Monday, 2 November 2009

Structuring a Security Policy - Part 3

A final brief note to this discussion of IT security policies is to encourage the writers of policies to do something which could be seen as making a rod for their own backs: introducing specific, contractual penalties for infosec staff who fail to abide by the terms of the security policy by doing quick favours. Quick favours are generally requested by senior managers, are frequently for things which would not be allowed under the security policy anyway, and are easily overlooked when they should be tidied up afterwards (for example, a temporary account or access right that is never revoked).

Telling a (non-IT) manager that they cannot be given the password to a user account because that is poor practice won't be terribly effective; telling them that handing over the password would result in an automatic written warning for the member of staff is much more persuasive. Having a concrete, personal downside that IT staff can point to is a real advantage when it comes to negotiating with power.
