Slashdot Mirror
Ask Slashdot: IT Personnel As Ostriches?
MonOptIt writes: I'm a new IT professional, having recently switched from a different sci/tech field. My first gig is with a mid-size (50ish) nonprofit which includes a wide variety of departments and functions. I'm the sole on-site IT support, which means that I'm working with every employee/department regularly both at HQ and off-site locations. My questions for the seasoned pros are: Do you find yourself deliberately ignoring office politics, overheard conversations, open documents or emails, etc as you go about your work? If not, how do you preserve the impartiality/neutrality which seems (to my novice mind) necessary to be effective in this position? In either case: how do you deal with the possibility of accidentally learning something you're not supposed to know? E.g. troubleshooting a user's email program when they've left sensitive/eyes-only emails open on their workstation. Are there protections or policies that are standard, or is this a legal and professional gray-area?
Yes
IT has access to everything and should read nothing. The content is just that, content. It doesn't matter
why the fuck are you asking here, of all places, about office etiquette? haven't you noticed that over half of the people here are bitter, miserable burnouts and misfits?
are you also asking on the christian abstinence forums about finding prostitutes?
"They were pure niggers." – Noam Chomsky
Then you will be surprised when the players of office politics conspire to fire you. And they will. It's what they do. Because you're IT. You're the scum of the office by definition.
Oops... this is the wrong site for that.
"how do you preserve the impartiality/neutrality which seems (to my novice mind) necessary to be effective in this position" You keep your mouth shut about anything but your job.
I treat everyone's email the same: I don't read it. I may see subject lines but I don't see the technical reason requiring you to read them. If it's a temptation, might want to re-evaluate your own professionalism.
The same with politics and gossip: keep it to yourself; do not participate. If asked a question, smile and decline to comment. Be polite and cordial but trust no one.
Basically: do your job and stfu.
Unless you're a professional ladder climber and/or backstabber (most MBA middle-management types), it's best to just stick to IT and keep stuff to yourself.
Just keep the guy who does your yearly reviews happy and make him look good. Also, make his boss look good. If you're like me and have multiple bosses, develop your relationship with the one you think will hold that position longest. Don't burn any bridges unless you have to in order to keep your job. Every company has different standards of security, and an even wider variation of enforcement. Don't intentionally be a butt-head to anyone, and if you see anything that's off policy or could get someone fired, just politely point it out to the individual so they can correct it.
As for dealing with sensitive information, I usually ignore it. You'll see lots of stuff you probably shouldn't as the only IT guy. Just file it away and don't bring it up again--even if it seems like a good idea or a neutral situation to do so. You don't want upper management finding out the IT guy knows more about the company than they do, or they'll (often unintentionally) make your life miserable.
IT can be likable, but there will be a lot of people who will make your job harder because of their ignorance. Just do you best to educate them in a friendly way so you can work on more important things than dealing with office dunce's all the time.
Always remember that you are dealing, in your case where your internal customers are not IT savvy, that there is a reason why we refer to them as lusers:
1) They have no idea how to do what you do, and need you to help them perform even the simplest of tasks
2) What you do is so simple any moron can do it
3) Their son / brother-in-law / uncle, etc. is much more of an expert then you. They re-install Windows for them every six months, and made their system much faster by upgrading from a 512GB drive to a Terabyte drive as well as much safer by installing three, count them three different Antivirus products!
4)You are some kind of idiot, because you haven't done what their expert relative has done
I wish I was kidding. The reality regarding your question is that as an IT professional you will have access to said sensitive information. It will only make you jaded if there is good reason to be jaded. If there is good reason to be jaded, run don't walk to a better gig.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
If colleagues cannot depend on the discretion of their IT support, then they need new IT support.
OTOH if the information involves illegal activity, perhaps one ought to consult management. If management does not respond, or responds in an unethical way, maybe IT support needs to find new colleagues.
Fwiw
You can't be liable for having knowledge of information that people couldn't be bothered to encrypt. Executives can be lazy with their data and you can't be expected to do special efforts when they didn't do any to begin with. That being said, I would chose to ignore. I have been there, with information very sensible for a very big company, and just ignored that. A colleagues acted upon that same knowledge in not so subtle way and we almost got troubles for it; it was harmless so they pretended they did not realise we had access to the documents and left it at that. It could get you fired though, so you might want to just stfu. Now there would be two exception to that rule: I you were in a position where you could blow the whistle on some important information for the public good, or if you could get personal gains in the process. It's a moral decision q:
Read the System Administrators' Code of Ethics and take it to heart. Even if your job title doesn't include the words "system" or "administrator."
It's actually pretty easy to ignore the content of an email if you're focused on the email delivery process (mail server logs, the headers of forged/spam mails, things like that). Similarly, if you're doing FTP hosting or file drops for customers, you rarely need to dig into the content of the files themselves to troubleshoot upload/download problems. There are rarely reasons to dig into the content of whatever you're working on. It does come up, if (for instance) some piece of email has wacky malformed content that keep crashing the mail client, but IME those situations are uncommon.
I used to work at a mom-and-pop ISP, in a small town. Our customers included the local police and fire departments, City Hall, and most of the larger law offices and accountants' offices. Since we provided email and Web hosting (among other services), I certainly could have made some locals' lives very interesting. Hell, I had access to the email of everyone in my company, including that of the owners to whom I reported. I'll admit to having been tempted once or twice, but I'm proud to say I never abused my privilege.
Whether I'm working in IT or another area, I try to ignore what is on people's screens. I consider this a simple matter of manners, not an IT issue. You don't read over other people's sholders, do you? Do you feel the need to act on every piece of overheard gossip or twitter/facebook post? Dealing with other people's computers should be treated much the same way you treat overheard snippets of conversation on the street. Ignore it and move on.
it gets better..wait 'til some higher up comes and asks for a dump of so-and-so's inbox
for the most part people who stfu and do their job go unnoticed and usually see no promotions.
You can never ignore office politics. You don't have to play the game actively, but you do need to be aware of what's going on around you, who is in what camp, what the major conflicts are. You have to cross battle lines regularly to do your job; you can't afford to be seen as a member of the 'enemy camp' by *anyone*.
As an IT guy you need people to trust you, which means you need to be ethical. If you see something you shouldn't know, don't go chattering about it.That kind of thing does get around, and you'll lose trust instantly.
Nothing's stopping you from making personal career decisions based on the information that you come across in your daily work. For instance, if you see that the company is about to be liquidated and you don't want to be around for the mess, by all means polish your resume and start interviewing. Just don't assume that just because you saw something you have the whole picture. You could end up feeling stupid when the private email you saw turns out to be a deliberate test of your trustworthiness. It does happen.
Keep your mouth shut about the things you see. Look after your career and reputation. Be aware of politics, but abstain from participating wherever possible. After a few years when you have trust and credibility, you can consider climbing the ladder a bit and playing the game - you'll have capital to spend.
Regrettably, it seems you have no one to show you what a "professional" is or how to do "excellent" work. I pity you.
Your job is to do IT work. The person, the persons attitude, the person's opinions and beliefs do not preclude their need for good-to-excellent IT work. Do the work and you will please most people. Do, as a previous poster stated, please your boss and the one who signs your check.
