• Steve Jones - SSC Editor (3/20/2014)


    Jim Youmans-439383 (3/20/2014)


    I used to want to know how my data was secured and make sure it was not being put at risk. Used to being the key phrase here.

    I was actually reprimanded (actual HR sit down and note put in my employee file) for "not being a team player" and for "refusing to follow instructions" because I would not copy sensitive personal information (including SSN and some CC numbers, all in clear text) from our production system to several development systems.

    My boss told me that my job was to do as I was told and keep the servers running. Let Data Security worry about the security.

    The sad truth is that being a DBA does not make you a "data professional" in most companies. It makes you a data monkey that had better do as you are told. If you put up a fuss, you will either get reprimanded or fired.

    I left that company soon afterwards, but I have found the same attitude in most other companies that I have worked for.

    In my 18 years of experience, the DBA "data professional" that you speak of, with any kind of real decision making power is a myth.

    I wouldn't refuse, and I'd say the note was justified. It's a bad idea, but don't confuse your rights/responsibilities with the company's. I wouldn't copy the data unless my boss had given me a document saying I needed to do this, and I'd have notified him this was a potential issue.

    At the end of the day, this isn't the same as some illegal activity. My job is to get work done and inform the company of potential issues with the process. If they still want it done and assume responsibility, I'm OK with that.

    I had a similar issue recently with a member of my team at the time being continually asked to do things which required them being given details which they shouldn't have access to in order to perform a different team's job. I raised this with the architectural team (which had the company's Security Architect and responsibilities for such things). I said that we were happy to do the task even though it wasn't our responsibility but were concerned that we shouldn't be doing it, as not only should we not have the information but also development teams are transient so eventually we would not be around to do it.

    I believe that it ruffled a few feathers but my "reasonable" approach meant that no-one could say I was being obstructive. In fact someone said by raising the security breach that they lost all plausible deniability, i.e. something had to be done otherwise it was their neck for the chopping block.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!