On Thu, 03 Jul 2008 16:39:11 +0100, Invisible wrote:
> It just annoys me when some manager says "we should do X". And I
> carefully explain "X is a bad idea because of A, B, C, D, E and F". And
> the manager says "...yeah, well, I don't think those are problems". I
> mean, WTF can you say to that??
"Why don't you see those issues as problems?"
Then point-by-point, explain why A is a problem, B is a problem, and so
on. Discuss these points with them, don't just give up because they said
"I don't think that's a problem".
For example, if you point out A is a regulatory problem and they say it's
not, ask them how they would explain that to a government auditor,
because that's part of your job, so you need to be able to explain it -
and if you can't, you'll send the auditor to him instead. Not as a
threat, but because management identified it as a non-issue and you don't
understand why, so you'll have to refer the auditor to someone who *does*
understand why.
Jim
On Thu, 03 Jul 2008 09:24:01 -0700, Darren New wrote:
>> Or when I say "I need to do X", and they say "nah, I don't think that's
>> necessary". Er, well actually, yes it is. But hey, they're not the ones
>> who are going to get screamed at when the auditors can. I am.
>
> Again, "isn't that part of the legal requirements outlined in section
> XYZ of the how-to-make-auditors-like-you manual?"
And then again, you can always take the auditor to them after explaining
to the auditor "Tom here in my management chain doesn't see this as an
issue - perhaps he can explain why better than I can.". Then take the
auditor to see Tom.
Next time, Tom is more likely to give an explanation. Of course, he may
also get mad because Andy brought the auditor to him in the first place,
at which point it's appropriate to say "you didn't answer my questions
about this well enough that I could explain it to the auditor, so how
could I answer the auditor's questions? I can't just make something up."
Maybe Andy should get a job with the auditors instead. <eg>
Jim
> And then again, you can always take the auditor to them after explaining
> to the auditor "Tom here in my management chain doesn't see this as an
> issue - perhaps he can explain why better than I can.". Then take the
> auditor to see Tom.
Not easy when Tom lives on a different continent in a different time
zone. :-P
Auditors are always singularly unimpressed by "well X told me to do it
this way". They expect *me* to realise that this isn't good enough and
*force* the other person to understand this.
> Maybe Andy should get a job with the auditors instead. <eg>
Muhuhuhu!
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
>> Poor decisions are one thing. When you carefully explain why a
>> decision is bad, and you get a reply that says no it isn't - no
>> explanation, just "I think you're wrong" - it's rather irritating.
>
> You can always ask for an explanation.
Well we're not doing that at any other sites, so I don't think it's
necessary.
[Never mind that "other sites" have more than 1 member of IT staff...]
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
On Fri, 04 Jul 2008 09:10:42 +0100, Invisible wrote:
>> And then again, you can always take the auditor to them after
>> explaining to the auditor "Tom here in my management chain doesn't see
>> this as an issue - perhaps he can explain why better than I can.".
>> Then take the auditor to see Tom.
>
> Not easy when Tom lives on a different continent in a different time
> zone. :-P
That's what the phone is for. Or if it's the middle of the night (though
you have managed to call "Tom" in the middle of the night before), give
his number to the auditor along with the time zone offset.
> Auditors are always singularly unimpressed by "well X told me to do it
> this way". They expect *me* to realise that this isn't good enough and
> *force* the other person to understand this.
Auditors understand that often times the person they're talking to
doesn't have the authority to do things the way they want, and if the
orders are coming from above to do things in a way that's not compliant
with the regs, then that needs to be disclosed during the audit.
Otherwise it *is* your ass on the line. It's not about shifting blame,
it's about holding the decision makers responsible for their actions.
That's why audits happen.
>> Maybe Andy should get a job with the auditors instead. <eg>
>
> Muhuhuhu!
You laugh, but that might not be a bad option. You know the regs, you
know what should be done and how it should be done, and you know that it
isn't being done that way. You want your current management to listen to
you? Become *their* auditor.
BTW, you don't have to change jobs to do that. If making sure things are
done in compliance, then you put together a pre-audit audit that goes
over the checklist the auditors will, and do a "dry run". Ask the
questions of your management that the auditors are going to ask you.
Hold them accountable. Then take the results from your own internal
audit and compare to the results of the external audit, put them both in
a report, and send it up the chain and highlight the areas where the
audit result was what you predicted, and outline what needs to change in
order for things to become compliant.
I used to have to do license auditing when I was the customer - we had
auditors from Ernst & Young come in once a year to audit our license
usage for a couple products that I was responsible for. There were times
I was asked to "fudge" the numbers a bit because of a recent layoff (for
example); I did everything up front with the auditors, told them that we
had a layoff but our policy was to retain the user accounts in a disabled
state for 60 days, just in case the employee was rehired (as a means of
preserving their access to resources), but that the vast majority
wouldn't come back. We just couldn't predict which ones would be
rehired. Rather than hide those accounts from the audit, I asked for an
exception. And got it from the vendor.
The auditors commented every year that they appreciated our approach -
they were typically in and out in less than a day. Other customers they
had to spend 3 or 4 days trying to get the audit done, and it was like
pulling teeth. I always figured if I could facilitate the audit and make
it go smoothly, I could get the auditors out of our hair quickly, and I
was right. We never paid for users we weren't using, and everyone was
happy.