If you do a good-to-excellence job, you may have earned the right to answer questions about your person, your opinions and beliefs IF YOU WANT. Even Democrats and Republicans can wholeheartedly agree about things like the local sports teams or colleges. You don't have to talk about everything that enters your head to every other person.
You don't need to be impartial or neutral to do your job.
A sysadmin has a code of ethics. Check SAGA for the official organization's code. The information you receive through actual IT work is not yours. For example, it may be necessary to see stuff that is confidential but it is not your right to disclose it. Keep your mouth shut. It also means that when the manager wants to look at all his employees files, you refuse unless it is a bona fide emergency (and provable). You have to protect the privacy of all the people on your network.
God help you because nobody else is.
Just about everyone where I work has a foible that makes them unique ... but they know they can trust me to keep it to myself. There's apparently a coffee-machine crowd that talks, and tells each other who can be trusted, without needing to reveal details ... go figure.
If you want to 'advance' in your career, use all the info and dive into office politics, it's the only way.
If you want to be a professional, your work is to enable their work, and the content of mail is none of your business.
You always need to look at the risk vs reward aspect when determing whether or not you should pay attention or stick your head in the dirt. If the potential consequences are high, but reward is little, then stick your head in the dirt. If the consequences are low, but the reward is high, then I would pay attention.
The hard part for you, is determining what really matters to you and what risks are unnaceptable. And this is also highly dependant on what normative ethical system you subscribe to.
As an IT professional, you will have access to data that regular employees don't. You keep your mouth shut and you don't snoop. Period. You only look at as much as you have to diagnose and fix problems; the details are irrelevant.
It's called "being professional."
Think of it as the equivalent of lawyer-client or doctor-patient relationships.
I do not fail; I succeed at finding out what does not work.
I see nothing ... I hear nothing ...
Never get involved with reading others' emails, documents, etc., that you are not required to be privy to.
Never ever let the temptation allow you to see others' performance reviews, salaries, politics. I've seen how it leads to telling someone else and then they become the go to person for information. And if the information is bad and they didn't share it, even though they had no idea, well, they didnt' say that there was a problem, the @$$#013! Hell, I've seen someone with access to the HR database pull up salaries of EVERYONE and share it out. "Oh, can you tell me how much Jason Mcboogerhead is making? What?!? I'm making $1k less?! WTF, time to march off to the manager!!!" [A manager who was stunned at the level of knowledge! AFAIK, no info was given out about how the salary info was found. I found out later when it was offered to me.]
Ignore any overheard conversations, it'll only be a couple of people talking, who knows the truth and what really is going on? You must throw out any info you "accidentally" pick up too. The obvious is the missing context of the info. As a manager, I've had other directors and managers openly talk about staffing, budget, bonuses, performance or lack thereof, in front of me. In all cases I threw away what I heard, after all, all I'm hearing is a snippet of a longer discussion. It's not my business to try to save John's job if he's pissed someone off, so I'm better off not worrying about it.
Sometimes I received a list of users to be locked out of their accounts. The only reasons to receive such a list is that they are being laid-off/let-go or in a heap of trouble. I never shared such a list with anyone. It was given to me, as a manager, in confidence. Keep that confidence. Even after the firing, I still didn't tell anyone, there's no point or net positive to be gained.
In another instance I was at a company that changed their HR such that you logged into a page, and it told you your salary, OT rates, etc. You could print your confirmation of employment for loans and such there too. But there was a bug. This bug allowed me to view everyone's salary, their bank account info and some other stuff in a nice neat chart. I immediately picked up the phone and called head office IT Security and talked them through the bug. They fixed it, phoned me back to test with me on the phone, thanked me and sent off a thank you cc'd to my manager, director, etc., praising my immediate response and "help" in fixing it.
What I didn't do was say, "Hey everybody, look at this!" and print it off, etc. Nor did I read further than a few lines and then remove it from my screen. To this day, I run into some of the higher-ups from then from time to time, they still remember me, who I was, only because of that email and that to them I was trustworthy.
It's not up to you to solve office politics, who said what to whom, or anything else. You are there to do IT. So do it and maintain your dignity and professionalism and just don't even think of looking.
You, and hopefully everyone else, will hopefully see that you are in a position of trust. You are trusted by many to keep secrets. If you can do that, it only helps your reputation. If someone can actually say you are trustworthy in your IT job then you've accomplished a lot and it only helps down the road when you want to switch jobs.
Vip
In either case: how do you deal with the possibility of accidentally learning something you're not supposed to know? E.g. troubleshooting a user's email program when they've left sensitive/eyes-only emails open on their workstation.
Pretty simple really. To do your job professionally and ethically, you avoid discovering sensitive information to the greatest extent. If the situation truly needs exposing you to private information or, you do it accidentally, you keep your mouth shut about it.
Unless, of course, you are someone eating fish tacos inside an NSA control room and delightfully reading all the data that passes through.
I have a friend who was in a government IT position and was sometimes required to investigate people for misconduct and ultimately get them fired or jailed. It was basically his job to snoop and it weighed on him very hard. He ended up going working at a little, low stress computer repair shop for about 100k less and was happier for it.
Me, on the other hand :) I always remind people that I don't want to know what they are doing on their computer, and if I do come across something I can't unsee it will stay with me. The implication here is that I'm cool and just want to help them, but in the very back of their minds they know that I AM NOT TO BE FUCKED WITH, because I have a firm grip on all their secrets/balls. This unspoken understanding has kept me employed and duely respected for 17 years in IT now. I've been told many times that I would be pretty dangerous if I decided to use my skills for evil, and I'm always like: "Yah, never forget that. Please don't hesitate to call me if their is anything I can do for you and I hope you have a splendiforous day!"
Just for fun, answer this question and quickly move on to reading the rest of my post. Explanation at the end.
"HOW MANY animals of EACH KIND did Moses take on the Ark?"
The mind is a dangerous thing when presented with incomplete information -- it just extrapolates it, sometimes even substituting the incomplete original version with the extrapolated raw version. You might *think* you saw something noteworthy, but it was only your mind showing you a rabbit on the moon.
This is one of the chief values of privacy - to be able to keep information that was meant for your perspective, and is not ready to show to the outside world, to yourself.
So I would say ask yourself this question: Is there any ambiguity in your mind about your anticipation of the needless loss of life or property based on what you have seen. If there is, then the benefit of doubt goes to the person you spied on. Consider what you saw as an aberration... mangled data that cannot be trusted.
As for that question - Did you answer two? It was Noah, not Moses who gathered animals on an Ark.
If you were not officially told then ignore it.
Don't backstab anyone. Don't read anything without permission. Don't get involved in anyone's infighting. Do your best to help all your customers, even if they are trying to undermine you. Play politics only as much as you have to, people will try to play you. You have to be aware of it and respond tactfully.
Your duty to report serious criminality overrides these rules. Your duty to report gross immorality may override these rules, you have to decide that one based on what you believe in.
Cover your ass.
Explain to a user before working on their system that they should close all content (not just E-mail) and that they should save as appropriate to ensure data loss protection. This way, you can also reboot their system as necessary, and if ever something comes back regarding eyes only material, you can say you asked the user to close all content before working on the machine and that this is your personal policy to prevent such situations.
