Dave,
Here's new topic we could discuss.
Top down versus bottom up management in the field of information security.
I had one success with a Fortune 500 company (sort of). I worked there
Security Admin. for corporate IT. I was concerned that they did not have
adequate wireless security. I talked and talked, even wrote papers
explaining why we needed to have a WPA with EAP TLSor TTLS, a Wi-Fi IDS/IPS,
centralized management of the APs and warning banner for WiFi users who
assocaiated or attempted to associate to our airspace. Static WEP is not
enough.
Naturally I was ignored. Then one day a systems engineer found a rogue peer
to peer session broadcasting in our airspace on the wing opposite mine and
notified management. After that, the VP of IT allowed me to begin
implementation of my reccomendations. :>
I am sure there are many interesting stories that can be told by CISSPs and
security professionals who were listened to or ignored.
I also had a major failure with this same company when I tried to get them
to institute pro-active, scheduled, in-house external/internal vulnerability
assessments.
Later, while studying for my CISSP, I read that Security Management is
supposed to be championed by Senior Management. Oops! Now I know why what I
was doing (bottom-up security evangelism) felt like I was banging my head
against a brick wall.
Live and learn.
Henry
Yahoo! Groups Links
<*> To visit your group on the web, go to:
http://groups.yahoo.com/group/CISSP-Discuss/
<*> To unsubscribe from this group, send an email to:
CISSP-Discuss-unsubscribe@yahoogroups.com
<*> Your use of Yahoo! Groups is subject to:
http://docs.yahoo.com/info/terms/
