Her supervisor had requested the password of a coworker who was out on extended sick leave. The supervisor said, "Joe gave it to me before he left, but I misplaced it. Just go ahead and give it to me again, please."
The system administrator told me that at first she was going to just give the password to her boss, but began to have second thoughts about it.
What was the right thing to do?
It turned out that Joe's password wasn't available, and the system administrator didn't have to actually say no. But the situation raises larger questions, involving the ethical administration of corporate assets. Often the situation can be sidestepped with some creative solutions. However, it can be tricky to face the situation in a manner that won't lead to the end of your career or a colleague's.
First, find out what your supervisor really wants.
It may be that Joe forgot to turn in the quarterly report, but left you a copy. It's possible the required information resides in more than one location. If your supervisor has authorization for administrative access on the system, providing him with his own administrative-level password should be sufficient.
Second, it's possible your supervisor is looking for evidence. It may not be something he/she is allowed to discuss with you, or it may be they can't articulate specifically what they're looking for. This presents a different ethical dilemma that can be examined from two different standpoints.
First, does explicit corporate policy exist regarding the use of company assets for personal use? Are there awareness notifications? When you log in, are you required to do something like click through a window with huge letters saying something like:
The use of this system is restricted to authorized users and is for official use only. This computer system, including all related equipment, networks, and network devices (specifically including Internet access) may be monitored for all lawful purposes. Use of this computer system, authorized or unauthorized, constitutes consent to monitoring of this system. etc. etc.
Is this caveat enforced? Understand that I'm not a lawyer, and I don't play one on TV, but in HR terms, a caveat that isn't enforced is an unenforced corporate policy, which lends itself to a concept known as 'acceptable practice'. Having unenforced corporate policies could leave an organization vulnerable to litigation.
Here is an example of unenforced corporate policy and acceptable practice. Let's say a company policy states working hours are from 8 a.m. to 7 p.m. with one hour for lunch. An individual or individuals consistently arrive late, take an hour and 20 minutes for lunch or leave 15 minutes early. This behavior is not documented and the individuals involved are not counseled or marked adversely on performance evaluations. Thus, a standard of acceptable practice is set that the company must either tolerate based on this previous behavior, or counter by aggressively pursuing a re-education campaign that has clear requirements and consistent consequences.
Even if the company spells out what is and isn't acceptable, if there is no accountability for inappropriate behavior, it is much more difficult to pursue disciplinary action.
The notion of acceptable behavior leads us to the second concept that must be examined.
Is there an expectation of privacy? Is it commonly understood and accepted that private materials can be kept on a company workstation and will be kept confidential or considered confidential by management? Litigation also is a possibility when dealing with matters that involve personal privacy in the workplace.
Let's look at one final consideration.
You and Joe are friends and you know he spends a good portion of his day online looking for stuff, chatting with pals, and surfing various questionable Web sites. Where should your loyalties lie? Your decision might seem more difficult because sometimes it's hard to identify with an impassive, impersonal corporate entity, or you may disagree with corporate policy.
I look at it like this: Even if Joe is my friend, he causes more work for me and for others when he doesn't do his share. He lowers the value of the company by stealing time and services from the corporation. This places my job at greater risk. Finally, Joe has the audacity to put me, as system administrator, in an awkward position because I know what happens on his computer, and NOW, my boss also is interested.
OK, let's get back to the system administrator who was asked to hand over a password.
I'm still personally unwilling to just give out the password. Depending on the circumstances, suggest contacting the employee to retrieve the password. This is a reasonable option if you don't retain password records. An alternative would be to change the user's password (as administrator), and then have the user change it again when he or she returns.
Earlier we talked about administrative access. This method should be used if at all possible. This is a reasonable option if you don't retain password records.
Remember that every set of circumstances is different and I can't give you the definitive answer on how to handle your specific situation.
Whatever you do, get the request in writing before you act on it. Ask your boss to send you an email; print it with the complete headers, sign and date it, and put it away. You don't ever want to be in a position later where your recollection and your boss's recollection differ.
If you believe your supervisor's request to be unlawful, against company policy or suspicious in some other way, tell them you are acting in protest on their written request, and you will be documenting the exchange. You can then speak to your supervisor's boss, where you might gain a better understanding of actions being taken. If you think it is appropriate, you also can speak to someone in HR, or if your organization has legal counsel, speak to them. Be aware they get paid by the company as well, and you may find they have a conflict of interest.