Other animals that IT personnel may impersonate include canaries and guinea pigs.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Once you have established the rule, "IT rules", most people will cower before you and try to get their work done without offending you or getting on the wrong side of you. That means you can celebrate "Mission Accomplished". Your company will have a few that know how networks work and know a smattering of knowledge about Unix or Linux. They might have even served as root of some lab or the other in the grad school. Find them, stop them completely on their tracks. Thwart every one of their moves. Either they leave you alone, or the leave the company. I T should have unquestioned authority over the corporate infrastructure, and ideally there should be no one in the company capable of questioning you.
So the rules for IT is "IT Rules".
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
> Do you find yourself deliberately ignoring office politics
It's a slow form of career suicide. The corollary of being neutral is that there are few, if any, people in the higher echelons on your side when it comes to promotions, good assignments, and layoffs.
From the 1940s through the 1960s do you know who the most powerful and feared man in Washington was? It sure as hell wasn't the President, or any congresscritter. It was J. Edgar Hoover. This was a man in a position to dig up dirt on anyone and everyone. Every politician from Presidents to lowly clerks feared crossing him for what what he knew could end careers. Many People believe that he may or may not have ordered the assassinations of many high profile figures in the 60s.
The point is use that information for your own benefit. Don't share it, and don't use it unless absolutely necessary. Wait for the right moments to strike. You are in a prime position to find the key players, make friends on all sides and play them against each other. If you play your cards right, in a short period of time, you should have a prime high-paying, do-nothing executive position and nobody would dare fire you.
Also, read some Nicollo Machiavelli some time. Great stuff!
First, I wouldn't say a "50ish" people company is "mid-sized" :) But that isn't really your question.
I can only speak for myself- I can and do see things that are confidential. It is pretty much impossible for me not to. I deal with it by focusing only on my work. Most of the time I don't even really "see" what it is I am looking at... intentionally glancing away or closing things that are not part of the scope of my assistance. Unfortunately that doesn't always work and am exposed to things that get "registered" in my mind. Sometimes I see things that are disappointing or disturbing... but it is my job to retain confidentiality; that is part of being a professional.
The hard parts come when/if I see something that is:
1) Against our IT policies (mostly security practices)
2) Against company policy
3) Against the law
4) Immoral
Thankfully, after doing this for 27+ years, I have yet to consciously run into anything illegal or immoral. I have run into things against policy and there have been times I had to report it or deal with it... just depends on how severe it was.
Think of it this way- it could be MUCH worse... you could be a defense lawyer.
Well most of us are introverts, maybe thats why we end up with these roles. So yes.
- http://www.milkme.co.uk
Don't read it even if you inadvertently see it. Don't repeat things you may have overheard or seen. Testicles, Spectacles, Wallet and Watch all apply.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
Slashdot Beta really sucks. Please...stop trying to f up Slashdot. Everyone, everyone hates it. People who have never seen a computer hate it. For the sake of the world, end this pointless and reckless project.
So tell us, what's it like working there at the NSA?
Table-ized A.I.
There is a lot of good advice here, so let me add a cautionary tale. I used to work for a local government as their “computer guy”. I got a call from a user who was unable to watch some video he had on a thumb drive. As part of diagnosing the problem, I logged in to his computer using my own account, copied the contents of the thumb drive to the hard disk, and played it from there. It turned out that playing the video worked from the hard drive and the rear USB connector, but not from the front. I told him this and closed the call, but didn't delete the video from his hard drive. I noted the call in my log, but didn't mention that the video was pornographic.
Much later, about a year after I my employment had been terminated, I got a call from the town's police. One of the detectives wanted to talk to me, and asked me to drop by the police station. It seems that someone had discovered that this user had been watching porn on his computer, and when they examined his computer they found that same porn on his hard drive, under my name. They gave me the third degree, wanting me to admit that I had been the source of the porm. I suspect they wanted me to be the scapegoat, since I was no longer an employee.
I acted calm, pleasant, truthful and stupid. They told me that I could be in big trouble if I didn't cooperate, and I responded by saying if I lied in order to tell them what they wanted to hear, in the long run I would get confused about what lies I had told, and get caught in a contradiction. Of course, it helped that they all knew me, so I had credibility when it came to being stupid. It also helped that these were small-town cops; I probably wouldn't last five minutes in an NYPD interrogation room.
This happened more than five years ago, and I haven't heard anything about it since.
Welcome to the club, it's such a strange position and one that gives us much more de facto power than one would think at first glance. As the systems grew over time from fancy calculators to automating all business processes this issue creeped in and many organizations haven't addressed it directly. Yes you should attempt to be as impartial as possible. However you should consider a serious discussion with your direct supervisor about the reality of having access to all company data. I would go into that meeting with some options you find palatable like: I won't involve myself or notify you unless it's a violation of the organization's fair use policy (which I hope you have). That policy should eliminate any possible crime or directly harmful behavior from a grey area. It is a delicate area but everyone in the organization should be made aware that the systems don't belong to them (likely in the non-profit sector they belong the public with the board as decision makers) and may be actively monitored at any time. This has nothing to do with you directly it's a reality of all modern networks and email. The policy should be clear enough to communicate to all employees so they are aware of your duty. All of this is especially difficult in dysfunctional political environments but I've never had a problem letting them establish the rules and applying them fairly. These matters should be communicated with all the top management and board President if applicable. What they choose to do with their careers isn't our affair unless they misuse the systems or break rules we are responsible for monitoring. I've been primary IT for several non-profits and served many small and medium sized organizations in a similar capacity since 1994.
The problem with reading an e-mail that's incriminating is that it may be out of context. If you do not have the knowledge required to fully understand the implications of the data, then there really is nothing you can do.
For example, at one job I have access to medical files, but I am not the doctor treating the patient and I am not in a position to judge anything about a patient no matter what information I might see. A man could be prescribed Viagra because of a heart condition, or a woman the pill because of the uterine condition.
If something does unambiguously require some initiative from you, you'll know. And when that happens pay for a consultation with your own lawyer before doing anything.
This would be a good time to subtly remind your users, or at least the higher up ones that they should never put something in an email they would be afraid to see in court, or directly read to the recipient, face to face. In the same conversation, you would mention that due to your job, you have access to everyone's email account (as you must) because SOMEONE has to administer it.
You cannot evade office politics, ever. Just don't do stupid things like buy a new hire a 27" Dell Ultrasharp while your bosses son in accounting is using a 19" Chinese knockoff. Common sense.
Don't take sides, remain neutral when Sally tells you what an asshole Bill is. DO NOT run over to Bill and tell him. That is what Sally wants.Eventually the peons will stop and perhaps your boss will realize he can share something with you, without the entire company knowing 5 minutes later. Common sense.
Dont play favorites. If the biggest dick head in the company needs a new workstation, get it for him. If you dont, you are only hurting your company, not the dick head.
I could continue, but you probably get the drift by now.
YES!
You have privileged access, but that is NOT a privilege to read/discuss/gossip about things you see and hear.
We have an awfully lot of boy-scouts in this discussion, and while I only believe about 10% of them, they do actually give the right answer if for the wrong reasons.
The real problem with knowing things you shouldn't comes from your (in)ability to act on them, and the risk of accidentally letting something slip at the worst possible time.
Consider the best possible case - You find out about a major organizational change, and have some ability to position yourself to exploit it. That happens once a decade, at best, and a lot can go wrong (while you position yourself to take over as the regional director of IT after a merger, you later learn that the buying company plans to 100% centralize their IT infrastructure and you don't even have a job - Or the exact opposite, you start looking for a new job and later learn that those employees who stuck it out through the merger got some insane multi-year severance package).
