Firewall Wizards mailing list archives

Re: httport 3snf


From: Paul Robertson <proberts () patriot net>
Date: Tue, 22 Oct 2002 15:25:36 -0400 (EDT)

On Tue, 22 Oct 2002, Duncan wrote:

Paul,
    Thank you for your words. It helps to expand on these issues, to
    better understand how different environments work.

Thanks for "baring your soul" here, I'm really hoping that some folks get 
a chance to think about the pitfalls *before* they end up in them.

I don't know about others, but I found that being in the role of Firewall engineer,
or Sr. Network Engineer did not appear to lend ANY credence to input into the
security policies of most of the companies I have worked for.

I spent eight years at my last company, and when I wrote the policy, it 
was really the first "security" policy instead of an HR-aimed usage document.  
I fully believe that the person who's doing the job needs to *own* the 
policy, needs to negotiate its terms with executive management and 
negotiate enforcement with upper management and users' managers.  In that 
organization, action based on something bad was normally up to the direct 
supervisor of the employee, so I just had the conversation with the 
manager about what I expected was acceptable use, and if I wasn't happy 
with their proposed remedy (as in "This won't happen again," not as in 
"I'm going to do Y to the employee") then I'd explain what it was going to 
take to get their segment reconnected to the greater intranetwork upon a 
repeat infraction.  It was often up to them if I would even directly 
address the employee.  

I don't recall any repeat infractions, but politically my position was 
tenuous a lot of the time, and I had to be very careful about my 
interactions.  Fortunately, from at least the Vice Chairman down, there 
was strong support for "doing the right thing," "protecting our 
investors," etc.  So my direct line of reporting supported me and 
understood that I was "The guy who said No."  I'd generally offer some 
alternatives, most of them requiring capital to implement, but I wasn't 
there to make people happy in my security role.  In my network 
architecture role, that was a different story. 

Yes I also spent many hours attempting to educate management into risks in
our networks based on examples. Too many responses have been of the
nature of:

    a: Well our users are not that technically knowledgeable.

Development departments are wonderful examples of how they are :)

    b: No one really has the time or tools to sniff for packets on the network.
    c: That sounds paranoid.

"Of course it's paranoid, so is having a firewall, locking doors at night, 
etc."  

    d: Desktop support can't be expected to support that level of control over
        user desktops.

"Cool- lemme show you the new architecture that means they won't hafta 
worry."

The best one IMHO is:

    Well if you ever see that happening be sure to report it.

With the obvious follow-up of "But he does his job *really* well, we 
couldn't possibly replace him!"

First of all, policy *has* to have support from the highest levels, or
it's going to be useless.  Secondly, you must be able to articulate risk
well to get a good policy and to get backing for enforcement.

The source of one of these was the IT director of the Software company with signoff
from the CEO. I and one of my contractors supplied suggested changes to help
the process, but were otherwise ignored.

Sometimes that's all you can do until you get to hand out the nice shiny 
new Itoldya awards.

My understanding of support for such policies is that if my management has the
ability to fire the offender then it's usually worth my effort. But otherwise
company politics takes over and it's just trying to keep the damage under
control.

I had a good portion of the immediate company under the impression that 
anything they did was being monitored and tallied up for later evaluation.  
It helped a lot, it hindered occasionally.

    "XX. Internet usage is only for approved business purposes. Personal use
        (access) is prohibited."

In a lot of places, having a policy that's not enforced (and I've yet to
be anywhere that had a prohibition rather than a few restrictions on
personal usage) is worse than no policy at all.  I'd have spent some time
detailing the legal risks, then presented them in writing.


The justification I have been given for this has been that it just makes
terminating a low performer easier. Otherwise it's not enforced, nor did
management want to know where employees were surfing.

That's how most places start out.  If you want to own security, then you 
have to move them out of the early nineties or change jobs often.

My current employer has the same policy. :-(

A chance to correct is a chance to win.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
