IT losing status and security

By prudence.smith
I've been put in a rather awkward situation. My company has a new boss who is keen to put his mark on his new position. As a result IT has lost its offices and budget.
The new boss wants the servers to be located in central reception. I aired my concerns that security is now redundant if we proceed in this manner, as anyone could just walk into the office, rip a disk out and run away, and that I cannot be expected to run a secure and up-to-date service unless a specific budget is allocated.
Due to the way that current law stands, as IT Manager, it is my responsibility to ensure that my company is compliant, secure, and licensed. I have realised that I will have to get legal advice on how to proceed but I am pretty much in the dark as to what to do. Can anyone give me some advice please as to how to stop this situation getting any worse than it already is?
Morale is low
Many thanks

Write a report

by LiamE In reply to IT losing status and secu ...

Write a report of the security and potential business issues associated with your boss' plan.

Submit it to your boss and the company owner/board with your recommendations as to why his plan is a non-starter. Include a summary of current legislation as to why whoever takes responsibility for this is leaving themselves open to prosecution. Suggest alternative strategies if at all possible.

If they fire you - or even reprimand you - for then refusing to do something that leaves you open to personal prosecution they won't have a legal leg to stand on. Constructive dismissal all the way.

If he is in fact the owner of the company get it in writing that he is doing this against your best advice before carrying out any work. Then look for another job.

I concur

by Jellimonsta In reply to Write a report

I agree with Liam. You should write a report on the proposed actions and why they are insufficient, both legally and functionally. As Liam stated, you should give alternative recommendations (or even multiple scenarios, one best practices, and one feasible practices with a limited budget). If you have it in writing and present it to the major decision makers stating why the proposed actions are illogical, then at the very least you have your butt covered.

Many options

by jdmercha In reply to IT losing status and secu ...

Which one you choose depends on your organization and the relevant regulations. Personally I would (in order of preference):

1. The reverse Nike - Just don't do it. If it is not legal to do it, don't. I realize that this is much easier to say than it is to do. And it may put your job in jeopardy, as well as destroy any good relations with your new boss.

2. Write a report as previously posted.

3. Find an industry white paper that deals with the subject.

4. Get support from the rest of IT.

5. Does your company have an audit department? If so, get their support.

6. Does your company have a legal department? If so, get their support.

7. Go directly to your boss's boss. Again this is easier said than done. This too could put your job in jeopardy.

8. Quit. Or threaten to quit.

9. If you do it, don't sign anything. Get your boss to approve everything. Then report any violations to the appropriate agency.

This chump is not fit to be your boss

by Tony Hopkinson In reply to IT losing status and secu ...

Get everything in writing. Don't carry out any work without your bosses (not just him!) absolving you from all responsibility. Make sure it's watertight. Just going to these lengths should convince even the most stupid person that it's a serious issue.
Cover your bases by looking for another job anyway; personally I'd have my sights set on this fool's position.

All really helpful

by prudence.smith In reply to IT losing status and secu ...

Dear all, thank you so much for your comments, I have started the report as suggested. I agree totally that the tactics being implemented by the new boss are totally inadequate and could land me in serious dodo. So does anyone have ideas as to what UK laws I should mention, or should I just get some legal advice and get him/her to do it for me? If he doesn't sign then I have certainly grounds for dismissal I'm sure. The comments on get a new job made me laugh - that's exactly what I need to do.

Data protection act is the main one

by LiamE In reply to All really helpful

You have a duty to protect any 'personal' information held on computer. You are liable if you fail to do this and any 'data subject' is caused distress. And yes data on other businesses need to be considered as 'data subjects.'

Moving the servers from a safe area into a public area would be considered wilful negligence at best should anything get nicked. And that includes data theft by your own company's employee.

Having a chat with a solicitor will be a good idea. Your local CAB will point you in the right direction.

What would be the cost to the business if these servers got stolen or say there was an altercation with a member of the public who decides to empty a fire extinguisher over them? Other than the kitchen or toilets I really can't think of a worse place to site servers than a reception area.

Siting servers in a public area flies so far in the face of best practice as to be laughable.

If it makes you feel any better...

by TomSal In reply to All really helpful

I know exactly what position you are in as it's not so unlike the dealio here either. Our "server room" was built fully ignoring the advice and guidance of myself or the other tech. The head of the company knows nothing about technology, he wanted the cheapest server room he could buy. He disagreed with our well thought out, documented and diagrammed server room layout -- why? Because there is a small window in the server room door and he wanted the room set up so you could see the "blinking lights" through the window because it looks "neat". I wish I was kidding, but I'm not. Then he ordered that any equipment or supplies our department has are to be stored in the server room. So now we call it our "storage closet with computers". Btw, for nearly a year pre-construction we told them in writing and verbally the requirements for a sound server room, documented we had storage concerns, etc.

They were all ignored. If you saw our server room you'd laugh yourself silly.

You even have to climb over power cords to get to the back of the switches. It's wholly inadequate.

So I hear you loud and clear with the mentality you are dealing with.

Good luck!

Legal advice

by DC_GUY In reply to All really helpful

The laws are different over there (I decided you were British based on only one identifiable clue: the way you use "redundant") but the way you have to deal with them is the same. Pay for professional legal advice. Don't settle for advice on a BBS from people who aren't even in the legal profession, especially for something that could have serious consequences.

UK?

by Tony Hopkinson In reply to All really helpful

Data protection act.
Financial Audit
ISO .....
BS ....
The business's Insurers
depends on what certifications and accreditations you've got there.
Get a professional legal opinion.
I can't imagine how you'd lose in front of an Industrial Tribunal, but even if there was a chance the company would lose far more even if they won.
I work where they've got TickIT, ISO9001 and BS3111, without them our customers would have to refuse to do business with us if they wanted to keep theirs. So neglecting the safety of your core business data isn't even an issue.
Go on take the guy's job, he doesn't deserve it.

I'll move forward

by prudence.smith In reply to IT losing status and secu ...

Cheers everybody, you've all given me a great deal of information to digest and investigate, and for helping me with UK laws. I'll contact the BCS for legal advice as to how this will legally infringe on my work without me ending up in jail, or worse. I'll continue the report with info on the data protection act, financial implications, BS, ISO, Insurers, TickIT (never heard of), and whatever else was mentioned (FoI act must come into this as well). It's all a lot of unnecessary work in my opinion. There should be a database of bosses who act in such a way, so at least we are warned that the job won't be much fun.

TomSal I feel for you, you've had to do the same but by the sounds of it you've far.

Thanks all again, I feel slightly better knowing I have the law on my side even if the boss isn't.
