Security, user access, login and reporting. How do you mentally adjust for the negative aspects of security management?

Solution 1:

Not to be rude, but suck it up. You're the IT Manager, part of your job is to snoop on what employees are doing when someone in management feels that it is warranted. If you aren't up for the job, then perhaps it isn't the correct job for you.

And I'm sure this will make me fairly unpopular around here for a while.

Solution 2:

I wasn't an IT manager, but usually the guy they asked to do discovery. Here's how I handled it.

  • I work for the organization.
  • The organization has a right to protect itself. We're not just talking about intellectual property, but also potential lawsuits.
  • Employees are properly informed about what they can and cannot do. They sign a document indicating that they understand those things. If they didn't read that document, that's not something I can control.
  • In order to protect itself, sometimes the organization has to investigate.
  • Someone has to do that investigation.
  • It needs to be done right.
  • It needs to be done by a person with integrity.
  • I believe I fit those qualifications.
  • If the organization finds something out of compliance, failure to take action can open the organization up to trouble. For instance, if the organization knew an employee was accessing porn and did nothing about it...
  • If the organization refuses to act, gets busted, pays a huge fine, I may end up being unemployed.
  • I want to stay employed. Therefore, it's in my best interests to do the job right.
  • If at any time the organization asks me to do something I feel is unethical or illegal, I have the choice to walk away. In the case of something illegal, I have the responsibility to report it.

And that's what it amounts to. If you aren't comfortable doing the work, you need to walk away. Otherwise, do the best job possible, handle it with the utmost of integrity, and see that the organization receives the information or service it needs to protect itself (so long as it is ethical and not illegal).

Solution 3:

You can't let your feelings get involved about it. One can always voice an objection to the people who want the information, but in the end anything done on a company computer on company time...is company information.

Solution 4:

Your job is to tend the systems of your employer. Laws do vary by country, but in the United States, any computer equipment purchased by the employer is their property and can be used as they see fit. This is not exactly a wonderful way to look at things, but that's the way it is. That being said...

Your reputation and integrity are the keys to the kingdom. So here you are, having to handle something that, for any employee, is pretty much less-than-tasteful, but you should continue to do it with your reputation and integrity intact. Because when you are guarding all of your employer's trade secrets, processes, knowledge, communications, and even bank balances, integrity is what will allow you to work around these things.

As far as dealing with the unpleasant side of it...yes, it does bother many people. The trick is to remember that you are managing your employer's machines - not yours. You are entrusted with protecting and managing their systems, and while you put your blood, sweat, and tears into making them viable, it's still your employer's equipment at the end of the day.

Another way to look at it - this is a management issue. Your job is to provide services to the company, not manage the employees. If management wants to just enforce rules but not remind their employees of the rules, that's their choice - although it is (admittedly) a detriment to the company and employee morale.