Slashdot Mirror


User: Fatchap

Fatchap's activity in the archive.

Stories: 0
Comments: 124

Comments · 124

  1. Re:How To Stop Terrorism on Human Nature Trumps Homeland Security · · Score: 1

    Dons Flameproof suit and lights blue touch paper
    Since the US is essentially funding a terrorist state in Israel does your thinking not excuse all of Bin Laden and Al Qaeda's work so far?
    Walks away whistling

  2. Re:How To Stop Terrorism on Human Nature Trumps Homeland Security · · Score: 2, Insightful

    The only way to be secure against terror is to destroy it at its roots -- and that means seriously debilitating the governments that are paying for it.

    Since the US government were the backers of the Taliban and their far right fundamentalist Muslim freedom fighters in their war of terror against the invading Soviet army in Afghanistan does that not mean that the Pope would have an excuse for declaring a crusade against the US?

  3. Re:Most users are experts at being idiots on IT Departments Fear Growing Expertise of Users · · Score: 1

    My point is that if it is not your responsibility or mandate to evaluate and deploy IT assets you alter the risk profile of your organisation when you do so. If nothing else you are increasing the risk that IT continue to invest in unsuitable technology and that incompetence is being rewarded.

    Having said that, you may be altering it in a positive or negative way. However too much either way is a bad thing, yes it is easy to say (if somewhat naively) Apache is inherently more secure than ISS, but are you wasting resource securing assets that the organisation does not value enough to warrant the investment? There is no such thing as complete security, it has to be a trade off, you obviously feel that the IT department trade ease of support and comfort with the familiar technology. In most organisations, possibly not yours, it is up to the executive to assess and manage risk, whether it be of an investment, of financial misstatement or of IT security breach. Would they be happy knowing you are trading engineering effort (presumably what you are all paid to do) with managing IT solutions (which they presumably pay IT to do)?

    If investors want to be reassured, they should hire competent people, otherwise they are simply being given false assurances and that isn't good for anyone.

    I agree but simply bypassing them is not a viable long-term solution. Eventually in most cases it leads to the situations you describe where people are making decisions without understanding the implications. Competency is required at all levels, management, IT, engineering and in assurance (either internal or external).

    To be honest it sounds to me like there is weak leadership in your department who are unable to present their case for better IT support to IT and upper management. Good luck, I have seen it several times before, the first time I was too slow to realise what was happening and ended up being made redundant, along with most of the rest of the engineering force. If nothing else someone should be explaining why IT is a cost centre and not a service centre to Snr Management.

  4. Re:Most users are experts at being idiots on IT Departments Fear Growing Expertise of Users · · Score: 1

    I think you are right to a degree, if I was your CIO I would fire you before someone gave you my job.

    I do think you have introduced more risks (in terms of the number of risks rather than the aggregate risk overall) they may be lower risks than the ones your IT department expose the organisation to, and they may very well be risks that your company is willing to take.
    For example: before you deployed your wiki (assuming, for the sake of argument, that it was the first thing deployed) what was the risk to your organisation of an Apache vulnerability being discovered (assuming that it is not used by your IT department as you implied)? The answer is none, now the risk is that the sensitive information may be disclosed. You may even be managing the risk by patching it quickly and segmenting the network, but the risk is not eliminated.

    My real issue however is that the owners of your company (either directly or through shareholders' abilities around appointing executive officers) have given a mandate to the IT department to manage IT assets and normally this includes management of IT risks. Either intuitively or through formal assessment the IT department has a view that the risk profile is based around their infrastructure, while you and your department are deploying technology outside of that. How are the owners, investors and customers supposed to get comfort that as an organisation risks are being managed appropriately?

  5. Re:Most users are experts at being idiots on IT Departments Fear Growing Expertise of Users · · Score: 1

    I guess it is a question of whether two wrongs make a right.

