Bennett Todd wrote:
> >[...] if anybody is going to be held accountable IN ADDITION TO THE
> >CRACKER it should not be the sysadmin. It should be those in senior
> >management (or the equivalent for the military or other organizations).
> >It is rarely a matter of lazy sysadmins but lack of commitment of
> >resources and/or a lack of training to produce skilled people to be
> >responsible for implementing security mechanisms.
> I'd say instead that the burglar should be held accountable. So
> should the Systems Admin. Not to worry; that's the norm in ordinary
> organizations (though for all I know it may not be in e.g. the
> military). If my systems get broken in to I will be held responsible.
I agree to some extent. The sysadmin should be held responsible *for taking
precautions in line with current practices*. There's a tension here which
needs to be
On the one hand, we would like for IT professionals to truly be
"professional", which implies
that they should bear responsibility for the resources under their control.
On the other hand, we must recognize that many organizations - including
many who proudly
call their IT staff "professionals" - are not ready to treat them as such
and, in any event, must
also bear some responsiblity if only for selection of the front line
The real world compels us to also take notice that job mobility is neither
immediate nor perfect.
I would like to think that someone who takes the title "professional"
seriously would take
(drastic if necessary) steps to protect the assets of an organization or to
deselect himself from
that organization. Making a reasonable statement of responsibility for
sysadmins can encourage
this; making a blanket statement only puts them in a no-win situation.
fn: Mike Jones
org: Unified Technologies
email;internet: mike .
title: Senior Technology Advisor