General discussion


What to do with an IS Officer who always says NO?

By nosense
"Availability vs Security" OR "Security vs Availability". To be or not to be... All or nothing...

Here is the dilemma: When everybody in an IT department is taken hostage by a single (!) junior (!) Information Security Officer (already a bad practice, but let's admit it exists in many companies) who decides to go wild and act as the sole person responsible for approval (in fact disapproval) of each IT decision, interferes with the IT services and operations, starts policing all IT work, and knows only the word "NO", what do you do? What are your options? He indeed does his work "well" compared to the "poor performances" of his colleagues from the IT department! Furthermore, he reports directly to the company CEO!

Let's see who will take this challenge. Some good references are also welcome.


All Comments


pull the

by Jaqui In reply to What to do with an IS Off ...

twit into a board meeting and point to him.
"This is the person that is causing the problems with network service. He won't let service happen for 'security' reasons. If you want the network to allow people to accomplish something, deal with this twit so the rest of the IT staff can do what you are paying them to."

then walk out.


Here we go, then..

by gadgetgirl In reply to What to do with an IS Off ...

First of all, yes, you're right, there shouldn't be one single JUNIOR officer, but it happens. So from the top, here goes...

1. Why does he have sole responsibility for approval? Who gave him that remit? Is it in writing? Does it contravene any of the company policies? Does he have his own budget? (Here, he would technically be unable to have singular approval if not a budget holder)

2. Can he justify his disapproval? Do you get this in writing? Is it technically correct? (you can check this just by doing a bit of research, or asking on the Tech Q & A board)

3. Has it been explained to him (in words of one syllable) that he's affecting operations? If so, what was his reply?

4. What gives him the right to police all IT work? Has this been delegated to him? Ask for proof again.

As for reporting directly to the CEO - well, in certain (well justified) circumstances, that is feasible, but surely he should be reporting to at least his line manager as well (unless he's related in some way to the CEO. It has happened!)

If he's a junior member of staff, I'm very concerned that he will not be totally in tune with the legal side of what he's doing, or may only have a brief overview. Here in the UK the laws are extremely strict on what you may or may not do as regards monitoring, and to collect evidence, you DEFINITELY have to know what you're up against so as not to be thrown out of Court.

I'd definitely say your first stop is policies and procedures, because if he's contravening any of those (i.e. Acting Up Procedure) you can successfully shoot him down in flames at the first hurdle.

If he's the best worker in the IT department, I have to ask if by doing this he thinks he's making himself indispensable?...

Comments, nosense?

GG
