(no subject)
Jul. 13th, 2005 06:09 pm

Customer service != giving the customer whatever they want, just to keep them happy.
Security, especially information security, should not be driven by a customer service ethic.
Another way to put this is that, from a security standpoint, customer service is best delivered when security 'best practices' are followed, not when broken, loose security policies are implemented to appease customers worrying about extreme what-if scenarios that affect the immediate availability of their information.
When policy mandates that a sysadmin must deny access to a user, it may be done in a polite fashion. This is the correct implementation of customer service-oriented security. A polite deny, and a reference to the proper channel to obtain clearance is first class customer service-oriented security.
If they persist and still have not gone through the proper channels, a firm no may be appropriate. Wasting the IT professional's valuable time detracts from their ability to deliver value to the customer in other respects.
The unavailability of the proper channel is not the problem of the system administrator, nor is it a hole in the security policy.
Customer service values do NOT dictate that you grant access to an unauthorized user because they say they need it and "it's an emergency". That's a possible vector for social engineering exploits and thus not a security "best practice".
- Customers often ask for contradictory things.
- Customers often don't know what's best for them. That's why they hire someone else to do it.
- If you do everything a customer wants, you'll go out of business. Customers want everything, and they want it for free.
no subject
Date: 2005-07-14 05:15 pm (UTC)

Just today, I was asked to follow up on a request by my caller. It was a request to automatically forward e-mail addressed to one user's mailbox (out on medical leave) to another user's mailbox who was filling in for them.
1. Company policy expressly forbids auto-forwarding of e-mail to ANYWHERE.
B. Company policy expressly forbids accessing another user's account/e-mail unless a security waiver has been filed by said employee's manager.
The really stupid part of this wholly laughable and ridiculous scenario? A "seasoned" help desk analyst actually opened the request! Assigned it to the e-mail team. I told the client this was never going to happen, cancelled the request, and politely referred her to the aforementioned waiver form. And I had to apologize for the incompetence of my "peer."
People suck.
People who can't do their jobs properly suck more.
People who can't do their jobs properly, forcing me to clean up after them time and again, making me and my organization look bad, and exposing us to security breaches get a one-way ticket to the House of Pain with a glowing imprint of my booted foot in their ass.