What Would You Do?

  • Posting this before I read the other replies...

    First, how did I hear about this request: from the CIO himself or via email?

    If via email, I would be very suspicious and walk over to the CIO's office and ask him personally if he really did send me this email.

    Secondly, I'd refer to my company's privacy policy. We have a VERY strict policy and I would need a legitimate reason from the CIO as to why he would need private information like SSNs and Credit Card numbers. Telling me he's working with Security isn't good enough. I'm too low on the totem pole to just send something like that without following company policy. If he can't give me a compelling reason for me to follow through with his instructions, I'd ask him for his contact with the security team. So I could find out why this security team member wanted private information.

    Thing is, there is no reason as far as I can tell, for Security or the CIO to have this information. You can investigate security breaches without SSNs or Credit Card numbers. Names, I can see needing. Contact information (for notifying the customers), I can see needing.

    But at my workplace, we can't send anything out on CD or Email without it being seriously encrypted, plus we actually need managerial sign off to send that type of data to anyone. So I would have to go through the security team, then my boss, his boss, and then the boss's boss before I could fulfill the CIO's request. Hence his reasoning of "don't tell anyone" wouldn't fly because I simply cannot comply with that request without reporting the request to security.

    It's actually listed in our privacy policy that we have to report any strange sounding requests like that... Which is a good double-check mechanism as far as I can tell.

    Brandie Tarvin, MCITP Database Administrator
    LiveJournal Blog: http://brandietarvin.livejournal.com/
    On LinkedIn!, Google+, and Twitter.
    Freelance Writer: Shadowrun
    Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.

  • I'd give the CIO a report containing:

    1) the sales data (plain)

    2) The following data hashed so that it is NOT recognizable (to use to identify a specific customer) but remains a unique identifier:

    - customer name

    - SSN

    - credit card data

    Note: The hashed data would have to be hashed in such a way that the CIO could not figure out the hashing algorithm. 🙂

    This way, the CIO could still do his/her analysis BUT would not be able to use the confidential data in such a way to steal someone's identity.


    Have a good day,

    Norene Malaney
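
The pseudonymized report described in the post above, as an added example that is not part of the original thread: it uses HMAC-SHA256 with a secret key held by the data owner, so the protection rests on the key rather than on keeping the algorithm unknown. The function names, the key handling and the sample rows are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: the key is generated by the data owner and never handed over
# with the report; whoever holds it can re-link tokens to candidate values.
def new_key() -> bytes:
    return secrets.token_bytes(32)

def normalize(field: str, value: str) -> str:
    """Canonicalize so that formatting differences do not split one customer."""
    if field in ("ssn", "card"):
        return "".join(ch for ch in value if ch.isdigit())
    return " ".join(value.split()).casefold()

def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed HMAC-SHA256 token; the field name is mixed in for domain separation."""
    msg = field.encode() + b"\x00" + normalize(field, value).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]

def build_report(key, rows):
    """Sales figures stay plain; name, SSN and card number become tokens."""
    return [
        {
            "amount": r["amount"],
            "name": pseudonym(key, "name", r["name"]),
            "ssn": pseudonym(key, "ssn", r["ssn"]),
            "card": pseudonym(key, "card", r["card"]),
        }
        for r in rows
    ]

def unkeyed_is_guessable(digest_hex: str, prefix: str) -> bool:
    """Check for the weak variant: a plain SHA-256 of an SSN can be matched
    by enumerating the small space of possible values (here the last 4 digits)."""
    return any(
        hashlib.sha256(f"{prefix}{n:04d}".encode()).hexdigest() == digest_hex
        for n in range(10_000)
    )

# Constructed sample rows (not real data); 4111... is a well-known test card number.
SAMPLE_ROWS = [
    {"name": "Ann Example", "ssn": "000-12-3456", "card": "4111 1111 1111 1111", "amount": 120.50},
    {"name": "ann  example", "ssn": "000123456", "card": "4111111111111111", "amount": 75.00},
    {"name": "Bob Sample", "ssn": "000-65-4321", "card": "5555 5555 5555 4444", "amount": 19.99},
]
```

The same customer maps to the same token within one report, so grouping and counting still work, while a report built with a different key cannot be joined to it.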

  • After giving the CIO a look like this: :ermm:, I'd follow up with our security director about the request. We've got forms to fill out when this kind of info is asked for.

    Of course, if he asked me within the next year, I'd say "We don't store credit card info here anymore!"

  • Just finished reading everyone's responses. Everyone says they want it in writing, which is good, but my comment about the email request still stands.

    Email is just too easy to spoof. If the CIO does send me an email request without talking to me verbally first, I simply can't trust that he didn't get some sort of trojan on his system that sends out the request with his name on the email.

    So yes, if the request is verbal, get it in writing. But if you get it in writing without other notification, verify it first just to make sure it isn't some hack (instead of the CIO) trying to pull one over on the company.

    Brandie Tarvin, MCITP Database Administrator

  • Brandie Tarvin (12/14/2007)


    But at my workplace, we can't send anything out on CD or Email without it being seriously encrypted, plus we actually need managerial sign off to send that type of data to anyone.

    So you don't work in the UK for our Civil Service, then.....

    Q. Listen, lads; I'm part of a completely different department to you. Can we have all 25 million of your records, please? Names and NI numbers'll do.

    A. No problem. Want bank details with that?

    Q. Nah. Just names and NI numbers, ta very much.

    A. Actually, you can have the lot and pick out what you want. Too much hassle otherwise.

    Q. OK. When can I have it?

    A. Depends how quickly TNT can get it to you. Burned on a CD do you? Actually, scrub that. I'll need to use two. If they haven't arrived in a week or so, give me a shout and I'll burn some duplicates and send them to you the same way.

    Q. Fine. What encryption are you using?

    A. Encryption? What's that? I'll password protect it, if you like.....

    Oh, dear, oh very dear.

    Semper in excretia, suus solum profundum variat

  • I have been in similar situations before. In all situations, except one, I have held my ground and asked for an email stating the nature of the request and what data was asked for. Yes, I was threatened with 'sanctions' (termination, suspension, bad reviews etc.) but that really means nothing when as a production DBA your trustworthiness and reputation are truly everything.

    Now the one situation I alluded to earlier I actually took another track. I was asked by an outgoing Director (reported directly to the CIO) to go into the SQL database that tracked web access and delete his records for the last 30 days. I told him sure it was no problem. I waited 30 minutes and told him it had been completed. Well, during the 30 minutes of wait time I went to my manager and he took care of it for me (notifications of the proper management - I assume the CIO, CEO and HR) after stating that I had done the right thing. I never heard another thing about it and in less than 2 weeks the director was gone.

    Regards,
    Rudy Komacsar
    Senior Database Administrator
    "Ave Caesar! - Morituri te salutamus."

  • Yeah, I heard about that. (the UK data breach) OUCH!

    Brandie Tarvin, MCITP Database Administrator

  • Indeed, Brandie. It's difficult to post a humorous reply about that incident, because no matter how outrageously idiotic you try to make each step sound, it still seems to be remarkably sensible compared with the rank moronity of the actual facts.

    @rse, both hands, map needed.

    :shakes head and sighs despairingly:

    Semper in excretia, suus solum profundum variat

  • I agree with most others on this topic. I would require the request in writing; and it MUST follow the current policies. If no policy is in effect to deter this action; then it comes down to a moral judgment. My judgment is quite simple; I would rather sacrifice myself than that of anyone else, whether it is another employee, customer or 1000’s of sensitive records.

    A company that would rather jeopardize me and my reputation for their own gain is not a company I would want to continue working for. The next employer would ask why I was terminated, or what was my reason for seeking employment, I would be honest (without giving details) and say I was asked to do something that I deemed morally wrong and would compromise many people’s security, and I refused to do the action without proper authorization and/or documentation.

    I know the prospective employer would find me to have high morals and trustworthy for having the willingness to lose my job over such a controversial and scrutinized matter; that it would dang nearly get me the job regardless of my past performance!

    I say all of this because my current employer cares more about loyalty and accountability than performance, and to tell you the truth this has by far been the best company I have ever worked for and I can see myself staying until I retire.

    Seems easiest to live by a simple philosophy: If it hurts more than it helps, then don’t do it!

    Thanks,

    James

    ~ Without obstacles, you cannot progress ~
    http://sqln.blogspot.com/

  • Very eloquent James.

    Regards,
    Rudy Komacsar
    Senior Database Administrator
    "Ave Caesar! - Morituri te salutamus."

  • I would respond to the CIO that the nature of the request is a bit unusual, and based on the data being requested I would feel more comfortable to have it in writing. I would also ask to have verification from the CEO or a member of the security team if possible. As a CIO I would not be offended by this request...actually I would be encouraged by the extra precaution with sensitive data.

  • I always notify my manager and I always tell the requestor that the manager will be informed. We have procedures for that.

    Regards,
    Yelena Varsha

  • I agree with others, in writing the request will be. And not in an e-mail either because of the spoofing potential. I would also verify the request with security since he said he was working with them.

  • The request would have to be a signed physical document requesting the information, what it is to be used for, and by whom. Also, I would have to seriously consider a signed request also be supplied by the data owners or another non-IT group. Collaboration can and does occur all too often. I would also question why such a general list of information would be required. I would assume that in a fraud investigation, a sampling, or a target group of records, would be the first step.

    If I did not take the appropriate steps to protect this data and do the right thing, I would suspect that losing my job might only be the start. It would be interesting to look into the law to find out exactly how much, if any, civil and/or criminal liability one could incur by being reckless with sensitive data?

  • Gee, that pretty much adds up to a consensus, which leads me to 2 observations.

    One is that, unfortunately, we live in a world where we must question the activities and motives of those charged with managing the organizations we work for, at least in certain circumstances. That is not commentary on the people who occupy those upper positions. It is lamenting the state of the world we live in.

    The second is applause for all who would be willing to risk personal damage rather than allow public damage to occur. I think the responses here do credit to those posting them and are a reflection of a very positive moral outlook toward the data we are supposed to be safeguarding. Cheers to all!

    ------------
    Buy the ticket, take the ride. -- Hunter S. Thompson
