Registry Editor - Files Viewed


Ian_Mac

My other half has an issue at work at the moment where she has basically been accused of accessing some files on the work computer that she shouldn't have.

Obviously she's denying these claims having not accessed the files at any time.

What her work's IT dept have provided is a print out which is a screen shot showing 2 columns. The first on the left is an expanded system tree view of the folders on the network and the right hand column is titled Registry Editor and under this lists various file locations.

Some of these are recognised and used in her everyday job but 3/4 are unknown.

The company has a culture of staff using each other's PCs for various tasks both while the person is in attendance and while PCs are left unattended.

For the other person involved IT have provided screen shots from both Excel and Word that clearly show the last files opened.

What we can't understand is why the same information has not been provided for her computer if the Excel files were opened as they say.

Is there anything else she should be asking for from the IT dept as further proof?

Or any other advice appreciated.

Thanks
 
Sounds like amateur night from start to finish, from IT dept all the way down to staff training and SOP.
 
The company has a culture of staff using each other's PCs for various tasks both while the person is in attendance and while PCs are left unattended.


I agree with the previous poster.

The problem is using other people's PCs whilst they are logged on. Maybe a hard lesson to log-out before going to the toilet or for coffee.

But the main problem would be that the self styled IT Gods don't seem to have bothered to set privileges and permissions on a PC by PC, or username, or sub-network, basis. If your better half's login gave her permissions to those files, then that's the IT boys and girls' problem, isn't it? If she shouldn't be able to get at the files, then those permissions should not be available to "her" PC or login, irrespective of whose dainty digits were on the keyboard.

So it's IT's problem!

Hope you get sorted and don't take any cr*p from IT people who live on some other planet and firmly believe they cannot be wrong (unless of course, they can't fix your PC when it goes up the spout and then it's not their fault!)

Tell 'em to get stuffed.

:dk:
P.
 
The company has a culture of staff using each other's PCs for various tasks both while the person is in attendance and while PCs are left unattended.

It sounds like the company is going to have to tread very carefully here as any employment lawyer would have a field day with this. Any contract should clearly state the terms of use of IT facilities; these would usually be along the lines of:

  • login credentials are issued to an individual and should only be used by that individual
  • it is up to that individual to protect the use of their login by not allowing friends / colleagues to use it
  • the individual should lock their system when they are away from their desk.
If there is a general ethos of people sharing accounts or not worrying about security, then the company is going to be very hard pressed to prove who did whatever it is they are alleging, and would either have to discipline all suspects equally or let the case drop.

The IT department will also have to prove that the machines and evidence have not been tampered with in any way. As iscaboy points to, what they have done smacks of an amateur outfit; so it would also be worth your OH asking for a method statement of exactly how they attained this 'evidence'. Screen shots can be modified easily, as can the registry.

If the files that have been accessed are on a central server, there should at least be last-accessed detail for the file that would show username and time / date. Depending on the system setup, this should also be present on the desktop PC in question.

Also, if she should not have accessed these files, there should really be appropriate security measures in place at the IT level to prevent her from doing so, this is not difficult to do! If this ended up going further, the company would have to explain why these security measures are not in place, or how they believe your OH worked around them.
 
PS. Sorry - on re-reading your original post....

The IT dept should be able to provide a history of any file on the network together with its history of who [which login] has accessed/edited it.
No history - their problem.

Excel/Word and stuff also usually records a history of edits and by what username?

Don't know if that's much help.
P.
 
Snap with Agatward - he put it much better while I was typing my humble two-bob's worth. :rolleyes:
 
I agree with the previous poster.

The problem is using other people's PCs whilst they are logged on. Maybe a hard lesson to log-out before going to the toilet or for coffee.

But the main problem would be that the self styled IT Gods don't seem to have bothered to set privileges and permissions on a PC by PC, or username, or sub-network, basis. If your better half's login gave her permissions to those files, then that's the IT boys and girls' problem, isn't it? If she shouldn't be able to get at the files, then those permissions should not be available to "her" PC or login, irrespective of whose dainty digits were on the keyboard.

