What Would You Do?


  • Not sure I'd go that far. I think all I'd check for is corroboration from one other party. I'd probably also ask her for the name of the person who could provide that info, too. It's obviously possible for collaboration, but in the real world I'm after minimising risks, not eliminating them altogether, and getting two people to say the same thing will, to my mind, bring the likelihood of fraud down to acceptably small limits.

    Semper in excretia, suus solum profundum variat

  • To my mind, it does not matter who asks for the information - CIO, senior VP, Queen of England or anyone else you can think of. With confidential data, you have procedures you must follow (erm, well, ok, that isn't true for all the places I've worked, but the theory holds). You cannot get into trouble for following the procedures. Tough luck on the CIO if it ruins his investigation.

    Plus, if you did secretly copy the data for the CIO, you should then fall under suspicion for being untrustworthy, even if your actions were "loyal".

  • Hi,

    Point them in the direction of the company's fraud investigation policy that clearly states all requests must be submitted via e-mail with a countersigned hardcopy by whoever the policy states is the counter signatory. Job done. Get coffee. Sleep easy.

  • There are advantages to working for the government. Fraud awareness training is mandatory for all staff and there is a dedicated fraud department who can be called openly or anonymously if fraud is suspected. I think I'd be inclined to consult the senior security officer or call the fraud team for advice.

  • Steve Jones - Editor (12/13/2007)

    So do you take a chance that you'll be fired if the CIO finds out and it's a legitimate use?

    If a company fires me for not taking any chances with security and privacy, then I'll probably figure (after the first, more emotional reaction), that I'm better off not working for that company anyway.

    Hugo Kornelis, SQL Server/Data Platform MVP (2006-2016)
    Visit my SQL Server blog: https://sqlserverfast.com/blog/
    SQL Server Execution Plan Reference: https://sqlserverfast.com/epr/

  • As a minimum I'd ask for the request via email.

    This stuff is going to happen to us sooner or later, we'll be faced with a moral/ethical decision due to the lack of criminal/civil/corporate rules for us to fall back on.

  • I agree with Andy. I need the request written down in some fashion. If there is a policy in place and this violates it, I'm going to fall back on the policy and the CIO be damned. If I get fired... I get fired.

    "The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
    - Theodore Roosevelt

    Author of:
    SQL Server Execution Plans
    SQL Server Query Performance Tuning

  • Publicly owned companies in the US are subject to Sarbanes-Oxley legislation. One might reasonably argue that this information could have a financial impact on the company (as described by SOX) and therefore require documentation to fulfill the request. That requirement either deters a fraudulent request or covers the posterior of the person responding to the request.

    In some ways the fact that the request came may not be unusual at all. Some C* managers don't delegate well (read: micro-manage) and this might fit with the standard M.O., so it would be easy to be taken in. One must consider more than the request. One must consider the person asking for it and their reputation.

    In our company, our compliance policy guarantees that reporting of questionable actions is anonymous and not actionable against the reporter. And it requires the reporter to act if they observe activities that potentially violate the policy. I haven't tested the policy, but I'd like to think that the representation is accurate AND that other companies have adopted similar policies.

    Buy the ticket, take the ride. -- Hunter S. Thompson

  • I concur. Give me that in writing. On the banking side of the house I have been provided documents with information I needed along with names and account numbers from our customers, which I have destroyed and asked them to resubmit just what I asked for. Half the time they don't even realize what they are doing when they have the information in a spreadsheet sent around the world, which is why I ask only for what I need to complete the task at hand.

    This issue really could go a couple of ways. It can be ignorance or fraud (I hope neither on a CIO's part). I like documentation for any data I am to gather as it (a) covers my butt and (b) makes sure we are all on the same page with the same expectations no matter how small. I agree that I like to minimize work and not repeat something because our expectations were different.

  • Whatever I do, I'd make sure that all transactions are in writing. I'd tell the CIO to give me the request in writing first. Then I'd have to defer to company policy. If a company is going to fire me for following their policy but erring on the side of caution, then I'm better off not there.

  • Like others, I'd make sure I had the request in writing, and that it followed standard policy. I'd also consider the person making the request. If happy with both of those factors, I'd probably comply with the request.

    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon

  • I'm guessing this question is framed assuming the CIO does not normally have access to this data. If he did already have all the access himself, I'd just fill the request. If not, I'd tell him I need to confirm it with (pick logical person).

    The other thing to bear in mind is if the CIO isn't your direct supervisor, you'd probably need to tell your supervisor so you didn't get into trouble for slacking off.

  • I hadn't mentioned writing, but it is something I'd ask for if it's an unusual request. Thanks for mentioning and glad that people are thinking of it. I'd also note the times of the requests and what I did in a confirmation email or note in case someone asked as well as the query. Not sure I'd save the data, but possibly if I could secure it.

    Documenting things has saved me many times in the past when things have gone wrong.

  • If it was something that wasn't usually requested or accessed by the CIO, I'd get him to tell me who in security I would need to ship the data to. Of course - get the request in writing.

    I'd also keep full records (offline, locked up and encrypted somewhere) of what was sent, so that I could substantiate what was done and why it was done.

    Your lack of planning does not constitute an emergency on my part... unless you're my manager... or a director and above... or a really loud-spoken end-user... All right - what was my emergency again?