    You sound like you have an IT department that is run by the muppets (wrong 1)

    Your team then go and implement IT solutions that are outside of your mandate and that do not follow corporate standards or processes (wrong 2)

    Have you and your guys introduced more risk to the business because of your actions? Almost certainly, you are now using IT technology that is not supported in any way and will not be covered under any company wide security or business continuity function. Are these risks acceptable? Possibly, however I doubt you can substantiate that without being part of a corporate risk assessment, which you can't do when flying below the radar.

    Your example is slightly different because you are working in a network engineering company so your "users" would be slightly different from many organisations. The chances of one of you guys thinking that clicking on dodgyexploitedsite.com is quite low when compared to Marge in accounts at the local insurance company.

    Still if I was CIO / CSO I would fire your asses! :-)

  6. Most users are experts at being idiots on IT Departments Fear Growing Expertise of Users · · Score: 2, Insightful

    Quote from the article:

    According to Pew, 42 percent of Internet users download programs, 37 percent use instant messaging, 27 percent have used the Internet to share files, and 25 percent access the Internet through a wireless device. (And these numbers are all one or two years old. Rainie "would bet the ranch" that the current numbers are higher.)

    Quote from Vint Cerf:

    ...approximately 600 million computers are connected to the Internet, and that 150 million of them might be participants in a botnet--nearly all of them unwilling victims. (http://arstechnica.com/news.ars/post/20070125-8707.html)

    Yep as a CIO / CSO I would really be an idiot not to let my users do exactly what they do at home wouldn't I!!

    The simple fact is most users think they know what they are doing, but they lack the skills to adequately assess the risks of their actions. That is why they need to have rules around acceptable use and security policies to protect them from their own idiocy.

  7. Re:No on Will World Cup Streaming Cause Internet Meltdown? · · Score: 1

    They tried moving about 70 years ago, did not go well.

  8. Re:No on Will World Cup Streaming Cause Internet Meltdown? · · Score: 1

    But as the games are on in the afternoon most people will not be able to simply watch it on TV or in a pub because they will be at work. And what is the best means of wasting time at work? The Internet hence why most people in Europe will be streaming the games. Especially since the BBC will be streaming it directly.

    As for actually getting a ticket you are joking right? Do you think people can just nip over to Germany for the game, buy a ticket, watch the game and get back in time for tea?

  9. Re:No on Will World Cup Streaming Cause Internet Meltdown? · · Score: 5, Insightful

    Because America is the only place that has this "Internet" right?

  10. Re:and the error rate before the computer age.... on Errors in Spreadsheets are Pandemic · · Score: 1

    Oh Man, how did I miss that reference? Mod me as dumbass ;-)

  11. Re:and the error rate before the computer age.... on Errors in Spreadsheets are Pandemic · · Score: 1

    Oh man, how did I miss that reference, mod me down as dumbass ;-)

  12. Re:Accountability on Errors in Spreadsheets are Pandemic · · Score: 1

    So actually it is the rules and policies that are important not the software or the digital signatures you use.

  13. Re:and the error rate before the computer age.... on Errors in Spreadsheets are Pandemic · · Score: 1

    Why can't they use a search engine?

  14. Re:Warning: Shameless self plug on Errors in Spreadsheets are Pandemic · · Score: 1

    Actually I think the first step is understanding what the problem is and then working out how you can fix it. If you have the right tools in place first it is normally down to luck. More times than not you end up with a hammer looking for a nail to bang in when a screw would work better.

    You don't need a DMS for this, you just need to look at the spreadsheets, analyse the logic and lock down the cells with formulae in. Then you need to restrict the access to it, only allowing authorised people to save changes to the data part of it. It can all be done within Excel and Windows.

  15. Re:Accountability on Errors in Spreadsheets are Pandemic · · Score: 1

    That is fine until someone in finance creates another spreadsheet in Excel that contributes to the financial statement and they don't enter it into the version controlled document management system. Then you are in trouble!

  16. Re:and the error rate before the computer age.... on Errors in Spreadsheets are Pandemic · · Score: 2, Informative

    Here's why: Section 404 of The Sarbanes Oxley Act.

