Forgot your password?
typodupeerror
Businesses IT

Ask Slashdot: IT Personnel As Ostriches? 246

Posted by Soulskill
from the head-in-the-sand dept.
MonOptIt writes: I'm a new IT professional, having recently switched from a different sci/tech field. My first gig is with a mid-size (50ish) nonprofit which includes a wide variety of departments and functions. I'm the sole on-site IT support, which means that I'm working with every employee/department regularly both at HQ and off-site locations. My questions for the seasoned pros are: Do you find yourself deliberately ignoring office politics, overheard conversations, open documents or emails, etc as you go about your work? If not, how do you preserve the impartiality/neutrality which seems (to my novice mind) necessary to be effective in this position? In either case: how do you deal with the possibility of accidentally learning something you're not supposed to know? E.g. troubleshooting a user's email program when they've left sensitive/eyes-only emails open on their workstation. Are there protections or policies that are standard, or is this a legal and professional gray-area?
This discussion has been archived. No new comments can be posted.

Ask Slashdot: IT Personnel As Ostriches?

Comments Filter:
  • by Anonymous Coward on Saturday August 02, 2014 @01:55PM (#47589865)

    Yes

    IT has access to everything and should read nothing. The content is just that, content. It doesn't matter

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      That wasn't the question. What do you do when you did read something inadvertently? You can't unread "Irregularities in the pension fund". Do you pretend that you don't know? What if it's something illegal / against company policy / unethical?

      • by Raumkraut (518382) on Saturday August 02, 2014 @02:33PM (#47590051)

        Does your country have laws protecting corporate whistle-blowers?
        It's a lot easier to defend your position if it's the FBI asking you to make surreptitious copies of documents, after they called you following an "anonymous" tip-off...

      • by mysidia (191772) on Saturday August 02, 2014 @02:44PM (#47590099)

        Your best bet is to "forget" you read it; never acknowledge that you saw it, and assume the best.

        For example, just because someone wrote about supposed "irregularities in the pension fund"; doesn't mean there are irregularities in the pension fund, it may just be some ignorant person spouting out / jumping to wrong conclusions.

        There are also paranoid folks who will say such things, until it's proven that no, there was just some minor typographical mistake and everything's fine.

        Just like when a person tells you "I turned off the firewall," but it still gave me the error message. Doesn't mean they managed to break into the server room and replace the corporate firewall with a closed circuit ------ they haven't a clue what they just said.

        • Your ability to do your job requires trust. If they think you are spying on them they won't trust you. Ensure you don't say or do anything about anything you see, or your job will get harder.
        • by s.petry (762400) on Sunday August 03, 2014 @10:16AM (#47593697)

          I have designed, built, tested, audited, and supported security compliant environments for over 2 decades. A decade at a DOD site, and about the same time afterwards with PCI and HIPPA compliance. In many cases, you need to report seeing things you are not supposed to see. "Forget" is illegal in many cases, so claiming it's a viable answer is dangerous.

          That said, from TFA it does not appear to be a legal issue here. Just warning that it's not good advice in general.

          The biggest single thing to put into your debugging arsenal is test data. Need to debug mail, send test mail. Need to test encryption/decryption, make dummy files to encrypt and test. A user can't do something, provide them test data to work with that you know is clean. A user has a display problem, have them bring up the application with NO data loaded. These are extra steps, but worthwhile steps. If users complain about loading test data explain it to them.

          The second biggest thing for you to have handy is a big dose of honesty. If you open something confidential, make sure that someone knows you saw it (you report to someone as an IT professional, even if it's the CEO directly). If you have to access a users desktop, ask them to watch and make sure you don't open a file that they may not want you to see. If you have to open something you know is sensitive, get permission first (preferably in writing).

          There are surely exceptions (Edward Snowden), but that's a much longer discussion. Sysadmins by nature have access to more than any single person in the company. Good sysadmins don't flaunt or take advantage of that fact.

          • by JWSmythe (446288)

            I don't see how ignoring is a hard thing.

            I've had access to countless mailboxes, confidential files, and sat down at executive's computers to fix problems. The magic secret is, don't read it. If someone's mail isn't working, so I repair the problem and check it, I see that there are words. I don't read the words. It's nothing more than a passing glance.

            When I have been specifically (and legally) tasked with reading email, I can say that it is amazingly boring.

            Usually, just as you said, if I'm testin

      • You ignore it. Don't think about, don't gossip it around, pretend you did not see anything.
        • You ignore it. Don't think about, don't gossip it around, pretend you did not see anything.