I fully agree with the logging out when leaving her desk, sure it's a lesson learned for the future.

There were no privileges set on these files, this was proved when her colleague managed to stumble across them and open without issue.

It sounds like the company is going to have to tread very carefully here as any employment lawyer would have a field day with this.

Also, if she should not have accessed these files, there should really be appropriate security measures in place at the IT level to prevent her from doing so, this is not difficult to do! If this ended up going further, the company would have to explain why these security measures are not in place, or how they believe your OH worked around them.

This matter is definitely going further, a disciplinary hearing is scheduled for next week. A copy of the so-called IT evidence only came through the post this morning, hence my post on here.

I've passed on the comments with regard to asking for the IT method statement and how they attained the `evidence`.

There is no time/date information at all on the screen shot provided.

Obviously I don't want to mention who the employer is but suffice to say it's not a small firm by any stretch of the imagination.
 
Hi Ian, again

Hope it all goes well, but it sounds as if Mrs Ian is working for a pretty slapdash outfit, so not sure what might happen!

Firstly, if sharing PCs (and therefore access to files) is commonplace - either as company policy, or just as everyone does it and everyone knows it goes on. Well, I'm flabbergasted in this day and age - that's just appalling and slapdash management of systems and information. Access to programs and files should be protected by permissions on a username basis. To be honest, if you asked most people working in a computer environment, I'm sure most people would answer their main bugbear is being denied permission to certain files they need for a specific task or project they have been handed, rather than the other way about.

Secondly, if the files alleged to have been accessed contain either confidential or sensitive info on the company or its customers, or worse yet, personal info on employees or customers, then that's a clear breach of the Data Commission regulations which are there to ensure such info is protected and only those people that need to have access. An "open" PC management policy, allowing access to anyone walking by, whether explicit or implicitly accepted within the company culture, is simply not acceptable.

If this behaviour is known and accepted, then I wouldn't have thought a disciplinary hearing could get far, for the reasons given above and in previous posts. But, of course, even a thrown out disciplinary hearing will still appear on your wife's records. That's pretty unpleasant.

I wonder if there is something else going on - office politics, personal rivalries, petty grudges against people - going on. I know it's very unpleasant to consider, but has Mrs Ian been set up?

Your wife may be in a union and be able to get some help there against unfounded, or unfair, accusations set against accepted company practice.
And if all else fails, you can involve a lawyer. I know that's an escalation and you may want to avoid that to avoid being marked as a member of the awkward squad in the company, but I'm sure a lawyer would shatter this case (with all due respect - in as far as I know it from you) in very short order. You can get a lawyer's advice fairly cheaply for an initial consultation. Most charge less than £100 for an initial hour's consultation to give you an opinion.

Hope all goes well,
P.
 
This matter is definitely going further, a disciplinary hearing is scheduled for next week. A copy of the so called IT evidence only came through the post this morning hence my post on here.

Don't forget that under ACAS guidelines / regulations, your OH has the right to be accompanied to any disciplinary meeting (with the exception of an initial fact-finding / exploratory meeting). The person accompanying can be a union representative or colleague, but cannot be a solicitor. It is strongly recommended to take a person along, even if just to take notes as an independent witness.
 
Ian - and Mrs Ian - a few more thoughts.

Ref Agat's point above (sorry if I have that name wrong - I can't see your post while writing this) - you may or may not be entitled to legal representation present during any initial hearing, depending on your company policies. But there is nothing to stop you seeing a legal eagle beforehand to lay the case before them and rehearse any arguments/rebuttals that you may wish to use in the hearing.

Other points that occur to me:

Firstly I am sure that the company's terms and conditions and written SOPs will have some statement on unauthorised access to company computers and files therein. But if this is routinely ignored and everyone knows about it, including the immediate line or section managers, then such SOPs aren't worth the paper they are written on. It's the company's problem if they are not managing their systems properly.