Now consider the worst case - You company's stage four drug looks awesome, highly effective with low side effects, and the FDA will rule on approving it next week. You buy a shitload of stock. Option 1) The FDA approves it, you make a fortune, and the SEC immediately starts breathing down your neck. Option 2) the FDA rejects it for unknown reasons, and you take a bath.
Basically, your FP has the right idea - Play ostrich. Every time you visit Joe's computer, he has facebook/youtube/a game up and you have to clean out hundreds of porn-related spyware sites? You see nothing. Who cares about Joe - Best for your sanity.
In my field, education, it's quite common for the IT guy to be the one with absolute access to more things than anyone else. Nobody else, not even the data-protection officer, or the people on the senior management team, or the people ultimately in charge of the school (the heads and governors) has as much access to information as the IT guy.
Senior-management team files, HR databases, etc. are part and parcel of the job. The web filter logs are generally very revealing and, hence, why I anonymise them by default (Usually squid logs - which only contain source IP addresses, which can only be correlated to a machine using the DHCP logs, which can only be correlated to a user using the Windows event logs on the AD servers - NOT something you can do accidentally, but also allows you to analyse, spot trends and find dodgy things without immediately revealing the source. When I come upon something that worries me, I go to my boss, ask permission to de-anonymise those records, provide them with my results. I've had to do it a couple of times and it turned out to be nothing, but I've also worked with colleagues who've spotted a paedophile on the staff that way and got them prosecuted).
Despite all that data access, tou don't look. It's that simple. If I'm asked to work on a confidential file or database, that's what you do. It's just data. What you see is just numbers and letters and then forgotten. You do not dig. Not only are there alerts and warnings for digging into certain things (and I don't want to KNOW what triggers those alerts or warnings necessarily, but I know that they are in place on the MIS databases, for example - I only trigger them when it's been part of my job to go into that part of the databases), but it's a matter of professionalism.
If I become "exposed" to salary details, or witness protection details (children in schools rarely have as simple a home life as they might at first appear to have), or that some child's father is a Colonel in the Army who's asked for his address details to be maintained private, or whatever... that's what you do. You're not there to suck up data, you just treat it like anything else and move on.
If I suspect illegal activity - there's a lot of activity you CANNOT ignore in a school - I'd go through the proper channels and report it however I'm supposed to. It came up as part of my job, it's not like I was snooping for it.
I *STILL*, fifteen years into my career, look away when I ask people to set their passwords. I don't WANT to know. I want the deniability if someone gets into their account to say "There is no way I could know their password, without triggering a reset of their account, which would lock them out and inform them immediately anyway". My boss keeps trying to tell me his password "to save time". I don't want it. With it, I could - in theory - change my own salary, or modify any amount of details. Chances are it would get picked up eventually but if you were clever enough, you could get away with an awful lot very quickly, or very discretely.
Hence, I don't WANT to know those things. I choose to forget them, unless there is a reason to immediately report them. I suggest you get into the habit of doing the same.
Long, long ago, early in my career, I spent about fifteen years in the non-profit sector.
You don't ignore office politics, but you don't take sides either unless there is a crisis brewing -- something illegal, highly unethical, or financially dangerous. When you work in IT, you're in a "support" position, rather than a "line" position. Your job is to support. So when there's a big pissing match between two line functions, your job is to support *both* sides.
Often this means documenting business processes that sort of evolved via the lava flow antipattern; 50ish is the size where things start to get out of hand, because it's the size where the amateurishly hacked-together processes that keep the organization running start to break down because everyone can't be aware of everything that's going on in detail, in real-time. Make it your business to understand what business systems (not necessarily computer systems) *accomplish*. That puts you in a position to offer a third way, the one that emerges as obvious to everyone once somebody has figured out what's actually going on.
It's supposedly hard to implement changes in non-profits because of the consensus-driven decision making processes, but I found that I could make that process work for me. Lack of understanding is a vacuum; presented with a clear picture people usually line up behind the obvious solution quickly. But you do have to do your homework. Never surprise anyone with anything in a meeting. Bring people up to speed with things you're going to say about their work *before* the meeting so they don't feel blind-sided.
In a crisis be prepared to do the right thing. If you're in a non-profit they're paying you below market rates, so you can do better elsewhere. There is no call for getting yourself sucked into something that offends your self-respect. I resigned one job because my superior (the COO) was doing things that were financially reckless and improper (spending without proper authorization). I informed the CEO in my exit interview. That was my solution to the problem of not getting drawn into a persistent pattern of dysfunction.
When you handle sensitive information, just ask yourself what is the professional thing to do? Be discreet. Resist the temptation to peek at data, and when you *do* accidentally learn something you're not supposed to know, disclose that to the responsible parties. Be trustworthy, and present a trustworthy face.
Finally, don't let them pay you far below the market rate for your services, and expect a really good benefits package, including 1.5x to 2x the vacation you'd get in a for-profit. Insist on the respect due a professional. Non-profits are full of young people who haven't learned that the IT guy isn't there to be kicked around when they're frustrated, and the fact that you're in a support position rather than a more glamorous line position doesn't make your work any less important.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
As an IT worker, your job is to see that the company assets you are assigned are functional and delivering proper service to end users.
It is NOT your job to audit the company's books.
It is NOT your job to Big Brother company e-mail (unless it is).
It is NOT your job to run the company.
It is NOT your job to set business policy for the company.
This is what they have financial wonks, sales wonks and managerial types for.
You never know when something you see "accidentally" is:
A) Blown out of proportion
B) A test
C) Misleading
D) Legit
So going all "I've locked myself into the server room and am calling the police!" could be both wildly inappropriate AND career-ending.
Sure, you don't want to aid, nor abet immoral/criminal activity.
But it isn't your job to arbitrarily decide what that is!
Now, if the feds come knocking on your door, asking for data, go ahead! At that point, you're pretty much safe.
Until then, you're simply a disruptive influence to the company that needs to be let go.
Chas - The one, the only.
THANK GOD!!!
If a secretary with no professional qualifications can take minutes in a senior management meeting and maintain confidentiality about what was said there's no reason you, as a theoretically highly-educated IT worker, can't do the same about the content of emails you happen to read in the course of doing your job.
I started out all full of piss and vinegar and eventually learned to relax.
You will only make enemies if you play politics. Only play in politics that involve you directly. Let everything else go. It's not your job to know it though you have the ability to. You won't be faulted for not disclosing something that your privileges allowed you to know, but declined to know.
Be everyone's friend. I made friends and gained people's trust by being fair. They told me even more. I could go around uninstalling their games and stuff... But I didn't because it's just piss them off. So I just told them I saw the game and if something starts behaving weirdly, I'm going to blame the game first, and that they should uninstall it before I came back. That seemed to be enough to cover my ass in the event someone else found it and reported it to the head of IT. It kept me from making enemies. Exercising restraint is the key to success. If no one likes you, they won't put in the good word.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
The best bet , besides discretion and trust, is to tell users to close open programs and demonstrate issues with non sensitive materials when they do not do so. Explain the issue in a non confrontational fashion and if the user continues to expose you to sensitive materials discuss the matter only with your direct supervisor (or HR or Legal depending on corporate structure, content and sensitivity) . Alternatively ask your direct supervisor how to react. you could also ask for a company wide email or reminder to close sensitive materials before it or contractors arrive.
nb: about illegal content (pr0n, harassment, etc) that could get you fired if you see it , or are accused of knowing about it, protect your assets and report the matter to direct supervisor following corporate policy.
