General discussion

Locked

Pro's and Con's of VPN at home for Employees.

By CSRPhoto ·
Ok, I'm in need of some advice, so here's the situation. I work for a County Sheriff's Department that is has it's own IT Department, as opposed to the County's IT department. The County has recently decided to offer to it's employee's (including those of us at the Sheriff's Dept.) the ability to print our paycheck stubs via the intra-net instead of receiving them in the mail as in the past. For the County Employee's, this is completely optional (as it should be) and people that want to continue receiving their stubs in the mail can do so. However, some of the Sheriff's higher brass has made an executive decision to force all of the Sheriff employees to only be able to receive their stubs on-line (supposedly saving the Department $11,000 annually in printing and mailing fees). Because of this, the upper management has also decided that IT will set up any and all users home PC's with VPN access (potentially up to 1500 people) just so they can log on to our network, to get access to the county's network so they can print their pay stubs at home.

So now the IT staff is to support these users home PC's as well as the Departments network (oh, and by the way we also support several of the outer-lying smaller Police Departments agencies). The IT Staff has expressed concerns with this and I am wondering what information or concerns anyone else out there might suggest we look into. Here is what we have tried to bring to the attention of upper-management:

1) more man hours to support home PC's
2) home PC's may not be up to par with Department standards
3) After hours support (which is extremely expensive to the department) will dramatically increase
4) Potentially opening up our network to more exposure to viruses, trojans, and hacking.
5) Many users may not have PC's at home and will want access from public PC's (such as at Kinko's).
6) VPN support will turn into PC support for issues unrelated to Sheriff's Department.

Further concerns amongst the department are whether or not forcing the employees to print their own stubs is even legal. It appears that some institutions that require a paycheck stub for for accreditation (eg credit checks) won't accept the home printed stubs as valid. Has anyone ever heard of a situation like this before?

This conversation is currently closed to new comments.

38 total posts (Page 1 of 4)   01 | 02 | 03 | 04   Next
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Unbelievable. But I do believe it.

by stress junkie In reply to Pro's and Con's of VPN at ...

I think your last two point are the most important ones. Is this legal? Are employer printed paycheck stubs considered a legal document that they are REQUIRED to provide?

Is it legal? I suspect that the IRS would have some answers about the employer's obligation to provide the information on paycheck stubs.

Banks won't accept home printed stubs? You could ask any bank about it. They should be able to refer you to appropriate laws that govern their behavior.

It also seems to me that if the above research shows that the employer is required to provide a paycheck stub but is allowed to require employees to print them at home then the employer should be required to provide an appropriate computer and printer to all employees. I don't see how you can shift this cost off onto employees.

Nevertheless there are probably laws governing all of these issues. The county must have a legal department. Ask them what they think.

Then there is the issue raised in the title of your post, the VPN. There are numerous software products that can be used separately or together to create a VPN. The first consideration is to remember that SECURITY IS JUST AN ILLUSION. Therefore you could argue, as I would do, that a VPN is not and cannot be secure enough to be a responsible part of your computing environment.

I suspect that if you research the Federal and state tax requirements, the bank requirements, and the state's requirements placed on employers you will be able to find some answers.

If those routes don't work then tell the management that there is no such thing as a secure VPN. The fact that the VPN has to be implemented on machines that are in the employees' homes is going to be a problem for both security and for maintenance. What if the home computer has a virus? It could then have access to the employer's network. What if the home computer is reconfigured by the employee? They would either lose their connection which then requires maintenance or they could compromise the security of the employer's network. You can't very well tell people that they can't do what they want on their home machines. If they mess up the VPN settings then that is the IT department's problem.

Good luck. :-)

Collapse -

Union involvement

by CSRPhoto In reply to Unbelievable. But I do be ...

As far as the legality of the issue, I think the Union will get involved if that is the case.

I guess my concern is to look more into the ramifications of expenditures from a Technologies perspective.

I think our biggest concern ought to be the security issue of allowing Sheriff employee's (which includes both civilians and correctional officers in addition to the deputized peace officers) access to network that public safety is dependent on.

Collapse -

Forget the VPN

by eric.peckham In reply to Unbelievable. But I do be ...

If they really want to give employess access to this then a VPN is definitely the wrong way to go about it. Just give your employees access to a password-protected page on the web that they can get their pay stubs from. Good grief, if that's secure enough for banks it ought to be secure enough for you. The real question is if the development cost of the web site is worth the paltry savings you quoted in printing and mailing costs?

Collapse -

Web Access Denied

by CSRPhoto In reply to Forget the VPN

This was our first though too, but becuase the payroll software resides on the county's network (as opposed to the Sheriff Dept. network) we have no say or control as to putting it on the website. That would be up to the County to decide, which they already have. They decided not to do so becuase they are allowing their employees to have the option of printing their stubs or recieve them in the mail.

The county's view is that since it's the Sheriff's Dept that doesn't want to comply, it's the Sheriff's Dept's problem.

Collapse -

Regarding banks

by stress junkie In reply to Forget the VPN

"...if that's secure enough for banks it ought to be secure enough for you."

I don't agree that the adoption by banks is proof of security for the following reasons.

Banks are run by nontechnical people. These people make decisions that are based on market demand rather than on security. Bank managers look to Federal regulation for their list of do's and don'ts. These managers will be happy to implement some feature to make them more competetive if the Federal government allows it even if it is not completely safe.

