An acquaintance approached me with a dilemma recently.
Her supervisor had requested the password of a coworker who was out on extended sick leave. The supervisor said, "Joe gave it to me before he left, but I misplaced it. Just go ahead and give it to me again, please."
The system administrator told me that at first she was going to just give the password to her boss, but began to have second thoughts about it.
What was the right thing to do? If it meant saying no, how was she supposed to do that without getting fired?
It turned out that Joe's password wasn't available, and the system administrator didn't have to actually say no. But the situation raises larger questions, involving the ethical administration of corporate assets. Often the situation can be sidestepped with some creative solutions. However, it can be tricky to face the situation in a manner that won't lead to the end of your career or a colleague's.
First, find out what your supervisor really wants.
It may be that Joe forgot to turn in the quarterly report, but left you a copy. It's possible the required information resides in more than one location. If your supervisor has authorization for administrative access on the system, providing him with his own administrative-level password should be sufficient.
Second, it's possible your supervisor is looking for evidence. It may not be something he/she is allowed to discuss with you, or it may be they can't articulate specifically what they're looking for. This presents a different ethical dilemma that can be examined from two different standpoints.
First, does explicit corporate policy exist regarding the use of company assets for personal use? Are there awareness notifications? When you log in, are you required to do something like click through a window with huge letters saying something like:
The use of this system is restricted to authorized users and is for official use only. This computer system, including all related equipment, networks, and network devices (specifically including Internet access) may be monitored for all lawful purposes. Use of this computer system, authorized or unauthorized, constitutes consent to monitoring of this system. etc. etc.
Is this caveat enforced? Understand that I'm not a lawyer, and I don't play one on TV, but in HR terms, this is an unenforced corporate policy which lends itself to a concept known as 'acceptable practice'. Having unenforced corporate policies could leave an organization vulnerable to litigation.
Here is an example of unenforced corporate policy and acceptable practice. Let's say a company policy states working hours are from 8 a.m. to 7 p.m. with one hour for lunch. An individual or individuals consistently arrive late, take an hour and 20 minutes for lunch or leave 15 minutes early. This behavior is not documented and the individuals involved are not counseled or marked adversely on performance evaluations. Thus, a standard of acceptable practice is set that the company must tolerate based on this previous behavior, or aggressively pursue a re-education campaign that has clear requirements and consistent consequences.
Even if the company spells out what is and isn't acceptable, if there is no accountability for inappropriate behavior, it is much more difficult to pursue disciplinary action.
The notion of acceptable behavior leads us to the second concept that must be examined.
Is there an expectation of privacy? Is it commonly understood and accepted that private materials can be kept on a company workstation and will be kept confidential or considered confidential by management? Litigation also is a possibility when dealing with matters that involve personal privacy in the workplace.
Let's look at one final consideration.
You and Joe are friends and you know he spends a good portion of his day online looking for stuff, chatting with pals, and surfing various questionable Web sites. Where should your loyalties lie? Your decision might seem more difficult because sometimes it's hard to identify with an impassive impersonal corporate entity, or you may disagree with corporate policy.
I look at it like this: Even if Joe is my friend, he causes more work for me and for others when he doesn't do his share. He lowers the value of the company by stealing time and services from the corporation. This places my job at greater risk. Finally, Joe has the audacity to put me, as system administrator, in an awkward position because I know what happens on his computer, and NOW, my boss also is interested.
OK, let's get back to the system administrator who was asked to hand over a password.
I'm still personally unwilling to just give out the password. Depending on the circumstances, suggest contacting the employee to retrieve the password. This is a reasonable option if you don't retain password records. An alternative would be to change the user's password (as administrator), and then have the user change it again when he or she returns.
Earlier we talked about administrative access. This method should be used if at all possible. This is a reasonable option if you don't retain password records.
Remember that every set of circumstances is different and I can't give you the definitive answer on how to handle your specific situation.
Whatever you do, get the request in writing before you act on it. Ask your boss to send you an email; print it with the complete headers, sign and date it, and put it away. You don't ever want to be in a position later where your recollection and your boss's recollection differ.
If you believe your supervisor's request to be unlawful, against company policy or suspicious in some other way, tell them you are acting in protest on their written request, and you will be documenting the exchange. You can then speak to your supervisor's boss, where you might gain a better understanding of actions being taken. If you think it is appropriate, you also can speak to someone in HR, or if your organization has legal counsel, speak to them. Be aware they get paid by the company as well, and you may find they have a conflict of interest.