Security Basics mailing list archives

Re: Re: When IT Manager breaks rules


From: danogh () gmail com
Date: 23 May 2007 04:00:56 -0000

It is important that your security processes haven't just come out of a vacuum - even a well informed vacuum.
At the very least you need management support for the basic principle "this is how new user accounts are created" and 
that usually comes from apprising them of the threats and risks before putting the policy in place.

Part of the supported policy would, of course, include the scope for monitoring and incident response that would allow 
you some latitude to deal with critical incidents without going through management approval processes.

I would vary the previous poster's comment to say that if you are the security dude working in an environment where 
there is no timely way for you to get management support for security policy, get out quick.

A security professional has no leverage if they do not have the clear and unambiguous support of the people responsible 
for accepting security risk for the organisation, and part of maintaining that support is not ambushing them with policy 
- and if you don't have support for the policy you know you are going to have Buckley's chance of getting anywhere with 
enforcement.

