
Legal question: security breach

    IT security manager (never seen before) at ClientCo wants to have a chat with me:

    MANAGER: It appears that you have been responsible for a security breach for the last 3 months. You did "this, this and that".
    ME: In what way is that a security breach?
    MANAGER: This is against our internal IT Security policy.
    ME: Actually I have never been shown one. Can I have a copy?
    MANAGER: No.
    ME: Why is it?
    MANAGER: It's not available to contractors and temps.
    ME: So it shouldn't apply to me, then.
    MANAGER: It applies to you because you act as an employee to third parties (???)
    ME: I am not 100% sure but I could possibly sue you for not giving me the IT policy.
    MANAGER: Ok, just forget it then but don't do "this and that" again in the future.
    ME: OK.

    Where do I stand? Should I have requested the IT security policy at day one? And if they had refused should I have walked out?
    Or should I just ignore the whole episode?

    In my opinion one of the two parties has done something wrong.
    <Insert idea here> will never be adopted because the politicians are in the pockets of the banks!

    #2
    Are you through an agency or sub-contractor? I presume from what he says that they should be making you aware of site based processes like this and H&S etc. I seem to remember in the past I have been provided these to sign by the agents but I also know that I have been required to read/sign them by the client once I arrived on site.

    First off I would check with your agent/Sub con about the process. The agreement could be they are required to cover all this before you step foot on site so they could be failing the client by not making you aware or getting you to sign before you arrive.

    EDIT: From a personal perspective you could go back to the SO cap in hand and explain you haven't seen this and are looking into why but could he supply you with a copy to read just so you are aware and don't make the mistake in the future. If he refuses then I am sure the client would like to know he is facilitating these security breaches by not helping you to understand. They should be there to help you and prevent these, not wait for them to fail.
    'CUK forum personality of 2011 - Winner - Yes really!!!!


      #3
      Originally posted by petergriffin View Post
      Or should I just ignore the whole episode?
      Smile and invoice.

      Repeat as necessary.
      Originally posted by MaryPoppins
      I hadn't really understood this 'pwned' expression until I read DirtyDog's post.


        #4
        Originally posted by northernladuk View Post
        Are you through an agency or sub-contractor?
        I am with the agency, however this particular agency is owned by the client. I think the manager might have got himself confused.

        Indeed the contract says that I am subject to the group's IT policy, the group in this case being the same.

        So I should insist on having a copy, shouldn't I?

        By them refusing to provide it, are they not breaking some rule? I've contacted the agency, they don't know how to handle this.

        Nothing has happened in the end but I need to know how to behave in the future.

        EDIT: I've got two months to go, I hope they don't f. about with references.
        Last edited by petergriffin; 24 October 2013, 15:56.
        <Insert idea here> will never be adopted because the politicians are in the pockets of the banks!


          #5
          Originally posted by petergriffin View Post
          I am with the agency, however this particular agency is owned by the client. I think the manager might have got himself confused.

          Indeed the contract says that I am subject to the group's IT policy, the group in this case being the same.

          So I should insist on having a copy, shouldn't I?

          By them refusing to provide it, are they not breaking some rule? I've contacted the agency, they don't know how to handle this.

          Nothing has happened in the end but I need to know how to behave in the future.

          EDIT: I've got two months to go, I hope they don't f. about with references.
          You give your client as a reference??!? Just give agency name and they will confirm you worked there and nothing more. They don't want to get hauled over a barrel for giving incorrect or libellous feedback.

          You are working on site, it is essential you get a copy of it. Am surprised you don't have to sign it as well. Someone has f'd up big style. Whoever has, get a copy for yourself so at least you can keep your nose clean.
          'CUK forum personality of 2011 - Winner - Yes really!!!!


            #6
            Originally posted by petergriffin View Post
            Indeed the contract says that I am subject to the group's IT policy, the group in this case being the same.

            So I should insist on having a copy, shouldn't I?
            You can't breach a contract you know nothing about.

            Go back to the security manager and politely point that out. Then ask him who will give you a copy of the security policy if he refuses to give it to you.
            "You’re just a bad memory who doesn’t know when to go away" JR


              #7
              Originally posted by northernladuk View Post
              You give your client as a reference??!? Just give agency name and they will confirm you worked there and nothing more. They don't want to get hauled over a barrel for giving incorrect or libellous feedback.

              You are working on site, it is essential you get a copy of it. Am surprised you don't have to sign it as well. Someone has f'd up big style. Whoever has, get a copy for yourself so at least you can keep your nose clean.
              Agree 100%.
              I am though confused by your statement that the client and the agency are owned by the client (i.e. I read it that they were the same company??).

              Regardless, if your contract states you are obligated to comply with "XYZ" then you need to be provided with sight of same.

              "I could possibly sue you" probably isn't the most pragmatic way to go.

              HTH
              If it looks like a duck, walks like a duck, quacks like a duck, it must be a duck


                #8
                Originally posted by northernladuk View Post
                You give your client as a reference??!? Just give agency name and they will confirm you worked there and nothing more. They don't want to get hauled over a barrel for giving incorrect or libellous feedback.

                You are working on site, it is essential you get a copy of it. Am surprised you don't have to sign it as well. Someone has f'd up big style. Whoever has, get a copy for yourself so at least you can keep your nose clean.
                Originally posted by SueEllen View Post
                You can't breach a contract you know nothing about.

                Go back to the security manager and politely point that out. Then ask him who will give you a copy of the security policy if he refuses to give it to you.
                Beat me to it
                If it looks like a duck, walks like a duck, quacks like a duck, it must be a duck


                  #9
                  IT Security people tend to think everything they do is so secret that they can't tell you; I wouldn't be surprised if they redacted their names from their business cards, just in case. I had a situation a few years ago on an international merger where the Head of IT Security told me that the other firm must meet their minimum security standards before they'd allow us to open a VPN to them or even the MPLS link when it was put in place. I asked for a documented list of those standards to send over for comment; I was refused as they're too sensitive to give to a third party! I asked how the other side would know they'd met the requirements or what to change if we didn't tell them what they were; the security trolls told me (direct quote) "it isn't our problem if they can't meet our standards, they should tell us what they do and we'll tell them if it's good enough".

                  The other side retaliated by sending a reciprocal request for the same information while refusing to give any out due to confidentiality. That didn't go down too well. I could just imagine the brown letters being sent to each other with redacted names asking for redacted information on redacted systems then demanding the other side gives them full and uncensored access to their systems.

                  It took escalation to COO level to resolve it and threats that when the departments were merged the most helpful Security Manager would be the one retained while the other one would be let go.


                    #10
                    Sound like a bunch of incompetents. Writing policies or codes of connection that they refuse to share with the intended audience, words fail me.

                    Go on though, you're among friends, tell us what ya did?
