
Network Administrator Ethics 4

Status
Not open for further replies.

wmichael

IS-IT--Management
Oct 2, 2003
103
US
Folks;

I have not yet searched through the threads here to see about any related topics, but wanted to see if anyone has any thoughts on the following situation;

I had a network administrator who was technically competent, yet seemed to think he had free rein of the network, and had the right to access any files regardless of who owned them. A specific example is that he wanted to use a marketing image and, instead of asking the marketing guru, went ahead and rifled through their home directory on the network to retrieve it. This was done without any prior communication to myself or the person whose files he went through.

My take was that this, among other actions, had nothing to do with his job. I hired him to ensure the performance, security and growth of our Windows environment. While he certainly has access to all files on the server, the authority to enter a user's home directory for any reason other than network-related tasks was not given to this individual.

The odd thing is that for all the training classes one can take, it is very difficult to find an ethics course. You can learn how to administer a network, but there is still that line that can be easily crossed by someone who is confused about what some may consider common sense ethics. There are quite a few gray areas.

Any thoughts on the specifics, or on the broader issue of such ethics?

Thanks in advance.

~wmichael

"small change can often be found under seat cushions
 
Excellent topic. You don't see much in the way of ethics courses. I agree that many of us see things like this as "common sense" but as we all know common sense is not really all that common.

All too many admins seem to think that everything on their network is their private playground. I think everyone here would agree that despite any language in acceptable usage documents stating "all files are the property of the company", "all communications may be monitored", etc. - the admin still can't randomly look into others' files. It's no different than digging into the payroll system to see what the CEO makes.

I've heard of ethics classes in business curriculums and you would hope that there would be at least one ethics class in a college level IT degree program, but what happens when you are hiring an admin with purely technical certifications?

I don't know that there's a good answer.


Jeff
The future is already here - it's just not widely distributed yet...
 
No he has no right to do so.

Doing so is abusing his position, and in many companies would lead to immediate dismissal.

As you said his role was to maintain security/integrity and work on the development of your network. The only thing he should do with other users' files is to monitor their number/sizes, and this because of performance/space issues, and eventually licensing issues. Nothing else.


Don't know if this is the case but in most companies I have worked/had contacts with, and that were big enough to have a network/system admin, they had all types of confidentiality clauses on their contract(s).

I as an independent consultant have that on my own standard contract, and still get to sign my customers' disclosure/confidentiality ones, and it would look very bad if I was found digging through the files. (there are exceptions to this e.g. working with production data as a programmer).


Regards

Frederico Fonseca
SysSoft Integrated Ltd
 
fredericofonseca and MasterRacker;

Good points. In the specific case I mentioned, the abuse did lead to immediate termination. The employee followed up later and asked for a written copy of the policy he violated. That was a squirrelly one, and I am fortunate that the state I work in has an 'employment at will' law, so am covered. However, if I had to produce such a document, or prove that he had been to training (on the company's dime) that covered ethics, I would have been scrambling around a bit.

Love the comments so far.... keep 'em coming.

~wmichael

"small change can often be found under seat cushions
 
[offtopic]
Hmm, proactive approach to a problem that has already occurred once in the past...[/offtopic]

Sorry, couldn't resist :)

 
[offtopic]
Tarwn:
I take it, then, that you're assuming that once someone has hired and fired one Peeping Tom sysadmin, he is somehow inoculated against ever doing it again?
[/offtopic]


Want the best answers? Ask the best questions!

TANSTAAFL!!
 
sleipnir214;

The code of ethics you directed me to looks great. In terms of being proactive, I have each person in my organization be aware of and sign various confidential access documents, but it seemed to end there. Honestly, I was quite blindsided by this (my fault, I know).

Does your organization, or anyone else's, have a similar ethics statement or agreement? While it's all fine and good to post such a document, it does little good at my workplace (perhaps others as well?) unless such a document is a) part of a broader company policy and b) acknowledged in writing by the incumbent and c) has supporting programs, formally or not, to reiterate and enforce.

Thanks again...

~wmichael

"small change can often be found under seat cushions
 
This is a really useful thread.

We have an email and internet policy, that you have to sign up to and pass a test on, before getting access to either.

Network snooping is covered by other, more general, policies - but I can see a good reason for spelling them out for IT staff, sleipnir214's example looks like a really good start point.

Unfortunately, it is common that IT staff just don't see the rules as applying to them.

Rosie
"Never express yourself more clearly than you think" (Niels Bohr)
 
rosieb

Your statement "Unfortunately, it is common that IT staff just don't see the rules as applying to them." brings a tear to my eye.

