Lax security within department 2

[jellybeenz]

I recently began working for a mid-sized company as a programmer/analyst. My duties also include some system administration and my boss, who is the controller, has indicated that eventually I would be put in charge of all technical aspects of the IT department. The other IT staff consists of the MIS manager who is self-taught and is not really up to speed on security best practices. I don't report to him, but I do need to work with him. My problem is this: There are several security holes, including default user passwords and users with *ALLOBJ authority. I need to inform my boss of these issues in order to begin making some necessary changes. How do I do this without looking like I'm running this other guy down? He doesn't really have an IT background and is doing his best, he just is not very cognizant of security.

 

[SgtB]

Inform this other mgr of the holes, and most importantly, educate him on the subject.
Then go to the big wig, and say "MIS mgr guy and myself have been discussing some issues here on the network, and would like to make these changes."
________________________________________
Check out

http://www.security-forums.com

 

[pansophic]

You need to be ready to help this MIS mgr implement the changes as well. Frequently I run into mgrs who won't implement security changes because a) they don't know what affect it may have, and b) they don't have enough time to find out.

Be willing to help him define roles, so that people get access to the areas that they need, while blocking the *ALLOBJ access. And have reasonable guidelines for password construction rules, and be willing to show the mgr how to implement them.

Sometimes, if you are willing to share the burden of troubleshooting issues with the implementation, people are willing to listen a little harder.
pansophic