What Are You Doing Right Now

wirestyle22

@scottalanmiller said in What Are You Doing Right Now:

@wirestyle22 said in What Are You Doing Right Now:

@scottalanmiller said in What Are You Doing Right Now:

@BRRABill said in What Are You Doing Right Now:

If the boss said "hey erase all the files on the network" I'd definitely question and fight, and perhaps ultimately never do it and quit first.

What employee logic leads to that?

What logic leads to employees having logic?

Given that that is the primary value in an IT employee....

Only if they listen to you. If they don't listen you have virtually no value

scottalanmiller

@BRRABill said in What Are You Doing Right Now:

In THAT particular situation, you are correct. I am arguing against the concept that IT should never question orders or raise concerns.

A security audit is a very specific thing. Trying to hold back security information from an audit... it's a bit ridiculous. There are concerns, but I addressed concerns. Now it is questioning the CEO's decision to question IT. That's quite the thing to question.

scottalanmiller

@wirestyle22 said in What Are You Doing Right Now:

@scottalanmiller said in What Are You Doing Right Now:

@wirestyle22 said in What Are You Doing Right Now:

@scottalanmiller said in What Are You Doing Right Now:

@BRRABill said in What Are You Doing Right Now:

If the boss said "hey erase all the files on the network" I'd definitely question and fight, and perhaps ultimately never do it and quit first.

What employee logic leads to that?

What logic leads to employees having logic?

Given that that is the primary value in an IT employee....

Only if they listen to you. If they don't listen you have virtually no value

Actually not quite. There is still value in employees that do their job. The issue here is that emotions can make IT not even do the job that they are required to do!

NerdyDad

Have to keep perspective that IT is to Support the Business, not be the Business. If there is a request by a 3rd party for additional security information, then all we can do is verify the request by the CEO. Anything else past that, and we're being insubordinate. We need to assume that the CEO has vetted the 3rd party and that the 3rd party will properly keep our information safe, secured, and not to use it maliciously.

EddieJennings

We had a curious situation of bringing in some auditor for accounting stuff, which included having to answer questions about our network (password policies, what applications are run on what servers, who supports them, NFTS permission settings). I was also given a template for the expected answers, which was basically answers from another company they've audited -- I can't remember whether or not the name of the company was on the template. I thought it was a bit odd to for that information to be needed, so I raised the question with the CEO. Once I knew the CEO was aware this information was being requested, I shut my trap and completed the documentation.

EddieJennings

@travisdh1 @scottalanmiller In restrospect, I could've probably been smoother in voicing my concern. I wasn't reprimanded, but it made me finally accept that my job really isn't to protect our network from the company, but rather do the company's bidding to the network.

RojoLoco

I think verifying with the CEO is important to IT because if the auditor does do something shady, like pwn your whole network, then IT gets to do the cleanup (and take the blame sometimes, because what CEO will admit they did something wrong?). I don't see any issue with making sure the C-levels are aware and on board before you just hand over info to some outsider.

scottalanmiller

@RojoLoco said in What Are You Doing Right Now:

I think verifying with the CEO is important to IT because if the auditor does do something shady, like pwn your whole network, then IT gets to do the cleanup (and take the blame sometimes, because what CEO will admit they did something wrong?). I don't see any issue with making sure the C-levels are aware and on board before you just hand over info to some outsider.

And I said that... that confirming that the audit was real and really authorized. I even mentioned handing the "hot potato" documents up the chain to be handed over to ensure that someone closer to the relationship did the hand over.

NerdyDad

@scottalanmiller said in What Are You Doing Right Now:

@RojoLoco said in What Are You Doing Right Now:

I think verifying with the CEO is important to IT because if the auditor does do something shady, like pwn your whole network, then IT gets to do the cleanup (and take the blame sometimes, because what CEO will admit they did something wrong?). I don't see any issue with making sure the C-levels are aware and on board before you just hand over info to some outsider.

