
Inappropriate behavior 2

Status
Not open for further replies.

lespaul

Programmer
Feb 4, 2002
7,083
US
What would you do if you found that personnel in the IT department (your co-workers) have been using their access to the tables to enter falsified time clock entries?

The HR department is aware of some activities (within IT and in other departments) that have been taking place within the "Time Clock Supervisor" program. This program is designed to allow a supervisor to fix/add time entries. When these changes/additions are made to the table, the record stores who made the change.

However, a particular person, who also has inappropriate modifications made through the supervisor program and had made inappropriate modifications for others, has been told that no more changes can be made. Since (s)he has been restricted from the program, (s)he has started inserting records directly in the table, unaware that it is obvious when looking directly at the table that these records were inserted out of order.

For instance:
Code:
EMPSSN      ClockDate         TimeIN         TimeType
123456789   20050330          700             IN
987654321   20050330          702             IN
456789123   20050330          704             IN
258369147   20050329         1600            OUT      <-- inserted out of order
258369147   20050330          700             IN       <-- inserted out of order
147369258   20050330          706             IN

Now, I have considered this person to be my friend, but this is just WRONG! What would you do? I believe that I am not the only person in the department that realizes these activities are taking place, but don't know what the other who might know has done or said to anyone about the situation.

thanks for any insights.

les
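Added example (not part of the thread or of any poster's code): the tell-tale in the table above is that the physical storage order no longer matches the chronological order of the punches, because the direct inserts landed after rows with later clock stamps. The script below builds an in-memory copy of a time-clock table from constructed rows (column names follow the post; the SSNs are made up) and flags every row whose stamp is older than the newest stamp stored before it. sqlite's rowid stands in for the relative record number of the AS/400 file; the window-function query is the kind you would run against the real file, and the Python loop is a fallback for older SQLite builds.

```python
import sqlite3

# Constructed rows modelled on the table in the post (no real SSNs).  The
# physical storage order (sqlite's rowid here; the relative record number
# on an AS/400 file) is the order the rows were inserted.  Punches that
# come in through the time-clock program arrive chronologically, so a row
# whose stamp is earlier than anything stored before it was keyed in later.
SAMPLE_PUNCHES = [
    ("123456789", 20050330, 700, "IN"),
    ("987654321", 20050330, 702, "IN"),
    ("456789123", 20050330, 704, "IN"),
    ("258369147", 20050329, 1600, "OUT"),   # hand-inserted after the fact
    ("258369147", 20050330, 700, "IN"),     # hand-inserted after the fact
    ("147369258", 20050330, 706, "IN"),
]

# clockdate is YYYYMMDD and timein is HHMM, so clockdate*10000+timein sorts
# chronologically.  latest_before is the newest stamp among all rows stored
# earlier; a stamp below it means the row was inserted out of order.
FIND_OUT_OF_ORDER_SQL = """
WITH stamped AS (
    SELECT rowid AS rrn, empssn, clockdate, timein, timetype,
           clockdate * 10000 + timein AS stamp,
           MAX(clockdate * 10000 + timein) OVER (
               ORDER BY rowid ROWS BETWEEN UNBOUNDED PRECEDING AND 1 PRECEDING
           ) AS latest_before
    FROM timeclock
)
SELECT rrn, empssn, clockdate, timein, timetype
FROM stamped
WHERE latest_before IS NOT NULL AND stamp < latest_before
ORDER BY rrn
"""


def load_punches(rows):
    """Build an in-memory copy of the time-clock table from constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE timeclock (empssn TEXT, clockdate INTEGER, "
        "timein INTEGER, timetype TEXT)"
    )
    conn.executemany("INSERT INTO timeclock VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def find_out_of_order(conn):
    """Rows whose clock stamp is older than the newest stamp stored before them.

    Uses the window-function query when the SQLite library supports it
    (3.25+); otherwise walks the rows in storage order in Python.
    """
    if sqlite3.sqlite_version_info >= (3, 25, 0):
        return conn.execute(FIND_OUT_OF_ORDER_SQL).fetchall()
    flagged, latest = [], None
    for rrn, ssn, cdate, tin, ttype in conn.execute(
        "SELECT rowid, empssn, clockdate, timein, timetype "
        "FROM timeclock ORDER BY rowid"
    ):
        stamp = cdate * 10000 + tin
        if latest is not None and stamp < latest:
            flagged.append((rrn, ssn, cdate, tin, ttype))
        latest = stamp if latest is None else max(latest, stamp)
    return flagged


if __name__ == "__main__":
    for row in find_out_of_order(load_punches(SAMPLE_PUNCHES)):
        print("out of order:", row)
```

Against the sample rows this flags records 4 and 5 and nothing else. Treat it as a triage query rather than proof: a legitimate correction made through the supervisor program also lands out of order, but that record carries the "who made the change" field the post describes, while a row typed straight into the file does not. Two genuine punches in the same minute are not flagged because the comparison is strict.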

 
a favorite of the head administrator and nothing is going to happen (at least at this point in time)

You may want to look into that qui tam website above....

Whistleblowing is neither dishonorable nor unethical. Imagine if fraudulent time accounting supported by administration were just the tip of the iceberg (as it seems it may be).
 
Also, Les, it appears to me that one of the very weak points for your system is that it is lacking fool-proof auditability. When dealing with a fiduciary system (such as payroll-related applications), you must be able to produce a verifiable audit trail of values.

If your current platform does not support the production of a verifiable audit trail, I highly recommend that your organisation consider migrating to such an environment. It may be true that your current system has a lower initial price tag than an environment that can automatically audit Who and When someone INSERTs, UPDATEs, and DELETEs What values from your business-critical tables, but what is the "business cost" (or in your case, "governmental cost") when someone is victimising your system and you cannot confirm When did Who did What to Whom?

If people can "sneak" into your systems and make data or programming changes without automatic recording of their actions, your systems are flawed and unreliable.

[santa]Mufasa
(aka Dave of Sandy, Utah, USA)

Do you use Oracle and live or work in Utah, USA?
Then click here to join Utah Oracle Users Group on Tek-Tips.
 
It may be true that your current system has a lower initial price tag than an environment that can automatically audit

We have an AS400/iSeries (not really low-end price wise!), unfortunately there's no database administrator and the database has evolved over 20 years (search for Platypus, you'll find a very amusing thread on the evolution of this database). I'm sure that the AS400 has very advanced audit tracking, but I'm also sure that it has never been fully implemented.

I'll be sure to check out that site, thanks!

les
 
Les,

Les said:
unfortunately there's no database administrator

Having no database administrator for a judicial database (and presumably having users manage the database) is like flying in an airplane where one of the passengers has been designated as the pilot, or using a bank that has no audit/operations staff, but the customers are in charge of running, "on their honor."

I'm sorry, but your state auditors, IMHO, are partially responsible for the sad state of affairs in which you find yourself. Auditors are the primary body responsible for ensuring that the inmates are not running the asylum.

Again, Les, this is becoming a thoroughly fascinating case study for those of us who are fortunate enough to be your audience.

[santa]Mufasa
(aka Dave of Sandy, Utah, USA)

 
Les:

We also have AS/400s and we use triggers to audit our files. You can create a trigger program that you attach to the database file in question. In our case, we write the changed, added, and deleted records to an audit file with the same record format (plus a change code, a timestamp, the program that did the update, and the user profile).

It looks like you are between the proverbial rock and hard place. In a perfect world, those files would be locked down (as they are at my place of employment). My view is that a sensitive file like that should have *PUBLIC *EXCLUDE on it, and should be updatable only from a program that will not delete records from it (except a regular purge).

You may not have a DBA, but there's surely somebody who is in charge of security. If their hands are also dirty, you have to go one step above.

(BTW, it isn't at all unusual for an AS/400 shop to not have a DBA - the database does not need much in the way of performance tuning. However, it can lead to lax security, as we are seeing).



Me transmitte sursum, Caledoni!
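Added example (not part of the thread or of any poster's code) of the audit-trail idea in Mufasa's post and the trigger layout described just above: an audit table with the same record format as the base file plus a change code, a timestamp and the user, filled by insert, update and delete triggers. It uses Python's bundled SQLite so it runs anywhere; the `session_user()` function is a hypothetical stand-in for the user profile an AS/400 trigger program would read, and the two append-only triggers on the audit table are a portable substitute for revoking update and delete authority on the audit file so nobody can cover their tracks. Profile names and the punches are constructed.

```python
import sqlite3

# Constructed schema modelled on the time-clock file in the thread.
SCHEMA = """
CREATE TABLE timeclock (
    empssn    TEXT,
    clockdate INTEGER,
    timein    INTEGER,
    timetype  TEXT
);
-- Same record format as the base file plus change code, timestamp and user.
-- old_* holds the before-image, new_* the after-image.
CREATE TABLE timeclock_audit (
    change_code TEXT NOT NULL,   -- 'I'nsert, 'U'pdate, 'D'elete
    changed_at  TEXT NOT NULL,
    changed_by  TEXT NOT NULL,
    old_empssn TEXT, old_clockdate INTEGER, old_timein INTEGER, old_timetype TEXT,
    new_empssn TEXT, new_clockdate INTEGER, new_timein INTEGER, new_timetype TEXT
);
-- session_user() is an application-defined function registered below; it
-- stands in for the user profile a real trigger program would record.
CREATE TRIGGER timeclock_ai AFTER INSERT ON timeclock BEGIN
    INSERT INTO timeclock_audit VALUES ('I', datetime('now'), session_user(),
        NULL, NULL, NULL, NULL,
        NEW.empssn, NEW.clockdate, NEW.timein, NEW.timetype);
END;
CREATE TRIGGER timeclock_au AFTER UPDATE ON timeclock BEGIN
    INSERT INTO timeclock_audit VALUES ('U', datetime('now'), session_user(),
        OLD.empssn, OLD.clockdate, OLD.timein, OLD.timetype,
        NEW.empssn, NEW.clockdate, NEW.timein, NEW.timetype);
END;
CREATE TRIGGER timeclock_ad AFTER DELETE ON timeclock BEGIN
    INSERT INTO timeclock_audit VALUES ('D', datetime('now'), session_user(),
        OLD.empssn, OLD.clockdate, OLD.timein, OLD.timetype,
        NULL, NULL, NULL, NULL);
END;
-- Stand-in for revoking update/delete authority on the audit file: the
-- audit table is append-only even for whoever can write the base file.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON timeclock_audit BEGIN
    SELECT RAISE(ABORT, 'timeclock_audit is append-only');
END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON timeclock_audit BEGIN
    SELECT RAISE(ABORT, 'timeclock_audit is append-only');
END;
"""


def open_audited_db():
    """Open an in-memory database whose triggers stamp every change with the
    current value of session['user'] (hypothetical stand-in for the OS user)."""
    session = {"user": "UNKNOWN"}
    conn = sqlite3.connect(":memory:")
    # Register the function before the triggers that call it are created.
    conn.create_function("session_user", 0, lambda: session["user"])
    conn.executescript(SCHEMA)
    return conn, session


def audit_rows(conn):
    """Audit trail in the order it was written."""
    return conn.execute(
        "SELECT change_code, changed_by, old_timein, new_timein "
        "FROM timeclock_audit ORDER BY rowid"
    ).fetchall()


def demo():
    """Insert through the 'program', then edit the file directly as someone
    else, then try to wipe the trail.  Returns (audit rows, tamper_blocked)."""
    conn, session = open_audited_db()
    session["user"] = "QTCLOCK"      # constructed: the time-clock program's profile
    conn.execute("INSERT INTO timeclock VALUES ('258369147', 20050330, 704, 'IN')")
    session["user"] = "PGMR1"        # constructed: a programmer editing the file
    conn.execute("UPDATE timeclock SET timein = 700 WHERE empssn = '258369147'")
    conn.execute("DELETE FROM timeclock WHERE empssn = '258369147'")
    try:
        conn.execute("DELETE FROM timeclock_audit")
        tamper_blocked = False
    except sqlite3.DatabaseError:  # RAISE(ABORT) surfaces as an IntegrityError
        tamper_blocked = True
    return audit_rows(conn), tamper_blocked


if __name__ == "__main__":
    rows, blocked = demo()
    for row in rows:
        print(row)
    print("audit wipe blocked:", blocked)
```

The point of the before- and after-images is that a changed punch can be reconstructed without the base file: the trail shows QTCLOCK writing 704, then PGMR1 changing it to 700 and deleting it. On the real system the trigger program should also record the calling program, as the post describes, and the audit file should sit where the people who can write the base file cannot touch it; an append-only trigger only helps while the trigger itself is protected from removal.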

 
I'm aware of triggers, stored procedures and audit files and they are being incorporated in the new design. As far as the security goes, most users do have limited capabilities, in fact no one outside of IT would have a clue how to get to the data.

As far as someone being in charge of security, again, not really. I have finally received some IBM Redbooks on the AS400 and have also requested some training, but so far nothing's happened on that end.

I'm pretty sure that my boss has tipped this person off that HR is looking into things (my part is hopefully still unknown) because since Monday there hasn't been a single out of order time entry. (Almost daily, sometimes more than once, they spend a lot of time in the boss' office with the door closed; this is usually punctuated with much laughter that can be heard in my area. Monday morning's discussion didn't include much laughing and things have been very subdued since then.)
 
Les:

That's good. I have to add that now, with Sarbanes-Oxley breathing down our necks, nobody (not even a programmer) can change a file on production outside of using a program to do it (all the programs are owned by QSECOFR and are USRPRF(*OWNER)).

One more suggestion (which you may have already considered): revoke QPGMR authority to any file the trigger program writes to. That way, they can't cover their tracks.

If you really want to be devious, get the trigger program to e-mail somebody when a record gets changed.

Me transmitte sursum, Caledoni!

 
Depending on your friend's IT ability there are simpler ways of doing this. I am not familiar with this particular DB but most follow a similar operation pattern.
If you wrote the data to a duplicate table at the same time and directed the main program to the dupe table rather than the one that your 'friend' knows how to alter, your 'live' table would tell the truth.
Where it goes from there I don't know.
My solution would be for a memo from management asking people to make sure they log in properly as we have noted a few logging errors. These errors could affect your wage.
Give them an instruction leaflet to tell them how to do it properly and then everyone is aware that we know something is happening.

Keith
 
Hi Leslie

Another great thread you have started...

no one outside of IT would have a clue how to get to the data.

I have seen co-op university and high school students hired to work in non-IT related areas who proved to be very resourceful. Even met a couple who knew a bit about the AS/400s.

Ready to wear an AS/400 system admin hat on top of your other duties? What about a technical consultant coming in and setting up security?

Mufasa has offered some very bitter-but-good-for-you medicine. I had never heard of the term "fiduciary system", but I agree with him that these types of system are critical. Not just because of the value they add to a business, but because of the liability risk they present.

 
Richard! Nice to see you again! I noticed you were MIA for a while, no problems? Any good reading these days? I'm still waiting on "the next one" (several next ones!)!!

You're right, there are "regular" people out there who could have that information, but 80% of our employees are clerks who graduated from high school 10 - 20 years ago, started working for the court and know how to do their job. Barely literate in anything other than the green screen RPG programs!! Granted there are a few who know a little more than that, but that just means they're the ones who know how to use Word & Excel without help!

Ready to wear an AS/400 system admin hat on top of your other duties?
Funny you should say that! The Administrative Office of the Courts (the AOC) is currently studying all the IT personnel within the judiciary as part of a reclassification process (that drama would deserve its own thread!). My requested reclassification is for the Database Administrator position, more so for my involvement in the new database design and my interest in that aspect of IT than because I actually am performing those duties at this time.

What about a technical consultant coming in and setting up security?
That's a great idea and something I'll have to check into!
 
Wow, after reading all of this, I wish I could say it sounds like something that one of us in IT would make up -- unfortunately, I think we all know that isn't true. Lespaul, we in IT have to be ethical. Unfortunately, every now and then we run across someone who isn't. IMHO, this is fraud, purely and simply. As an ethical IT person, you are under no obligation to tell the person committing the fraud it has been discovered; in fact, I believe that is known as 'aiding and abetting', which could end up with you losing your job, and even spending some time in Uncle Sam's hotel, or if it were my home state of Indiana, Uncle Mitch's motel. If this person is willing to change the time database, how long before they go from that to picking up Social Security Numbers, and go into Identity Theft? Speaking from personal experience, I have had two, and it isn't pretty.

How do you know that the person isn't trying to find a way to set you up to take the fall? This person is 'best buds' with the boss; it wouldn't be the first time it happened to someone.

I would very strongly suggest that you run, don't walk, to the attorney general's office, or in actuality the State Police, if you are afraid to talk to the AG. I would also recommend that you make sure you are keeping a record of your sign-in and sign-out times -- a printed one from the system, and take them home with you.

If you haven't been keeping records, go back in Lotus Notes, if that's what you're using, and print all of your time sheets ASAP. Take them home, put them in a brown envelope, seal them and put a piece of scotch tape over them. Then have someone outside your family sign the back across the tape and the envelope, and store it in a fireproof place away from the office. This way your fanny is covered. If you can get copies of the records which have been tampered with, get them after you have protected yourself and turn them over to the state police, or the AG. Chances are, the AG or police will have to bring in the FBI computer crime division to investigate, as from what I understand there aren't many people who know about the computers.

Whatever you do, don't mention it to anyone again, esp. since everything has gotten so "hush hush" in the office. It wouldn't be the first time that an honest person got backstabbed by a guilty party. The story of Erin Brockovich is a good indication of what can happen to "whistleblowers".

I personally would report the supposed guilty party to someone outside your office who can get an inside investigation going. There is an old quote of some sort that says something about "if it looks like a duck, walks like a duck and quacks like a duck, then it must be a duck". Well, we can change that to if it looks like a time card changer... it probably is.

Good luck, I have been in your shoes, and I've never been sorry. I can't say it was easy either.



Kaycek, A+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Keep trying no matter how hard it seems it will get easier
 