Legal question: security breach

Go on though, you're among friends, tell us what ya did?

I will email the agency tomorrow, because from the permies I'm not going anywhere. I'll keep you posted.

Make sure that emailing the agent won't breach the security policy.

The best way to do that would be to go and ask the security officer about EVERYTHING that you do, to make sure that it's not in breach of the policy.

Problem is, he is not on site, he turns up every 3-months or so unexpected and everybody fears him. He did not give me his surname, nor his contact details, nobody at the office is willing to give me his contact details, it looks like he comes and gives people a slap on the wrist and goes away. I have been informally told to ignore the whole thing and not to take it too seriously.

Strictly speaking I'm not contracted as an IT guy, so in theory I shouldn't even use a computer. In practice I'd have to and edit documents that are not in my intellectual property, so this is a bit the root of the problem. If I am breaching security the whole ClientCo is, and in my opinion they actually do. This could open a can of worms.

I am proper confused, I have 7 weeks to go and don't want to kick up a fuss.

If he's only in every three months or so, and you only have seven weeks to go, then ignore it and don't take it too seriously. If you need a reference from the client then they won't mention any security breaches - sounds like this guy might record them somewhere, but no-one has access to it to be able to do anything.

Plus, there's probably a security policy about giving references anyway....

IT Security people tend to think everything they do is so secret that they can't tell you, I wouldn't be surprised if they redacted their names from their business cards, just in case. I had a situation a few years ago on an international merger where the Head of IT Security told me that the other firm must meet their minimum security standards before they'd allow us to open a VPN to them or even the MPLS link when it was put in place. I asked for a documented list of those standards to send over for comment, I was refused as they're too sensitive to give to a third party! I asked how the other side would know they'd met the requirements or what to change if we didn't tell them what they were, the security trolls told me (direct quote) "it isn't our problem if they can't meet our standards, they should tell us what they do and we'll tell them if it's good enough".

The other side retaliated by sending a reciprocal request for the same information while refusing to give any out due to confidentiality. That didn't go down too well. I could just imagine the brown letters being sent to each other with redacted names asking for redacted information on redacted systems then demanding the other side gives them full and uncensored access to their systems.

It took escalation to COO level to resolve it and threats that when the departments were merged the most helpful Security Manager would be the one retained while the other one would be let go.

Smile and invoice. Repeat as necessary.

Something was against the rules, u weren't made aware, then they won't even give u a copy of the rules?