And I said that... that confirming that the audit was real and really authorized. I even mentioned handing the "hot potato" documents up the chain to be handed over to ensure that someone closer to the relationship did the hand over.

At least to include the higher ups in the hand over, in something such as an email or a meeting or something.

Dashrender

If you are afraid of an audit, then you probably shouldn't work there.

DustinB3403

@Dashrender said in What Are You Doing Right Now:

If you are afraid of an audit, then you probably shouldn't work there.

That's kind of a bad mindset isn't it?

No one willfully wants to go through an audit, but people plan for it and do it.

Just because one is afraid of the audit, doesn't mean they are doing something wrong or illegal. Maybe they just have super poor documentation.

scottalanmiller

@Dashrender said in What Are You Doing Right Now:

If you are afraid of an audit, then you probably shouldn't work there.

I agree. Although the OP doesn't see to be afraid of the audit in a general sense. Just this one part of it. It's a weird part, IMHO. Like it feels like one of the most obvious things that they would need AND very benign.

scottalanmiller

@DustinB3403 said in What Are You Doing Right Now:

No one willfully wants to go through an audit, but people plan for it and do it.

Sure we do. Good departments should want audited.

President of Brasil literally demanded he be audited yesterday!

scottalanmiller

@DustinB3403 said in What Are You Doing Right Now:

Just because one is afraid of the audit, doesn't mean they are doing something wrong or illegal. Maybe they just have super poor documentation.

Isn't poor docs doing something wrong

DustinB3403

@scottalanmiller said in What Are You Doing Right Now:

Isn't poor docs doing something wrong

Not if you've just started with the business. I'm on a month at my new job, and would hate having to go through an audit right now as I'm working to get things cleaned up, organized and documented.

@scottalanmiller said in What Are You Doing Right Now:

Sure we do. Good departments should want audited.

President of Brasil literally demanded he be audited yesterday!

No you don't, you'll schedule it at will, not be blind sided by an audit. This is completely different than what is described.

EddieJennings

@Dashrender said in What Are You Doing Right Now:

If you are afraid of an audit, then you probably shouldn't work there.

I actually (despite my griping) liked having a SAM license engagement one time. It gave weight to my "f0 r3@lz, properly licensing software matters."

scottalanmiller

@DustinB3403 said in What Are You Doing Right Now:

@scottalanmiller said in What Are You Doing Right Now:

Isn't poor docs doing something wrong

Not if you've just started with the business. I'm on a month at my new job, and would hate having to go through an audit right now as I'm working to get things cleaned up, organized and documented.

But in that case, you'd not care that you were audited, either.

scottalanmiller

@DustinB3403 said in What Are You Doing Right Now:

No you don't, you'll schedule it at will, not be blind sided by an audit. This is completely different than what is described.

Did he get blindsided? I didn't notice that part.

DustinB3403

@scottalanmiller said in What Are You Doing Right Now:

@DustinB3403 said in What Are You Doing Right Now:

@scottalanmiller said in What Are You Doing Right Now:

Isn't poor docs doing something wrong

Not if you've just started with the business. I'm on a month at my new job, and would hate having to go through an audit right now as I'm working to get things cleaned up, organized and documented.

But in that case, you'd not care that you were audited, either.

While true, I still wouldn't want to have to go through an audit.

Dashrender

@DustinB3403 said in What Are You Doing Right Now:

@scottalanmiller said in What Are You Doing Right Now:

Isn't poor docs doing something wrong

Not if you've just started with the business. I'm on a month at my new job, and would hate having to go through an audit right now as I'm working to get things cleaned up, organized and documented.

@scottalanmiller said in What Are You Doing Right Now:

Sure we do. Good departments should want audited.

President of Brasil literally demanded he be audited yesterday!

No you don't, you'll schedule it at will, not be blind sided by an audit. This is completely different than what is described.

in your case I would want an audit on day one. Someone else to show the bosses the state of the system before you took over. then audited again later to show how things have improved.