Work Review issue

By IH8Spyware
I'm a Network Security Guy (Analyst actually). I have a couple different security certifications, and believe that this training, along with a voracious appetite for security research/reading, has given me the knowledge needed to make good security-related decisions.

Early last year, while I was integrating several IDS sensors into our network, I told my management that in order to be successful with the IDS deployment, we would need good corporate-wide policy to support it. I had been pitching the idea of a Security Policy for a couple years, with no results. So when they agreed to let me make a draft, I felt I was finally making some headway. I took about a month, used the SANS template for an Appropriate Use policy as a starting point, ran it through some peer reviews, and then submitted it to my management for their review. When I did this, I made sure to point out that the document was a starting point and by no means final, but was based on best practice. I never got any feedback from them (and yes, I asked), although I know that it was made available to the CIO, who did not care for it. (This company has always treated "policy" like a four-letter word.)

Jump ahead, several months. My annual review comes up. In this review, it is stated that the policies that I submitted were "short sighted" and inappropriate for the company. I was told by my boss that both he and the head of the department had worked on this section. I was a bit miffed, to put it mildly. I indicated that the policy I presented was based on best practice, and had input from numerous security practitioners. At that point I was told that they would re-write that section. I've since confirmed that this was never done.

Jump again; almost a year after I first submitted the Appropriate Use policy for management review. I've since given up on trying to write policy, although I still kept mentioning the need for it. Now, my boss suddenly requests a meeting with a colleague (also a "need for policy" supporter) and me, regarding the Appropriate Use Policy he has been tasked with writing. In this meeting, he presents the policy document I presented as his baseline. The same one that he called short sighted and inappropriate! He also indicates that he has apparently done some on-line searches and much research, and has found that the document I presented was exactly what the company has needed. I was surprised at this admission, as it flew in the face of what he wrote in my review several months earlier.

Jump ahead again, to present day. I'm again due for my annual review. The policy document has had the wording changed, but the basic "feel" of the policy is still the same as the one I originally presented nearly a year and a half prior.

My issue is this: my boss is going to get credit for getting this policy in place (someday). I'm actually fine with that, as A) I'm actively job searching, and B) at the end of the day, the goal is to improve the security posture of the company, which this document will help do. What is bothering me is that this document is still largely my original submission, which is noted in my HR records as having been short sighted. Do I bring this up in this year's review, or just let it go since my intent is to change jobs? I'm not averse to staying with the company, just not with this department.

I appreciate any and all input on this.
