Monday, November 19, 2007

Proxy snark

Last week, I received a password call. Normally a simple enough thing but in this case the user was part of the Audit Department. Being Audit, these users have a higher security level than we do and so we cannot access their profiles to verify their identities or change certain passwords. The procedure is for us to call Data Security and have them address the issue.

On this call, the person at Data Security said "You know you can do these, right?" and directed me towards something labeled as an Emergency Password Reset Procedure. This was for off-hours and weekends when the Data Security Department wasn't staffed and was a back door around security.

I countered that the first page of the documentation indicated that during business hours we were to direct calls to Data Security. She resisted, saying that the workaround was available anytime but did the password reset anyway.

Afterwards, I sent a message to the Site Manager:

"Even though she did the password reset, she indicated that we can use the "emergency" procedures any time. I suspect that Data Security simply doesn't want to be bothered with these calls. (That, and they always take at least half a dozen rings and one rollover for anyone at Data Security to answer the phone.)

If Data Security wants the Emergency Reset Procedures to be standard procedure, they should contact the Help Desk and authorize that change. If that is the case and they are authorizing us to bypass the access levels for audit all the time then it makes sense that we shouldn't be a lower access level than audit. Pointing that out to them will probably have them change their minds about making the Emergency Reset Procedures the new standard."

To my surprise, the Site Manager forwarded my comments in their entirety, snarkiness and all, to the head of the Data Security Department.

I wonder how well that's going to go over.