          And start looking for another position if warranted.

          • by gweihir (88907)

            Exactly. You are not an enforcer. You will always get to see things like that with enough access, just too many human beings are scum. But unless you have the power to do bad things to people (and you want to do that), walk away.

      • by wisnoskij (1206448) on Saturday August 02, 2014 @03:33PM (#47590297) Homepage
        If it is actual evidence, and not just gossip, of real law breaking that is something only your conscience can decide. As for everything else, including things that are clearly breaking company policy, as long as it is nothing or little to do with your job ignore it. You are not paid to rat on your peers. And telling your boss that Bob in accounting steals office supplies is not going to earn you any promotions or friends.
      • by grcumb (781340) on Saturday August 02, 2014 @04:16PM (#47590445) Homepage Journal

        That wasn't the question. What do you do when you did read something inadvertently? You can't unread "Irregularities in the pension fund". Do you pretend that you don't know? What if it's something illegal / against company policy / unethical?

        We used to call it 'being trustworthy'. Not sure what the term is today.

        People need to know that they can rely on you under pretty much any circumstances, otherwise they'll stop calling and you won't be able to do your job. That means ignoring pretty much everything.

        I say pretty much, because there is a line past which you cannot remain silent. For me, it was child pornography on a customer's computer. I called the police and handed over the equipment.

        This was in a small town, and it ruined my life, by the way. The owner of the computer was a prominent citizen who immediately accused me of planting the material, then began a slur campaign against me. The town, as the saying goes, wasn't big enough for the both of us. After more than a year of this, I had to leave. I'd lost my job, and I'd lost half my friends.

        Some time later, I ran into an acquaintance from that town in an airport. His first bit of news that that the kiddie diddler had finally been convicted. His own smear campaign finally had the effect of bringing three adult victims of his out. They testified against him and put him away. The lesson I learned is that, sometimes, there is justice in this world. But it doesn't come free.

        So yes, you need to be - and you need to be seen to be - completely, implicitly trustworthy. How you do it is simple enough: Always be there, never be seen to be part of the gossip. Be open and obvious about everything you do, and never, ever work in someone's office with the door closed. Equally, though, you need to be seen to be the kind of person who will do the right thing. That's a little harder to do and, as I've recounted, sometimes comes at a cost.

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          As a sysadmin, there isn't the option of doing things the wrong way. Your job security and salary actually depend on you knowing "the right way", especially when everybody want to cut corners. This is why you always make sure you speak your mind, and if still the managers and leadership wants to do it their ass-backwards way, you get to say "I told you so".

          After a few years, most of the good ones will start listening to you, even if you're totally fresh in the role. THIS is why you never just bow your head

      • As you don't know the details you simply stop reading. There could be any number of "irregularities in the pension fund", maybe a transaction was reversed or a simple typo, it happens all the time. Unless you continue reading to know the full details such a headline means nothing. In reality pretty much no matter what you accidentally read, most "small snippets" are almost never accurate towards the full content.

      • by guruevi (827432)

        If I don't know any further details, I'll take it as if it were the best case scenario and someone found some irregularities and is fixing it. Irregularities doesn't mean something illegal happened, there are plenty of ways to siphon money out of a fund that don't break the law, that's what accountants are supposed to know and fix.

        If something is blatantly illegal, follow the corporate policy and report as necessary to superiors and if that fails or is not feasible, authorities. Remain as anonymous as possi

      • by gweihir (88907)

        Don't ever use that information (except to decide to resign your position _without_ giving honest reasons). While the moral thing might be to act on it, the practical thing is that you do not have the position/role to do so and it will always be to your detriment.

    • by khasim (1285) <brandioch.conner@gmail.com> on Saturday August 02, 2014 @02:27PM (#47590021)

      I prefer the term "professionally disinterested".

      If it is NOT evidence of a crime then you ignore it. Or you use that knowledge to avoid finding out anything more about the topic.

      If you have any questions then you bring those questions to HR.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      In my career I've had access to everything from HR data, payroll, ethics/legal investigations, etc... never really looked at it other than the few times I commented to the programming teams about them having debugging on in their code (in production), potentially spitting out private/sensitive information into the logs, etc (one time one team had company CC#'s with names, SSNs, etc). It is what it is - I just inform them they shouldn't do that, but don't really pay any attention to it.

      I have never, even th

  • by retchdog (1319261) on Saturday August 02, 2014 @01:55PM (#47589867) Journal

    why the fuck are you asking here, of all places, about office etiquette? haven't you noticed that over half of the people here are bitter, miserable burnouts and misfits?

    are you also asking on the christian abstinence forums about finding prostitutes?

