IT Privacy at work help (CEO wants all admin staff user passes) Security issue

paynecasey

Active Member
Established Member
Joined
Sep 6, 2011
Messages
1,209
Location
Madisonville, KY
My CEO, whom no one trusts, just put out an email that said this to the admin staff (5 members):

"We never know when we might be hit by a bus… meaning, who and how would RHCA pick up where you left off should you suddenly no longer be available? So, we all need to write down our log ins, passwords, account numbers, key contacts, etc., for the various systems and programs and entities that you conduct business with. Put your information in a sealed envelope and send them to me. We’ll secure the envelopes and hope we never have to use them. Please get your envelope to me COB on April 25th. [Joseph… can you get yours done before you leave for training?]

OK… names, passwords, phone numbers etc. change. So, we’ll probably do this exercise periodically."

None of us trust him and feel he is fire happy. Isn't this an IT security violation? Anyone know where I can cite something to block this? Thinking of giving old passwords.
 

ElscottHavoc

It's all your fault.
Established Member
Joined
Sep 26, 2009
Messages
1,516
Location
Newton, IA
He's the CEO of the company and the information he's requesting is company information. I see no problem with it. He's not asking for personal information, just passwords for accounts that he as a CEO ought to have access to anyway. Plus, the envelope idea (if locked in safe) is smart really.

Posted via Topify on Android
 

offroadkarter

Professional S***poster
Established Member
Joined
Dec 12, 2008
Messages
6,971
Location
Lehigh Valley, PA
That's a huge security risk for sure. If someone "got hit by a bus" and access was needed to his account, the IT staff could just reset his password and log in themselves.

At my last job not even the CEO had unlimited access to everything in the company. You never know who or what has some intentions that could jeopardize the company.
 

xenodragon

New Member
Established Member
Joined
Apr 22, 2005
Messages
3,252
Location
Twin Cities
My CEO, whom no one trusts, just put out an email that said this to:

"We never know when we might be hit by a bus… meaning, who and how would RHCA pick up where you left off should you suddenly no longer be available? So, we all need to write down our log ins, passwords, account numbers, key contacts, etc., for the various systems and programs and entities that you conduct business with. Put your information in a sealed envelope and send them to me. We’ll secure the envelopes and hope we never have to use them. Please get your envelope to me COB on April 25th. [Joseph… can you get yours done before you leave for training?]

OK… names, passwords, phone numbers etc. change. So, we’ll probably do this exercise periodically."

None of us trust him and feel he is fire happy. Isn't this an IT security violation? Anyone know where I can cite something to block this? Thinking of giving old passwords.


It's not an IT security violation, but it is against IT best practices. I would get ahold of the Information Security Policy and see what it states in there. Generally they state "password should not be shared, etc etc etc". You must work at a small company? I mean almost all systems have administrators that can reset passwords if you "got hit by a bus", so even if they don't know your password an admin could reset it and log in as you anyway. He wants account numbers? To me this seems like an internal phishing scam for him to see who will actually respond to this. There is no reason you should have to share passwords etc with the CEO.
 

Sick03Vert

Banned
Joined
Sep 8, 2011
Messages
2,022
Location
Houston Texas
If he's the CEO, there's not shit you can do. He does sound fire-happy though. Also, having everyone's information stored like that (the "vault" usually means "top desk drawer in his office") is a security risk through and through.

I do this shit all day at work. It's always keep this secure, keep that secure. But then the high up retards want everyone's shit and they store it next to their Starbucks coffee in their unlocked office.

MOST business management these days is half-retarded when it comes to I.T. They don't understand the processes, and they don't care, then they bitch to me when shit gets cracked. Friggen bitches.

We have sales guys come and go daily. As system administrator, I can reset anything that needs it quickly and easily with no need for passwords.
 

xenodragon

New Member
Established Member
Joined
Apr 22, 2005
Messages
3,252
Location
Twin Cities
He's the CEO of the company and the information he's requesting is company information. I see no problem with it. He's not asking for personal information, just passwords for accounts that he as a CEO ought to have access to anyway. Plus, the envelope idea (if locked in safe) is smart really.

Posted via Topify on Android

That is incorrect. I am an IT auditor, and it's a big red flag when the CEO has this type of information. We generally recommend CEOs have NO access to systems other than what they need. CEOs think they are entitled to this information, they are not, and it's a big security risk.
 

oldmodman

Well-Known Member
Established Member
Joined
Jun 27, 2003
Messages
16,543
Location
West Los Angeles
Does the boss claim that they will not be opened unless you die?

