Are there any quick ways to identify unethical behavior?


telayla
MIS
Jun 6, 2005
I am in a leadership position within my company, and have a strong IT background (managed an AS-400 when mainframes were still around) but no longer have the role of IT management (I have telecom and telecom integration).

The owners of my organization are somewhat naive and trusting with regard to information security and I have some real concerns regarding the security and use of our corporate data.

The IT manager for our organization is an individual with very little formal training in the management of information. He learned networking from reading books, and building a network in his house and his hardware expertise is pretty good. Whenever you ask him a question about applications or networking or honestly anything... this person gets "diarrhea of the mouth" and starts slinging around technical jargon emphasized by terms like "my network". Having over 15 years of industry expertise, however, I have learned "technology as a second language" and speak and converse in it fluently. Much of what he says makes no sense at all and there is little logic to his statements. Quite frankly, I think I scare the crap out of this guy, and he won't let me anywhere near the network. He reports to the CFO of our company, who has absolutely no interest or knowledge of the IT field. Basically, there are no checks and balances, no reports, and no oversight with regard to how he uses the information, or what he does with it.

There have been periods of time when he and I have been at cross-purposes and my Outlook would change viewing methods overnight or my defaults would all be different the morning after I decided to close and lock my door. There was an occasion when I was on vacation last year, in the godforsaken jungle (with a coworker) that I received a read receipt for an e-mail sent to this coworker during the time we were away with nothing but monkeys to grant us access to e-mail. The last time I was away (this past March), he took it upon himself to copy my entire home directory to DVD, and delete it from the server. I do not have a DVD reader on my local PC. When I got in I could not access any of my data and when I asked when it would be made available to me (after several hours of NO response), he said he was eating and he would get to it after lunch (it was a really long lunch that lasted till 4:00PM). I spent four days exclusively trying to recover this data, but there were lots of recording errors and I have only been able to retrieve 30% of my data. In my opinion NO I.T. PERSON IN THE WORLD SHOULD HAVE THAT MUCH CONTROL or AUTONOMY!

He has VNC loaded on the network and it was loaded locally on my PC several months ago, but I removed it the same day it was installed.

His method of data security is to perform back-ups at midnight, take that tape, and put it into a firesafe (which is only safe up to one hour in a fire). He keeps the most current tapes on-site and after 7 days takes the tapes home to his house and he keeps them there for 6 months.

I AM VERY CONCERNED THAT THIS INDIVIDUAL IS IN CHARGE OF ALL THE DATA FOR MY ORGANIZATION. I NEED TO FIND A WAY TO DELIVER PROOF OF IMPROPRIETY TO THE OWNERS OF MY COMPANY SO THEY WILL AGREE TO HIRE A SECURITY CONSULTING FIRM TO ASSESS OUR NETWORK. If I am wrong or severely paranoid, I will be happy to accept that, but I would rather be wrong than imagine the ramifications if I am right. Do you have any suggestions for me? Or are you all asleep from this book I wrote?
 
Very interesting feedback.

The original question on "ways to identify unethical behaviors" of the Administrator is not answered so far in the discussion. We're only analysing the intent of the Admin and have concluded the ineptitude of the Admin, based on one user's viewpoint?

While Telayla mentioned the concerns he has regarding a proof of impropriety of the Admin, he did not mention that the Owner has the same concern. He is acting on behalf of the Owner. Well, so does the Admin.

Sure there are cases where a disgruntled admin can do a great deal of damage, but has he done any damage to the network?

A small company may not have a fully detailed policy in place, thus, there are no checks and balances, no reports, and no oversight with regard to how the Admin uses the information, or what he does with it. He acts according to the command of the CEO or the Owner of the company. In other words, he SHOULD HAVE THAT MUCH CONTROL or AUTONOMY!

If you want something done, draw up a policy and have the approval of management. For a small company, there are no tools for the user to identify unethical behavior of the Admin, but the Admin has the entire network infrastructure to find unethical behavior of the user.

Also, on CYA matters, unless you publicly display it in email or in print, other undisclosed CYA materials will cause arousal of conspiracy against the company. This is not favored by any CEO. I suggest any user to bring up the matter immediately instead of keeping them in multiple places.

 
Granted, we don't know under what directions the admin is working.

However, in a small company - and I've worked for several including at present - a single admin will by necessity have that much control but should NOT have that much autonomy. As a CEO of a small company, if my admin came to me saying Joe was copying customer data and emailing it home - without a reason - I'm certainly having a serious discussion with Joe. But I am first having a serious discussion with my admin about how and when he came to discover this. Primarily because his job duties, as I've outlined them, DO NOT grant general snooping just for snooping's sake.

Again, we don't know what level of involvement the CEO in this case has.

As far as ineptitude, absolutely yes. This admin has deleted the information of a user in - as far as we know - good standing and was subsequently unable to restore it. That's at least 2 very basic IT tasks that this admin failed to complete.
 
dennisbbb, you're not the admin in question are you? ;-)

Also, on CYA matters, unless you publicly display it in email or in print, other undisclosed CYA materials will cause arousal of conspiracy against the company

I think that's a *little* extreme. Many, many, many people keep hard copies of e-mail, memoranda, orders, IM's, etc. If it were a conspiracy, I wouldn't be keeping the info in a CYA folder nor admitting to it publicly! I would think it's much, much worse to let an admin run amok and not say a word about it to anyone.

but has he done any damage to the network?

Yes he has, he deleted a user's folders, made a poor copy to DVD and let the user attempt to restore invalid, damaged files.

He acts according to the command of the CEO or the Owner of the company. In other words, he SHOULD HAVE THAT MUCH CONTROL or AUTONOMY!

Please re-read the original post. The admin in question reports to a CFO who doesn't know/care what said admin is doing. That in itself could indicate a much larger problem, but for a different discussion.

No admin, repeat, NO ADMIN, should be able to interfere with someone's job. If he is suspicious of what a person is doing, as he is NOT that person's supervisor, the admin should take it to HR or that person's boss. It is not up to a vigilante admin to handle personnel issues, erase e-mail, or damage work files.

That said, I think the OP's original indicators should be enough to go to someone with these issues about the admin. If you are questioning someone's ethics, especially now when ethics mean more to more people than it has in the past, then it should be enough to at least mention to a supervisor or manager.
 
Seeing how a fellow Admin/IT Manager will be getting his back stabbed by a disgruntled user is very frustrating.

Don't forget, Telaya is not this Admin/IT Manager's supervisor. The only thing he can do is consult with the CEO what had happened to his CYA files. But that's not gonna happen will it?

The truth is, Telaya is afraid of fact that the Admin has a copy of his email, his CYA files, and the unknown relationship between the CEO and the Admin.

Also, from the CEO's point of view, if the user has nothing to hide, the user should not be afraid if the Admin has tampered with his HomeDir or his email. After all, every file and email is the property of company, ultimately safeguarded by the Admin, who is entrusted by the CEO (privately owned company here). I'm sure every company has such policy in place. It is a given.

I don't understand why you guys side with the user (Telaya) when in fact the Admin has not performed anything drastic to cause attention from the CEO (his supervisor).

My belief is, if Telaya was to bring this up in front of both the CEO and the Admin, Telaya will have no grounds at all. In fact, he will collapse like a deck of cards when the Admin pulls out the DVD full of CYA files, which can potentially bring a major lawsuit to the CEO and company. He'll be fired on the spot. Will that happen to the Admin? I don't think so, because the network is still running and other users are still happy.

 
WOW! I didn't expect this much passion!

To clarify some issues, CYA was a minor minor minor piece of what was deleted and I don't care who sees or reads my e-mail, just don't delete it or modify it!

Anyone with any brains has a CYA file. That CYA file is just as Dollie stated, a record of FACT. When dealing with multiple personalities and motivations in any work situation, you must always stick with documented FACT. That's what a CYA file is and no CEO worth his salt would fire someone for having one. Unless of course the CEO has something to hide or is guilty of unethical behavior. BTW my organization DOES NOT HAVE A CEO.

To be clear, THE ONLY THING I WANT TO HAPPEN IS FOR A SECURITY AUDIT OF OUR NETWORK TO BE PERFORMED. What's wrong with that?

Why does Dennisdd think that I am a disgruntled user out to get our admin? I just want to make sure my company's data is safe and not used for personal gain or political leverage. If I were truly a disgruntled, unacceptable, firable worker, why would I be here? In most cases, I am the only SANE, professional and respectful individual in situations like these BECAUSE I WORK WITH FACT. I'm HERE to find the FACT.

Yes, I am in good standing. I have copies of my performance evaluations to prove it. BTW...I keep the copies... in my CYA file...
 
Having re-read Dennisbbb's posts, I can (kind of) understand where he is coming from and appreciate a different perspective. The manner in which I stated my question/issue, suggests that it is personal.

Instead of going back and forth with perception and assumptions, I am going to ask five questions...

1. What are the ABSOLUTE ethical guidelines that an IT administrator must adhere to?

2. What "checks and balances" need to be in place to ensure #1?

3. Who's responsibility is it to report suspicion of impropriety?

4. What should happen to the person who suspected inappropriate access and usage, and DIDN'T report it?

5. What should the consequences be for violating #1?

OH, and to further clarify things...I'm a ................ S H E!
 
If the folder is named CYA or Cover_My_Own_Ass it's inviting snoopers.

If it is the administrators job to safeguard the data, and he fails, that is his boss headache. If you have a hard case that he failed to do this, you can bring it to CEO, big boss whatever. Did the company stop working, was there down time, angry customers, law suits etc.?

If you are trying to prove that he is incompetent, based on suspicions then I would think:
1) You want his job, and if you have openly showed him what you think of his education, the way he learned the technology etc, he would be an idiot not to keep an eye on you.

2) You have been at the technical side of things, in a manager position right now, what does this manager function comprehend? Doing the job yourself, or letting others work (the manager sits relaxed, others work, everybody happy [thumbsup], no problems)

3) Maybe you are getting too much into details, and losing the helicopter view a manager is supposed to have, and if it is an area outside your jurisdiction it will give problems.

Just some thoughts, nothing personal

Steven
 
Thinking about this, it's always easiest to get progress if the situation is less tense and potentially confrontational; but it's very difficult not to be tense when you've been messed about by someone's incompetence.

What you want is a security audit, and you want it done by an external expert.

Could this be proposed to the company senior management in a way that also includes the miscreant in his role as IT manager, using your role as admin manager (if I'm understanding correctly?), i.e. as non-threatening as possible, and without going outside your role?

A possible approach might be to say to management, openly, that you think modern business administration requirements suggest that an external audit of IT security would be a normal part of good office management in any good company. Could the IT manager be commissioned to arrange it for you, and help you in implementing the recommendations of the external experts (downside is it will have to be a joint project, which may cause you some headaches).

Put correctly, this will give your miscreant IT-manager very little alternative but to cooperate, but it won't make him look an idiot: it gives him a face-saving way out. And when the external consultants point out many of his failing practices, you will be able to influence the creation of better things.

It will also be easier for him to say "well, we used to do it that way but the experts I commissioned have given us better practices" than "my rival and coworker showed me I don't know my job" - you'll never get him to say that!

Just a thought: good luck!
 
I am pretty shocked to see how many little details that have nothing to do with the actual issues have made big splashes in this discussion.

CYA- We send out a list of installed inventory (located at the customer site) to our Sales people at the beginning of the month and ask them to validate that these are indeed the machines whose performance stats should appear on the month's reports... They often reply within 30 secs of the outgoing email with "Validated". I know they didn't read through the list of 1,500 machines before "validating" it, so I keep a copy of my email with my instructions and their email telling me the list is validated....

How is that a conspiracy? How have I put the CEO or company at risk for a lawsuit?

Isn't keeping good records of conversations the point of taking minutes at a meeting? When those who are meeting assign action items and the meeting rolls around again and those action items haven't been implemented, isn't it time to check the minutes to see if they were indeed assigned?

Telaya - There are no hard and fast (read absolute) rules of ethics... That's the nature of ethics. It sounds as though you have a genuine interest in not standing around and waiting for what you seem to think is inevitable. A boss doesn't need to understand technology to understand what you are concerned about... Go to him/her and address your concerns in a forthright and honest manner.

BTW, be sure to only address your concerns for the business. Keep all personal anecdotes out of the conversation... While it may seem that these anecdotes are your best arguments, you will actually gain more credibility, if you stick to company matters and not personal ones.

~Thadeus
 
By the way, reading through all this posts, I ask myself what the perception/definition is of the term manager

Steven
 
It seems that the first thing that needs to happen is a Computer Use Policy needs to be created. There are many examples out on the internet. Computer usage policies usually include administrators. I'm the admin, but being in a small office, I also handle a lot of other things. I've had to sign several policies including computer usage, privacy, and ethics policies. These policies apply directly to me and my co-workers. If I were to run rampant and start deleting directories, e-mail, and interfering with my co-workers' jobs, I would definitely be held accountable for my actions.

I'm glad I've got a boss who believes in ethics policies. It maintains a standard, and it's a standard that all companies in my niche industry should uphold. Just because we've only got 25 people in the office doesn't mean we can't operate without rules, procedures and policies.

The main word in "I.T." is information. Admins protect information, maintain information, create information. They do not delete, damage or hide information arbitrarily. Basic rules and ethics should always be in place, and always placed before anger.
 
A Computer use policy is definitely the best route, it reinforces some of what some people would consider unethical things we as IT people are asked to do by upper management.

and by 'some people would consider unethical' I mean most people seem to think it a right to send personal emails using a corporate mail system, but when during their induction they are told by one of us about the email policies, such as the retention of every inbound and outbound email and its availability to the CEO, Owner, etc. and the Proxy caching and logging of all browsing. Most are fine, because they know.

IM is not strictly enforced either as far as stopping it, it is monitored, but can be stopped easily, though it is not that widely used, which is fine by us.

Others still try getting around systems in place, and from our perspective, we see it, always, but usually let it pass based on the level of perceived risk or abuse to the company based on written rules.

For example, if someone was logged as browsing a porn site, and it were logged as less than 10 seconds, then what's the chance it was a popup? Recently a user mis-spelt Google and got lots of disturbing popups, but something like that gets quickly ignored.

but if an attempt at bypassing the proxy was attempted, there are systems to pick this up as well, and would be treated very differently.

All this in place, and no one actively sits watching any of it though, that is as near to deathly boring as it gets, but it is warned it can be called upon. And we are all quite adept at PC forensics as well, so any hobbyists or fiddlers can get found out as well.

there is no hard feeling to IT by anyone, because everyone is made aware of these issues by a comprehensive policy and training. and they know we do it only when asked to.

Backups need to be sorted as well, it is unbelievable how poor many backup plans are. Ours is daily full backups, with an additional monthly one, performed by IT, but tapes taken home by the CEO or a nominated individual of his or the IT Managers choosing. All logged, based on tape name (Monday 1,2,3,4, Tuesday 1,2,3,4 e.t.c.) 1st creation date (amazing how often this catches people out, try and do a restore in ArcServe, it doesn't ask for Mondays tape, it asks for 19:35 02/05/02!) in a book dating back 5 years!

I guess as a technology provider we have become good at making our system pretty autonomous, where there are few issues and it pretty much runs itself, leaving us to sort other people's messes where their system goes bad, which they invariably do because of bad or no planning. The offer is always there to consult on better practices, but it's rarely taken up for budget reasons, and the lack of understanding of its importance.

that'll do for now, ha

Gurner
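As an added example of the two checks Gurner's post describes (the "less than 10 seconds, probably a popup" rule for proxy logs, and picking up attempts to bypass the proxy from firewall logs), the script below runs both over constructed sample lines. This is not code from the thread or from any product mentioned in it; the log formats (Squid native access.log and iptables-style syslog), the addresses and hostnames, and the PROXY_HOST, WEB_PORTS and FLAGGED_DOMAINS values are all assumptions made for the example.

```python
"""Added example (not code from the thread): the two log checks the post
describes.  Log formats, addresses, hostnames and the PROXY_HOST, WEB_PORTS
and FLAGGED_DOMAINS values are constructed assumptions."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed Squid native access.log lines: epoch time, elapsed ms, client,
# result code, bytes, method, URL, ident, hierarchy/peer, content type.
SAMPLE_PROXY_LOG = """\
1117900000.123 320 10.1.2.30 TCP_MISS/200 5120 GET http://www.gooogle.example/ - DIRECT/203.0.113.10 text/html
1117900001.456 90 10.1.2.30 TCP_MISS/200 2048 GET http://ads.adult-example.test/popup - DIRECT/203.0.113.11 text/html
1117900003.789 60 10.1.2.30 TCP_MISS/200 1024 GET http://ads.adult-example.test/track.gif - DIRECT/203.0.113.11 image/gif
1117901200.000 45000 10.1.2.41 TCP_MISS/200 90000 GET http://video.adult-example.test/a - DIRECT/203.0.113.12 video/mp4
1117901400.000 60000 10.1.2.41 TCP_MISS/200 90000 GET http://video.adult-example.test/b - DIRECT/203.0.113.12 video/mp4
1117901500.000 30000 10.1.2.41 TCP_MISS/200 90000 GET http://video.adult-example.test/c - DIRECT/203.0.113.12 video/mp4
"""

# Constructed border-firewall syslog lines (iptables style).  Assumed policy:
# only the proxy host may open outbound connections on web ports.
SAMPLE_FW_LOG = """\
Jun 06 09:15:01 fw01 kernel: DENY OUT IN=eth0 OUT=eth1 SRC=10.1.2.41 DST=198.51.100.7 PROTO=TCP SPT=3345 DPT=443
Jun 06 09:15:05 fw01 kernel: ALLOW OUT IN=eth0 OUT=eth1 SRC=10.1.2.5 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=443
Jun 06 09:16:12 fw01 kernel: DENY OUT IN=eth0 OUT=eth1 SRC=10.1.2.41 DST=198.51.100.8 PROTO=TCP SPT=3346 DPT=8080
"""

PROXY_HOST = "10.1.2.5"                   # assumption: the only permitted web egress
WEB_PORTS = {80, 443, 3128, 8080}         # assumption: ports a bypass would use
FLAGGED_DOMAINS = {"adult-example.test"}  # assumption: stand-in for a category list
MIN_DWELL_SECONDS = 10.0                  # the post's "less than 10 seconds" rule


@dataclass
class ProxyEntry:
    ts: float
    client: str
    host: str


def parse_proxy_log(text):
    """Parse Squid native-format lines; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        try:
            ts = float(parts[0])
        except ValueError:
            continue
        host = urlsplit(parts[6]).hostname
        if host:
            entries.append(ProxyEntry(ts, parts[2], host))
    return entries


def flagged_domain(host):
    """Return the FLAGGED_DOMAINS entry that host falls under, or None."""
    for d in FLAGGED_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def flag_browsing(entries, min_dwell=MIN_DWELL_SECONDS):
    """Report (client, domain, dwell seconds) for sustained visits only.

    Dwell is the span from the client's first to last request on a flagged
    domain.  A popup leaves a burst of requests within a few seconds, so
    anything under min_dwell is dropped, as the post suggests.
    """
    first, last = {}, {}
    for e in entries:
        d = flagged_domain(e.host)
        if d is None:
            continue
        key = (e.client, d)
        first[key] = min(first.get(key, e.ts), e.ts)
        last[key] = max(last.get(key, e.ts), e.ts)
    hits = [(c, d, last[(c, d)] - first[(c, d)]) for (c, d) in first]
    return sorted(h for h in hits if h[2] >= min_dwell)


FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")


def flag_proxy_bypass(text, proxy_host=PROXY_HOST, web_ports=WEB_PORTS):
    """Report outbound web connections that did not come from the proxy.

    DENY and ALLOW lines are both reported: an ALLOW means the firewall rule
    itself has a hole, which matters more than the user's attempt.
    """
    hits = []
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m and m.group("src") != proxy_host:
            dpt = int(m.group("dpt"))
            if dpt in web_ports:
                hits.append((m.group("src"), m.group("dst"), dpt))
    return hits


if __name__ == "__main__":
    for client, domain, dwell in flag_browsing(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f"review: {client} spent {dwell:.0f}s on {domain}")
    for src, dst, dpt in flag_proxy_bypass(SAMPLE_FW_LOG):
        print(f"bypass attempt: {src} -> {dst}:{dpt} did not go via the proxy")
```

On the sample data the popup burst from 10.1.2.30 (two requests 2.3 seconds apart) is dropped and only the five-minute session from 10.1.2.41 is reported, while the two direct outbound web connections from 10.1.2.41 are listed as bypass attempts. Dwell is measured from first to last request on the domain rather than from Squid's per-request elapsed field, since the latter is transfer time, not how long the user stayed.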

 
I know my post didn't really reinforce the ethics question, it was more of a recommendation down the policy route.

You never know, you could suggest a usage policy and generalise the reasons rather than point any fingers at particular individuals. And in the process incorporate into the suggestions, actions or policies regarding the area affecting your experiences of the particular individual.

?


Gurner

 
There was an occasion when I was on vacation last year, in the godforsaken jungle (with a coworker)that I received a read receipt for an e-mail sent to this coworker during the time we were away with nothing but monkeys to grant us access to e-mail.

This makes it sound like someone sent email as Telayla if that is the case, imo that goes beyond normal admin duties with regard to monitoring and protecting email.

"... isn't sanity really just a one trick pony anyway?! I mean, all you get is one trick, rational thinking, but when you are good and crazy, oooh, oooh, oooh, the sky is the limit!" - The Tick
 
Would have been best to look at the email itself to see if it really was as described, or spoofed.
But then there is the question, was the coworker on an autoresponder? Shouldn't have given a read receipt.

I could see somebody doing some testing using existing accounts that are known to be inactive for a while, I've done it myself, but I've always explained beforehand and given notice when through.

Ed Fair
Give the wrong symptoms, get the wrong solutions.
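As an added example of Ed Fair's suggestion to look at the email itself, the script below parses a read receipt (an RFC 3798 disposition notification) and pulls out what a reply summary in a mail client hides: the first hop in the Received chain (the host that actually injected the receipt), the Reporting-UA the client claimed, and whether the Disposition field says the receipt was sent by a deliberate user action or automatically, which is the autoresponder case raised above. This is not code from the thread; the message, hostnames and addresses are constructed for the example.

```python
"""Added example (not code from the thread): read a receipt's own headers
instead of trusting the mail client's summary.  The message is constructed;
hostnames and addresses are assumptions."""
import re
from email import message_from_string

# Constructed RFC 3798 disposition notification ("read receipt").  Each relay
# prepends a Received header, so the LAST one listed is the first hop: the
# host that actually injected the receipt into the mail system.
SAMPLE_RECEIPT = """\
Received: from mail.example.test (mail.example.test [192.0.2.10])
\tby mx.example.test with ESMTP id abc123; Tue, 07 Jun 2005 09:12:01 -0500
Received: from ws-0077.example.test (ws-0077.example.test [10.1.2.77])
\tby mail.example.test with ESMTP id def456; Tue, 07 Jun 2005 09:12:00 -0500
From: coworker@example.test
To: sender@example.test
Subject: Read: schedule for next week
Date: Tue, 07 Jun 2005 09:12:00 -0500
MIME-Version: 1.0
Content-Type: multipart/report; report-type=disposition-notification;
\tboundary="rep"

--rep
Content-Type: text/plain

Your message was read.

--rep
Content-Type: message/disposition-notification

Reporting-UA: ws-0077.example.test; Example Mail Client 1.0
Original-Recipient: rfc822;coworker@example.test
Final-Recipient: rfc822;coworker@example.test
Original-Message-ID: <msg-0001@example.test>
Disposition: manual-action/MDN-sent-manually; displayed

--rep--
"""

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)")


def received_chain(msg):
    """(HELO name, reverse DNS, IP) per Received header, first hop first."""
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append(m.groups())
    return hops


def parse_disposition(value):
    """Split 'action-mode/sending-mode; type' into its three fields."""
    modes, _, dtype = value.partition(";")
    action, _, sending = modes.strip().partition("/")
    return action.strip(), sending.strip(), dtype.strip().split("/")[0].strip()


def inspect_receipt(raw):
    """Return what the receipt itself says about where and how it was made."""
    msg = message_from_string(raw)
    result = {"is_mdn": False, "hops": received_chain(msg)}
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "disposition-notification"):
        return result
    for part in msg.walk():
        if part.get_content_type() == "message/disposition-notification":
            fields = part.get_payload(0)  # MDN fields parse as a header block
            break
    else:
        return result
    action, _sending, dtype = parse_disposition(fields["Disposition"] or "")
    ua = (fields["Reporting-UA"] or "").split(";")[0].strip()
    origin = result["hops"][0] if result["hops"] else None
    result.update(
        is_mdn=True,
        reporting_ua_host=ua,
        origin_hop=origin,
        # automatic-action means a client or autoresponder sent it unattended
        human_action=(action == "manual-action"),
        displayed=(dtype == "displayed"),
        ua_matches_origin=(origin is not None and origin[0] == ua),
    )
    return result


if __name__ == "__main__":
    for key, value in inspect_receipt(SAMPLE_RECEIPT).items():
        print(f"{key}: {value}")
```

Received headers are only trustworthy from the first relay you control inward; anything below that in the chain is whatever the injecting host chose to write, which is exactly why the first hop and the claimed Reporting-UA are worth comparing rather than taking either alone.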
 
Thank you for your comments, they have been very helpful. Unless someone wants to answer the five questions, it's probably time to move on. I appreciate the support of some of you and truly value the perspective offered by those who don't share my point of view. It's been educational and I've enjoyed talking to all of you immensely.

Take Care,
Layla
 
You're welcome Telaya,
but Thadeus this CYA:
CYA- We send out a list of installed inventory (located at the customer site) to our Sales people at the beginning of the month and ask them to validate that these are indeed the machines whose performance stats should appear on the month's reports... They often reply within 30 secs of the outgoing email with "Validated". I know they didn't read through the list of 1,500 machines before "validating" it, so I keep a copy of my email with my instructions and their email telling me the list is validated....

I think you would need another way to get this data if I was in sales and had to validate the list [thumbsup]
I would personally take care of verifying that these 1500 computers existed, if you wanted my signature.
Check rate: 5 computers/day, or worse recruit some new employees with the function computer-counter. Would be nice with the other well known function: bean counter

Steven
 
Telayla

Unless someone wants to answer the five questions, it's probably time to move on.

Sorry we didn't address your issues....

1. What are the ABSOLUTE ethical guidelines that an IT administrator must adhere to?

There is no oath taken when you become an admin, but there should be corporate standards that your company must enforce (policies). Nothing is absolute unless there are corporate policies. Otherwise, the admin will pretty much do what he/she wants. There are many examples online of ethics policies as well as computer usage and privacy policies.

2. What "checks and balances" need to be in place to ensure #1?

There should be a person, other than the admin, to enforce the policies. This along with random audits ensures the policies are doing the job they should.

3. Who's responsibility is it to report suspicion of impropriety?

The person who suspects it should report it immediately and employees should NEVER EVER be discouraged from doing so (meaning, their job should not be threatened by reporting it)

4. What should happen to the person who suspected inappropriate access and usage, and DIDN'T report it?

This is a call that should be made by the supervisor or HR department and not something I can recommend. However, if I saw it happen and know that the person who discovered the impropriety kept it covered up, they'd have to deal with The Wrath Of Dollie.

5. What should the consequences be for violating #1?

Again, this is something the company needs to determine. 50 lashes at the whipping post would be my suggestion, but that's not legal in some states. :)

There is quite a bit of information in this thread for you. If you haven't already done so, I recommend you report this immediately. Policy recommendations should also be made, as quickly as possible.
 
Sorry as well, I wanted to take a day to really think and reflect, as they are very good questions.

1. IT systems most times seem to nearly be living, breathing things of their own, so in a broad sense the Hippocratic "First Do No Harm" is a good place to start. It can be viewed from several angles: the systems as they relate to the organization, the admin as they relate to the system, and the admin as they relate to the users/consumers. The last viewpoint - the user as a consumer - is particularly important. Is what I'm doing as an admin being a good "vendor" to the user as a "consumer" and the organization as a "consumer?"

2. Larger shops get checks and balances built in as multiple admins and/or an IT department will be somewhat self-policing. In a small, single person shop, constant and consistent communication with users and the supervising person is critical. IT actions are best communicated to the organization under the voice of top management. Otherwise, if the admin is seen as acting independently, user mistrust of the admin roots and grows exponentially.

3. Ideally, anyone would be capable of reporting suspicion of any kind. The HR person/department and someone's supervisor should be approachable in regards to any concerns; IT misuse, funds misuse, harassment. In no case should an admin respond to any request for investigation from someone NOT in their supervision chain.

4. Depends somewhat on what intent can be discerned about not reporting. If it's to cover for the other person, action should be severe, appropriate to the misuse. If it's due to a sense of intimidation by HR/supervisors, then that's another case.

5. I'll consider this one again in light of single vs multiple admin shops. In a multiple admin shop, depending on the severity of the issue, it's pretty easy and justifiable to terminate. If the org is large enough, getting busted to help desk could be a worse punishment.
In a single admin shop, it becomes dicier. No admin is irreplaceable, but small orgs have weird dynamics and might be critically dependent on the admin's knowledge of the network.

This kind of goes back full circle to the "Do No Harm" precept. One of my unstated goals as a previous admin and now admin/manager is to try to work myself out of a job. By that I mean, the systems and processes I implement are documented enough, transparent enough, and logical to the organization that someone else could pick them up tomorrow if needed without much angst.
 