September 10, 2007 at 3:07 pm
I see your points (about the wouldn't have worked and about the cold-hearted).
But for certain places, such as healthcare and law enforcement, coldhearted can save lives, so I can accept those techniques for problem employees who are soon to be gone, if not for employees in good standing who somehow get shown the door.
I suppose there is not much that can be done just before or just after a poor review, though, since the person is not being terminated at that time.
But I wonder if there is some kind of emergency procedure that can take effect where after a bad review (in particular where the employee is explicitly on some probation), the company can direct the DBA to put backups into a "dropbox" where they are then copied to a place he can't get to. Then someone else can verify the backups daily (that they are being put in the dropbox and that they are restoring properly).
I know this probably seems more coldhearted than the first approach, given that the employee is being micromanaged that way while still employed (akin to digging his own grave), but it may be an option when someone has evidence of an employee who might sabotage the company.
The other option, I suppose, is to try to secretly back up data without the DBA's knowledge, but that seems unethical itself and would likely provoke the employee to more sabotage if and when they find out they are being shadowed.
This is a very thorny issue - and of course, it is not necessarily limited to DBAs if there are other employees who are savvy enough or have social engineered enough people to be capable of getting unauthorized access indirectly.
webrunner
-------------------
A SQL query walks into a bar and sees two tables. He walks up to them and asks, "Can I join you?"
Ref.: http://tkyte.blogspot.com/2009/02/sql-joke.html
September 10, 2007 at 3:22 pm
Backdoors or not the engineer is not totally to blame. The healthcare provider will be paying for their misfeasance with regard to HIPPA for a minimum of 3 years. This is not to mention the bad PR. The only saving grace is that they were a not-for-profit. All the same it is a very, very sad situation.
RegardsRudy KomacsarSenior Database Administrator"Ave Caesar! - Morituri te salutamus."
September 10, 2007 at 4:20 pm
This story is not the other side of the coin, but more like life on the edge of the coin:
This is one reason I won't take backups off site in my personal care and I don't have any Hippa concerns either.
I have dealt with terminated employees the same as several have mentioned. Somewhat a floating rule depending on the reason for the termination.
But a determined individual can achieve his goal if so inclined. Smaller business cannot afford all the required security (at least until its too late) nor the staff to monitor it all. Being lax is easy and not being is hard when you know all the employees by face. IT is all too often put into the position of being the network "cop" or enforcer.
It's a hard problem trying to balance total lockout and the ability for the user to function at the same time.
September 10, 2007 at 6:34 pm
I hate to say it again, but shame on the healthcare provider again ... HIPAA covers just what had happened to them <period> It is unfortunate that the employees were terminated. My guess is that they were not the management that was required to create the policies locally at their facility - they are the real individuals culpable for this situation. Below ae just a few of well publicized links within the healthcare industry:
http://www.cms.hhs.gov/HIPAAGenInfo/
http://www.cms.hhs.gov/SecurityStandard/
and the most damning of all (which covers media):
http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf
RegardsRudy KomacsarSenior Database Administrator"Ave Caesar! - Morituri te salutamus."
Viewing 4 posts - 16 through 18 (of 18 total)
You must be logged in to reply to this topic. Login to reply