In truth, I see that the IT department has a more stringent obligation to uphold the rules than most other folks. In my organization, what may be a minor infraction from the standard user would be a serious offense for an IT person. Is that fair, I wonder?

~wmichael

"small change can often be found under seat cushions
 
I also agree with Rosieb in that many IT guys think rules are for the others.

But there are rules and there are rules.

There are the ones that should apply to normal users and the ones that should apply to IT guys.

Some will be more flexible to the IT guys, but others will be more restrictive to the same IT guys.

E.g. in a big organization with development teams I expect, and I have forced it, that the developers have full access to their machines, and access to commands that would not normally be accessible to normal users.
Not doing this can lead to big delays in the developers' work, and in some cases it may even lead to a lack of interest from the same developer.

On the other hand I have also implemented a very strict policy on how IT guys deal with their PCs and their documentation.
I don't care if a user has lost his documents because he did not save them on the network, but I have created mayhem because some developers did not do this.
And even though I allowed full admin access to their own machines they were completely prohibited from installing any type of wall paper, screen protection and the likes.




Regards

Frederico Fonseca
SysSoft Integrated Ltd
 
You're completely right, in my view IT Staff have an obligation to behave professionally, unfortunately it doesn't always happen. And when it doesn't, a very severe smack is in order.

Rosie
"Never express yourself more clearly than you think" (Niels Bohr)
 
A few thoughts....

What was he doing looking for an image? Did someone ask him to produce it because the person in charge was not available? Was he asked to do work outside of his normal activities? Did the person in charge forget where it was and won't own up to it?

As far as files being private, that's true to a certain extent. If the administrator is to administrate properly, and if the hiring company acted properly, then a privacy policy is involved. I'm not sure of the size of the company, but in small companies, sometimes the sys admin is the only one who knows where all the files are no matter how simple the directory structure. My company has private files that are in a hidden directory. I have access to that directory for backup purposes and to view a listing of the files, but no access to read, execute or write to that directory.

Maybe a bit of education to those in charge may be in order as well? Maybe a bit of permission tightening? Maybe something on paper stating "You can't do this" instead of deciding it was an offense worthy of termination? It almost seems to me someone jumped the gun and the admin is left wondering "Wha....?"

Sorry, I always tend to look at things from the other side, just half of my $.02.
 
I too have done the exact same thing, but in a more roundabout way.
We have an in-house "creative media services manager", who doesn't want to do anything. Our IT dept. asked if he could produce a corporate header for our email.
He had no idea where the files were, and after several weeks of bugging him for them, he just could not produce any images, even after we told him we would assemble it ourselves if he could give us the source files.
No.. instead he would have to create them completely from scratch for us.

A couple more weeks go by, and he still hasn't started...

So I scanned the whole company's user directory for a specific file - companyname.*(tiff/jpeg/bmp etc.)
Lo and behold.. there they were in the "manager's" root of his user directory.
I told our IT director where I found them when he asked, and he didn't seem to mind in the least.

I think we all end up on the wrong folder occasionally, but IT has to police itself to an extent and not abuse our power to poke around.
I had no problem telling my IT director where I found the stuff, because he was really getting pressure from the exec's to provide a working template and art would not lift a finger. And it was a search, not rooting around where I didn't belong. Besides, given the age of the docs in the directory, I'd say the user had probably forgotten he had that directory to back stuff up to..(he was a mac guy who was convinced his mac would never crash, so he didn't need to back anything up :þ)
Another admin here was fired recently for rooting around people's personal documents on their local machines via the network, and for using his admin privileges to read their email. He was also using documents from the HR manager's personal folder to spread dissent by exposing executives' and other key employees' salaries.
I don't consider what I did to be anywhere in that class of bad. In fact, I was glad to see the guy escorted out, as I didn't want him looking at my personal documents or reading my email either.
 
Dollie

Interesting comments, and in fact the discharged resource's reaction was basically "I didn't do anything wrong..."

'Those in charge' -- namely me -- are educated in this matter, though want a feel for what other folks view as ethical and non-ethical behavior.

The employees here in IT all have confidentiality access parameters as part of their job descriptions, etc.

A more complete explanation would be this; The discharged person was looking for an image for a non-sanctioned, non-documented, non-requested project that entailed re-branding one of our web presences. To wit, something way over that person's head and authority.

Instead of asking the user who had these materials for access to the materials, the person just went ahead and rifled through files using administrative authority.

I would be just as adamant if I gave someone the keys to my home so they can feed my cat, then found out they rifled through my drawers. Do I give someone the keys and ask they stay out of my personal stuff? Do I instead give them the keys and show them where they are to go to perform their tasks?

