RE: Senior management really concerns about security?

["CISO" <CISO () EliteMail Org>]

Step 1: Document the risks and what they are attempting to do.
Step 2: Attain sign off on those risks by the senior management.
Step 3: If they do not sign off it is important to ensure you properly
document.
Step 4: Do what they ask anyway... which does not mean YOU accept the risk.
Step 5: Keep your job.

Information Security does not ABSORB the risk, we notify, document, and
pass.

Good Luck.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of acwang0048 () gmail com
Sent: Thursday, June 05, 2008 2:36 AM
To: security-basics () securityfocus com
Subject: Senior management really concerns about security?

Hi all,

Just want to ask whether you guys have encountered some unreasonable
requests from your senior management (e.g. ceo) whereby you as an IT
personnel understands the potential security risks involved. But then, when
you try to explain the security risks or consequence to them, they won't
listen and just tell you they need this because of business function. 

At the end, you can't do anything but to adhere what they request. But then,
this leads to so many exceptions created for senior management. 

Well, this is what I am currently facing!!!

Anyone has a better way to deal with this?

Cheers,
Wang