Security Basics mailing list archives

RE: Senior management really concerns about security?


From: "Adewale, Akin (IT Services - Infosec Team)" <Akin.Adewale () capita co uk>
Date: Thu, 5 Jun 2008 23:45:21 +0100

Hi, 

Create a risk register, highlight the risk and the likelihood, and get
them to accept the risk. If they do, then enter it in the register as an
accepted risk, but always make sure they formally accept the risk, e.g.
by email, and keep the record.

If you work in a medium-to-large enterprise, changes will always go
through a change management process where someone has to assess the risk
and a management person has to approve the change. In this case you can
go one step further and enter the change reference number in your risk
register (this can even be a spreadsheet).

With the above, if anything happens as fallout from the change, you can
always produce hard evidence that they were informed and they accepted
the risk.



Akin Adewale



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of acwang0048 () gmail com
Sent: 05 June 2008 10:36
To: security-basics () securityfocus com
Subject: Senior management really concerns about security?

Hi all,

Just want to ask whether you guys have encountered some unreasonable
requests from your senior management (e.g. CEO) whereby you, as IT
personnel, understand the potential security risks involved. But then,
when you try to explain the security risks or consequences to them, they
won't listen and just tell you they need this because of business
function.

In the end, you can't do anything but adhere to what they request. But
then, this leads to so many exceptions created for senior management.

Well, this is what I am currently facing!!!

Does anyone have a better way to deal with this?

Cheers,
Wang
