August 2, 2010 at 9:20 am
@Question Guy - I would hope that in cases where exorbitant salaries (e.g. Bell, CA) and other potential improprieties are exposed that the information used was obtained from public sources and not from an HR or other database containing protected information. Snooping is a serious enough offense - leaking sensitive data should be grounds for immediate termination at any company, and possibly worse. If you suspect something improper is happening, then great - find a way follow up on it. But don't abuse your position in order to do it.
I too am surprised and disappointed by the high percentage of IT 'professionals' who admit to snooping. As mentioned earlier in this thread though, not everyone defines snooping the same way. I do not consider data profiling - where we're simply interested in capturing the characteristics of the data and are not interested in individual values - to be the same as snooping. Don't know if differing definitions could have played into the results.
August 2, 2010 at 9:38 am
Question Guy (8/2/2010)
Does a person have a moral obligation to look into things on their own if they suspect something is up? .
Put like that, its a fair question. I do not have the authority to look into wrongdoings at my company, unless I have been assigned that task specifically. For example, I may have been asked to secure a particular item (table, row column, whatever) so that only certain people or groups of people can see it. If it comes to my knowlege that anyone outside that group has accessed it, then yes. That is a part of my job. If improper access is something I "suspect" I should certainly get permission from the owner of that data. But to look into it without that permission, is certainly a violation of my own duties, and exposes myself right along with any other wrongdoer. We are stewards, not owners of data.
Whisleblowing, if that is what you are referring to, is a different issue. You are not reporter, or a political hack, looking for a "scoop" to share with the world. I have worked in the Private and public sectors, and in the private sector, you do what you are hired to do, within the bounds of the law. In Government, there are specific procedures that are to be followed. Snooping for cheaters is not what we as professional stewards do.
The idea that 74% of data stewards, feel the urge, or desire to snoop falls far beyond any reasonable boundaries I can possibly think of. Its none of your business what anyone but you makes. Do your job. If there is supected impropriety, report it. One should never act alone. This should be an extremely rare instance, unless you happen to be living in a John Grisham novel. If someone is committing felonies, there are proper ways of dealing with that without exposing yourself to potential legal difficulties.
August 2, 2010 at 11:08 am
One of the things a developer with access to sensitive data is what I call a "trained forgettory". It is all too often the case that a problem _only_ manifests in the particular situation posed by live data. Case in point - I once had a problem where _some_ highly compensated employees were not being taxed correctly on the taxable part of their life insurance premiums. To figure this out, I needed to look at real data for employees with and without the problem, so I have seen most of the salaries paid to upper level employees here - including my own boss.
But my "trained forgettory" kicked in as soon as I resolved the problem - all I recall now is that all of these people make more than I do, which is only what anyone would know.
Anyone working with sensitive data - which is virtually anyone working with data, period - is well advised to train themselves to keep the data only in their current working memory, despite the inconvenience (I have to look up my own salary when I need to know it exactly).
August 2, 2010 at 1:08 pm
I have seen more problems and divisiveness caused in IT departments because people find out about a co-workers salary. I have even seen good people run out of companies over it. I personally think that people who leak that information out to people who do not have a need to know should be terminated, period.:-D
"Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ...:-D"
August 2, 2010 at 1:49 pm
Question Guy (8/2/2010)
I suppose it depends how snooping is used. If snooping is used to expose positions that are grossly overpaid, then its a good thing. (From time to time, I see government employees who show up in the news for being overpaid) Or if snooping is used to expose how little or unfairly an employee, perhaps a developer, is getting paid(while working overtime for free) vs how much commission a sales person is getting(again the developer working over time for free due to promises made by sales people), then I have a hard time saying snooping is bad if one party is being taken advantage of over what are shady business practices. 🙂Or you might just overhear the salesman say "the margin is great" while they are on their way to golf and you will be skipping dinner in a few hours. 🙂
This sounds like ad hoc justification. Every organization has people whose job it is to investigate problems and it's not up to every cowboy vigilante to pry into areas where they don't belong.
If you do legitimately stumble on something suspicious, then it's your job to forward those suspicions appropriately (company officers, or law enforcement), not launch your own investigation.
...
-- FORTRAN manual for Xerox Computers --
August 2, 2010 at 4:40 pm
Steve Jones - Editor (8/2/2010)
Dimbulbz (8/2/2010)
... I don't know where you have taken your sample from, but that is scary and perhaps I need to do my own polling where I'm working now.It's from a survey done of IT Professionals. I have to admit I was shocked as well.
The only thing I'm shocked about is how low that number is. My belief is that 74% admitted to it and the other 26% are lying on the survey. 😉
--Jeff Moden
Change is inevitable... Change for the better is not.
August 2, 2010 at 6:13 pm
Yes I could go through everyone' emails, payroll information, and revenue reports.
But then I have all these massive secrets I have to keep to myself or get fired.
Ignorance Is Bliss.
Any major company will have external auditors, let them do thier jobs and give them good assistance under thier direction if you have suspiscions (compared to the rest of us who want them dealt with and out of our hair so we can do our jobs).
If your not paid what your worth, then look elsewhere.
August 3, 2010 at 4:06 am
I agree with Jeff, above - I am surprised that it is as low as 74%. People who work in IT are (I would hope!) naturally curious. The key point is what you actually do with that information. If you use it outside of your day-to-day work, then that is an abuse of your position (even if it is acting as a vigilante to expose dirty dealings) and the person should lose their job.