I know your audits aren't license audits, so things are a bit different,
but if you work to make it non-confrontational with the auditors, they'll
appreciate it and make your life easier, generally speaking.
Of course there are pricks in every field, and auditing is no different
in that respect.
Jim
On Fri, 04 Jul 2008 09:12:01 +0100, Invisible wrote:
> Well we're not doing that at any other sites, so I don't think it's
> necessary.
"Well, regulation 10.3.723 subsection b, paragraph 6 says it is required
when there's only one IT staffer at the site. Since I'm that person
here, we need to meet that requirement, unless there's an IT staff member
I'm not aware of here - and I don't think that's the case, because I'd
know. Either way, the auditors are going to be looking for compliance
with this regulation, so how do you suggest I answer their questions
about why we're not compliant?"
Jim
>> Well we're not doing that at any other sites, so I don't think it's
>> necessary.
>
> "Well, regulation 10.3.723 subsection b, paragraph 6 says it is required
If only.
The regulations only say that backups have to be taken every day.
If I make too much of a fuss about it, the head IT people will probably
just nominate some random person and promote them to be a member of IT.
(Despite the fact they have no clue what they're doing.) And then I'll
have solved one medium problem and created a large problem...
This is always the worry - rather than do the simple and easy thing that
completely solves the problem, they always want to do something more
complicated that generates new problems. I really hate it!
Still, with a little unauthorised access to centralised systems, I was
able to sort this particular problem out without their help. "The"
sysadmin may be God, but when you have several of them things start to
get... interesting.
(Wasn't there a Pratchett book called "small gods" or something?)
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
On Fri, 04 Jul 2008 10:42:33 +0100, Invisible wrote:
>>> Well we're not doing that at any other sites, so I don't think it's
>>> necessary.
>>
>> "Well, regulation 10.3.723 subsection b, paragraph 6 says it is
>> required
>
> If only.
>
> The regulations only say that backups have to be taken every day.
>
> If I make too much of a fuss about it, the head IT people will probably
> just nominate some random person and promote them to be a member of IT.
> (Despite the fact they have no clue what they're doing.) And then I'll
> have solved one medium problem and created a large problem...
So then you step up pointing out the issue. Has the person been properly
trained? Do the regs require any specific training for the additional
person? What is the financial exposure to the company if the audit is
failed because of inadequate training, or if the backups fail and
critical data is lost?
> This is always the worry - rather than do the simple and easy thing that
> completely solves the problem, they always want to do something more
> complicated that generates new problems. I really hate it!
It's sometimes hard to do, but don't worry about what might be. You can
spend years thinking up worst-case "what if" scenarios and let that
prevent you from solving an immediate problem. Deal with the problems
you have, not with the problems that might be.
And on that note (and pardon the total non sequitur here), I realise I
have to take my own advice here so I *can* get some sleep. (Without
getting into details, I learned about a potential really really bad
health issue today in my family, but there hasn't been a diagnosis yet,
but I've been worried absolutely sick about it all night = dealing with a
problem that *might* be, rather than waiting for a diagnosis to be made
by a qualified doctor. Yes, it's time I take my own advice on this one.)
> Still, with a little unauthorised access to centralised systems, I was
> able to sort this particular problem out without their help. "The"
> sysadmin may be God, but when you have several of them things start to
> get... interesting.
Yep, they do. Especially in a distributed environment. There are
certain operations that require centralised control. The trick is in
knowing which ones are.
Be careful about using unauthorised access, though - it can bite you in
the ass if things go wrong.
> (Wasn't there a Pratchett book called "small gods" or something?)
Might've been.
Jim
Invisible wrote:
> It just annoys me when some manager says "we should do X". And I
> carefully explain "X is a bad idea because of A, B, C, D, E and F". And
> the manager says "...yeah, well, I don't think those are problems". I
> mean, WTF can you say to that??
>
> Poor decisions are one thing. When you carefully explain why a decision
> is bad, and you get a reply that says no it isn't - no explanation,
> just "I think you're wrong" - it's rather irritating.
>
> Or when I say "I need to do X", and they say "nah, I don't think that's
> necessary". Er, well actually, yes it is. But hey, they're not the ones
> who are going to get screamed at when the auditors can. I am.
>
As I read the posts it occurred to me that there is another aspect of
the situation.
How are you perceived at being able to do your job?
This isn't about your actual capabilities, it is what you are able to
project to the manager.
If your manager sees you as young, immature, or unconfident, he may
dismiss your expert views.
If your manager sees you as smart and confident your wildest suggestions
may be taken without question.
I know I struggle with this.
Tom
Tom Austin wrote:
> How are you perceived at being able to do your job?
>
> This isn't about your actual capabilities, it is what you are able to
> project to the manager.
That's probably it, you know.
The current set of IT managers are less egocentric than their
predecessors, but still tend to ignore any outside input - a kind of
"I'm the expert, I know best" attitude. Who knows, maybe that's how they
got to be put at the top? Non-experts can't tell how good they "really"
are, only how confident they seem...
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*