    Requires each annual report of an issuer to contain an "internal control report", which shall:

    (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

    (2) contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

    Each issuer's auditor shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this section shall be in accordance with standards for attestation engagements issued or adopted by the Board. An attestation engagement shall not be the subject of a separate engagement.

    In a nutshell if you are covered by the Act (basically you have any debt raised in the US or are listed on a US Exchange), you will need to have an external audit sign off on your internal controls around your financial statement. This means you are asking an auditor (normally very risk-averse people) to say that you have a good set of internal controls, including all your IT applications, including any spreadsheets you use. With a large ERP such as SAP you can create good controls, such as access controls like segregating duties, relatively easily. With a spreadsheet this can be very hard. How do you have a good, testable control in this area? If you don't have a testable control how can you expect your auditor to sign off on it? If your auditor can't sign off on it then you are really in trouble!

  17. Re:Fragile Internet? No... on BlueSecurity Fall-Out Reveals Larger Problem · · Score: 2, Insightful

    If you did that nobody would be able to email from home unless they passed. As having a system turned into a bot could happen anytime this would have to be an ongoing process. I can't see how that would work in reality.

  18. Re:Fight your own battles. on Tech Workers of the World Unite? · · Score: 1

    Most are delusional. I am not a programmer though.

  19. Re:Fight your own battles. on Tech Workers of the World Unite? · · Score: 1

    abuse of salaried staff, poor medical coverage/leave for RSI-type injuries, crappy vacation plans with constant on-call status... (what do you mean you're at the beach? the server's down!!)

    Here is a better solution than joining a union, find another job. One without the boss from office space. They do exist.

    If your situation was unionised you would not be allowed to fix the server until Monday morning no matter if you wanted to or not. Everyone would wait until the union said it was ok and the company suffers.

  20. Re:Fight your own battles. on Tech Workers of the World Unite? · · Score: 2, Interesting

    A union artificially levels things because it is based on the premise that all people are equal and so deserve equal reward. I don't agree with that, if I am better I want to do better, if I am worse then I should get less, until I find my place in the world.

    Just because I am part of a union does not mean I won't get laid off. See the miners in the UK during the 80s. The union did not help them, their jobs were no longer needed so they had to go.

  21. Re:Union: No thanks on Tech Workers of the World Unite? · · Score: 1

    Well said that poster

  22. Re:Fight your own battles. on Tech Workers of the World Unite? · · Score: 4, Insightful

    Why would I want the playing field artificially leveled? My playing field greatly favors me because I am better at my job than most people. A collective bargaining agreement would end that advantage. I could only do as well as anyone else.

    Unions are great at representing manual workers who perform repetitive tasks and who have a very horizontal organisation structure. If there are 100 people on your production line reporting to one supervisor even if you churn out more gizmos than anyone else you do not stand much of a chance at becoming the supervisor. Hence why it is in your interest to bargain collectively and have all of your standards raised.

    If on the other hand your job involves a high level of innovation and mental agility these attributes may well contribute to you rising through an organisation. Such organisations are often far more vertical in structure. In this case, it is unlikely that you would benefit from collective bargaining where the curve is straightened out.

  23. All aboard the Road Show on America's War on the Web · · Score: 1, Funny

    FTFA: The plans include
    the establishment of "Humanitarian Road Shows", which will talk up American support for democracy and freedom.

    First stop Guantanamo Bay! For more info see http://web.amnesty.org/report2003/usa-summary-eng

  24. Have I missed something? on World's Most Expensive Mp3 Player · · Score: 3, Insightful

    How much does it cost? Or does the fact that I am asking mean I can't afford it?

  25. Completely Agree on Sid Meier On Industry State · · Score: 1

    From TFA "You shouldn't think in terms of competition; the only bad thing for the industry is a bad game."

    I totally agree, if there are two great games released in a month I will buy two games that month, if all the games look rubbish I won't bother getting my money out. If only more of the entertainment industry would think like this everyone would be happier!