
Where do you draw the line ......


    Ok, here's the situation. Contracting to a large outsourcing company, supporting one of their customers. For one of the projects I designed a multi-tiered DMZ infrastructure for a new fancy web channel. All nice and as secure as it could be on the given budget. The end client co has now made requests to access said server infrastructure in non-secure (and very stupid) ways that will turn my nice secure setup into a colander: accessible from everywhere inside client co and from remote VPN connections without restrictions.

    This is something I know is stupid, the people here know it's stupid, even some of the managers at the client co know it's stupid, but still they are persisting. The manager in question doesn't want the bother of hopping from another controlled (jump-off) server (apparently that takes too long!!!!!!)

    Hence my question in the title .... Where do you draw the line?

    Do you refuse to do the work and argue till you're blue in the face (aren't we supposed to be the experts??), or just simply go ahead and do something you know will no doubt come back to bite you in a matter of weeks.
    It is better to be silent and thought a fool, than to open one's mouth and remove all doubt.

    #2
    Write an email to the requesting manager with the following sections.

    1. Replay his request and ask for clear clarification that it's exactly what he wants.
    2. Outline what the infrastructure was developed and built for, in clear and simple terms.
    3. Outline the implications of the change request; be factual and not emotional.
    4. Request confirmation that the change request is in fact what is required, given section 3.

    It's the client's infrastructure, and if he puts in writing exactly what he wants then you will have your arse covered from any bites when things go all silly.



      #3
      Get them to sign away any liability from you. If someone hacks in, you could be liable for their losses.

      When I get into those sort of waters, that's what I usually suggest; the manager then sees that signing something makes him culpable and backs off...



        #4
        The beauty of e-mail is that it provides an audit trail.

        Compose an e-mail where you state, in clear terms, the options and their implications and request formal instruction before you can proceed. Send this to the client co manager, but, more importantly, copy this to the manager at the level above.

        Once you have done this, do whatever you are told and count the money.
        How did this happen? Who's to blame? Well certainly there are those more responsible than others, and they will be held accountable, but again truth be told, if you're looking for the guilty, you need only look into a mirror.


        "We hang the petty thieves and appoint the great ones to high office" - Aesop



          #5
          stand on your cubicle chair and repeatedly shout "are you ******* mad!?!" at the top of your voice, until a very senior manager comes over, then hand over a printout of the daft request whilst openly weeping at his feet.



            #6
            What they all said. Or you could walk if you don't want to be a part of it (but do it with grace if you do).



              #7
              You could also say that you've spoken to the providers of your professional indemnity insurance, who have stipulated that you must have some documentation of the client request and your advice against it.

              Should sharpen their minds a little...

              If the sh*t hits the fan I think you'd need evidence that you'd advised them against it as a consultant.
              They could otherwise argue that you just did what they asked and didn't advise against it, again possibly making you liable for loss.
              Last edited by LittlestHobbo; 7 August 2008, 09:29.



                #8
                Originally posted by NetworkNinja View Post
                Ok, here's the situation. Contracting to a large outsourcing company, supporting one of their customers. For one of the projects I designed a multi-tiered DMZ infrastructure for a new fancy web channel. All nice and as secure as it could be on the given budget. The end client co has now made requests to access said server infrastructure in non-secure (and very stupid) ways that will turn my nice secure setup into a colander: accessible from everywhere inside client co and from remote VPN connections without restrictions.

                This is something I know is stupid, the people here know it's stupid, even some of the managers at the client co know it's stupid, but still they are persisting. The manager in question doesn't want the bother of hopping from another controlled (jump-off) server (apparently that takes too long!!!!!!)

                Hence my question in the title .... Where do you draw the line?

                Do you refuse to do the work and argue till you're blue in the face (aren't we supposed to be the experts??), or just simply go ahead and do something you know will no doubt come back to bite you in a matter of weeks.
                Do the work, but outline your issues in an email sent to the requester and BCC it to your own email account. In this way you can turn around and say "I told you so" when they inevitably go into rear-end posterior covering mode.

                It is also worth working out a rollback plan so you can remove the changes when the other managers turn on tw*t when they find that their jobs are on the line because of tw*t.

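The two access paths the original post and post #8 argue over, as an added example that is not code from the thread or from anyone posting in it: a small first-match firewall policy evaluator in Python, with the DMZ rules as designed (public traffic only to the web tier, each tier only to the next, admin SSH only from the controlled jump-off server) beside the requested change (any client LAN or VPN address, any port, straight into every tier), and the rollback post #8 recommends, which here is just reinstating the original rule list. Every address range, tier, port, host and rule name below is constructed for illustration and is not from the thread.

```python
"""Added example: first-match policy evaluator showing what the change request
does to a tiered DMZ, and why keeping the original ruleset makes rollback trivial.
All addressing below is made up for the example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing (assumptions, not from the thread).
INTERNET   = "0.0.0.0/0"
CLIENT_LAN = "10.0.0.0/16"       # everything inside client co
VPN_POOL   = "172.16.0.0/16"     # addresses handed out to remote VPN users
JUMP_HOST  = "10.0.9.10/32"      # the controlled jump-off server
WEB_TIER   = "192.0.2.0/27"
APP_TIER   = "192.0.2.32/27"
DB_TIER    = "192.0.2.64/27"
ALL_TIERS  = "192.0.2.0/25"      # covers the web, app and db ranges


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # TCP port; None means any port
    note: str = ""


def matches(rule: Rule, src_ip: str, dst_ip: str, dport: int) -> bool:
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(policy: List[Rule], src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """First matching rule wins; running off the end of the list denies."""
    for rule in policy:
        if matches(rule, src_ip, dst_ip, dport):
            return rule.action, rule.note
    return "deny", "implicit default deny"


def designed_policy() -> List[Rule]:
    """The DMZ as designed: tiers only talk to their neighbour, admin SSH only
    from the jump host, everything else dropped."""
    return [
        Rule("allow", INTERNET,    WEB_TIER,   443,  "public web channel"),
        Rule("allow", WEB_TIER,    APP_TIER,   8443, "web -> app"),
        Rule("allow", APP_TIER,    DB_TIER,    5432, "app -> db"),
        Rule("allow", JUMP_HOST,   ALL_TIERS,  22,   "admin via jump host only"),
        Rule("deny",  "0.0.0.0/0", "0.0.0.0/0", None, "explicit default deny"),
    ]


def requested_change() -> List[Rule]:
    """The change request: direct access from the whole client LAN and from
    every VPN client, on any port, into every tier."""
    return [
        Rule("allow", CLIENT_LAN, ALL_TIERS, None, "CR: direct access from client LAN"),
        Rule("allow", VPN_POOL,   ALL_TIERS, None, "CR: direct access from remote VPN"),
    ]


def apply_change(policy: List[Rule], change: List[Rule]) -> List[Rule]:
    """Insert the change-request rules ahead of the trailing default deny.
    The original list is not modified, so rollback is reinstating it as-is."""
    return policy[:-1] + change + policy[-1:]


def exposure(policy: List[Rule], sources: List[str], dst_ip: str, dport: int) -> List[str]:
    """Which of `sources` the policy lets reach dst_ip:dport (in input order)."""
    return [s for s in sources if evaluate(policy, s, dst_ip, dport)[0] == "allow"]


# Constructed probe hosts: a desktop on the client LAN, a remote VPN user,
# the jump host itself, and an arbitrary Internet address.
PROBES = ["10.0.42.17", "172.16.7.200", "10.0.9.10", "203.0.113.5"]
DB_HOST = "192.0.2.70"   # a database-tier server (constructed)

if __name__ == "__main__":
    before = designed_policy()
    after = apply_change(before, requested_change())
    print("SSH to db host, as designed:  ", exposure(before, PROBES, DB_HOST, 22))
    print("SSH to db host, after CR:     ", exposure(after, PROBES, DB_HOST, 22))
    print("DB port direct, after CR:     ", exposure(after, PROBES, DB_HOST, 5432))
    print("DB port direct, after rollback:", exposure(designed_policy(), PROBES, DB_HOST, 5432))
```

Run as-is and the designed ruleset lets only the jump host reach the database server on 22; after the change request every LAN desktop and every VPN client can reach it on 22 and on the database port itself, which is the "colander" the original post describes. Because `apply_change` builds a new list rather than editing the designed one, the rollback plan from post #8 is one step: reinstate `designed_policy()`.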


                  #9
                  Originally posted by DimPrawn View Post
                  stand on your cubicle chair and repeatedly shout "are you ******* mad!?!" at the top of your voice, until a very senior manager comes over, then hand over a printout of the daft request whilst openly weeping at his feet.



                    #10
                    Repeat after me, all together now "Security is a business decision" as much as we hate to hear it. As long as you've made the risks very clear to the client and they still accept then that's fine. I've found that if you require the manager to formally accept the risk (i.e. assign it to his name and get a signature) they suddenly take them a little more seriously when they realise they're the ones in tulip when it all goes wrong!
                    B00med!
