Requiring techs to report observed violations 2

[TeeJayWA]

The IT Manager for my workgroup sent this out to us:
"Anytime you observe someone doing something that is an ethical violation or a violation of the rules that govern the operation of company computer systems you need to advise the individuals what they are doing is wrong and they should cease that activity. I don't expect you to police offices looking for people who might be doing something wrong but you have contact with the individuals on a daily basis and might come across something out of the ordinary. A reminder of the rules is sometimes all we need to jolt peoples memory of what is expected. Once you've talked with the individual it's up to you to decide whether or not to elevate this any further up the chain. The issue may end right there and nothing more needs to be said and I think you've done due diligence in letting the person know that they are violating the rules. On the other hand, if you do see something that is being done wrong and you choose not to say anything to that person or that person's supervisor and it later comes out that you had knowledge of what was going on then you should expect to be scrutinized as part of that investigation."

In other words, report what is seen or face the consequences of guilt by acquiescence. I don't like the idea of the technicians having to report suspected problems otherwise face scrutiny themselves. The mandate begs the question of whether the techs should report other work issues, such as sleeping at work, excessive personal use of phones, etc. Shouldn't the department manager be looking for suspected abuse and let the tech concentrate on fixing the equipment?

I appreciate comments on the issue.

 

[CajunCenturion]

==> The mandate begs the question of whether the techs should report other work issues, such as sleeping at work, excessive personal use of phones, etc.
No, the mandate suggest nothing of the sort. The mandate calls for you to act when and if you observe an "ethical violation or a violation of the rules that govern the operation of company computer systems", nothing more, nothing less. If it's not an ethical violation of company computer systems, or rules violation of the same, then it's not your concern. Don't read more into the mandate than is there, and I would strongly suggest that you refrain from any attempt to extend the mandate beyond it's limits in hopes of shooting it down. That will raise red flags about you.

The problem that I have with the policy as it reads in your post, is that it leads to two he said / she said situations. The first is how would the company know you were aware of the violation and yet kept silent? The obvious answer is that someone claimed that you, as a representative of IT, gave tacit approval of the violation by looking the other way while being aware of the violation. Your response is simply, "I didn't know what he or she was doing". He said / she said.

The second area is how will the company know that you've talked to the individual? The accused party will say that you never said anything, but you of course, say you did. He said / she said.

My advice is that you follow the policy and if and when you encounter a rules or ethical violation, you inform the guilty party of the rule without any mention of the incident. I would send a simply send a written note something along the lines of, "just in case you weren't aware, company computer systems cannot be used to do <whatever> ...". I would make no mention of the specific incident in question; therefore, you're not making an accusation. But you're in full compliance of the mandate, and you have the documentation to defend yourself against either he said / she said situation.


--------------
Good Luck
To get the most from your Tek-Tips experience, please read
FAQ181-2886
As a circle of light increases so does the circumference of darkness around it. - Albert Einstein

 

[kmcferrin]

The bigger problem I see is that most techs aren't really particularly senior members of the organization, though they may be dealing with support issues from more senior members (VPs, managers, etc). In those cases it is very difficult to tell someone who may hold a more senior position that what they are doing is unacceptable.

Those sorts of cases make it even more important that you act in an advisory role ("FYI, doing X is not permitted...I'm just saying") rather than an enforcement role. I think that in most cases I would probably either plead ignorance of the infractions OR hand them off to my manager to pursue and not say anything to the user. What they're really talking about is a disciplinary/HR issue anyway.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Hyper-V
MCTS:System Center Virtual Machine Manager
MCSE:Security 2003
MCITP:Enterprise Administrator

 

[mbalent]

Play the game to a certain extent.

Assuming you and your co-worker are not playing WOW on the company's assets, stick to the simple stuff like 'you forgot to lock your workstation when you left your desk' or 'you didn't turn off your monitor when you went home' or some other such inconsequential thing.

Anything else forget it (but you have to maintain plausible deny ability).

Matt

"Nature forges everything on the anvil of time

 

[lionelhill]

This is really two different situations.

At the level of "trivial" matters, writing passwords on post-it pads, failing to do back-ups, downloading Christmas gimicky .exe files, looking at facebook, most of us reasonable users are not going to get upset if we get the occasional reminder ("while I was fixing your PC, I noticed you have a lot of stuff that's not backed up. You ought to get it backed up somewhere ASAP. If you need help, let us know"). If in doubt, it can be reported to the boss in general terms: "I notice a lot of people are using Facebook quite a bit. Is it time we blocked it, or at least sent round a reminder about private internet use?"