Don't forget that in Europe privacy does extend to your work email account.
If for example I use work email to communicate with my wive, the company is not allowed to read the contents of those emails.
Even work related emails have been seen as a private communication and should not be read. The reason for this is that work related communication is more effective when both parties know it is private. If employees know they are being monitored, their communication will be more careful and use words that won't make then look bad toward the monitor.
Even if phone calls and other communication is being recorded; in case the recording is need to solve a dispute with a third party; then it will note in the policy of the company exactly when and how these recordings can be accessed. Often these recordings can only be accessed by the employee who was being recorded.
I spent about twelve years as an IT director. I had access to every email account and every document created including financials. I discovered that most of my co-workers where doing their absolute best to stab each other in the back. The lies were rampant. Management was also lying to the employees (leading from the top down?) about company finances. It made me very unhappy to know about all the horrible things they were doing to each other. I think I would have been much happier not knowing all of those things. So my recommendation is to ignore all of that information you could "see" and just do what's necessary for your job.
I was the IT manager of a hospital. The HIPAA rules apply. You can't repeat what you hear and you can't read what you weren't supposed to see. Seriously, learn to not even focus your eyes on private information. However, there is nothing wrong with using what you hear to help you make decisions about what you should do, such as leaving a business that is in financial trouble or setting aside some server space for that expansion someone is planning but didn't think to consult with IT about.
If no, move to another job.
...it stops with you. I saw many embarrassing/absurd/job threatening/demeaning things while servicing employee computers. One of them belonged to the company president. None ever appeared to be criminally illegal and did not go beyond me. Part of the job.
"Computers are useless. They can only give you answers."
-- Pablo Picasso
I manage a computer repair shop. I teach my guys that discretion is paramount. First of all I'd they snoop on customer files they get fired. Second if the do see something they aren't to discuss it. Finally if they stumble on something criminal (like kiddy porn) they report it to me and I deal with it. In the case of the aforementioned I'll call the cops. But I make the decision and the responsibility.
there are 10 types of people in this world, those who read binary and those who don't. which are you!
As an IT professional you must be trustworthy. In smaller unregulated industries you may not be subject to restricted audited access to production data or even email. The employer should probably have you sign an NDA, non-disclosure agreement. In larger financial and healthcare institutions your access will be highly restricted and when you do access production data you will be audited and logged.
I maintain a servant attitude when dealing with my customers and yes, I do see things I shouldn't but I simply ignore it and keep my mouth shut. Most of the time I simply dont care. It is nome of my business. I can know about termimations, downsizing, corporate changes that would affect the stock price, etc. I could be arrested and sued if I were to leak any information.
You are in an excellent position to learn, you are forced to as you are alone. Stay away from politics, learn a lot, prioritize your work, study a lot on your free time. In 1.5 or 2 years, leave this job for a better place.
Your eyes as an I.T. professional are to focus on the issues not what people are doing. With great power comes great responsibility. As the keeper of the kingdom you do just that, keep it safe.
Anything you learn during the course of your duties should never be discussed. What you learn around the coffee machine should be not talked about either lest people jump to the wrong conclusion.
You can pretty much ignore everything around you that doesn't violate company policies. Except child pornography. I did a PC refresh project at a local hospital when my coworker came across child pornography on a workstation. He reported it to our supervisor. Together they reported it security. They each had separate meetings with the security chief and the hospital attorney.
The worker -- a high-level administrator -- freaked out when he didn't get a new computer and his old computer sat on his desk without the hard drive. We stonewalled him on what happened to the hard drive, as security confiscated the hard drive as evidence. He spent a whole day running around like a chicken with his head cut off, unable to do any work and no one saying anything to him. Police were waiting for him the next morning. Because this was a hospital that had a reputation to protect, the news media didn't report on the case.
Well at least you've managed to get a sense of superiority out of replying to these comments even though you do not seem to have grasped the context of the discussion.
Calling an IT person a janitor as an insult shows a lack of respect for both and is as stupid as calling a marketing person a hooker or a finance person a thief.
I remember the first time an employer realized that I had access to everything . She froze for a few seconds while she processed the idea, shrugged, and went on with her request.
You're going to learn things you don't want to know and see things people don't expect you to see. My least favorite experience was someone who had an email stuck in their outbox. "Subject Re: Re: Re: Re: Re: My widdle wuvvy bear From: Not His Wife" And thank you so much, preview line, for confirming the content. So, with a straight face and chipper tone, "Next time a message gets stuck, you can just select it and hit delete." I didn't add, "And you, of all people, should know better than to use company email to conduct that sort of activity because we archive everything. I just did an archive search for you last month."
My most favorite was when I was helping someone with some simple thing and minimized her browser to discover that her desktop wallpaper was a picture of her frolicking in a bikini. Again, just go on like it's nothing out of the ordinary. Heck, if I looked like that, I'd want to look at me all day, too. Oh, and there was an intern who, when she finished her assignment, cleared everything off her desktop except a topless pic of herself.
If I'd seen evidence of blatant criminal activity or harassment, I would have reported it to the person's manager and my boss and let them deal with it. But politics and gossip and salaciousness were ignored. I was employed to keep the equipment running, not be the morality police.
We have the same job and I've been at it 18 years.
The first thing to bring up to management is a Technology Administration Policy.
In there provide the expectations of the Firm, and include any prohibitions regarding use of social media, games, personal email accounts, and other productivity-related issues.
State that all of the Firm's technology, and the products of that technology (documents, spreadsheets, emails, etc.) are owned by the Firm and WILL be inspected as management directs.
In the Policy inform all employees that they are to report violations, or suspected violations of the Technology Administration Policy to you.
There are other issues you can cover in there like password rules, prohibitions for using business email for personal use. Get management to work with you so everybody's on board.
Here's some other stuff:
Don't snoop. Ever. Tell management point blank that you are not snooping, and will not snoop unless management tells you to. When they tell you to take a look-see, especially if they are concerned about abuse of one person, snoop and report on several others. This covers you and management later, if questioned.
For some systems like financials, payroll, time card, etc. tell management you don't want entry passwords. You'll work with the individuals responsible for those systems and have those operators log in for you and THEN do your work.
If something odd happens in there, you want to be the first eliminated.
I see stuff I shouldn't a lot. If it's a violation on the part of a co-worker, I work it out with them. You want to have a good working relationship with all of your people. If they fight you, remind them that they are actually fighting the Firm. If things get nasty, take them to management.
When I see stuff I'm not supposed to on management computers, I just keep my mouth shut. NEVER gossip about that stuff. It WILL get back to the wrong people.
Your job and mine are atypical in that everyone is our boss. Make recommendations via email so you have a trail and let management do informed risk assessment. Remember that you are on the wrong side of the ledger. You are a cost center. Most times when you meet with management, it will be about spending money. That means everyone in the Firm will have to swim a little harder.
Make life easier for yourself by adopting the right attitude BEFORE you make contact with a coworker: They are absolutely right, and you agree with them. You are on their side, always. It's not you vs them. It's you and them vs the problem.
