Personnel files not being secured
I work for a small company (6 people) - which does not have a dedicated HR person. I have discovered some of my, along with a colleague's, personnel files lying on an open network share. This includes information ranging from reference checks on my initial application through performance reviews from the last year.
I am looking for advice on how to bring this up with management.
human-resources
asked Jun 29 '15 at 11:32
Jane
Better yet, can you also see their personnel files?
– Jane S♦ Jun 29 '15 at 11:41
Could you explain what the structure of the company is? How many of your colleagues have their data compromised? Is it open to someone outside the company or just within the company?
– Llopis Jun 29 '15 at 14:33
2 Answers
This is a situation where just talking to your management is the easiest thing. Small companies often are informal and most assuredly start more informal. It may be that location was fine when there were fewer employees or the person creating it doesn't even realize others can see it (depending on how technical they are).
Just find some time and ask, "hey, I inadvertently came across my personnel file on our network share in public - this probably shouldn't be public, are you able to restrict access to this or move it?"
Depending on how your network is set up it'd be helpful to suggest ideas. Probably just securing the folder on the share drive will work. Suggestions are always great for a manager regardless.
Also, don't attribute malice when ignorance is likely.
answered Jun 29 '15 at 15:00
Elysian Fields♦
I took this exact approach in a larger company I worked at. I had a bit of downtime and was browsing the network structure when I found a file server, open to everyone, that had thousands of employees' records on it. I immediately called the IT director, she thanked me and the problem was resolved in minutes.
– NotMe Apr 14 '16 at 22:21
In my current position, I oversee internal controls, security, and compliance at my company on the IT Audit team. From personal experience, you should bring this up not only with your manager, but with the Security and IA function at your company if such function exists, and you are authorized to do so. You should review your company policies relevant to your concern - Acceptable Use of technology, confidentiality, data handling and classification...
The situation you describe seems to be an accident / lawsuit waiting to happen. It also creates great, unnecessary risk for the company. Ask yourself the following question:
What other than personal ethics, job loss, and potential criminal liability stands between you disclosing the PII / sensitive information of your colleagues or them disclosing yours to an unauthorized person?
Can you really be sure that your information such as SSN, DOB etc, given it's your personnel file, has not already been compromised by a malicious outsider or internal employee?
I would expect most reasonable management to act promptly.
edited Apr 13 '16 at 0:19
answered Apr 12 '16 at 23:42
Anthony
I think my answer is reasonable. An explanation of the DV would be appreciated so I can improve my answer.
– Anthony Apr 13 '16 at 0:20
It's not a helpful answer for a small company. OP's company has 6 people in it, so it probably doesn't have a dedicated IT team or formal IT policies.
– Kevin Apr 13 '16 at 4:04
The company has no HR, they certainly don't have IT audit. All you've suggested doing here is the OP reviewing policy. How will that change the actuality and given that no IT audit function or policy exists how does the OP convince their manager?
– Ben Apr 13 '16 at 4:47
Very unrealistic answer based on the size of the company.
– Myles Apr 13 '16 at 21:38