At the level of serious offences, I don't see what anyone can do except report it up one level. The user is going to be very upset that someone has found out they are looking at indecent websites, but you don't have to deal with it personally. If the vice principal is indulging in a little vice, the top boss can decide whether he/she is so good at their job it's worth turning a blind eye; they shouldn't hold it against you for noticing. The VP themselves will never know who shopped them.

The real problem is that if you don't do it, who will? IT problems are going to be seen by IT staff, and not necessarily local managers.

 

[DonQuichote]

I don't see why techs are so special. If you see unethical behaviour, I can see you should discuss it (not all cases are clear unethical) and report it if deliberately unethical. But that should not even be needed to be mentioned in any company policy. I don't think techs are more ethical than others. or less.

Just curious: are you supposed to check management as well? Who do you report to in such a case?

+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)

 

[gbaughma]

I have worked for companies that had "Compliance Hotlines" and "Ethics Committees".

Turning a blind eye can backfire on you, certainly. Say, for example, someone is fired for looking at inappropriate videos; you turned a blind eye. As they're being walked out the door, they say something like "Well, Greg didn't say anything about it when he saw me doing it...."

Companies will say that everyone is responsible for holding everyone accountable. However, that can also get you targeted. The best way (if you are a tech) is to report it to YOUR supervisor, and let him/her take it to that person, or that person's supervisor.

If you ARE the supervisor over the techs, then inform the techs to bring those issues to you, instead of getting into a conflict. Remember, lower-on-the-totem-pole employees aren't always aware of the "Big Picture", and what may be seen as unethical behavior may be part of a larger situation.

From a company standpoint, they can be held personally liable for non-compliant or unethical behavior. For example, if someone is falsely billing an insurance company for treatment not received, the company can be fined, lose its license, etc. etc. Should it be up to a Tech to confront the unethical billing person about that? I don't think so... it should be up to the Tech to bring it to their supervisor and/or senior management.

Another situation is that companies occasionally "give employees enough rope to hang themselves". They're aware of the situation already; and waiting for the proper opportunity to act on it. Perhaps it's something that involves a union or any other number of factors.

So, to summarize:
1) Yes, I believe that every employee should be on the lookout for unethical behavior.
2) Yes, I believe that the behavior should be reported, because not reporting it automatically makes you an accomplice.
3) I do *NOT* believe that it's up to a tech to confront an employee on perceived unethical behavior.
4) I believe that it should be reported to management.

Play the game to a certain extent.

That's called being passive-agressive. That's not the route to a win-win solution.



Just my 2¢

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg

http://parallel.tzo.com

 

[PCmad]

I can see nothing wrong with being asked to report any security issues you see, and even pointing out to people they shouldn't be doing this and the reason why. If however people argue you need someone else to report issues to like an IT Security Manager. The IT security Manager should then take speak to the individual and if need be speak to HR. You should be left out of this process. An example, you see an employee downloading a movie file, so you say you shouldn't be doing this and the reason why. You don't get into an argument or debate you point out the section in the IT policy that says what you can and cannot do or refer the person to this document. You then report the issue to your IT security manager or you line manager and you leave them to sort this out with HR.

 

[rosieb]

I think that you need to apply common sense.

If it's a minor infraction, like leaving a workstation unlocked, a gentle reminder to the person concerned should be enough - though you should make sure that you do it privately. If it seems that they are an habitual offender, and they ignore your hint, then escalate it to your manager.

Anything serious should go straight to your manager.

You have to decide where to draw the line, based on your company's policies. As an employee, you have a duty to ensure that company policies are observed.

I'd avoid the "advising via email" route, it can be seen as threatening.

Rosie
"It doesn't matter how beautiful your theory is, it doesn't matter how smart you are. If it doesn't agree with experiment, it's wrong." Richard Feynman

 

[gbaughma]

Mmm. When I left my workstation unlocked during a training and went to lunch, the trainer walked up and sent me an e-mail (From myself) reminding me to lock my workstation, and pointing out that she *could* have sent a nasty e-mail to my boss under my name.

It worked for me. lol



Just my 2¢

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg

http://parallel.tzo.com

 

[dennisbbb]

I wish my company has this type of policy on ethical violation or a violation of the rules that govern the operation of company computer systems. Too bad nobody cares enough to listens here.

 

[AndrewTait]

I have to agree with much of the advice here - If it is a minor incedent, have a quiet word with the offending person, and write it down in your diary/outlook calender etc. That way, when it gets beyond a joke, and you escalate it, you can say to whoever you are escalating it to that you have reminded them of the policy on these dates.

It proves that you are not just saying that you reminded them, and stops such a person saying "Well Fred knew about it".

=======================================
I got to the edge of sanity....then i fell off
======================================