HR Records on network

By Banner ·
We have recently purchased our first actual server (it took me a year to convince the CEO to give up the cash). Now we are running into some security problems.

The CEO wants to put personnel records on the network, but does not want anyone, including myself (the supposed admin), to be able to see them. I informed him that's not possible, and asked a few friends how their company handles information such as the personnel records. Everyone stated that those are completely off the network and handled strictly by the HR dept. I was curious if anyone else has run into this problem?



by robert In reply to HR Records on network

Normally the Administrator can set permissions to only allow the select few people that need access to those folders to view them. In addition, you can set it so that a person has either read, or read and write access. But you will always need access because you are the Administrator, not because you want to see what's there. Your manager may request that you have some kind of agreement that you'll keep the info confidential. Just tell him that's how it is.

Good Luck


I have never been in a place that didn't

by Sr Manager In reply to normally

In all the locations I have worked, all information was available via the intranet and (of course) stored on a database that was actually on or referenced by a network connection. With the appropriate policies, security, and fault tolerance with backup in place, this is the best place to put all customer, product, and employee information. In addition, trust has to be inherent in the IS positions (DBA, Network Admin, Programmers, etc.). Most of these positions have access to all corporate information in one form or another.


Trust is needed ...

by buttwobbler In reply to I have never been in a pl ...

I subscribe to ur CEO's point of view simply because I believe all data HAS to be on the network simply for backup purposes. Then again ... IT staff will always have access to company info one way or another. U cannot have anything with no access to it... wots the point of it then? This is where trust comes in ... they have to trust u simply because without u being able to access it .. later on if something needs to be done to it they are stuffed!! U cud have some kind of agreement about confidentiality but at the end of the day .. hey ... if we can't control servers that we are responsible for ... wot are we doing?
U cud have it locally on users machine but the risks are way too high!!
IT Manager


Shift the responsibility...

by carib In reply to Trust is needed ...

I once had an issue similar to this, and the only way it can be done is if the data is held within a database that has its own security (that locks/passwords the database). Sure, it can be done... but all administration of the data and application belongs to the users in HR. Absolve yourself of any responsibility in whole or in part for corruption or restoration (short of a backup done to your tapes at night).

Asst. Dir. MIS


Relax people

by workinboy In reply to Shift the responsibility. ...

I'm not sure why I'm participating in this... it seems like a heated discussion over nothing.

As a network admin, generally you should be trusted not to get into anything. I know at my company, I'm the IT Director of a 3,000 employee company, and while our issue isn't with HR records, they have expressed concerns about financial records... I was totally honest with them about it, in saying that "I did not grant myself rights... which means I'm not going to map that drive every day, but I still have access... As part of my job and my responsibilities, I'm required to have access to everything on the system... whether it be the files on the drives or people's e-mail boxes. I value my job and the trust it entails, and I'm not going to violate that and risk my job or reputation by accessing data that's of no real concern to me anyways. If [they] don't trust me that much, I shouldn't be working here."

That seemed to work, and they've developed more trust over time, to where they'll send me files to relay for them that I can't see... they trust me enough to not open the files - and I don't. If, however, you're in a position where they won't display that amount of trust, maybe get them a Network Attached Storage device, and don't grant yourself rights, or something like that. You'll have to grant rights to the backup device, and they don't need to know that you could easily add yourself to the backup-operators group, or something like that. This way, they feel safer, and you can still do your job. Besides, if they knew enough to know that you can still get in, then they should know that their request and paranoia is unwarranted. Going overboard with the over-done encryption and really taking away your rights for good is just asking for trouble... and puts you in a position where you can no longer administer the space or help when they begin losing files or screwing up the rights.


System Security

by jester357 In reply to Trust is needed ...

Ask your CEO if he would like you to print up all his personal information and you transfer it to 40 point type and place it all over his circle of influence. Then explain what "Hackers" do on the internet and see how he feels about that. Nuff Said?


That's the way it is.

by rdstaley In reply to Trust is needed ...

While I agree that the pool of people that have access to much of the information kept by a company (i.e. Personnel, P&L...etc).
It is not possible to secure that from people like us (System Admins, DBAs).
I would suggest that you talk to your boss about it and let them know that while you have access, that does not mean that you will use it. This is the very reason that we are trusted within an organization.



Trust = Job Accountability

by benwong In reply to Trust is needed ...

When a person is employed in an organization, one is given a job description. It is an employee's responsibility to ensure that he/she is accountable for all that is listed in that JD, e.g. Network Administrator. In terms of security, the NA is accountable for all secured access. The NA must implement several measures to demonstrate to his CEO that an audit trail can be in place to track access to data or folder.
The data/folder can also be restricted to specific personnel in two ways. I must assume that this data is accessed by an Application. First level is "access to the folder" and second, "ensure that you need a password to view/edit the data/info". In the first level, even the NA can be restricted from accessing the folder (Windows NT environment).
The CEO may demand to view the audit trail log, to ensure that there is no abuse at any time. Problems of trust normally occur when the subject is unclear or what security measures can be implemented by the Network Operating System.

Network Administrator
Ben Wong
Sabah Energy Corporation


How Far do You want to Go!

by jgruhler In reply to normally

As I stated in my previous post (which is farther down on the list), encryption is a good option, but many have suggested that passwords are easy to crack, although I don't think there are many who could, but if you're concerned about it then make it harder.
1st, set up a directory tree with several levels. Example: "RootCEO\CEO\CEO\CEO\Private"
Then give the CEO sole ownership of the "RootCEO" directory. Now have the CEO drill down to the "Private" directory and assign a password to it. Then have him assign a different password to each directory above it all the way up to the "RootCEO" directory. Now he can put the private files in the "Private" folder and it will take, in this example, 5 separate passwords to access the files. If they are also encrypted then that's another level of security.
Another easy solution (sounds dumb but it works) would be to set up a second computer and a hub in his office. Have him store the files there and unplug the network cable from the hub to secure the files or plug it back in to share them. Add to this the directory tree example above to protect the files in the event someone gets into his office.
If that's not enough for him then tell him he needs to spend a few bucks on some older computers and firewall routers. Or dig up whatever you can to work with. Now set up a string of subnets with the firewalls between each machine and install them in his private office. Set them up with no network shares and have him use the last in the string to store and access his private files from his office. If he needs to share the files with another dept he can temporarily assign shares to those who need it and then remove them again when they are finished. Again add to this the directory tree example. Of course now he will have to be responsible for maintenance (plus a lot more work for him to access and share) or give you limited access when needed. He can't have it both ways.


restricted file access

by mjohannsen In reply to normally

Most everyone states that the administrator needs to have access to everything to be able to operate, including me. However you can still set up a folder structure which restricts even the administrator. Create the folder structure with the person who needs access to be the owner and remove all other access. This should have the desired effect, allowing only that person to have access. If the person gets into a tight spot you as the administrator can always retake ownership of the folder and access it as necessary.
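
Added example, not part of any post in this thread: a sketch of the audit-trail review that the replies above describe, flagging an administrator who takes ownership of an owner-only HR folder or reads files in it. The folder path, account names and sample events are constructed for illustration; the field names and access-mask bits follow Windows Security events 4663 and 4670, which are only logged when object-access auditing is enabled and the folder has an audit entry covering those accesses.

```python
# Constructed sample data; field names follow Windows Security events
# 4663 (object access) and 4670 (permissions changed).
HR_ROOT = r"D:\HR\Personnel"      # hypothetical folder
HR_ACCOUNTS = {"hr.manager"}      # hypothetical accounts allowed in it

READ_DATA = 0x00000001    # FILE_READ_DATA / list directory
WRITE_DAC = 0x00040000    # change the permissions (DACL)
WRITE_OWNER = 0x00080000  # take ownership

SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "hr.manager",
     "ObjectName": r"D:\HR\Personnel\reviews.xls", "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserName": "netadmin",
     "ObjectName": r"D:\HR\Personnel", "AccessMask": "0x80000"},
    {"EventID": 4670, "SubjectUserName": "netadmin",
     "ObjectName": r"D:\HR\Personnel"},
    {"EventID": 4663, "SubjectUserName": "netadmin",
     "ObjectName": r"D:\HR\Personnel\salaries.xls", "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserName": "netadmin",
     "ObjectName": r"D:\HR\Personnel2\menu.doc", "AccessMask": "0x1"},
]


def under_hr_root(path):
    """True for the folder itself or anything below it (not 'Personnel2')."""
    p, root = path.lower().rstrip("\\"), HR_ROOT.lower()
    return p == root or p.startswith(root + "\\")


def review(events):
    """Return (user, finding, object) for non-HR activity on the HR folder."""
    findings = []
    for ev in events:
        user, obj = ev["SubjectUserName"], ev.get("ObjectName", "")
        if user.lower() in HR_ACCOUNTS or not under_hr_root(obj):
            continue
        if ev["EventID"] == 4670:
            findings.append((user, "permissions-changed", obj))
        elif ev["EventID"] == 4663:
            mask = int(ev["AccessMask"], 16)
            if mask & WRITE_OWNER:
                findings.append((user, "ownership-taken", obj))
            if mask & WRITE_DAC:
                findings.append((user, "permissions-write", obj))
            if mask & READ_DATA:
                findings.append((user, "read-by-non-hr", obj))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(finding)
```

A review like this is only useful to the CEO if the log is collected somewhere the administrator being audited cannot clear or edit it.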
