The other day, I posted a blog entry that asked readers how they would respond to a real-world security problem and presented five options. In short, the scenario revolved around the failure of an end user to secure a list of passwords that could be used to access an organization's ERP system; the password list was left in plain sight on the person's desk. The five options I presented were:
- 1. Find the person and point out the folly of leaving a password list out in the open.
- 2. Find the person's manager and point out the error.
- 3. Go into the person's office and put the list in a drawer or under something else and send the person an email message indicating that you took this step.
- 4. Go into the person's office, take the list, and turn it in to the CIO for further action.
- 5. Something else. What would you do?
TechRepublic readers didn't disappoint! There was a wide range of views on how to handle this particular situation. I'll present some of the views in this posting and then tell you how I handled this particular situation in my own shop.
Security trumps all
Quite a few readers indicated that security trumps all when it comes to dealing with these kinds of situations. One reader indicated that he would immediately change the user's password and require the person's manager to request it to be reset. Another indicated that the password list would be immediately shredded without notification to the user. A third commented that every IT staffer is a part of the overall security team and indicated that any IT staff person should have the authority to go into the person's office and remove the infringing information. Reader Boris the Bold pointed out that he works in a site where clearance is required. He indicated that, in his situation, there is no room for error.
It was also pointed out that the IT department, or security office, or whatever it is in this organization, is ultimately responsible if something happens as a result of this breach. At the end of the day, the user might be upset about the invasion of space, but security will be tighter and the person will get over the hurt feelings.
Not so fast...
A number of other readers took a slightly different tack. Reader Rabs pointed out that the appropriate action really depends on a number of factors, including what level of access is provided by the credentials and whether or not the company has a formal security policy in place. He also indicated that he would first turn the paper over before finding the person responsible and having a private chat. For a second offense, Rabs would go to the person's manager to explain the seriousness of the offense. User Glenn Martin agreed, but would include the person's manager in the first conversation and follow up by changing the affected passwords.
Michael Kassner, another TechRepublic reader, pointed out that the person handling the incident should first consider the organizational rank of the person whose space they're entering. After all, if your CEO's office is generally off limits, he probably won't be pleased when he's informed that IT took something off his desk without letting him know. Whether or not IT was right in doing so probably won't matter!
TechRepublic reader Saigman took a thoughtful approach to the problem. Rather than simply take action, he would turn the paper over and place a note on it indicating that the information should be secured. At the same time, he'd get a list of the credentials written on the paper and make sure that they had not been used. If they had, he would bring the list to the attention of the security officer for further action and forensics to make sure that information was not compromised.
Tony Hopkinson, however, nailed it. His solution: "Give myself a damn good slap round the head for creating a situation where the guy had to write his passwords down in the first place."
I'll tell you right up front that I'm not inclined to give a serious smack down on a first offense. Hence, some of the, as one reader put it, more abrasive or harsher solutions that were put forward would not appeal to me, unless I was in an environment that absolutely demanded it. I prefer an approach that understands that everyone is human, at least for a first offense. Maintaining employee morale across the organization is important and, quite frankly, I don't think that the rank of "IT staffer" is enough to take drastic action. Instead, I would prefer a low-key discussion with the person for a first offense. After that, if the person continues the offending behavior, it is appropriate to take further disciplinary action. I like the idea of simply turning the paper over or putting it in a drawer and finding the person later on. If the person isn't available, going to his or her manager would be appropriate.
This is not to say that I don't feel that security is important. Quite to the contrary, I realize that my neck is on the line in the event of a major breach. However, whether we like it or not, the golden rule always applies... do unto others. People deserve at least some leeway for a first offense. Again, if I was in an extremely sensitive environment, my thoughts would be different. Either way, changing the possibly breached passwords is a good step.
What I did
I encountered this exact situation in my CIO career literally two weeks after I started working in that particular organization. One of my staff people brought me a piece of paper with some passwords listed and told me that she had taken this from another employee. At the time, I told the IT staffer that it was inappropriate to take information from another employee's office without at least finding the person or the person's manager. If she was not sure how to handle the situation, I preferred that I become involved in order to ease any tensions that might arise. I simply don't want IT to be seen as draconian or somehow above other people in the organization.
I personally spoke to the offending non-IT employee about the password list and explained why it was a bad idea (not to mention against policy) and also apologized for taking something from her desk. Since then, we've made other changes that negate the need for these kinds of lists, too.
A few months later, three of my staff challenged me on that decision and said "IT should be able to do anything they want when it comes to security." I was also told that "the executive team darn well better do what IT tells them to do when it comes to security." This was said to me in almost those exact words. Sorry... we're a part of the overall organization. We're one cog that makes the business run. There is a point at which security efforts become something more; something that isn't necessarily about security, but that is about power, and that's where I draw the line. That said, as I've stated, some situations will call for the maximum disciplinary action for a first offense. This is where a judgment needs to be made for each circumstance.
If this employee were to infringe this policy again, I'd handle the situation differently, however. Like I said, everyone deserves a chance, if the environment allows it. For a second offense, I would involve the person's manager and possibly take further disciplinary action.
Do you have other real-world situations that might make for an interesting discussion? Write to me and we'll work out the details!
Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive with CampusWorks, Inc. Scott is available for consulting, writing, and speaking engagements and can be reached at firstname.lastname@example.org.