Reply to: Legal question: security breach

Shame they can't discipline him and sack him. K*$£

But if you breach one, then you wont be working & Invoicing wash and repeat

Apparently the manager now is getting a slap on the wrist from HQ.

I'm not sure if I could have stopped myself from laughing in his face.

Something was against the rules, u weren't made aware, then they won't even give u a copy of the rules?

Give me a break!

This ^^^^^^

If I wanted to deal with politics, power struggles, anal security policies and other stupid tulip then I would go back to being a permie. As a contractor I'm there to do a job so I get on with it and leave the permies to build their own silly little empires.

I have worked with these types of people before as well. They have like two email addresses, one normal and one encrypted (why I dont know) have a room with one way looking glass and private numbers and things like their Linkedin Profile are intitials only, right up their own arse like they are working for GHCQ or something.

With regards to the OP, when I start a new role the first email I send asks if there is a IT Policy, Social Media Policy, Emaila nd Internet Policy and also any other policies I should be aware of. What I receive in response then covers my backside.

WHS

If he's only in every three months or so, and you only have seven weeks to go, then ignore it and don't take it too seriously. If you need a reference from the client then they won't mention any security breaches - sounds like this guy might record them somewhere, but no-one has access to it to be able to do anything.

Plus, there's probably a security policy about giving references anyway....

Problem is, he is not on site, he turns up every 3-months or so unexpected and everybody fears him. He did not give me his surname, nor his contact details, nobody at the office is willing to give me his contact details, it looks like he comes and gives people a slap on the wrist and goes away. I have been informally told to ignore the whole thing and not to take it too seriously.

Strictly speaking I'm not contracted as an IT guy, so in theory I shouldn't even use a computer. In practice I'd have to and edit documents that are not in my intellectual property, so this is a bit the root of the problem. If I am breaching security the whole ClientCo is, and in my opinion they actually do. This could open a can of worms.

I am proper confused, I have 7 weeks to go and don't want to kick up a fuss.

Make sure that emailing the agent won't breach the security policy.

The best way to do that would be to go and ask the security officer about EVERYTHING that you do, to make sure that it's not in breach of the policy. End each conversation with "Thanks - shame I can't have a copy of the policy", eg.

You: I'm about to send an email to the team discussing what work we have planned. Does that breach the security policy?
SO: no.
You: Thanks - shame I can't have a copy of the policy

<15 minutes later>
You: I've had a reply from XXX, and I need to comment on it. Does that breach the security policy?
SO: no.
You: Thanks - shame I can't have a copy of the policy

<15 minutes later>
etc etc

I will email the agency tomorrow, because from the permies I'm not going anywhere. I'll keep you posted.

What a bloody idiot, how can you follow a policy you know nothing about.

This sounds like a real "jobsworth".

Just forget about it.

Sound like a bunch of incompetents. Writing policies or codes of connection that they refuse to share with the intended audience, words fail me.

Go on though, you're among friends, tell us what ya did?

IT Security people tend to think everything they do is so secret that they can't tell you, I wouldn't be surprised if they redacted their names from their business cards, just in case. I had a situation a few years ago on an international merger where the Head of IT Security told me that the other firm must meet their minimum security standards before they'd allow us to open a VPN to them or even the MPLS link when it was put in place. I asked for a documented list of those standards to send over for comment, I was refused as they're too sensitive to give to a third party! I asked how the other side would know they'd met the requirements or what to change if we didn't tell them what they were, the security trolls told me (direct quote) "it isn't our problem if they can't meet our standards, they should tell us what they do and we'll tell them if it's good enough".

The other side retaliated by sending a reciprocal request for the same information while refusing to give any out due to confidentiality. That didn't go down too well. I could just imagine the brown letters being sent to each other with redacted names asking for redacted information on redacted systems then demanding the other side gives them full and uncensored access to their systems.

It took escalation to COO level to resolve it and threats that when the departments were merged the most helpful Security Manager would be the one retained while the other one would be let go.

Beat me to it