IT Privacy at work help (CEO wants all admin staff user passes) Security issue

Zerohe

Bro do you even Boost?
Established Member
Joined
Jan 24, 2013
Messages
464
Location
Ohio-
If he's the CEO, there's not shit you can do. He does sound fire-happy though. Also, having everyone's information stored like that (the "vault" usually means "top desk drawer in his office") is a security risk through and through.

I do this shit all day at work. It's always keep this secure, keep that secure. But then the high up retards want everyone's shit and they store it next to their Starbucks coffee in their unlocked office.

MOST business management these days is half-retarded when it comes to I.T. They don't understand the processes, and they don't care, then they bitch to me when shit gets cracked. Friggen bitches.

We have sales guys come and go daily. As system administrator, I can reset anything that needs it quickly and easily with no need for passwords.
QFMFT

As a Network Admin, I don't trust end users. I don't trust them with themselves. Sure as hell not giving it to him. I would speak with the director of IT and explain to him how this goes against best practices and is a foolish idea.



That is incorrect. I am an IT auditor, and it's a big red flag when the CEO has this type of information. We generally recommend CEOs have NO access to systems other than what they need. CEOs think they are entitled to this information; they are not, and it's a big security risk.

IT, if anyone, should be collecting the info for logins and credentials across the various systems and tools. He's a CEO; he runs a business. Let him run his business. Information and data continuity is the job of the INFORMATION TECHNOLOGY DEPARTMENT. In my situation, if the CEO, who sits 1 row over from me, did have my login credentials, do you think he would know how to get into vSphere and keep an organization running?

IT should be doing this pre-flight check. Not the CEO. I've never even heard of this. If someone leaves, I can check their email by going into the Exchange server hosted on one of our 100 VMs. Like the CEO would know about it. :rollseyes: Through there I could access all of our vendors, affiliates and partners and their contact info as well, seeing as how it is all integrated into Office/Exchange. This is stuff you need another IT guy to even facilitate, so I don't see going the extra mile and giving it to him. There needs to be a board meeting, or the Director of IT needs to step up and not let his boss or boss's boss (most IT Directors go through the CFO) walk all over him. Wouldn't Do It/FAKE IT.



Giving out the password to login to my comp would probably get me fired, so this seems strange to me.


Yeah, but suddenly, against all advisable knowledge and sense, they want you to do it anyway? Yeah, not giving it to you. And I'm looking for another job. Shady Mofo. :nono:
 

rotor_powerd

Well-Known Member
Established Member
Premium Member
Joined
Sep 14, 2008
Messages
7,412
Location
VA
Credentials aren't needed if you were to be "hit by a bus." Anything can be reset and opened up by a network administrator. Active Directory account, Exchange/Office 365 account, etc. etc. Having credentials written down on paper is always a bad idea.
 

paynecasey

Active Member
Established Member
Joined
Sep 6, 2011
Messages
1,209
Location
Madisonville, KY
IT Response to admin and CEO

"It is in our IT Security Policy that passwords should always be masked, encrypted and never printed. In the event of the loss of an employee, the IT department can access the employee's accounts and reset passwords if needed with the administrative login.

Regarding passwords, our IT Policy doc states (pg. 17):

Restrictions on Recording Passwords - Passwords are masked or suppressed on all online screens, and are never printed or included in reports or logs. Passwords are stored in an encrypted format."


CEO response

"IT has a good catch (see below). Think this is a narrowly applied control to accessing our IT system (EHR, e-mail). Still need all other access information, whatever it may be, such as to our bank accounts, electronic files, computer programs, grants, vendor accounts, etc. Some folks may not have any significant access information to report. Try to cover where you, and you alone, get access to information or to do reporting and the like. Can exclude things like the EHB where multiple people have access."

I'm the only guy who touches websites for grant funds and banks. He knows this. Just painted a target on my back for sure.
 

DHG1078

¯\_(ツ)_/¯
Established Member
Joined
Nov 2, 2007
Messages
9,368
Location
So Cal
Is there log-in information you have that the IT department doesn't have, can't override, etc.?
 

zak88lx

Future SVT *****
Established Member
Joined
Jul 15, 2008
Messages
2,578
Location
Calgary, Alberta
OP - Is it possible your company is being acquired?
That might explain this request from your CEO.
 

paynecasey

Active Member
Established Member
Joined
Sep 6, 2011
Messages
1,209
Location
Madisonville, KY
My IT guy said we should do what the CEO asks but email him and the board. And say I'm doing this in protest and it is his board-approved policy and protocol.
 

GodStang

Well-Known Member
Established Member
Joined
Aug 20, 2003
Messages
14,723
Location
Aiken, SC
IT System Admin person also. If we ever shared passwords we would be in huge trouble. There is no reason he should need any of your info. If something happens to you, files can be gotten off your PCs easily, so no need there. At most places, emails are hosted on servers and an IT admin can get to those if needed. There is nothing in our realm we cannot get if something happens to you. Now if your IT department is half-assed, that may be a different story.
 

paynecasey

Active Member
Established Member
Joined
Sep 6, 2011
Messages
1,209
Location
Madisonville, KY
Job hunting now. Two a day minimum. Applied for Controller and Financial Account Manager.

He wants bank user passes. Only one with that is me. He should have said, "Casey, I need your info."
 

RDJ

ZERO shits given
Established Member
Joined
Oct 3, 2002
Messages
19,853
Location
Texas
I'm the CFO.

Jesus, you guys are making a mountain out of a ****ing mole hill. While I agree with the sentiment it is against best IT practices, and goes against probably 150 security rules in place at every company and government entity I have ever worked for. The solution is simple …

Take a piece of paper, copy the first page of War and Peace, or copy the IT regulations where it says it is against company policy to share that information. Put it in a security envelope. After sealing it, write your initials across the seal, making sure that they are on both the flap and the envelope itself. Then seal all seams with clear Scotch tape. Fold over the corners. And give him the envelope. If he ever says, "Why did you give me an envelope full of crap?", you have nailed him on his dishonesty and lack of integrity with his own mouth.
 

...Mark...

Member
Established Member
Joined
Sep 25, 2002
Messages
534
Location
Marietta GA
My IT guy just tossed a bomb on him with IT policy preventing password sharing. I also blew the whistle on this to the Board. His evaluation is past due.

Probably the best course of action that you guys could have taken. This way it's not just one of you not feeling uncomfortable with the request but a few members of the team. It shows unity.

Well played.
 