Last tip: You're gonna get yelled at. People have apologized to me afterwards. I tell them it's OK. I understand. I'm the guy to yell at because I'm the only one who will fix it, " ... and thanks for the apology. It means a lot to me that you want to clear things up."
If you and I are professional, we will get past each incident without anyone getting pissed.
Good luck.
It little behooves the best of us to comment on the rest of us.
To mangle a phrase, just because you take no interest in office politics doesn't mean that office politics won't take an interest in you.
Pay attention to little things. Watch the comings and goings of those who think they're players. Listen to everything that people try to tell you and never take sides out loud.
"Yeah, really?" is pretty much all I say when people try to drag me into their battles.
I hate the games of office politics but I'm a realist and I understand that I have to know the game to avoid it.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
I hate to break up the ostrich fest here however... At least in the United States... If you know something and don't report it.. You're complicit and will get in whatever trouble you're sticking your head into. The gold standard for the prosecution is, "should you have known". It's not.. Can I prove with evidence that he knew. Also.... Be aware.... They can and WILL subpoena you and there's not a single thing that you can do about it. You can't even plead the fifth to quash the subpoena because it's a subpoena for company records not your own records. As someone with experience in the above.. Do yourself a favor. Report bad things. Yes there is a cost... But it's way less then being charged with a crime because you should have known.
Think three times before talking about, or using, anything that you learn accidentally in the course of doing your job.
You'll undoubtedly take note of office politics (although you don't necessarily talk to others about the detail, or how you came about it); office politics may well affect how you go about your job anyway, and it often helps to know where the potential traps and difficulties are, so that you can attempt to step around them.
You never, under (almost) any circumstances, discuss anything confidential that you came upon by accident and weren't entitled to know, if you do so, you are likely to find yourself looking for a new job very quickly - and quite right, too. The only exception I can think of to that would be if you were to come across something that the law or your employer would expect you to bring to an appropriate person's attention, where not doing so could land you in serious trouble if it subsequently came out that you hadn't done so. If unsure, consider covering yourself by questioning it, confidentially but in writing. Escalate, with care and tact, if not happy with the reply. And understand that, in doing so, you're not so much doing so doing so out of duty, as covering your own position.
(Putting things in writing is a good policy anyway, for almost all aspects of almost any job - NEVER assume that people will choose to remember things the way that you do, or that "nice" people won't attempt to hang you out to dry at a later date, if it serves their purpose. When you agree something verbally with someone, if it's even remotely important, drop them a note confirming YOUR understanding of what was agreed.)
I remember those feelings, when I started my current job.
We sell email servers that do encryption- we have different kind of services, some where it is not possible for us (programmers/supporters) to ever see those mails(Expensive) and the cheaper ones, where if a mail as an example gets cutted off during transmission it ends up in folder for failed mails- where we have to look at it and decide what to do.
When a mail fails I have to look at it, to make a guess about why it failed- and I skim the mails- if it is something interesting- sorry but i read the mail.
It is not like if it is base64 encoded i go and decode it, but I need to see the data.
All of us do that- everyone in our company. It is not something we talk about loudly, but if we see something funny, we read it.
Some companies have "secure distribution mail boxes" where if x@companyA.com sends to y@companyb.com the mail will be encrypted for secure@companyb.com and after decryption it will be routed to y@companyb.com in their internal network.
Sometimes if a mails fails, we know the automated distribution will not work- and it will end up in the distribution folder, for everybody in receiving company to read.
One time a mail failed that involved sextalk with a married goverment official and another in the same goverment.
We knew the mail would end up in the "distribution mail folder" for companyY to manually forward.
So we deleted it.
There is no formal training or ethics for this I think- so that is how we do it.
But that is the way it is, because an unencrypted mail is just a postcard- people should except it to be read.
That is why we have laws about personal information should not be in emails.
So if people are stupid enough to put you in a situation where you cannot avoid getting a glimpse of information- it is not your fault.
And it is nothing special that you get that information, lots of people do- information is dealyed in all steps of the chain.
The director is the first to know someone is getting cutted, the the middle leaders, the those that will get cutted.
If everybody else can be trusted in not abusing that information- so can you!
The perv probably didn't have enough money to pay for damages to his victims and you? In some countries the government will actually make sure you get a reasonable compensation for the financial and social losses you had, even if the perpetrator didn't have any.
I was promised a flying car. Where is my flying car?
Obligatory Uncle Ben quote here.. As someone who has access to everything, you need to exercise a certain level of discretion. However, at the same time you need to have some common sense.
Yes Francis, the world has gone crazy.
The System Administrators Guild has a statement of ethics I have always tried to adhere to,you will learn things about people in your careet that you would rather not know. It helps to maintain a split mind when dealing with content.
Code of Ethics
Fair Treatment
I will treat everyone fairly. I will not discriminate against anyone on grounds such as age, disability, gender, sexual orientation, religion, race or national origin.
Privacy
I will access private information on computer systems only when it is necessary in the course of my duties. I will maintain the confidentiality of any information to which I may have access. I acknowledge statutory laws governing data privacy such as the Commonwealth Information Privacy Principles.
Communication
I will keep users informed about computing matters that may affect them -- such as conditions of acceptable use, sharing of common resources, maintenance of security, occurrence of system monitoring and any relevant legal obligations.
System Integrity
I will strive to ensure the integrity of the systems for which I have responsibility, using all appropriate means -- such as regularly maintaining software and hardware; analysing levels of system performance and activity; and, as far as possible, preventing unauthorised use or access.
Co-operation
I will co-operate with and support my fellow computing professionals. I acknowledge the community responsibility that is fundamental to the integrity of local, national, and international network resources.
Honesty
I will be honest about my competence and will seek help when necessary. When my professional advice is sought, I will be impartial. I will avoid conflicts of interest; if they do arise I will declare them.
Education
I will continue to update and enhance my technical knowledge and management skills by training, study, and the sharing of information and experiences with my fellow professionals.
Social Responsibility
I will continue to enlarge my understanding of the social and legal issues that arise in computing environments, and I will communicate that understanding to others when appropriate. I will strive to ensure that policies and laws about computer systems are consistent with my ethical principles.
Workplace Quality
I will strive to achieve and maintain a safe, healthy, productive workplace for all users.
Simple rule: I don't (physically) touch computers where someone's logged in. ssh is okay. If in the process of troubleshooting an issue I need to look into someone's data, they are asked for permission beforehands. If some sort of maintenance on an office computer requires some sort of physical/local access, and there's someone currently logged in on the box, I ask them to log out. Finally, if a user seeks assistance with something where physical presence is required (say, KDE misbehaving (does it ever well-behave?)), then it's the user's responsibility not to make me see sensitive information in the okay-just-show-me-what-you-did step.
CLI paste? paste.pr0.tips!
When my daughter did tech support at college she was told to ignore everything except child porn. That was reported.
I have designed, built, tested, audited, and supported security compliant environments for over 2 decades. A decade at a DOD site, and about the same time afterwards with PCI and HIPPA compliance. In many cases, you need to report seeing things you are not supposed to see. "Forget" is illegal in many cases, so claiming it's a viable answer is dangerous.
That said, from TFA it does not appear to be a legal issue here. Just warning that it's not good advice in general.
