Scott Lowe describes a hypothetical situation in which a user is guilty of a security lapse. How do you strike a balance between overreacting and maintaining tight security?
This is a short posting to ask what you would do in a specific situation. I will follow up on this posting with a summary of the answers and see if there is any correlation between the answers and the organization type.
Maintaining an appropriate level of IT security is important in any organization. IT leaders need to balance the need to maintain a secure computing environment with usability. Likewise, an IT organization that is... overzealous... in its security mission might be seen as rigid or, they may be seen as saviors. It depends on the organization.
Consider the following hypothetical scenario:
An IT staffer walks by the office of an employee that belongs to a different department. The employee is not in his office. The IT person notices a sheet with some passwords is sitting out on the person's desk and there are some interns working in the office that should not have access to these systems. The credentials allow access to the organization's ERP system. The organization is not in an industry, such as healthcare, that demands a high level of privacy for all information, but is in a market that requires a reasonable level of privacy for its information.
What would you do?
- Find the person and point out the folly of leaving a password list out in the open.
- Find the person's manager and point out the error.
- Go into the person's office and put the list in a drawer or under something else and send the person an email message indicating that you took this step.
- Go into the person's office, take the list, and turn it into the CIO for further action.
- Something else. What would you do?
For those of you that provide an answer to this question, please indicate both your answer and the type of organization in which you work.