I guess the picture can be painted in any number of ways by both sides. The 'employment at will' law made the decision easier to execute, but not easier to contemplate. Though I do not doubt my decision, it's interesting to note the different opinions.






~wmichael

"small change can often be found under seat cushions
 
Weighing in on this, network admins have access to the entire network and everything on it for a reason. They can't do their legitimate work without it.

Because they have such extraordinary access, it is critical that they follow the ethical guidelines and be stomped on aggressively if they do not. Someone who will rifle through the HR records just because they can and have no legitimate need to know can also not be trusted to keep the network operating properly. Will they also put in a program which will kill the network or destroy information if they are let go? Network people should understand that the slightest ethical transaction can result in dismissal because no company can afford a network person who has no ethical scruples.

All network people should be asked to formally sign a document requiring them to keep confidential data confidential and that they understand that they are not to look in files unless specifically asked to do so by management or if needed to solve a specific work problem they have been assigned to address. It should specify that any unauthorized access to files can result in termination. This does not mean they can't look in files for a specific work-related reason, simply that they should not look in them to satisfy their personal curiosity or to perform an unauthorised action. If they have a need to look at the details of something they normally do not look in so they can fix a problem, such as the HR database, then they are under the same obligation that HR people have to not reveal personal information. If in the course of searching for something for a legitimate task, they run across something inappropriate, they should report it to management.

All users should be asked to sign a document that they understand there are no private files on their computers and that everything they have on their computer or network drives is subject to review by management or IT people at the request of management.



Questions about posting. See faq183-874
 
I dunno. If it was just to get the image for a work related thing, I don't think it's that bad. It's not like you got a full blown BOFH reading user email for blackmail material here.

And don't forget the golden thing that I have learned in this profession : a lot of people can talk the talk, but when it comes to actually doing work and fixing stuff, you'd be amazed by the number of "qualified" admins that will ask for a consultant to do it, all the while managers having no idea what's going on.

So you got someone actually qualified. Think about it before you do take your decision.

_____________________________
when someone asks for your username and password, and much *clickely clickely* is happening in the background, know enough that you should be worried.
 
lullysing:
While I agree that there are too many people who claim to be sysadmins but who don't possess the necessary skills, possession of the necessary skills is nowhere near enough to qualify to be a professional system administrator.

I have worked from time to time with a person who has magnificent sysadmin technical skills. Whether it's a Win32, Linux, HP-UX, or Unix-based system, he has figured out how to fix any issue that I've ever seen thrown at him. He will work whatever hours necessary to fix whatever problem he faces, and his ability to climb learning curves of new material is astonishing.

But under no circumstances will I ever let him touch without very close supervision a network for which I am responsible. And it's because of his professional ethics. Although he is good about respecting the necessary privacy of data on a network and does not indulge monkey curiosity, he treats any network he touches as though it were his own personal system. He will, without supervision, choose to implement the most convoluted of a possible set of solutions to a problem simply because that presents the greatest challenge. Unless directly ordered to do so at pain of not being paid, he frankly refuses to document anything he has done -- his first response is, "It should be obvious", but he does not quite get that everyone's mind doesn't work like his. And since solving a network admin problem does not, in his mind, necessarily include actually implementing the solution, he often leaves work undone.

I'd hire the guy as a contractual brain extension, but there is no way I would hire him to be responsible to run a network.


Want the best answers? Ask the best questions!

TANSTAAFL!!
 
I think it's a question of setting a precedent, hunting for a graphic isn't too bad. But if that's OK, next time maybe hunting for a report is also OK, then a document, then snooping personnel files....

Just because you can, doesn't mean you should.

I'd trust my IT colleagues not to ferret around in my handbag when I'm out of the office, I should be able to expect them to treat my network folders in exactly the same way.

On a purely practical note, if you scavenge for a graphic (or whatever), how do you know it's the current version? That in itself could cause problems.

Rosie
"Never express yourself more clearly than you think" (Niels Bohr)
 
I will occasionally scavenge the network for a file, but usually it's at the request of another and I ensure that I let them know, "I'm not sure if we have that, but I'll go do a search on the network for it." I don't look in personal files either.

However I agree with most here. Confidentiality and ethical standards are part of the job responsibilities for any IT person. However one shouldn't assume the employee inherently knows where the line is drawn at work. A specific document should be drawn up that specifies the company's expectations as far as ethical standards are for the company. What may be deemed appropriate at one company may not be at another, regardless of what may seem as common sense.

And if nothing else, simply tell your employees, "If what you are considering may be questionable, ask me first before deciding to do it."
 