  • by GeekFreak (202351) on Saturday August 02, 2014 @02:01PM (#47589897)

    I treat everyone's email the same: I don't read it. I may see subject lines but I don't see the technical reason requiring you to read them. If it's a temptation, might want to re-evaluate your own professionalism.

    The same with politics and gossip: keep it to yourself; do not participate. If asked a question, smile and decline to comment. Be polite and cordial but trust no one.

    Basically: do your job and stfu.

    • by mysidia (191772)

      I treat everyone's email the same: I don't read it. I may see subject lines but I don't see the technical reason requiring you to read them.

      What happens when you get a request from management to help them identify/bring to their attention people potentially 'abusing' the e-mail system, such as by e-mailing sensitive information out of the organization, or by identifying employee(s) sending e-mail that are obscene, abusive, harrassing, or contain inappropriate language?

      • I treat everyone's email the same: I don't read it. I may see subject lines but I don't see the technical reason requiring you to read them.

        What happens when you get a request from management to help them identify/bring to their attention people potentially 'abusing' the e-mail system, such as by e-mailing sensitive information out of the organization, or by identifying employee(s) sending e-mail that are obscene, abusive, harrassing, or contain inappropriate language?

        That's an official request from management and is part of your job at that point even if it wasn't before. Inform HR of what you've been asked to do and if there's a conflict let them hash it out. Document everything and keep a personal copy of the documentation in a safe offline place. If you get fired for doing your job you either have enough documentation to take legal action (if you can afford it) or enough to clear your name if it becomes necessary.

      • Well of course unless it goes strongly against your conscience or the law you do what you are asked.
    • by X0563511 (793323)

      Don't just decline to comment, that's far to open to interpretation.

      Play dumb instead.

    • by ruir (2709173)
      I dont have them time to read their emails, I dont want to, and frankly, I dont give a shit about their emails.
  • Just keep the guy who does your yearly reviews happy and make him look good. Also, make his boss look good. If you're like me and have multiple bosses, develop your relationship with the one you think will hold that position longest. Don't burn any bridges unless you have to in order to keep your job. Every company has different standards of security, and an even wider variation of enforcement. Don't intentionally be a butt-head to anyone, and if you see anything that's off policy or could get someone f
  • by Zero__Kelvin (151819) on Saturday August 02, 2014 @02:04PM (#47589909) Homepage
    Always remember that you are dealing, in your case where your internal customers are not IT savvy, that there is a reason why we refer to them as lusers:

    1) They have no idea how to do what you do, and need you to help them perform even the simplest of tasks
    2) What you do is so simple any moron can do it
    3) Their son / brother-in-law / uncle, etc. is much more of an expert then you. They re-install Windows for them every six months, and made their system much faster by upgrading from a 512GB drive to a Terabyte drive as well as much safer by installing three, count them three different Antivirus products!
    4)You are some kind of idiot, because you haven't done what their expert relative has done

    I wish I was kidding. The reality regarding your question is that as an IT professional you will have access to said sensitive information. It will only make you jaded if there is good reason to be jaded. If there is good reason to be jaded, run don't walk to a better gig.
    • by gnasher719 (869701) on Saturday August 02, 2014 @02:35PM (#47590061)

      Always remember that you are dealing, in your case where your internal customers are not IT savvy, that there is a reason why we refer to them as lusers:

      If I ever hear any IT professional at a place where I work referring to end users as "lusers", I can promise you that the shit will hit the fan.

      • by Kuroji (990107)

        Local user, you twit. It doesn't mean 'loser'.

        The fact that the end users tend to look at IT as utterly useless except when something goes wrong, in which case it should have been fixed and prevented from going wrong even when it was the end user's fault, does however tend to promote such an attitude. But the IT guys would have to be idiots to use that term openly.

        • by Belial6 (794905)
          BS. the term 'luser' is specifically juvenile IT people thinking that they are being witty. They are not, and the lame excuse of 'local user' doesn't make their openly hostile attitude OK. The fact that you recognize one would need to be an idiot to use that term openly shows that you know full well that it is intended to be a double entendre.

          Any IT person that uses that term should immediately look for a different career path.
          • by epyT-R (613989)

            My aren't we feeling superior today.

          • by Ol Olsoc (1175323)

            BS. the term 'luser' is specifically juvenile IT people thinking that they are being witty. They are not, and the.

            And how! The real term is "looser.'