The biggest single thing to put into your debugging arsenal is test data. Need to debug mail, send test mail. Need to test encryption/decryption, make dummy files to encrypt and test. A user can't do something, provide them test data to work with that you know is clean. A user has a display problem, have them bring up the application with NO data loaded. These are extra steps, but worthwhile steps. If users complain about loading test data explain it to them.
The second biggest thing for you to have handy is a big dose of honesty. If you open something confidential, make sure that someone knows you saw it (you report to someone as an IT professional, even if it's the CEO directly). If you have to access a users desktop, ask them to watch and make sure you don't open a file that they may not want you to see. If you have to open something you know is sensitive, get permission first (preferably in writing).
There are surely exceptions (Edward Snowden), but that's a much longer discussion. Sysadmins by nature have access to more than any single person in the company. Good sysadmins don't flaunt or take advantage of that fact.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Read the:
USENIX System Administrators' Code of Ethics
LOPSA System Administrators' Code of Ethics
You're an IT PROFESSIONALl now. Act like it. Ignore the politics.
With "root"/"Administrator" account access to IT systems, you're basically God and have access to everything in IT. TRUST IS EVERYTHING between IT administrators and your users.
There was a time when bankers and accountants were highly respected because they had a fiduciary duty to their clients/customer. Following the recent economic crash of the Great Recession and Enron-type scandals, the reputations of companies like Goldman Sachs and Arthur Anderson were significantly tarnished and people's perception of them have noticeably changed. Sure, there's always been other scandals/incidents before but most people only remember the most recent big ones.
Physicians have their Hippocratic Oath, Professional Engineers have their Obligation of the Engineer, and lawyers have their professional code. Yes, every day, there's some new news story of a medical doctor, engineer, or lawyer violating all or some part of these oaths. The intention is that we all like to think/hope that as professionals, we can strive to maintain these goals and call out the ones who have gone astray.
All workplaces have some sort of internal office politics. This is what happens in any size or type of company or organization of humans due to company/organizational policies and just the nature of individuals (which tends towards being selfish or fiefdom-protecting). Being a "non-profit" is ultimately more of a tax status issue and does not automatically mean the entire non-profit organization or that all of its workers are 100% perfect, selfless, always altruistic individuals who all agree on everything.
More criminal minds might call such altruistic people "suckers" depending on the situation. Or what sometimes happens is that the altruistic individuals in charge made false assumptions about the costs or labor involved for operations and refuse to believe that we can't just all work for free or get stuff/materials for free just for the "good of the children blah blah blah". How many rich donors can you really get?
The goal is to find a job that has office politics which you can reasonably tolerate. Since you said you're new, there may be other background history in your organization that you're not aware of that you're just stumbling across now.
And yes, there's always 1 (or more) "crazy people" in any company/organization. Be cautious in dealing with them. Do your job (e.g. fix their computer if broken) but don't get looped into whatever personal agenda they're advancing.
Really doing something about any of the office politics sometimes might mean getting your manager involved (or becoming a manager). A good manager can serve as your "shield" (or "scapegoat" depending on your viewpoint) so you can defer/blame certain things to them ("I'd like to help you but my boss lady said I can't. Talk to her about it."). This is not a path to be chosen lightly.
All that being said...always keep your resume/CV up-to-date and your co-worker and business relationships cordial. Separate your work stuff from your personal stuff. Getting too entangled in this can turn into utter poison for yourself and your future career.
Sometimes, you've just go to bail. Really. If you can describe your workplace with the one word of "miserable" and you've made reasonable efforts to deal with it in a reasonable time period (maybe 3-6 months?), it's really time to go.
Even though it's kind of really targeted towards managers, Patrick Lencioni's book
I work for a small police department, about 50 people and one of the 3 civilian full time staff. In the 13 years I've been in this job, I've learned several things, first of which is my subject line: "What has been seen can not be unseen". I learned this the hard way after someone asked me to assist in ghosting the hard drive of someone who was, in the local parlance, a potential "Diddler", child pornographer. As asked, I ghosted the drive, then when staff found no illegal images, I dug through the drive searching for hidden directories.
... a... SHEET. Not missing a beat, I move the installer to the C: drive and set to. Finish install, enter registration keys, configure, done. As I'm getting up to go, I turned and said "I trust I'll receive no further complaints from this office, right?" He looked, nodded vigorously, and I walked out.
Yes. I found them, all right. Now, I have a daughter, 15 today but only 4 at the time, and some of the images I saw, frankly, haunt me to this day. Back then we had no direct resource for digital discovery / evidence collection, and after seeing those images.... I wrote our discovery and extraction policy and worked out a deal with another law enforcement agency to have their people take care of that. I'm well paid, but there is not enough money on this planet to get me to again see what I saw.
Over the course of day to day IT stuff, I have seen emails or documents which yeah, maybe I shouldn't see. Sure, I'm CJIS (Criminal Justice Information Services) certified, etc, but I don't need to see some things. But my boss, the Chief, and my coworkers know that all I'm interested in is making sure we're secure, that the officers and staff can perform their jobs, get email, track cases, track safe keeping, evidence, etc and it's going to work. That's it. I'm not the moral compass. Of course, if I saw someone was up to something illegal with my babies (computers) I would gather evidence and present it immediately! And I'm a very vocal advocate for privacy AND freedom of civilians to record police activity, something my coworkers now agree with me on. But if I, for example, read that one officer gets paid more than another officer for his hourly construction detail, that's none of my business. I mostly stay in my office, work on the things I need to work on, study, and do my job.
IMO that's what we do. We fix things, we keep the show running. That said, you may find yourself with perhaps some leverage. For example, I had one troublesome user who asked my help on installing a piece of software. I went to his desk, asked where the installer was, and he had no idea. So, first thing I did was check the "Downloads" directory. Sure enough, there was the installer, as well as a metric crapton of video files with titles like "Pegging" and "Tranny". He went white... as
These are traditional issues for the corporate sysadmin. Perhaps less now as corporations are segmenting services more.
Early on, I realized that as an admin I had access to everything, and I had to adopt some sort of moral code in order to function. So things I inadvertently learned I kept to myself, and tried to forget, and even under pressure, consistently refused to use my access to, for instance, allow a manger to spy on another manager (a real example).
It takes a long time to build trust, and only a single incident to blow it. After awhile, employees would come to me with serious private issues, like a potentially damaging email inadvertently sent to the wrong person, secure in the knowledge that if the need was legitimate I would fix it and not talk about it afterwards.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Knowledge is power. It's just more info that you can use as leverage later.
Some people are in sensitive positions due to the nature of their jobs. Janitors have keys for every office, including the CEO. Security personnel are in the position to spy on the entire plant. Sysadmins potentially have access to all communications, data, perhaps even HR records. What you do or don't do with this access is a test of your character. And should, in a perfect world, have bearing on whether your career continues. (Example: TSA personnel saving naked photos for later viewing.)
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
In IT we have access to info that is usually reserved for C level execs. Either accidental reading when troubleshooting or shared in meetings. I have always looked at IT work as a sort of priesthood. What people do on their computer is their business. I don't share it with others. All data is kept confidential. Sometimes knowing when someone is going to be terminated that is sometimes a little awkward. But you just do your job like you always do and try to avoid office politics.
Your the watcher now. Ignore what does risk human life. Speak up if it does. Snowden is a good example.
Simples.
