Slashdot Mirror
Getting Company Owners To Follow Their Own Rules?
techmage writes "Recently we had an issue at our small company that resulted in the loss of a lot of important data. To prevent it from happening again, we created a company-wide policy that all computers would return to IT to have their contents backed up, and the computers would be formatted and reloaded for the next user. Consistently the owners of the company break this and other policies we set up to prevent data loss, theft, etc. How do I get through to the bosses that when they break with the policies, they are potentially shooting the company in the foot?"
Explain the risks, if they choose to ignore it document that they have not returned the laptop to be backed up so that they can't try and blame you if it goes wrong and data loss does occur.
I'd ask anyone who routinely overrides your authority in the data-protection sphere to sign a form indicating something to the effect that they've been informed of these policies and the potential risks and if it all comes crashing down because they don't listen to you, it's not your fault.
The World Wide Web is dying. Soon, we shall have only the Internet.
If they do -- shut up and work around it.
So you're going to take my laptop, back it up, reload it and give it to the next guy? I in turn will get someone else's formatted laptop?
Or are you just trying to say, "we lost a lot of data when someone's laptop failed without proper backup processes in place. So we've decided that everyone needs to regularly connect to the company network and back up their laptop. The owner's of the company never back up their laptop"?
Quite simply, you don't. I've worked at large banks that do not follow their own rules. IT cannot drive policy if C level executives do not want to follow the policy. If you can get auditors or examiners to force the policy to be followed, then it can work. Otherwise, IT cannot do anything. They will only be seen as chicken little and IT will lose what little standing they have at the company already.
See if you can assign a value to the data already lost because of their failure to follow the rules. We did a variation of this at Xerox ASD in the 70's and locked Charles Simonyi (yes, that Charles) out of "his" own source code.
It's funny, every year we prepare for auditors, and all we have to do is show them that we have a policy, not that we actually follow the policy. It's really quite hilarious and yet sad at the same time. For instance, we have to show them that we are doing scans of our network looking for vulnerabilities, but all they want is a log with someones name and a date on it. They don't care what was found or that anything was done with the information that we found. They could care less. The sad thing is, the company doing the audit is a very large company. The truth is that most management could care less about policies. Password complexity? Sure, just don't assign it to the management. Screensaver locks after 10 minutes? There better be an exceptions group for the CEO and her secretary. It's really quite sickening really. It's amazing what you can get people to do for you when you're the network admin's boss' boss' boss.
You've created a policy and don't have the owner-level execs onboard?
That's failure #1 right there. Good policy making for security purposes isn't "And IT saith THUS!". Operating in this kind of vacuum gets your enforcement NO PLACE. Fast!
You have to involve these people pretty much from the get-go. This way they understand why the policy is in place and have less self-provided incentive to circumvent it.
And yes, as others have said, a small amount of "horror story" can go a long way too. But only DURING the policy creation process. Afterwards, they look at it as simple justification of an arbitrary policy.
Right now you guys haven't got a leg to stand on.
Chas - The one, the only.
THANK GOD!!!
I mean you can't make the owners do anything. They own it, it is theirs to do with as they please. They could close up shop tomorrow for no reason if they wanted. So you can't force them to do as they should. Likewise, nagging them could be a bad career move. So the best thing is a CYA. Have something that says they understand the risks of not following the policy more or less. Then, if shit does break you should be covered. They'll either realize that they made a mistake and be fine, or they'll come looking to blame you and you can pull out the document and say "We made sure to inform you of the risks and you signed off saying you understood them and that it was up to you if you chose not to follow them."
That's the best you can do.
1) Thank you for trying to save me money. Your recommendations are welcome as I'm paying you for your expertise and opinions.
2) If you're going to try to have me sign something like that I'm going to have a talk with you about bureaucracy and how we can't afford a BS cover your ass mentality in a small company. You may rest assured that if I don't back up and there's a crash there are two possible results: If I'm a bad manager I'm going to come back at you and no little piece of paper will stop me from firing you (though I'd expect you would receive unemployment as it's not really for cause). If I'm a good manager I'm going to write the check to cover the damages, feel foolish and accept your recommendation going forward.
3) If it's a dumbass relative that thinks they can ignore the rules because they're family working in a family business (and they don't sign the checks) then I expect to see their name (and possibly mine if I'm doing it too) on the report of IT security scofflaws that you periodically (though infrequently) prepare for me.
In a company controlled by a single or few owners it is reasonable to recommend, cajole, suggest or encourage proper owner behavior, but if you dictate it and attempt to threaten (for instance by saying in a confrontational manner 'ok, but I'm not taking responsibility then') you are writing checks that your expertise may not be able to cash. As an owner it's important that my IT works right, but it's absolutely imperative that I don't lose control of the company. Don't make me think that you're trying to take it away from me or lord your technical expertise over me unless you have a VERY secure position.
I fully agree. Employers don't generally win unemployment compensation hearings, even when they are correct. In many cases, the employer has a policy to appeal ANY unemployment claim, just to set up a few additional hoops for the employee to jump through. Most of the time, the employers don't even show up for the hearing. As a result, the state labor department deals with a LOT of junk appeals. Even when the employer shows up, the burden of proof is upon THEM and most of the time, they aren't up to the task.
I know of a guy who was thrown out during some kind of bizarre purge. The company had a change in management and this guy was clearly not part of the plan. So the company tried to cobble together some sort of justification. However, their schedule for firing him did not allow for collecting enough excuses. The purge worked in such a way that the guy's boss had already been let go, so actual facts of the employee's performance were in short supply. What little they had was wrong.
So of course, the employer appeals the unemployment claim. The hearing is held and the employer is absent. After losing by default, THEN the employer appeals to re-open the case. The employee's witnesses are subpoenaed and the day of the second hearing arrives. By this time, the employer has engaged some kind of unemployment compensation management firm to try and win the case. Upon seeing the employee's counter claim and witness list, the consultant tells the judge, "Upon review, this case does not rise to the standard necessary to establish termination for cause. We withdraw our appeal."
Considering how routine these shenanigans are, is it any wonder the employers usually lose?