Don't Network Administrators Require Privacy?

An anonymous reader writes to tell us that Recently their company has decided to move the IT staff out of their offices to make room for the Service Department. The move has placed the IT staff in cubicles that all face inward and lack, obviously, the ability to lock their doors at night. This is, to them, an obvious breach in security and privacy for what may be sensitive network information. Have any other Slashdot readers dealt with this sort of problem before? If so, what specific information was best suited to rectify these security concerns?

Man up, nancy.

[markv242]

Quit trying to make up bogus reasons as to why you don't want to be in a cube and just tell your boss, "I don't want to be in a cube." If it's a dealbreaker for you, resign. Next they'll be moving you down into the basement and taking away your red stapler.

Re:Man up, nancy.

[shawn(at)fsu]

Bogus is exactly right. Our company, an IT company that employs over 100,000 people worldwide has the sysadmin people in cubes. They can store the equipment in either lockable cabinets or is the server room. Sorry but this article just sounds childish and elitist.

Re:Man up, nancy.

[TheSkyIsPurple]

It's a legitimate concern in general, but we just don't know enough in specific

We had a building restack awhile back, and they wanted to bump our group into cubes. I ended up going to the Real Estate folks at HQ and letting them know that my screen would now be facing public walkways, and communications about acquisitions would be ripe for compromise. (I kinda wish we had the SOX issues back then... since I deal with private info as well, it becomes a legal issue.)

Fortunately for me, Facilities didn't want to get those goofy cubicle sliding doors, and we didn't have enough conference room space for me to be able to reserve a conference room for all my confidential meetings.

Then again, at another of our offices, all of us are in cubes, but our bank of cubes is behind a secure access controlled door, and the general users aren't allowed in there... All depends on how critical your info is, and what is available to protect it.

I wouldn't press the sube issue directly, I would press the security issue, and let management come up with their own answer.

Re:Man up, nancy.

[blincoln]

Seriously.

What company gives regular IT people their own offices?

I've been at a Fortune 500 company for five years, and in that whole time (which has spanned two buildings), the only people with offices were the directors.

Might Even Be Illegal?

[tim_mathews]

We ran into a similar issue at work. Our argument to keep our locked office was that since we have access to all the files on the network, under the HIPPA laws we're required to keep our workstations in a secured area like HR since confidential employee information could potentially be displayed on our screens. Don't know if it's true or not, but it let us keep our office.

Re:Might Even Be Illegal?

[GuyverDH]

Actually, all that has to be done, is to follow a clean desk policy.

Monitors need to be faced in such a way so that they cannot be viewed from the walkways.
I also run mine at maximum resolution (1400x1150 for the laptop and 1600x1200 for the 20" second display) with small fonts so that my eyes are the only ones that can read anything displayed (unless someone looks directly over my shoulder).

Important papers have to be stored in locking cabinets/file drawers.

No sensitive information should be stored on the workstations. All sensitive information should be stored in a protected data-center type environment. File servers, host systems, database servers should all be protected. Workstations should be set to lock within a few minutes (mine is set for 2 minutes). I also have gotten into the habit of locking my workstation before I stand up for anything.

With no locally stored sensitive information, then the administrators PC is unable to be used as a tool to gain said information.

Cubicles are not necessarily evil, they are however, a fact of corporate life.

Don't be lazy, keep the information secure, rather than trusting a simple "door-lock" to keep unsecured data secure.

Sounds pretty standard

[Clubber+Lang]

Seriously, boo hoo. I don't mean to be a jerk, but BFD. Virtually every cubicle I've ever seen has drawers and cabinets that lock, and if you're a network admin you probably have a laptop anyways right? If you read your disaster recovery or even security plan (if you've got one) you'll probably find that all staff who have laptops are supposed to bring them home.

Could someone look over your shoulder? I guess... but there are people out there (like say, me, or employees at any other benefits outsourcing company) that have access to literally thousands or even millions of people's date of birth, SSN, etc etc. We get along just fine, so will you.

I mean, sucks you lost your office... I remember mine, it was nice.

Re:I don't see that they do, no...

[Homology]

A good IT admin should be able to secure the PC on their desk and therefore everything else that they access. Help your company cut costs and keep you, it is much better than the alternative.

