Policies and paper trails — our new best friends

Credit to Author: Sharky | Date: Fri, 19 Oct 2018 03:00:00 -0700

This IT pilot fish works with lots of sensitive data — and that means really sensitive, such as child abuse investigations.

“Until a few years ago, I had access to all that data, so I could write ad-hoc reports against it,” says fish. “We ‘systems’ people were given access to everything, so we could troubleshoot application problems for the users.

“Then one day I was called into the CEO’s office. He told me that according to the logs, I did a search against the Child Welfare data for a particular family on a date and time six months earlier — and wanted to know why I did the search.”

As best fish can recall, he was doing the search to troubleshoot a particular report that one caseworker was trying to run. To do that, he used his own workstation to duplicate the steps that the caseworker took to get to the error.

Trouble is, fish has no documentation of that event. And though fish wasn’t violating any existing agency security or privacy policy when he accessed the data, the CEO decides to level charges against him for inappropriate use of confidential data — and suspend him for 30 days.

Fish points out he didn’t release any confidential data into the wild, or use his access to the data for any personal benefit. All he was doing was his job — helping the users do their jobs.

The CEO is unmoved.

“If it weren’t for my union, I’d have lost my house due to this arbitrary, capricious and ill-advised decision on the part of the CEO,” fish says. “As it was, the union local president ‘plea bargained’ me down to a one-day suspension, and that was that.

“And while what I did wasn’t a violation of policy at the time, after the initial meeting with the CEO and before the charges letter, the VP and I created a new policy. Now we ‘systems’ people don’t have access to any of the systems of record, and if we need it for troubleshooting, there’s a form to fill out.”