      • Any decent software developer will tell you that your if conditional results in a Code can't be reached compiler warning :-)
      • Everyone who has worked in end-user support thinks of lusers. Some of them say it, some have the social awareness not to utter the word, but they all think it or something to that effect. There are websites devoted to swapping stories of luser ignorance.

        My personal favorite is the user I met who used to manage all her documents by running word, going to save-as and dragging files around in the little save dialog, right-clicking to make folders and delete things. In her years of using a computer, she never f

        • Everyone who has worked in end-user support thinks of lusers. Some of them say it, some have the social awareness not to utter the word, but they all think it or something to that effect. There are websites devoted to swapping stories of luser ignorance.

          My personal favorite is the user I met who used to manage all her documents by running word, going to save-as and dragging files around in the little save dialog, right-clicking to make folders and delete things. In her years of using a computer, she never figured out that you could go to start->documents.

          Either we've met the same person, or that method is now taught in college.

          • by dbIII (701233)

            or that method is now taught in college

            Seems frequent enough. I've had to populate desktops with icons for people who seem scared of the "start" menu.

  • by David E. Smith (4570) on Saturday August 02, 2014 @02:08PM (#47589949)

    Read the System Administrators' Code of Ethics [usenix.org] and take it to heart. Even if your job title doesn't include the words "system" or "administrator."

    It's actually pretty easy to ignore the content of an email if you're focused on the email delivery process (mail server logs, the headers of forged/spam mails, things like that). Similarly, if you're doing FTP hosting or file drops for customers, you rarely need to dig into the content of the files themselves to troubleshoot upload/download problems. There are rarely reasons to dig into the content of whatever you're working on. It does come up, if (for instance) some piece of email has wacky malformed content that keep crashing the mail client, but IME those situations are uncommon.

    I used to work at a mom-and-pop ISP, in a small town. Our customers included the local police and fire departments, City Hall, and most of the larger law offices and accountants' offices. Since we provided email and Web hosting (among other services), I certainly could have made some locals' lives very interesting. Hell, I had access to the email of everyone in my company, including that of the owners to whom I reported. I'll admit to having been tempted once or twice, but I'm proud to say I never abused my privilege.

    • by sjames (1099)

      I prefer to avoid seeing (or at least actually reading and comprehending) stuff on other people's PCs. Not just for legal liabilities and such, but there are some things they might be emailing about that are perfectly legal but might send me running for the brain bleach. I'd rather avoid that and the subsequent awkwardness.

  • Just ignore it (Score:2, Insightful)

    by Anonymous Coward

    Whether I'm working in IT or another area, I try to ignore what is on people's screens. I consider this a simple matter of manners, not an IT issue. You don't read over other people's sholders, do you? Do you feel the need to act on every piece of overheard gossip or twitter/facebook post? Dealing with other people's computers should be treated much the same way you treat overheard snippets of conversation on the street. Ignore it and move on.

  • by neiras (723124) on Saturday August 02, 2014 @02:14PM (#47589975)

    You can never ignore office politics. You don't have to play the game actively, but you do need to be aware of what's going on around you, who is in what camp, what the major conflicts are. You have to cross battle lines regularly to do your job; you can't afford to be seen as a member of the 'enemy camp' by *anyone*.

    As an IT guy you need people to trust you, which means you need to be ethical. If you see something you shouldn't know, don't go chattering about it.That kind of thing does get around, and you'll lose trust instantly.

    Nothing's stopping you from making personal career decisions based on the information that you come across in your daily work. For instance, if you see that the company is about to be liquidated and you don't want to be around for the mess, by all means polish your resume and start interviewing. Just don't assume that just because you saw something you have the whole picture. You could end up feeling stupid when the private email you saw turns out to be a deliberate test of your trustworthiness. It does happen.

    Keep your mouth shut about the things you see. Look after your career and reputation. Be aware of politics, but abstain from participating wherever possible. After a few years when you have trust and credibility, you can consider climbing the ladder a bit and playing the game - you'll have capital to spend.

    • by KevMar (471257)

      In IT we have access to everything and that means that our trust and integrity means everything. We will see things that are very personal, we will know things that are very sensitive, and people will trust us.

      If they question our integrity, our trust worthiness, or even our respect for authority then we lose our value to the organization. Once they start to question that, then you won't be able to get it back.

      But if you maintain high standards in IT and gain absolute trust from your coworkers and administr

    • > As an IT guy you need people to trust you, which means you need to be ethical.

