A reader writes:
My company has a written security policy requiring us to authenticate all requests we receive by phone or email before acting on the request or releasing any non-public information. This is a good policy, and necessary to protect both my company and our clients. All employees were required to sign an acknowledgement that we are aware of the policy.
Unfortunately, this policy is completely, totally, 100% ignored in my department. It’s not merely that we don’t follow it. It’s that absolutely no means exists by which we could follow it. There is no method whatsoever available to us to confirm that anyone who calls or writes really is who they claim to be — we take their word for it because we really have no alternative (unless doing absolutely no work could be considered an alternative).
Needless to say, this is a security vulnerability just waiting to blow up in our faces. I’ve mentioned it in email to both of my managers, and both of them failed to reply. Now, to my question (a 2-parter):
1. Is there some way I can approach this with management to get some action? I would like us to move toward a place where we can authenticate people and act in a way that protects both us and our clients. I see no progress (or even attempts at progress) on that front.
2. What steps do I need to take to protect myself? Sooner or later, an information leak is going to occur (assuming it has not happened already), and I don’t want to lose my job, or worse, be legally liable. With every call and email I respond to, I am in violation of a written company policy. Unfortunately, I have no alternative, as no authentication mechanism exists, and it’s impossible to perform any aspect of my job without responding to calls and emails.
You can read my answer to this question over at the Fast Track blog by Intuit Quickbase today.