Easy to test. Put a sheet of paper in the envelope that says "I just don't trust you" and seal it.
With the name and phone number of your best friend that has the real envelope and will really give it up if you are dead.

Since you know it will be opened so he can spy on your stuff he will know that everyone is onto him.
 

03Sssnake

TK-421
Established Member
Joined
Dec 9, 2002
Messages
40,740
Location
not at my post...
That is incorrect. I am an IT auditor, and it's a big red flag when the CEO has this type of information. We generally recommend CEOs have NO access to systems other than what they need. CEOs think they are entitled to this information, they are not, and it's a big security risk.

Agreed... I am an IT Manager and just the thought of sharing administrative credentials makes me cringe. There is no good business reason for this and if he really is a shady guy, you have just given him the keys to the kingdom. I can understand contact info for key IT personnel, their backups and 3rd party partners, i.e. developers/programmers etc. That should be fully documented and accessible to those with the need to know anyways. With regard to the password issue, at least one or two of the other admins should have the ability/privileges to reset credentials should a crisis arise.


I would be wary and suspect the real business reason would be outsourcing your team to 3rd party consultants....or maybe this CEO just wants to know how many times he has been caught on shemale pornsites
 

Tx5811

Veni, vidi, vici
Established Member
Joined
Oct 19, 2013
Messages
1,257
Location
Texas
I would get on LinkedIn and start applying elsewhere immediately. Sounds like they're shipping your job to India.
 

ElscottHavoc

It's all your fault.
Established Member
Joined
Sep 26, 2009
Messages
1,516
Location
Newton, IA
Fair enough, I work for a small company and assumed OP did too. If our IT guy got hit by a bus we'd be screwed, that's why I thought it seemed reasonable.

He's the CEO of the company and the information he's requesting is company information. I see no problem with it. He's not asking for personal information, just passwords for accounts that he as a CEO ought to have access to anyway. Plus, the envelope idea (if locked in safe) is smart really.

Posted via Topify on Android

That is incorrect. I am an IT auditor, and it's a big red flag when the CEO has this type of information. We generally recommend CEOs have NO access to systems other than what they need. CEOs think they are entitled to this information, they are not, and it's a big security risk.

Posted via Topify on Android
 

zak88lx

Future SVT *****
Established Member
Joined
Jul 15, 2008
Messages
2,578
Location
Calgary, Alberta
OP - I don't like the wording the CEO is using.
At my old company the President would always use the "Hit by a bus" scenario whenever he was planning on firing someone, or if he thought someone was leaving the company.

He would collect passwords, documentation, duties, scripts, etc.
Essentially, anything that they would need to pass on to the new replacement.
 

paynecasey

Active Member
Established Member
Joined
Sep 6, 2011
Messages
1,209
Location
Madisonville, KY
I've got my IT guy hunting down policies and fighting for us. I'll give contacts but not passwords. But like some of you said, if he isn't shady he won't open these sealed envelopes and I could put whatever I wanted and he'd never know.
 

thomas91169

# of bans = 5203
Established Member
Joined
Mar 2, 2006
Messages
25,662
Location
San Diego, CA
Considering you have an actual IT department (meaning you're not some family business with one dude who 4hrs a week manages some IT-like stuff), you guys should already have policies regarding who gets IT security information, possibly even your HR department.
 

wht93gted

Member
Established Member
Joined
May 7, 2012
Messages
781
Location
fist pump pushup chapstick
For me, technically speaking, anything I do, write, say, e-mail etc from work, is property of my work.
All the e-mails I send from a company owned computer, instant messages, or documents on that computer are "technically" property of the company.
Even posting this from work, makes me liable for my company to read it and discipline me based on what I say; example, if I said "<insert company name here> sucks ass".

That said, the way he asked, doesn't seem professional.
Also, there should be corporate policies that outline that type of thing. In a corporate infrastructure, there's no reason an IT admin couldn't override credentials or use their admin credentials, to login and see any and everything you do, in the 'hit by a bus' scenario. The CEO shouldn't need or possess that information for anything. It's not like the CEO is going to assume your day-to-day activities if you were "hit by a bus"; assuming you aren't an executive in the company.
 

paynecasey

Active Member
Established Member
Joined
Sep 6, 2011
Messages
1,209
Location
Madisonville, KY
My IT guy just tossed a bomb on him with IT policy preventing password sharing. I also blew the whistle on this to the Board. His evaluation is past due.
 