      You need to _appear_ to be ethical to gain trust of co-workers, and to improve your position. I'm afraid to say that this is orthogonal to doing a good job at IT. It's often much, much easier and safer to appear trustworthy by being clear, honest, and open. It reduces the complexities of maintaining various approaches to various people.

      But don't mistake such approaches with technical competence or business success.

  • by msobkow (48369) on Saturday August 02, 2014 @02:32PM (#47590049) Homepage Journal

    As an IT professional, you will have access to data that regular employees don't. You keep your mouth shut and you don't snoop. Period. You only look at as much as you have to diagnose and fix problems; the details are irrelevant.

    It's called "being professional."

    Think of it as the equivalent of lawyer-client or doctor-patient relationships.

  • by Vip (11172) on Saturday August 02, 2014 @02:45PM (#47590107)

    Never get involved with reading others' emails, documents, etc., that you are not required to be privy to.

    Never ever let the temptation allow you to see others' performance reviews, salaries, politics. I've seen how it leads to telling someone else and then they become the go to person for information. And if the information is bad and they didn't share it, even though they had no idea, well, they didnt' say that there was a problem, the @$$#013! Hell, I've seen someone with access to the HR database pull up salaries of EVERYONE and share it out. "Oh, can you tell me how much Jason Mcboogerhead is making? What?!? I'm making $1k less?! WTF, time to march off to the manager!!!" [A manager who was stunned at the level of knowledge! AFAIK, no info was given out about how the salary info was found. I found out later when it was offered to me.]

    Ignore any overheard conversations, it'll only be a couple of people talking, who knows the truth and what really is going on? You must throw out any info you "accidentally" pick up too. The obvious is the missing context of the info. As a manager, I've had other directors and managers openly talk about staffing, budget, bonuses, performance or lack thereof, in front of me. In all cases I threw away what I heard, after all, all I'm hearing is a snippet of a longer discussion. It's not my business to try to save John's job if he's pissed someone off, so I'm better off not worrying about it.

    Sometimes I received a list of users to be locked out of their accounts. The only reasons to receive such a list is that they are being laid-off/let-go or in a heap of trouble. I never shared such a list with anyone. It was given to me, as a manager, in confidence. Keep that confidence. Even after the firing, I still didn't tell anyone, there's no point or net positive to be gained.

    In another instance I was at a company that changed their HR such that you logged into a page, and it told you your salary, OT rates, etc. You could print your confirmation of employment for loans and such there too. But there was a bug. This bug allowed me to view everyone's salary, their bank account info and some other stuff in a nice neat chart. I immediately picked up the phone and called head office IT Security and talked them through the bug. They fixed it, phoned me back to test with me on the phone, thanked me and sent off a thank you cc'd to my manager, director, etc., praising my immediate response and "help" in fixing it.

    What I didn't do was say, "Hey everybody, look at this!" and print it off, etc. Nor did I read further than a few lines and then remove it from my screen. To this day, I run into some of the higher-ups from then from time to time, they still remember me, who I was, only because of that email and that to them I was trustworthy.

    It's not up to you to solve office politics, who said what to whom, or anything else. You are there to do IT. So do it and maintain your dignity and professionalism and just don't even think of looking.

    You, and hopefully everyone else, will hopefully see that you are in a position of trust. You are trusted by many to keep secrets. If you can do that, it only helps your reputation. If someone can actually say you are trustworthy in your IT job then you've accomplished a lot and it only helps down the road when you want to switch jobs.

    Vip

  • Just for fun, answer this question and quickly move on to reading the rest of my post. Explanation at the end.

    "HOW MANY animals of EACH KIND did Moses take on the Ark?"

    The mind is a dangerous thing when presented with incomplete information -- it just extrapolates it, sometimes even substituting the incomplete original version with the extrapolated raw version. You might *think* you saw something noteworthy, but it was only your mind showing you a rabbit on the moon.

    This is one of the chief values of privac

  • If you were not officially told then ignore it.

    Don't backstab anyone. Don't read anything without permission. Don't get involved in anyone's infighting. Do your best to help all your customers, even if they are trying to undermine you. Play politics only as much as you have to, people will try to play you. You have to be aware of it and respond tactfully.

    Your duty to report serious criminality overrides these rules. Your duty to report gross immorality may override these rules, you have to decide that one b

    • by gweihir (88907)

      Typically, there is no duty to to report serious crimes or any crimes at all, except for police officers. (They are not human beings in that regard, just functional elements. Their personal morality has been removed.) Some limitations apply, especially in states with fascistic tendencies. But there basically is no way to commit a serious crime via email or files, so in most cases you have zero obligations to report anything even if you know. Of course, it is better not to know ad the very act of snooping co

  • by Trepidity (597) <delirium-slashdot@@@hackish...org> on Saturday August 02, 2014 @03:23PM (#47590255)

    Other animals that IT personnel may impersonate include canaries and guinea pigs.