Bank computer systems are run by technical people. However there is a wide range of technical skill in this group. It is entirely possible to find situations where a system administrator is told to implement something that he/she is not skilled in doing.

It is also probable that a bank system administrator may be ordered to implement a system which they know is not secure.

It is also demonstrable that some bank system administrators are more quality oriented than others. In other words some system administrators are just not interested in the quality of their own work. I recently worked at a mutual fund company. I can tell you that there were system administrators working there that were not sufficiently skilled nor were they particularly interested in the quality of their own work to merit their custodial and fuduciary responsibilities inherent in their position.

All of these facts undermine the argument that if banks are using this system then it must be acceptably secure.

Plus, one difference between banks using this technology and the situation described in the original post is that banks in my area do not force this technology on their customers. Bank customers have got to go through extra steps when setting up a bank account before it can be accessed over the Internet. In the original post the employer wants to force this onto their employees.

I wouldn't completely trust bank managers or the regulations governing banks to always make good decisions. Mistakes are always possible. So using banks to justify the quality or security of the technology isn't enough proof to persuade me.

Collapse -

Concur

by FirstPeter In reply to Unbelievable. But I do be ...

I couldn't even begin to comment on the legal side so I won't (although I will say that having a law like that is obnoxious enough that it probably IS on the book somewhere...).

However, with the VPN you could at least take some prevenatative measures. I'm speaking theoretically here, but I believe ISA Server 2004 has a "Quarantine" feature that will enable VPN connections, but stick computers in a limited access pool until they "validate" credentials and up-to-date software (like all Windows patches, virus signatures, etc.). Pretty slick.

That doesn't help the fact that if someone's computer doesn't meet those requirements that you're probably stuck fixing it or making some exception, but at least it's a start.

And Stress is right - security is pretty much shot. Even if you DO have those things in place someone connecting at a Kinko's is at high risk for getting their password stolen and who knows what. For that matter the risk is at home, as well.

Collapse -

Unbelievably Bad Idea

by BlueGiant In reply to Pro's and Con's of VPN at ...

Wow! Talk about your nightmare IT situation! Setting up and maintaining up to 1500 VPN connections will be difficult, time consuming, and expensive. We only have a few dozen people who VPN in from home or the road and keeping them happy is tough enough.

In my situation, I get my paystubs through the companies HR website. I have my own user profile to access the HR site through the internet. One of the options available is to print my paystub. I can't give you any details on the setup or implementation because this function has been outsourced (I work for a small subsidiary of a huge company.)

The way we get around having to set up and maintain individual home PC's (so that people have access to their paystubs) is to have a few PC's around the facility that people can use for this purpose. This may be an option in your situation. Have a few PC's set up where needed that are locked down and used only for accessing and printing paystubs (and any other business related things deemed necessary.) This way you have control of the equipment, security risks and legal issues are minimized, costs are low, and your users have help handy if necessary.

I sure hope you can talk them out of that insane plan.

Mark

Collapse -

maintain individual home PC's

by ip_fresh In reply to Unbelievably Bad Idea

The way we get around having to set up and maintain individual home PC's (so that people have access to their paystubs) is to have a few PC's around the facility that people can use for this purpose. This may be an option in your situation. Have a few PC's set up where needed that are locked down and used only for accessing and printing paystubs (and any other business related things deemed necessary.) This way you have control of the equipment, security risks and legal issues are minimized, costs are low, and your users have help handy if necessary.

Davis,
http://www.my-credit-cards.co.uk/

Collapse -

It get's better...

by CSRPhoto In reply to Unbelievably Bad Idea

Ideally we would have the paystubs printable from the website, but here enlies the problem. Becuase the County IT department and the Sheriff's IT Department are two completley different entities, and becuase the payroll software is on the County's network it is there responsability to service and maintain it. However, they don't see a need to provide the paycheck stubs over the internet becuase the County is giving their users a choice to print it out or to continue recieving it in the mail.

Now the Sheriff employee's are technically County employees (which is why we recieve our paystubs from the county), but the upper-brass has determined for all it's staff that we are not to recieve our paycheck in the mail (saving the Sheriff Dept. a small chunk of change). But they do want the users to be able to print their stubbs at home...the only way to do that (since County IT won't) is to for us to provide VPN access from home for these users.

Allthough we do have several spare/training PC's that people can use, they also have their regular PC's they can use (they do this to fill out their time cards online already anyways). So I don't understand why it's so important for the users to be able to print from home (other than maybe save the department cost from the users printing on Department printers and department paper).

Collapse -

You Have Precedence For Solution

by sfaiswl In reply to It get's better...

You say everybody(?) logs-on a PC to fill out a timecard?
Is this always at work? If so, then that's just the flip-side of the payroll process from the paystub, so logging on the same place to get the paystub at the other side of the payroll process a is reasonable requirement.
If everybody is allowed or expected to fill out the timecard from home, then that's precedence for the paystub issue, and the existing security for data entry is obviously(?) acceptable for data viewing.
Either way, the suggestion from petev@... that you institute a "pilot" program is a great suggestion.

Back to IT Employment Forum
38 total posts (Page 1 of 4)   01 | 02 | 03 | 04   Next

Related Discussions

Related Forums