No exceptions? I wish
I read Chief’s posting about policy exceptions yesterday and it really struck a chord with me. I wish it really was as easy as just saying no, but the reality is, business unit managers usually get what they want, unless you can prove that it’s a danger. And even then, many businesses are willing to take risks they don’t fully understand in order to get the job done.
Several years ago I was working at a large business helping implement the IDS installation. We’d installed a set of Snort boxes and were getting good data when the company had a nasty virus outbreak. We tried to contain it, but every time we thought we had it under control, a new set of systems would become infected. Every system that we had control over was patched, but somehow the malicious traffic continued to escalate.
Eventually we tracked down the responsible machines, a set of systems that were designated to print and process checks. The systems were maintained by a third party and not only didn’t have the required anti-virus, they were more than a few patch cycles out of date. They had been installed, despite warnings from security, and this was the result. We had to take them off the network for several days while this was straightened out. If you’ve ever worked for a company that processes thousands of checks a day, you know this is not something you want to have to tell senior management.
I hate playing cleanup for other people’s mistakes and I hate having to say “I told you so”. But too often that’s the position we’re placed in as security professionals. I think we’re getting better at explaining the risks overall, but we still have room to improve.
Technorati Tags: security, mckeay