  • First, I wouldn't say a "50ish" people company is "mid-sized" :) But that isn't really your question.

    I can only speak for myself- I can and do see things that are confidential. It is pretty much impossible for me not to. I deal with it by focusing only on my work. Most of the time I don't even really "see" what it is I am looking at... intentionally glancing away or closing things that are not part of the scope of my assistance. Unfortunately that doesn't always work and am exposed to things that get "

  • Well most of us are introverts, maybe thats why we end up with these roles. So yes.

  • Don't read it even if you inadvertently see it. Don't repeat things you may have overheard or seen. Testicles, Spectacles, Wallet and Watch all apply.

  • There is a lot of good advice here, so let me add a cautionary tale. I used to work for a local government as their “computer guy”. I got a call from a user who was unable to watch some video he had on a thumb drive. As part of diagnosing the problem, I logged in to his computer using my own account, copied the contents of the thumb drive to the hard disk, and played it from there. It turned out that playing the video worked from the hard drive and the rear USB connector, but not from the fr

  • The problem with reading an e-mail that's incriminating is that it may be out of context. If you do not have the knowledge required to fully understand the implications of the data, then there really is nothing you can do.

    For example, at one job I have access to medical files, but I am not the doctor treating the patient and I am not in a position to judge anything about a patient no matter what information I might see. A man could be prescribed Viagra because of a heart condition, or a woman the pill bec

  • We have an awfully lot of boy-scouts in this discussion, and while I only believe about 10% of them, they do actually give the right answer if for the wrong reasons.

    The real problem with knowing things you shouldn't comes from your (in)ability to act on them, and the risk of accidentally letting something slip at the worst possible time.

    Consider the best possible case - You find out about a major organizational change, and have some ability to position yourself to exploit it. That happens once a decade
    • by Krishnoid (984597)

      Option 1) The FDA approves it, you make a fortune, and the SEC immediately starts breathing down your neck.

      It's ok, Martha, I still think they just like persecuting individuals instead of corporations. Plus I continue to use your decorating tips.

  • Professionalism. (Score:5, Interesting)

    by ledow (319597) on Saturday August 02, 2014 @04:43PM (#47590543) Homepage

    In my field, education, it's quite common for the IT guy to be the one with absolute access to more things than anyone else. Nobody else, not even the data-protection officer, or the people on the senior management team, or the people ultimately in charge of the school (the heads and governors) has as much access to information as the IT guy.

    Senior-management team files, HR databases, etc. are part and parcel of the job. The web filter logs are generally very revealing and, hence, why I anonymise them by default (Usually squid logs - which only contain source IP addresses, which can only be correlated to a machine using the DHCP logs, which can only be correlated to a user using the Windows event logs on the AD servers - NOT something you can do accidentally, but also allows you to analyse, spot trends and find dodgy things without immediately revealing the source. When I come upon something that worries me, I go to my boss, ask permission to de-anonymise those records, provide them with my results. I've had to do it a couple of times and it turned out to be nothing, but I've also worked with colleagues who've spotted a paedophile on the staff that way and got them prosecuted).

    Despite all that data access, tou don't look. It's that simple. If I'm asked to work on a confidential file or database, that's what you do. It's just data. What you see is just numbers and letters and then forgotten. You do not dig. Not only are there alerts and warnings for digging into certain things (and I don't want to KNOW what triggers those alerts or warnings necessarily, but I know that they are in place on the MIS databases, for example - I only trigger them when it's been part of my job to go into that part of the databases), but it's a matter of professionalism.

    If I become "exposed" to salary details, or witness protection details (children in schools rarely have as simple a home life as they might at first appear to have), or that some child's father is a Colonel in the Army who's asked for his address details to be maintained private, or whatever... that's what you do. You're not there to suck up data, you just treat it like anything else and move on.

    If I suspect illegal activity - there's a lot of activity you CANNOT ignore in a school - I'd go through the proper channels and report it however I'm supposed to. It came up as part of my job, it's not like I was snooping for it.

    I *STILL*, fifteen years into my career, look away when I ask people to set their passwords. I don't WANT to know. I want the deniability if someone gets into their account to say "There is no way I could know their password, without triggering a reset of their account, which would lock them out and inform them immediately anyway". My boss keeps trying to tell me his password "to save time". I don't want it. With it, I could - in theory - change my own salary, or modify any amount of details. Chances are it would get picked up eventually but if you were clever enough, you could get away with an awful lot very quickly, or very discretely.

