June 11, 2003 at 12:57 am
Hi all,
for some monitoring reasons I think it is a good idea to trace who and how long someone uses a db. Maybe also what he is doing there. I know how to set this up, but I am wondering if this can be considered an intrusion in the privacy of the users.
How do you handle this?
Do you tell your users when you trace their activities?
Cheers,
Frank
--
Frank Kalis
Microsoft SQL Server MVP
Webmaster: http://www.insidesql.org/blogs
My blog: http://www.insidesql.org/blogs/frankkalis/[/url]
June 12, 2003 at 6:59 am
The database users should expect to having their work load and activities traced. i think that it is always a good idea to keep a track of what is going on within a database. I guess the real question is what do you do with your findings? You may make yourself very unpopular with other employees is this kind of data is used against them.
June 12, 2003 at 9:25 am
They surrender some privacy when they connect to the db. Think of banking - would you want a banking system that didn't trace every access/change? Or healthcare? Profiling is just another way (and a good one) to maintain an audit trail. I don't see much point in discussing this with users unless they cause a problem, in which case it depends on the type of problem whether its appropriate for the DBA to address it. You see someone running selects against the salary table, probably time to call HR (and spiff up the resume for letting it happen!).
Andy
June 12, 2003 at 10:31 am
Your company should have some policy spelled out, probably for email, that all activities may be monitored, blah, blah, blah. I suspec that this would cover profiler.
Of course, IANAL.
Steve Jones
June 13, 2003 at 12:07 am
Hi Andy,
I sometimes think I surrender my privacy when I enter office building.
I certainly don't want to discuss this with the users!
But in a way even this is the problem. Do you intentionally keep the users 'stupid' (not always a bad idea ). Or do you tell them, what you are able to do, and maybe will do in case you need to.
Well, now comes Steve into play.
Hello Steve,
from what I know about labor law, protection of data privacy and other legal stuff, the best idea is to implement this in company policy. We do not have something like this for emails. Only for internet activity. That seems to be the way to go without losing myself within jurisprudence. I'll delegate this to our legal and human ressources dapartments.
Thanks to all for answering!
BTW, are those 'monitoring policies' for email, internet, db.... something quite common for you?
Cheers,
Frank
--
Frank Kalis
Microsoft SQL Server MVP
Webmaster: http://www.insidesql.org/blogs
My blog: http://www.insidesql.org/blogs/frankkalis/[/url]
June 13, 2003 at 12:09 am
Hi Steve,
quote:
Of course, IANAL.
bear with me!
What is IANAL?
Cheers,
Frank
--
Frank Kalis
Microsoft SQL Server MVP
Webmaster: http://www.insidesql.org/blogs
My blog: http://www.insidesql.org/blogs/frankkalis/[/url]
June 13, 2003 at 7:34 am
The users should not have an expectation of privacy if they use a company database. As mentioned before, I assume that my transactions are logged when I use an ATM machine.
Although I wouldn't hesitate to yell if I found that they were using the information in a way I did not expect. For example, if they printed the logs, and then used the paper for scrap paper in the office. That would be bad.
Company policies and procedures are the criteria with which you and the company will be judged. If your company's policies and procedures are more stringent than the law which standard will your company be held accountable? The company's policies and procedures.
It would be a damaging piece of evidence at a trial if the other side could stand there and say "If they had only followed their own P & P they would not be here today".
Patrick
Quand on parle du loup, on en voit la queue
June 13, 2003 at 7:56 am
Hi Patrick,
quote:
Although I wouldn't hesitate to yell if I found that they were using the information in a way I did not expect. For example, if they printed the logs, and then used the paper for scrap paper in the office. That would be bad.
what do you expect???
You knew that they were logging and tracing, so why yell?
Understand me, that's my problem. It like Pandora's box!
quote:
Company policies and procedures are the criteria with which you and the company will be judged. If your company's policies and procedures are more stringent than the law which standard will your company be held accountable? The company's policies and procedures.
Stop!!! While being a candidate in the CFA programm I was tought always to adhere to the more restrictive rules.
I decided to delegate this to the lawyers in our human resources department. This is their job!
Cheers,
Frank
--
Frank Kalis
Microsoft SQL Server MVP
Webmaster: http://www.insidesql.org/blogs
My blog: http://www.insidesql.org/blogs/frankkalis/[/url]
June 13, 2003 at 10:15 am
IANAL - I am not a lawyer.
I searched out our security people and they said that the info sec policy that we agree to says that you do not have an expectation of privacy on the company network. If it transits the network, it can be read, which includes email. This covers the NOC folks who sniff traffic as well as Profiler.
Steve Jones
June 13, 2003 at 10:19 am
Laughing. It is Pandora's box. But we know what happens on a database.
I had a client who had written requirement that the administrator would not have access to private data. I explained that the administrator would have access, whether he looked at it or not was his choice. That the sysadmin has access to everything.
Back in the late '70's or early '80's there was a department store that had its own charge card. The head office decided to use the backs of the used charges as scrap paper. This was back in the day when you had carbon paper and copies of charges. Seriously. Someone in management decided not to waste paper. Eventually some of those charge slips ended up on the floor of the store. Customers noticed that their "old" charges were left laying around - with personal information. And, yes, there was some yelling.
bonne chance!
Patrick
Quand on parle du loup, on en voit la queue
June 13, 2003 at 10:48 am
the sa/god problem is one that most people are concerned about, but a sysadmin has to be trusted with access. Of course, you should also be fired/sued if you abuse the privledge, same as any other area.
Steve Jones
Viewing 11 posts - 1 through 10 (of 10 total)
You must be logged in to reply to this topic. Login to reply