> >> Being a internal security analyst in-charge, I want to enforce a few
> >> policies at help desk. One of them is, not to create any user account
> >> unless an email arrives from HR to HelpDesk, informing of the user's
> >> badge ID, the department he/she belongs to. The status of employment
> >> and all those things. The procedures are in place but sometimes it so
> >> happens that some Head of the Dept. or executive management calls up
> >> our IT Manager over the phone, or send him an email directly which is
> >> then forwarded to our Help Desk incharge who is then left with little
> >> options but to create the account without due processes. All policy
> >> compliance guidelines get thrown up in the air.
> >>
> >> HelpDesk incharge is bound by his position to, not to defy IT manager
> >> and he is scared to tell me (sometimes he does) that IT manager is
> >> forcing him to dilute the AD account creation policy.
> >>
> >> I don't want to confront IT manager based upon inputs by Helpdesk
> >> guys but would rather put a mechanism in place, where I would
> >> automatically come to know, that an account has been created and I
> >> can ask helpdesk to provide proof of the email from HR arbitrarily
> >> and then confront the manager.
> >>
> >> I know some Audit trails can be put and they would appear under
> >> Security tab of Event manager ( or so I guess) but I need something
> >> more automated that would land in my mailbox.
> >>
> >> Is this possible through any automated solution in AD of Windows
> >> 2003? Probably MOM 2005 or the types?
> >> In case I chose to confront  HR Admin/ managers with a plea to stop
> >> sending such requests to our IT Manager and put their house in order,
> >> what all genuine risks of 'not doing so' can I highlight? Ours is
> >> fairly large corporation employing about a 1000 people.
> >>
> >>
> >>
> >>
> >
> >