Secondly, of course, it would have helped if Mrs Ian had inadvertently come across something she should not have had access to on the computer in the past and reported it. Or something that she, or colleagues in same department or permission level, shouldn't have had access to. Warn the company that something needed tightening up, before someone other than Mrs Ian does something naughty. But I guess we're past that now.

But lastly, I wonder if you have an ambush defence here?
Knowing the operation of large companies (and middling size ones run by complacent or lazy managers!) my guess is that the "IT evidence" has been produced by some underling in IT.

You know it works - manager says to 19yr old whizz-kid, get me such and such records off the system - because said manager is too important [can't be *rsed] to do it him/herself.

So the whizz-kid produces what is asked for.
Now - I don't know what this evidence is - whether it is a record of system activity/accesses or whether said whizz-kid can also actually look at the files themselves.

The point is - just because someone works in IT and therefore can get into the system at many levels - that does not give them the right to access any files they like, particularly if they have personal info in them. So if you can demonstrate that the IT person who made up the evidence has, or even just could have, actually opened the files in question then that pretty much proves the argument that the system is lacking basic security and access management, doesn't it?

P.
 
I would love to know which company this is. Today, IT security is massive and any IT department not adopting best practices needs to be named and shamed!
 
You're kidding, right?

I did contracting for yonks, in TOTAL I think there were 4 places that ran a tight ship, 6 if you included two "official" sites.

Any system with humans in it is vulnerable to human nature, and IT department staff are at least as vulnerable humans as anyone else.

I can't tell you how many jobs I did at midnight recovering data deleted by disgruntled employees, CEO sat next to me, telling me to invoice it as "system maintenance", and other such stories...
 
No I'm not kidding. I'm an IT pro with 23 years in the game. 10 of those years as a contractor.
 
Hi Ian, again

Hope it all goes well, but it sounds as if Mrs Ian is working for a pretty slapdash outfit, so not sure what might happen!

Firstly, if sharing PCs (and therefore access to files) is commonplace - either as company policy, or just as everyone does it and everyone knows it goes on. Well, I'm flabbergasted in this day and age - that's just appalling and slapdash management of systems and information. Access to programs and files should be protected by permissions on a username basis. To be honest, if you asked most people working in a computer environment, I'm sure most people would answer their main bugbear is being denied permission to certain files they need for a specific task or project they have been handed, rather than the other way about.

Secondly, if the files alleged to have been accessed contain either confidential or sensitive info on the company or its customers, or worse yet, personal info on employees or customers, then that's a clear breach of the Data Commission regulations which are there to ensure such info is protected and only those people that need to have access. An "open" PC management policy, allowing access to anyone walking by, whether explicit or implicitly accepted within the company culture, is simply not acceptable.

If this behaviour is known and accepted, then I wouldn't have thought a disciplinary hearing could get far, for the reasons given above and in previous posts. But, of course, even a thrown out disciplinary hearing will still appear on your wife's records. That's pretty unpleasant.

I wonder if there is something else going on - office politics, personal rivalries, petty grudges against people - going on. I know it's very unpleasant to consider, but has Mrs Ian been set up?

Your wife may be in a union and be able to get some help there against unfounded, or unfair, accusations set against accepted company practice.
And if all else fails, you can involve a lawyer. I know that's an escalation and you may want to avoid that to avoid being marked as a member of the awkward squad in the company, but I'm sure a lawyer would shatter this case (with all due respect - in as far as I know it from you) in very short order. You can get a lawyer's advice fairly cheaply for an initial consultation. Most charge less than £100 for an initial hour's consultation to give you an opinion.

Hope all goes well,
P.