Bullshit. Once you have physical access to the PC you can compromise it.

Money talks

[Thu25245]

Draw up a budget proposal for whatever locking file cabinets, secure equipment cabinets, Kensington locks (better than nothing...) and desktop security software that you'll need to ensure the security and functionality of your information systems. Keep in mind that this includes not only malicious snoopers but also cleaning staff that snag cables with their vacuum cleaners, and take whatever precautions are necessary.

Be thorough, but don't make stuff up. Don't make it a turf war, just make it clear that you're working to protect the systems that you're responsible.

Come up with this proposal, and an estimate of the costs, and request that Accounting begin soliciting bids from vendors. And then lightly suggest that this would not be necessary if you could have good locking offices.

Keep in mind, though, that private offices are only effective if they are truly private. If they're not always proerly locked, or if too many people have the keys, then you'll be the worst kind of office hypocrite.

Re:In a hallway

The fun solution to that problem is to act like his secretary but follow through with 0 of the requests. Give this to him? Oh sure. Is he in his office? No, he's out for the day. His car is being towed? Ok, I'm calling him now. *smirk*

If anyone complains, blame it on their incompetence.

Re:Yes, and stripper girlfriends

[v1]

The "secure your computer" idea is obvious enough. There are other subtle problems though.

The "looking over your shoulder" problem is more difficult to deal with than you might think. More than once I've had issues with users stalking up behind me and reading my screen before I even knew they were there. (the really rude ones ask questions about what they've read) I could be doing any number of sensitive things - sending someone an email discussing the layoffs that are scheduled for next week, chatting with someone sending them their new account password, drafting a memo to someone outlining new security policy... posting the new router passwords on a secure filestore... any of these and more could be serious breaches of security and privacy if observed by the wrong people, and as another poster mentioned, could violate state or federal laws.

It's really a design problem to set up a cubicle where the user faces away from their door. For one, they can either look at their visitor OR their computer, but not both. I always prefer looking at my monitor, and then off to its side to see my guest. This also allows me to look up information for them without having to turn my back on them. Intelligent cubicle design has the desk on the left or right of the doorway, not opposite it. If your desk is opposite your cubicle doorway, tell your HR to get a clue. The best cubicle design is of course to have to walk around your desk and sit down, facing the doorway as well as your monitor, but I'll recognize that not every company has the space or the funds for such large cubicles.

As for physical security, that's another matter in itself. The best design is of course to have every computer imaged identically, with network login and home folder, and to allow no one to store their own information on the local hard drive. This seldom goes completely followed, and all sorts of things wind up on the local drives. Besides being a backup risk, anyone with physical access when you are away from your cubicle can rummage through your hard drive. Some I.T. are paranoid even of the nighttime janitors and clean the I.T. room themselves so they don't have to give out another key. But for that I'd say if you don't have janitorial staff you can trust at least that much, you need to find new janitors.

And of course if the fileserver is in your cubicle with you, that opens up a whole new can of worms. (and if not, why is your office away from the server room?) On that note I will say one thing I am against... leaving the server with an account logged in on it. I see that where I work sometimes, and it bothers me. I like that extra layer of security on top of physical security, and knowing someone with a key can play with the server is not my idea of a Good Thing(tm).

Looks like you're not getting much sympathy

[Maniacal]

I'll go ahead and give you a little.

I'm a network admin and not only am I part of the small percentage in our company that has an office, I'm part of an even smaller percentage that has a locking door. For me, it might not be completely necessary but it's desired for 3 reasons:

1) Work space - At any one time I might be working on 2 or 3 laptops and desktops while loading a server or configuring a router, etc. I need the space to set it all up. I have a counter top that runs along 2.5 walls of my office and a long table on the blank wall and it's all often occupied. My office doubles as my shop/lab.

2) Security - I have stacks of laptops, hard drives, routers, switches, etc. stored in my office and with our growth, more coming in every day. It's not that someone couldn't steal this stuff from elsewhere in our facilies, it's just that it's much easier to get to in my office. No unplugging, unbolting, etc. Just grab a stack of laptops and go. I've seen cabinets mentioned in other posts but I have too much stuff going on and if I was in one of our cubes I'd be lucky to fit 1 cabinet.

