

DOWNLOAD:When IT needs access to sensitive data, create a policy with teeth

By JodyGilbert ·

After you take a look at this download, please post your feedback, ideas for improvements, or further thoughts on this topic.

--The TechRepublic Downloads Team


clear and concise

by djjwrights In reply to DOWNLOAD:When IT needs ac ...

by ngreed In reply to clear and concise

Good Policy, clearly states the point


Confidentiality policy

by Joanne Lowery In reply to DOWNLOAD:When IT needs ac ...

While this policy is certainly concise, it may not protect the IT staffer if the data kept confidential could be considered illegal: for example, obscene publications, child pornography, or illegal activities such as money laundering or drugs. Under NZ legislation, activities such as child porn must be reported to the authorities. The policy should allow for information such as the above to be reported with no ramifications against the IT staffer.


No Substitute for Management

by trl In reply to DOWNLOAD:When IT needs ac ...

Policies are no substitute for management. I worked a long, long time ago for a famous chemical company headquartered in St. Louis that had just this sort of policy. Fortunately, there were a couple of actual managers mixed in with all the yellow-bellied bureaucrats.

The company had just installed VM/CMS on an IBM 370 Model 155, I think it was. Users could request that a physical tape drive be attached to a virtual machine, and any tape mounted. I was reading Brown's Blue JCL Book at the time, and studying the layout of mag tapes. Using CMS commands, I could move the tape around and dump its contents for examination. I asked for a drive and a scratch tape. About ten minutes later, the SYSOP notified me it was ready to go.

After figuring out how that tape was laid out by reading its (old) labels, I dumped a bunch of blocks. That proved I had interpreted the labels correctly.

I thought it looked like social security numbers, names, and several packed decimal data items that seemed to be salary information. At least the numbers had the right kind of magnitude.

I went and told the superintendent I reported to what I had found, and that I figured it wasn't a good thing to be able to find it. I showed him a couple of blocks -- maybe 20 records. "See this, Ron? I think it's a problem."

I found out about a year later that the IT director had wanted to have me fired, and it had gone up to the corporate VP level because I had seen confidential data and told someone about it. The VP of engineering, it turns out, kept me from being fired. If it was such a d*mn big deal, he had said, the IT guys should've foreseen the possibility and done something about it. Well, all of a sudden it became a medium-sized technical problem instead of a huge management problem to be solved by firing an engineering aide.

And at the time, I didn't know any of it was going on. The technical problem was solved by having the SYSOP erase any scratch tape mounted on VM/CMS. I didn't tell them I could do the same thing to a tape mounted on OS/MVS with a utility program provided by Big Blue -- that would've blown their little pin-heads clean off.

Bottom line for me is we deal all the time with strictly confidential data, and with company confidential data in the course of our work. Managers have a duty to point out what sort of data is which, and it is common sense that an employee or contractor should respect the level of confidentiality. Blanket policies like this allow managers to shirk this duty, but claim (quite falsely) that they have "protected" the confidential information.

Who did more to protect the confidential information in this case? The peon beginner techie (i.e. me) or the dweeb waving the policy around and calling for my head? I say the policy and piece of paper is not needed.




by GSG In reply to DOWNLOAD:When IT needs ac ...

For a good policy, I'd do a search on HIPAA and download a confidentiality policy that healthcare uses. I'm in healthcare, and I have full access to all health and financial info of our patients, so I practically have to promise that I'll cut off a leg if something gets out. Just take out the healthcare specific stuff, and you will have a fairly airtight policy.
