> This is something of a bureaucratic question for the policy wonks out there.
> Which, of course, brings me to my question:
> Do your responsibilities as 'the network guy' or 'the security
> guy' extend this far? Do you have the authority to deliver an
> administrative (read: personnel file) reprimand to users who
> ignore your policies/procedures?
> Should such authority be part of a developing firewall policy? It's
> often been said, in this forum, that the technology is only half the
> battle; the *people* are the other half. Frankly, I should want some
> sort of recourse for the person who insists on a clandestine modem,
> mucking with his config, et cetera...
In my experience, things are rarely cut and dried in the way you
describe them. Policy needs procedures, standards, and implementation
to back it up. These in turn require proper training, education,
testing, detection, and response in order to assure that the reality
meets the theory. In a properly set-up protection environment, these
sorts of events don't happen except in rare circumstances, and in those
rare cases, there is a management procedure developed to deal with it.
> Given that our responsibilities as 'network folks' span the bureaucratic
> maze, affecting virtually every department of our organizations, it would
> seem that we need some authority that crosses those borders.
In a well-designed organizational environment, protection
management exists at the top levels of the organization, and there are
channels for crossing any boundaries.
> Of course, we could always just cut off that segment of the network until
> the recalcitrant user sees the light (or has it shown to him). 8)
That would work too, for a few minutes, and then you might get fired.
> Many people may fail at each step to some degree because they are working
> with inadequate budgets or don't know how to measure cost and price. They may
> also have inadequate authority.
For protection to be effective in an organization, it must be built into the
way the organization as a whole operates.
> The most common failing is in maintaining a system after it has been installed.
> There are many possible reasons for this, but the most common one is that
> the person charged with the nominal responsibility does not have the time to
> monitor or the power to ENFORCE. In many cases that lack of personal power
> is made more dangerous because there is no clear reporting route to someone
> who does have the power.
In my personal experience, protection more often fails because the
person who manages the network got the job by being the person who did
backups of the server before the previous network administrator left.
My interpretation of both of these examples is a lack of adequate
understanding and attention by management. It seems pretty clear that
without adequate understanding and attention by management, any
component of an enterprise is likely to fail - whether it be information
protection or manufacturing. The solution is to help management better
understand the issues so that they can make more enlightened decisions.