3) Peace and quiet - Between the useless chatter, relentless phone calls, streaming music and other noises, I can hardly hear myself think out there (cube world). Not to mention the drive through questions. Everybody and their little brother feels the need to stop by my office and ask a question on their way by. I don't mind it all the time. In fact I'm quite sociable, open and helpful but when I'm troubleshooting a tough problem or working on a project I just don't like to be disturbed. I generally deal with user issues in the morning and work on projects in the afternoon and evening. After lunch, when I close my door, everyone knows not to come knockin unless their problem is preventing them from completing their work.

That's my 47 cents.

Re:Yes, and stripper girlfriends

[Lux]

Nice post.

> But for that I'd say if you don't have janitorial staff you can trust at least that much, you need to find new janitors.

I disagree. I think your colleagues are making a very prudent move by cleaning those rooms themselves. It's not about trust, it's about money. A janitorial position is simply not worth passing up a hefty bribe.

Fun example: My sister went to school in Ghana for a year. Going price for a human to do menial labor is about $5/month (or something like that,) so the school kept four people watching the international dorm 24/7. Going price to get into the international dorm: about $20. After a "break-in" the guards get fired, take a paid month off, find another shitty job. The burgler gets a laptop to fence. Everyone's happy.

Now, if the school had one person on duty 24/7, and that person was making $20/month, then that person might start valueing the job over bribes. Job security in a position paying 4x what you could get anywhere else is worth a lot more than one month's pay.

Even ignoring the difference in salary, an IT person has a lot invested in their career that a janitor does not. So they're going to be intrinsically much harder to bribe. Even if you get a dishonest one.

Re:Yes, and stripper girlfriends

[Mike+Markley]

Yeah, and that's the overpriced ThinkGeek one. I've seen them cheaper than that $10, and even free at trade shows.

I think that most professional geeks need to come to grips with reality. If you're in IT, you probably think you're more important than you really are, while management probably thinks you're less important than you really are. This, obviously, adds up to a huge disparity, and causes plenty of conflict when these two distorted realities butt heads.

I'm sure some will look at this and say "no, really, I'm that important", but really, you're not. First, think about how many other people have exactly as much value as you do to the business. Unless you're in a very, very small shop, there's more than one person doing critical IT things in the first place. Then consider the people who produce whatever it is that your business does. It's popular in geek circles to complain that those people don't understand that they wouldn't be able to do their jobs without us geeks. Well, here's a news flash: you wouldn't have that job to do without them.

Next, try to remove that built-in Dilbert filter you've developed, and take a critical look at your immediate management. Now, your manager may be just as utterly useless as the stereotypes one would normally apply, but more often than not, that's an unfair stereotype. I know for certain that without my team lead or our group's manager, who both know how to work within the corporate political system to get things done, I would have been either downsized because upper management had no idea whether I was of any use, or I would have been fired for pissing off enough people.

You should also consider what those other departments really do (outside of the automatic reaction you probably have to that question, which is almost certainly along the lines of "annoy me" or "piss me off"). Sure, without the network guys, lots of things wouldn't get done; what wouldn't get done without this other department? "Service Department" is sufficiently generic that I have no idea what they do, but contrary to the common jokes about it, businesses aren't usually in the habit of hiring people to do nothing. Or take the Sales department, which is one of the bigger targets of IT vitriol. The individuals may often deserve it, or they may not (I've known some incredibly slimy sales guys in my life), but either way: the business needs customers. Without the IT guys, the sales guys would lack email, IM, and possibly even the productivity tools they use daily, but without the sales guys, nobody would be paying the IT guys' salaries.

For reference, I've only ever worked in one place where the IT staff got offices instead of cubicles, and that's mainly because there weren't any cubicles anywhere in our small office space. Not to mention the fact that it was about a 25-person ISP, and our customer base was primarily in a few counties. Oh, and they've since been gobbled up by a much larger competitor, had their employees laid off, and moved operations to another state.

I think, ultimately, that the submitter (and the GP) need a reality check. Despite what years in IT have led you to believe, you're not the most important preson in the organization and you're never going to be viewed as such. Millions of people get their jobs done just fine within cubicles. And for the GP: if you have a server in your cube or office, you're just asking for it anyway.