    Hence, I don't WANT to know those things. I choose to forget them, unless there is a reason to immediately report them. I suggest you get into the habit of doing the same.

  • by hey! (33014) on Saturday August 02, 2014 @04:47PM (#47590557) Homepage Journal

    Long, long ago, early in my career, I spent about fifteen years in the non-profit sector.

    You don't ignore office politics, but you don't take sides either unless there is a crisis brewing -- something illegal, highly unethical, or financially dangerous. When you work in IT, you're in a "support" position, rather than a "line" position. Your job is to support. So when there's a big pissing match between two line functions, your job is to support *both* sides.

    Often this means documenting business processes that sort of evolved via the lava flow antipattern; 50ish is the size where things start to get out of hand, because it's the size where the amateurishly hacked-together processes that keep the organization running start to break down because everyone can't be aware of everything that's going on in detail, in real-time. Make it your business to understand what business systems (not necessarily computer systems) *accomplish*. That puts you in a position to offer a third way, the one that emerges as obvious to everyone once somebody has figured out what's actually going on.

    It's supposedly hard to implement changes in non-profits because of the consensus-driven decision making processes, but I found that I could make that process work for me. Lack of understanding is a vacuum; presented with a clear picture people usually line up behind the obvious solution quickly. But you do have to do your homework. Never surprise anyone with anything in a meeting. Bring people up to speed with things you're going to say about their work *before* the meeting so they don't feel blind-sided.

    In a crisis be prepared to do the right thing. If you're in a non-profit they're paying you below market rates, so you can do better elsewhere. There is no call for getting yourself sucked into something that offends your self-respect. I resigned one job because my superior (the COO) was doing things that were financially reckless and improper (spending without proper authorization). I informed the CEO in my exit interview. That was my solution to the problem of not getting drawn into a persistent pattern of dysfunction.

    When you handle sensitive information, just ask yourself what is the professional thing to do? Be discreet. Resist the temptation to peek at data, and when you *do* accidentally learn something you're not supposed to know, disclose that to the responsible parties. Be trustworthy, and present a trustworthy face.

    Finally, don't let them pay you far below the market rate for your services, and expect a really good benefits package, including 1.5x to 2x the vacation you'd get in a for-profit. Insist on the respect due a professional. Non-profits are full of young people who haven't learned that the IT guy isn't there to be kicked around when they're frustrated, and the fact that you're in a support position rather than a more glamorous line position doesn't make your work any less important.

  • by Chas (5144)

    As an IT worker, your job is to see that the company assets you are assigned are functional and delivering proper service to end users.

    It is NOT your job to audit the company's books.
    It is NOT your job to Big Brother company e-mail (unless it is).
    It is NOT your job to run the company.
    It is NOT your job to set business policy for the company.

    This is what they have financial wonks, sales wonks and managerial types for.

    You never know when something you see "accidentally" is:

    A) Blown out of proportion
    B) A test

  • Secretaries (Score:5, Insightful)

    by patabongo (842730) on Saturday August 02, 2014 @05:03PM (#47590593) Homepage

    If a secretary with no professional qualifications can take minutes in a senior management meeting and maintain confidentiality about what was said there's no reason you, as a theoretically highly-educated IT worker, can't do the same about the content of emails you happen to read in the course of doing your job.

  • by scorp1us (235526) on Saturday August 02, 2014 @05:28PM (#47590681) Journal

    I started out all full of piss and vinegar and eventually learned to relax.

    You will only make enemies if you play politics. Only play in politics that involve you directly. Let everything else go. It's not your job to know it though you have the ability to. You won't be faulted for not disclosing something that your privileges allowed you to know, but declined to know.

    Be everyone's friend. I made friends and gained people's trust by being fair. They told me even more. I could go around uninstalling their games and stuff... But I didn't because it's just piss them off. So I just told them I saw the game and if something starts behaving weirdly, I'm going to blame the game first, and that they should uninstall it before I came back. That seemed to be enough to cover my ass in the event someone else found it and reported it to the head of IT. It kept me from making enemies. Exercising restraint is the key to success. If no one likes you, they won't put in the good word.

