December 14, 2007 at 12:37 pm
The first big question is whether the company has a policy regarding access to certain information. I have dealt with institutions that require certain people be notified any time certain information is accessed.
In the absence of policy, the best thing would be to ask for the detailed list of requirements, submitted through the project tracking system, e-mail, or something similar. If the request is legit, you fulfill his request to keep it confidential, but you have documentation that it was requested by your superior should there be an investigation. Depending on the situation you can justify that request by company policy, by claiming a bad memory (so that this way you forget no details), or just by bluntly saying that you require requests for that type of information in writing. The last one is definitely politically dangerous, but a lot of bosses will understand your need to cover yourself, especially if it is already part of a written policy, even if it is a policy you wrote and published yourself as the DBA.
Keep in mind that depending on your type of business, there are lots of legitimate reasons he may want the information and lots of legitimate reasons to keep the project on a need-to-know basis. If it is a legitimate need-to-know, then the fact that you are making inquiries by itself spreads information that should not be spread.
As a worst case scenario, you can insist on sending it to him by e-mail with the email detailing his exact request. At the minimum you then have a record that it was sent to the CIO, that the CIO did know about the records pull, and even if it is your own words you have a statement of what he requested with a timestamp on it.
If there is a true reason his request is other than legitimate (and his refusal to put it in writing would be a hint), then you can discreetly inform someone that you know would legitimately have a right to know, so you are not releasing information improperly. Hopefully that person would also have some obligation to keep your confidence if it is legitimate. Again, depending on the nature of the organization, this may be the CIO's direct boss (probably the CEO), or perhaps there is a specific Internal Affairs/Inspector General/Ethics Representative/corporate legal counsel.
Asking around on your own is a bad idea since it gets you involved in a possibly sensitive area that you are probably best staying out of and it violates his trust by spreading the information. You can learn a lot about a situation based on the questions people ask. Definitely document, and if need be inform a proper and official channel, but unofficially checking is dangerous.
---
Timothy A Wiseman
SQL Blog: http://timothyawiseman.wordpress.com/
December 14, 2007 at 12:47 pm
Timothy,
You have a lot of good points. Unfortunately, per the privacy policy at my workplace, I have to inform X number of people to get the request signed off on, even if the CIO (god-like as he may be) has personally made the request of me not to tell anyone.
If anyone is in that kind of situation, where the privacy policy specifically dictates that the security team needs to know about such requests and that management has to sign off on them, any person asking you to do otherwise either hasn't read the policy or is definitely up to something odd (if not illegal).
December 14, 2007 at 2:38 pm
In our environment I am the DBA with full access to the database except for credit card numbers, which are encrypted; our security administrator has access to the encryption and decryption tools but no access to the database until I grant it. So if anyone wants a report like that, they have to get two people involved. Due to company requirements we would need to go to our manager to get authorization to give him this data. In the past, when asked to do something that didn't feel right, I have gone up the chain of command and demanded the request in writing. I told my boss that without it I would quit. He backed me, and the request was reexamined and deemed unneeded.
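The two-person arrangement described in the post above (the DBA owns the tables, the security administrator alone holds the decryption secret) can be set up in SQL Server with a symmetric key protected by a password rather than by the database master key. The following T-SQL is an added example, not code from the poster or from this thread; the database object names (dbo.Card, CardKey, SecurityAdmin), the placeholder passphrase, and the sample card number (the standard 4111... test number) are all assumed for illustration.

```sql
-- Added example: two-person control over card numbers in SQL Server.
-- Assumed names: table dbo.Card, symmetric key CardKey, role SecurityAdmin.
-- The key is protected by a password only the security administrator knows,
-- so the DBA (who owns the table) cannot decrypt on their own, and the
-- security administrator has no table permissions until the DBA grants them.

-- 1. Security administrator creates the key, protected by a password the DBA
--    never sees. Protecting it by password (not by the database master key)
--    is what keeps a sysadmin from opening it silently. Placeholder passphrase.
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY PASSWORD = 'SecurityAdminOnlyPassphrase!';

-- 2. DBA owns the table; the card number column holds ciphertext only.
CREATE TABLE dbo.Card (
    CardId      INT IDENTITY PRIMARY KEY,
    CustomerId  INT NOT NULL,
    CardNumber  VARBINARY(256) NOT NULL
);

-- 3. Loading a card requires the key to be open, i.e. the security
--    administrator's session (or an application that holds the passphrase).
--    Constructed sample row using the well-known 4111... test card number.
OPEN SYMMETRIC KEY CardKey
    DECRYPTION BY PASSWORD = 'SecurityAdminOnlyPassphrase!';
INSERT INTO dbo.Card (CustomerId, CardNumber)
VALUES (42, ENCRYPTBYKEY(KEY_GUID('CardKey'), '4111111111111111'));
CLOSE SYMMETRIC KEY CardKey;

-- 4. DBA working alone: the key is not open in this session, so
--    DECRYPTBYKEY returns NULL and only ciphertext is visible.
SELECT CardId, CustomerId,
       CardNumber AS CardNumberCipher,
       CONVERT(VARCHAR(20), DECRYPTBYKEY(CardNumber)) AS CardNumberPlain
FROM dbo.Card;

-- 5. Producing the requested report needs both people: the DBA grants access
--    on the table to the security administrator's role, and the security
--    administrator opens the key in their own session before selecting.
GRANT SELECT ON dbo.Card TO SecurityAdmin;
-- (security administrator's session)
OPEN SYMMETRIC KEY CardKey
    DECRYPTION BY PASSWORD = 'SecurityAdminOnlyPassphrase!';
SELECT CardId, CustomerId,
       CONVERT(VARCHAR(20), DECRYPTBYKEY(CardNumber)) AS CardNumberPlain
FROM dbo.Card;
CLOSE SYMMETRIC KEY CardKey;
```

Caveat a practitioner should keep in mind: a password-protected key cannot be re-keyed or opened by a sysadmin without the password, since ALTER SYMMETRIC KEY requires the key to be open first, but a sysadmin who can trace or capture the security administrator's session can still see the OPEN statement. The control therefore holds only if the OPEN step is always run from the security administrator's own session and that session is not observable by the DBA; it complements, rather than replaces, the written-authorization step described in the post.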
January 2, 2008 at 3:33 pm
A long time ago I paid a visit to internal audit when I had a request of a similar flavor come my way. The auditor was able to confirm the validity of the request and life went on.