If it's a data security issue or grossly offensive (kiddie porn, financial fraud, etc) hand it over to your boss, make it his problem. If he fails to act, forward your concerns to the appropriate VP/board member.
Anything else, stay well away from the firing line. Who's screwing who (both literally and metaphorically) is none of your business. You didn't read it (even if you did) and it's up to local management to do their own dumpster diving.
The only exception is the "f**ked company" scenario which should be communicate discreetly to all IT personnel so they can get their CV into the recruiters hands before the s**t hits the fan.
I was a Systems Administrator for a 3 letter government agency. Yes, I had access to everything under the Sun (ignore the pun --Sun Workstations--). I kept my nose to the tasks at hand. Data is data. The operating system, and everything related to it were my business. System uptimes, disk loads, data rates, software performance, network security, hardware/software interaction: these were my business. It included very specialized (bespoke) hardware attaching to COTS computers with bespoke software that sometimes needed a lot of tweaking. If it works, and performs well, we are good (Classified/Secret/Top Secret/Ultra stamped at the top of documents was rightly ignored too). I don't do that anymore though, and since my name isn't Snowden, that's where my description stops.
Before I work on someone's machine, I ask that person to close all windows that may have sensitive content s/he may not want me to see. This policy establishes a certain amount of trust with the user. Put the onus on the user to determine what s/he considers private and sensitive. Easy-peasy, and it only takes 30 seconds.
'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
After 20 years in the business I find that very few people will leave sensitive documents open on their screens when they know you are going to be there so it seldomly happens.
The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
Here are some tenets of being a good tech.
1) First, do no harm.
2) Don't judge. Your job isn't to care about the content of the data, except spam and illegal stuff; your job is to care that the data is available and accessible.
2) People are boring; computers are interesting. You're not going to find anything interesting, and a good tech should be more interested in the tech then contents of people's data. If you do find something by accident, keep your mouth shut about it unless it's illegal and harmful to the company/institution.
4) Play your cards close to the vest. There is no need to tip your hand or be anything but neutral.
In general, I don't care about people. I don't care about their lives, their kids, their dogs, or their mountain of cat pics. I have my own stuff to take care of, personally and professionally, and I'd much rather spend time dealing with that then other people's crap.
That position sounds really callous and cold, but
Your only obligation is to do your job. As an IT professional that includes security and such - so you can't ignore everything.
I did learn after my first couple of jobs though, it doesn't pay to get involved with the drama.
At the last job that I had the only "involvement" I had with the inter-office drama was in telling the CEO that she was breaking a licensing agreement. She argued(?) with me for over an hour at which point I said, "Listen, you can do what you want. I've done MY job by letting you know, and it's in writing."
Fortunately I was able to move on to a much better environment - one which largely keeps me away from other people.
Just do your job, if someone put in a ticket complaining their email won't open, you fix their email so it opens. It is impossible to avoid seeing sensitive information. On a daily basis I see SSID's, bank account numbers, loan letters, discussions about customers, etc... You just ignore it. If you come across something illegal or suspicious then you speak with HR as to what process they prefer you follow for reporting it. If they do not have a process for reporting it then you report it to the appropriate legal authorities. You are not a cop, it is not your responsibility to take any direct action to stop anything or talk down to someone. If you can't handle any situations you consider immoral then you resign.
Thanks to everyone for your responses. The mean response is, frankly, what I expected: be professional & trustworthy, because it's not our job to be otherwise. This is both heartening and worrying; some of the examples above from admins who did "the right thing" set my teeth on edge. I like to think that I'm an honest, open person. However, as Feynman famously said: "The easiest person to fool is yourself". Thanks to the folks who shared the USENIX/SAGE links above. I've now got a copy of the sysadmin code posted right above my KVM/WIP stack, so I'll see it regularly. Optics was easier: photons don't concern themselves overly much with morality and ethics.
I tend to take the see no evil, hear no evil, speak no evil approach. Unless I'm being subpoenaed for evidence I saw nothing.
The book was about the 'professional' executioner for the King of France, whom found himself responsible for actually having to behead the King and his family whom had employed him for so many years. I apologize for not remembering the name, but it discusses this exact topic throughout history.
Yes. My first post-college gig was with a small company, barely 100 people including off-site. I was one of three IT people in house. One who ha dseniority over me pretty much exclusively handled the PBX and DNIS routing for our phone systems. One was our manager, who was also pretty much everyones manager and he had bigger problems than IT. I was the programmer and the two of us basically juggled SQL tasks in the database, as well as web programming, system imaging, software installation, troubleshooting, talking with our off-site guys and coordinating everything with them - and to top that off, we assisted with general crap like printer issues, and we had meetings we had to attend. All while being overly micromanaged.
So we worked in the middle of a different department who did nothing but talk all day about things I'd classify as office politics. We had to ignore them - literally had t, because they were basically immune to everything unless they massively fucked up, so it was just a retarded idea to ever even acknowledge that you had any idea there was a world outside of technology and what they hired you to do.
Piece of advice: NEVER respond to all. Never acknowledge any office politics. If ylou do ever confront anyone or make a disparaging or even slightly sarcastic remark about any person or any thing, do it in private where no one can hear you and if it's talking with someone - make absolutely sure you trust that person entirely. Even in strictly IT firms, people are bitches. Seriously. Don't even play their games.
I have worked in IT/MIS for many years (15+) and what I have learned is that you look without looking. I can look at a screen full of text and read none of it. I don't notice things that ordinary people would look at. You train your mind not to remember things that people say. You are only responsible for what you know in most cases. But learn when you are and aren't. Know your environment and what you have to report and what you should avoid seeing.
Some good rules are:
1. when you look at someones email don't read any of it. You will regret it!
2. If a user needs you to work on their system ask them to close all their windows first. I cant tell you how many times I've seen pictures of people I didn't want to see because someone left their browser open.
3. When you are moving peoples data don't open files to verify them. Ask the owner to or do a check sum by verifying size or MD5 Hash tags.
4. Never query a database unless you want to know whats in it. I was once working on something and I didn't know what a table held. Well it was the financial info for the company more or less. I know how much my bosses made last year and they told me I couldn't have a raise because of loss of profits. Well that was bullshit...I did not need to see.
Always keep in mind "Know what you need to to do your job effectively; But ignorance is bliss! "
I'd say that home-user support is often worse than corporate support. Rarely have I had to delve deeply into the guts of somebody machine. Usually email is either just some headers floating by on a mailserver, or a list of message as I'm doing a transfer/restore on somebody's machine.
If a user's machine is somehow infected, you dump an image and restore a fairly well-known list of applications from scratch. Documents are on the network (also to be double-scanned by AV as necessary).
Home users though. Files can be anywhere. Documents can be anywhere. Going through an infected machine to clean out nastiness that came in deity-knows-when by deity-knows-how can involve sifting through a lot of crap. Copying to a fresh re-image still involves going through old accounts/files and trying to find what should be copied over. People have copious amounts of downloaded crap from the internet. Person documents. Personal finance info. Saved passwords. Very "personal" videos/pictures, etc
The first question I usually ask before digging in is "is there any location you DON'T want me looking on your computer while I do a backup/restore". I also generally get clients to log in themselves rather than providing me with a password (or just reset the password with an admin disk/account) since many people use the same login for a lot of stuff.
I found it just much easier to not care and it was much easier to ignore stuff in peoples email.