  • I spent about twelve years as an IT director. I had access to every email account and every document created including financials. I discovered that most of my co-workers where doing their absolute best to stab each other in the back. The lies were rampant. Management was also lying to the employees (leading from the top down?) about company finances. It made me very unhappy to know about all the horrible things they were doing to each other. I think I would have been much happier not knowing all of those t
  • I was the IT manager of a hospital. The HIPAA rules apply. You can't repeat what you hear and you can't read what you weren't supposed to see. Seriously, learn to not even focus your eyes on private information. However, there is nothing wrong with using what you hear to help you make decisions about what you should do, such as leaving a business that is in financial trouble or setting aside some server space for that expansion someone is planning but didn't think to consult with IT about.

  • ...it stops with you. I saw many embarrassing/absurd/job threatening/demeaning things while servicing employee computers. One of them belonged to the company president. None ever appeared to be criminally illegal and did not go beyond me. Part of the job.
    • by gweihir (88907)

      Even if it is criminal (or rather looks criminal), look the other way. You are not a cop. Except for rare exceptions in some fascistoid states, you are not required to report crimes. If you think you need to report something, consult a lawyer first. Really, do it, and not the company lawyer. Pay for one yourself.

  • You are in an excellent position to learn, you are forced to as you are alone. Stay away from politics, learn a lot, prioritize your work, study a lot on your free time. In 1.5 or 2 years, leave this job for a better place.
  • Anything you learn during the course of your duties should never be discussed. What you learn around the coffee machine should be not talked about either lest people jump to the wrong conclusion.

  • You can pretty much ignore everything around you that doesn't violate company policies. Except child pornography. I did a PC refresh project at a local hospital when my coworker came across child pornography on a workstation. He reported it to our supervisor. Together they reported it security. They each had separate meetings with the security chief and the hospital attorney.

    The worker -- a high-level administrator -- freaked out when he didn't get a new computer and his old computer sat on his desk without

  • I remember the first time an employer realized that I had access to everything . She froze for a few seconds while she processed the idea, shrugged, and went on with her request.

    You're going to learn things you don't want to know and see things people don't expect you to see. My least favorite experience was someone who had an email stuck in their outbox. "Subject Re: Re: Re: Re: Re: My widdle wuvvy bear From: Not His Wife" And thank you so much, preview line, for confirming the content. So, with a s

  • by CaptainDork (3678879) on Saturday August 02, 2014 @09:47PM (#47591685)

    We have the same job and I've been at it 18 years.

    The first thing to bring up to management is a Technology Administration Policy.

    In there provide the expectations of the Firm, and include any prohibitions regarding use of social media, games, personal email accounts, and other productivity-related issues.

    State that all of the Firm's technology, and the products of that technology (documents, spreadsheets, emails, etc.) are owned by the Firm and WILL be inspected as management directs.

    In the Policy inform all employees that they are to report violations, or suspected violations of the Technology Administration Policy to you.

    There are other issues you can cover in there like password rules, prohibitions for using business email for personal use. Get management to work with you so everybody's on board.

    Here's some other stuff:

    Don't snoop. Ever. Tell management point blank that you are not snooping, and will not snoop unless management tells you to. When they tell you to take a look-see, especially if they are concerned about abuse of one person, snoop and report on several others. This covers you and management later, if questioned.

    For some systems like financials, payroll, time card, etc. tell management you don't want entry passwords. You'll work with the individuals responsible for those systems and have those operators log in for you and THEN do your work.

    If something odd happens in there, you want to be the first eliminated.

    I see stuff I shouldn't a lot. If it's a violation on the part of a co-worker, I work it out with them. You want to have a good working relationship with all of your people. If they fight you, remind them that they are actually fighting the Firm. If things get nasty, take them to management.

    When I see stuff I'm not supposed to on management computers, I just keep my mouth shut. NEVER gossip about that stuff. It WILL get back to the wrong people.

    Your job and mine are atypical in that everyone is our boss. Make recommendations via email so you have a trail and let management do informed risk assessment. Remember that you are on the wrong side of the ledger. You are a cost center. Most times when you meet with management, it will be about spending money. That means everyone in the Firm will have to swim a little harder.

    Make life easier for yourself by adopting the right attitude BEFORE you make contact with a coworker: They are absolutely right, and you agree with them. You are on their side, always. It's not you vs them. It's you and them vs the problem.

    Last tip: You're gonna get yelled at. People have apologized to me afterwards. I tell them it's OK. I understand. I'm the guy to yell at because I'm the only one who will fix it, " ... and thanks for the apology. It means a lot to me that you want to clear things up."

    If you and I are professional, we will get past each incident without anyone getting pissed.

    Good luck.

If God had a beard, he'd be a UNIX programmer.

Working...