All too often, IT managers find themselves in the extremely uncomfortable position of being the IT police, prosecutor, and judge. The moment it becomes known that IT has either reported a user for violating an IT policy, read users' personal e-mail, or attempted to take action against a violator, IT runs the risk of doing irreparable damage to the already difficult relationship between IT professionals and computer users.
One IT manager recently faced just such a difficult situation. This manager felt he had to choose between policy enforcement and maintaining a productive relationship with his users, and he asked for your advice on how he should proceed. In this particular incident, the violation consisted of the use of company e-mail for sharing pornography, made more complex by a difference in religion between the IT manager and the users in question. At all costs, the manager did not want to be accused of victimizing a particular religious group.
The majority of the advice for the manager fell into one of three categories:
- The manager should report the violation to the users' manager(s) and have no more involvement in the incident.
- The manager should report the violation to HR and let them handle it according to company policy.
- The manager should approach the violators directly with his findings and give them the opportunity to cease and desist.
A small number of members felt that regardless of company policy, the manager had violated the privacy of the users by reading their e-mail and should take no action.
Readers explain choices
Regular discussion contributor Ken Hilving presented a compelling case for the first position: "There should be no issue regarding which manager has responsibility. It has to be the manager in the employee's chain of command. For this to shift to IT is extremely risky behavior." Member kschall elaborated on this point, saying, "If the policy is a company one, then the resolution should already be defined in the policy. IT management should not be the judge and jury, but more the investigator who gathers evidence in support of the case."
Regardless of whether it is the responsibility of HR or the unit manager to enforce the policy, two additional points were raised:
- IT policies should exist at the company level, not the IT department level.
- The steps to be taken in the event of a violation need to be specified as part of the policy.
Some members felt that, in the interest of maintaining a good working relationship with the users, the manager should deal with the violation by approaching the offenders directly. Member Joaquin.Llorente suggested that "before taking any other action, speak to the people involved, individually and in confidence, and let them know that their use of e-mail COULD BE in breach of the policy. Explain to them the specific part of the policy, and let them know that e-mail is being monitored for inappropriate use and what will happen if they continue to ignore the policy."
Member paulyvee shared this point of view, saying: "I would speak to the individuals concerned, advising them that I was aware of their infractions and ensure that they were aware of policy. They would then be given the opportunity to clear their mailbox. I would warn that any repeat [offense] would have to be reported and dealt with by the relevant company authority."
The need to enforce
Whatever the preferred method of enforcement, most members stressed the importance of taking some action regardless of the race, religion, or gender of the people involved. Member andrewb made the important point that, "If a policy is not enforced completely, it becomes unenforceable." Member GSG shared this opinion, saying, "The point is that if the policy supports it, and you have the documentation, religious preferences should not come into it."
Member mrs_helm suggested that this particular incident could have been avoided by using e-mail filtering: "While there are always ways for users to get around the filters (substituting characters, etc.), most users won't bother because it is so clear their actions would be against policy...and anyone who did and got caught would no longer have the 'I was just forwarding this' or 'I didn't think it was offensive' defense."
Regardless of the differences in opinion as to the steps the IT manager should have taken, it is clear that the majority of members involved in the discussion felt that, to avoid involvement in future incidents, the manager needs to take whatever steps are necessary to get all IT policies implemented at the company level, and to make it clear that no one in the IT department is to be involved in the handling of policy violations.