For me personally, I feel it is important as a DBA to understand not just the structure of the databases you look after, but the data stored within. Not only does it help with problem solving should the need arise, but it helps you offer a better service to the business as you can gain more of an understanding of how they use the data and how you can help them. It comes down to integrity. And a non-disclosure agreement signed by employees, of course!!! 😉
August 3, 2010 at 8:12 am
In data warehouse development looking at a source system's data is encouraged. Not just column properties and NULL counts, but actually looking at values held within a column that don't fall within the data definitions. They call this data profiling.
There's a fine line between snooping and profiling. And naturally there are plenty of sensitive columns that we don't need to delve into such as credit card numbers for instance. But I challenge anyone who has worked with older source systems and their unvalidated free text fields to resolve the numerous data anomalies without 'snooping'.
I agree with another poster here that the organisation conducting this survey probably had an interest in inflating the claims they are making. 'Snooping' seems to be a strong word and should be reserved for those seeking information for malicious purposes.
Kindest Regards,
Frank Bazan
August 3, 2010 at 9:20 am
Take the moral high road by not snooping and you'll end up in front of some executive committee explaining how the pirated software/porn/viruses ended up on your system and resulted in your company being sued/charged/hacked. There are nosy sysadmins and there are unemployed sysadmins.
As for the question of root/superuser access, why not have a 'two key' system like in nuclear missle silos? Two administrator user ids/passwords have to be entered in order to gain superuser access and both are responsible for any misuse.
At a minimum, read access should be logged for everyone, including system administrators. I haven't actually looked, but I assume somebody's figured out a way to use hashes to make log files relatively tamperproof?
Robb
August 3, 2010 at 12:04 pm
What do they specifically mean by "snooping?" I assumed we are all talking about the same thing and obviously we are not.
"Snooping" in my book, is searching through data for specific information out of personal curiosity, or to fulfill some non-work related motivation. If you dont want your supervisors to see you doing it, and cannot justify it by your job description, then its snooping. If you are responsible for keeping porn or other unwanted intrusions off your system, searching for it and other intrusions.... ITS NOT SNOOPING. If you want to find out how old one of your workers is, so you can legally date her(or him - whatever floats your boat)... its snooping.
I cant imagine the legitimacy of an article dealing with people who are looking at data that they are entitled to look at, and calling that "snooping", so lets all get on the same page.
Reading these posts, I've worked with some of you before, clearly, you think its your secret moral duty to know what everyone else is doing. There is a reason why I dont work with you. I honestly think you need counseling.
I have databases where I can track every query - because its a requirement to know what is being accessed and by whom. Tracking failed attempts at data access is also a part of my job. If we have a test data platform, the sensitive data is secured or scrambled. That is a standard security practice. But just opening up a query window in production and browsing down social security numbers or any other secured information, saying you are looking for "porn violations" (???) or whatever your justification is, is what we're talking about here.
The key is, Know the boundaries of your job and stay in them. going outside that on your own is, in my own opinion, grounds for termination - if not prosecution. anyone trying to justify this, I think should be put in charge of one thing only, thier own ego, and thats about it. Preferably as far away from my company as possible.
August 3, 2010 at 12:19 pm
Tracking login attempts and web history is auditing, However. Looking at individual employee information like age,salary,etc. is snooping. Big difference IMHO. The first is concerned with company securty, and a need to know, the latter is just plain personal curiosity on the behalf of the snooper and is none of their business anyway, and if caught should be a terminable offense, if for no other reason that the havoc it causes in most IT departments.:-D
"Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ...:-D"
August 3, 2010 at 12:27 pm
Uh oh. Somebody got out of the cranky side of bed this morning.
In my experience, unless you're in a union shop you really can't afford to be that literal about your job description. If my job description includes keeping servers running, then that includes identifying any possible threats, which means snooping if necessary.
Obviously this requires good judgement and discretion. The contents of an age field doesn't pose any credible threat so I would have no justification for viewing them, but an encoded Word document might well pose a threat.
You've got to be flexible and take some initiative. Sorry if you think that's being egotistical. I call it doing a good job.
August 3, 2010 at 12:34 pm
The contents of an age field doesn't pose any credible threat so I would have no justification for viewing them
I don't have an issue with personnel with a need to know viewing, as much as the obvious temptation to spread this information about, There are plenty of Age Discrimination lawsuits out there right now that the information got out just this way. That is personal info and should be protected at all times from disclosing it as general knowledge. particularly in this litiginous society we live in. 😀
"Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ...:-D"
August 3, 2010 at 12:35 pm
Robert.Smith-1001156 (8/3/2010)
Uh oh. Somebody got out of the cranky side of bed this morning..... but an encoded Word document might well pose a threat.
Perhaps it's encoded precisely because it's sensitive material and not your business. Someone who decides on his own to try to view information which is obviously protected sounds like a security threat to me.
I guess a litmus test would be: can you tell your boss, or your boss's boss, with a straight face that you've been looking at that info. If 'yes' then it is apparently part of your job, if 'no' then you have no business there.
...
-- FORTRAN manual for Xerox Computers --
Viewing 15 posts - 16 through 30 (of 31 total)
You must be logged in to reply to this topic. Login to reply