Slashdot Mirror


Security Responsibility Without the Authority?

Slashdot reader jamie submits this story about security administration. If you have the responsibility for security without the authority to make changes, your only role is to be the fall guy when something goes wrong.

7 of 206 comments

  1. It all depends..... by Fantasio · · Score: 2, Informative

    ...on how much one can ask for being a scapegoat. Make me an offer I can't refuse and I'm your man ! (paid in advance, please...)

  2. civil legal matters by zogger · · Score: 2, Informative

    "From my perspective, if a corporation deliberately stores my personal information using a server OS that is known to have more security holes than the Moon has craters, when that info is stolen the people that made that decision should be up on charges of negligence or worse"

    If it is a company you do business with, send them a letter (snail mail, registered, notarized, whatever) in advance to that effect. Not a threat, just a reminder that they have alternatives, and it's in their best interest business-wise and liability-wise to look at ALL the options. Then they can't claim down the road that they "didn't know". Send an identical copy to their CEO, CFO and CIO/CTO. It's a +1 bonus if you can have several people on your side with similar viewpoints sign it as well, all customers of theirs.

    Another thing you can do is to buy stock in the company. That gives you an additional legal edge should something "go wrong", and also lets you offer suggestions and/or complain at shareholders' meetings, or gives you another avenue for a potential lawsuit.

  3. Re:On the other hand by zaffir · · Score: 2, Informative

    I work in the IT department of a small offshoot company of a larger corporation. For reasons that have never been explained to me, or anyone in our small company, all of our networking hardware is controlled by the IT department of our parent company. Due to some wonderful policy we aren't allowed access to any of our routers or switches. We're practically neutered when it comes to tracking down network issues.

    A while back we had a user bring in a Sasser-infected machine from home and plug it into the network, grinding our operation to a halt. It took us a couple of hours of trial and error to find the offending machine.

    Even after this incident, and other similar problems, we are still refused access to our own hardware.

    --
    "Upon attaching the waterblock to my penis, I began to notice that I know nothing about computers." -- JRockway

  4. Re:False priorities by Anonymous Coward · · Score: 1, Informative

    "Hey, boss, you know how you told me to improve security? I can do that, as soon as I get the approval from Finance. I just wanted to ask you for some advice in requesting the necessary budget, as the Finance guys don't necessarily understand security like we do."

  5. Re:amazing how one person resigning causes FUD by Kludge · · Score: 2, Informative

    And your system is crap. I work in a mid-to-large size government program that implements policies such as the ones you outline, and this is what happens:

    1. The process of getting applications approved is so slow and onerous that people just install the apps on local machines w/o the knowledge of IT. If they didn't, work would never get done.

    2. Their network is 'accredited'. So it's like everyone else's. Big whoop. They block outgoing ports, like ssh 22. That's just a pain in the ass. So I have to run my sshd at home on port 21 as well.

    3. They install OS patches too, when they can. Of course everything is M$ (like I bet yours is), so sometimes those patches never appear or appear a year later. I laughed out loud when I got an email informing us that IE was vulnerable to certain web sites, so we should be careful about the web sites we visit and which emails we open. Now that's security!

    Real security is not DITSCAP, IAVA, or ACERT, or any other dumb-ass acronym. It's using only secure operating systems like Linux with a simple firewall that allows only secure connections, like ssh or virtual private networks.

  6. Re:This was the reason by mrchaotica · · Score: 3, Informative

    "But what exactly does that get you?"

    You misunderstood. "You" the company gets screwed, but "you" the manager or "you" the IT guy avoids getting fired. It's called putting your own best interests before those of the company.

    --
    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  7. Re:On the other hand by Lumpy · · Score: 3, Informative

    Actually yes. He teamed up with a small company here in town and formed an IT security company that consults with businesses and contracts with them for "repairing" the problems.

    Funny part, I saw him here about 24 months later, we hired his company!

    As for the managers and executives, I do not know. All we know is that about 30 days after the lawsuit their offices were empty.

    --
    Do not look at laser with remaining good eye.