It was employees' personal data that was accessed by her colleague in the office, no password protection or any other form of protection was present. In the report received through the post there is a brilliant statement made which is `any blips in the IT system are irrelevant in this case` so it appears the company are trying to take no responsibility at all for the fact that all the information was available to any member of staff who happened to be logged in.

I notice you mention being `set up` and it has crossed our minds that someone else in the office could easily have used her computer to quickly view a file. The layout of the office is that it's effectively split in 2 so my other half does spend time between the front and back offices. In the past for example the screen saver has been altered on her PC to have some `custom text` added but unfortunately in this case I can't see anyone holding their hand up to anything.

Unfortunately she isn't in a union. Depending what happens this week we may need to start looking for some legal advice.

Don't forget that under ACAS guidelines / regulations, your OH has the right to be accompanied to any disciplinary meeting (with the exception of an initial fact-finding / exploratory meeting). The person accompanying can be a union representative or colleague, but cannot be a solicitor. It is strongly recommended to take a person along, even if just to take notes as an independent witness.

Luckily she was offered the option of being accompanied at the initial fact finding meeting which she accepted. For the hearing this week one of the departmental managers will be with her to act as a witness.

Fingers crossed!
 
For the hearing this week one of the departmental managers will be with her to act as a witness.

NO!

Departmental manager is as far away from an impartial witness as it is possible to get... then it is her word against her accusers AND her "witness"

Get some bloody legal advice before you make any more mistakes.
 
If I was wishing to pry into employee data or other sensitive data I would certainly make sure I didn't do it logged on as myself.

How many people knew her password? Could it be even that the IT people themselves have ever been given her password?
 
As per previous posts, some legal advice would certainly be a good thing to take at this point.

It would appear that the company has not taken reasonable measures to protect personnel information, which is something that the Information Commissioner would certainly be interested in hearing about - the company has a duty of care to protect personnel information due to the Data Protection Act at the very least, and unless they can demonstrate that your OH has contravened (or attempted to contravene) any security measures put in place, IMHO they are on very shaky ground.
 
Unfortunately she isn't in a union. Depending what happens this week we may need to start looking for some legal advice.

Luckily she was offered the option of being accompanied at the initial fact finding meeting which she accepted. For the hearing this week one of the departmental managers will be with her to act as a witness.

Fingers crossed!

In the absence of a Union Rep, please ask her to get someone independent who she trusts (not one of the line managers in the organisation!) to act as a witness.

Personally, I would seek some specialist advice now rather than waiting to see what happens at a disciplinary hearing this week. Judging by some of the information you've provided already it would appear that the employer has little grasp of IT security, and it's perfectly possible that they have as tenuous a grasp of employment law. It is very important that an accurate independent record of the meeting be kept by your wife as this could be crucial in challenging any future action that is detrimental to her. By asking salient questions and noting the company's response at the hearing it could be remarkably easy to destroy their case - but that relies upon knowing what to ask and keeping a good record of what is discussed.

From what information you have provided it would seem that the company has no real evidence that your wife has committed any breach of discipline, with the probable exception of leaving her PC logged in but unsecured. If you can demonstrate that to have been common and accepted practice then I suspect their case would collapse completely - but you really must take expert advice on that.
 
For what it's worth accessing is not the same as opening. Some virus-scanners are set to scan network shares which could count as access if you had the folder open on your machine. Not sure what difference that might make in this case though, but thought I'd mention it.


If it was me, I'd be asking why the witch-hunt? What steps had the company taken to secure confidential data? What are they claiming was done with the files? If opened, then where is the evidence (word/excel/recent docs history)? If copied, again where is the evidence (network security logs)? If none of this very specific evidence exists then the case is a joke. I'm not sure what the screenshot is from that they are presenting but something from a registry editor might not be worth the paper it's printed on if the evidence can't be interpreted correctly.

Best advice I can give is to go in prepared. Mention legal aspects (some good advice in the thread), refer to getting union involvement, solicitor etc. and play the harassment angle as much as possible (open PC culture, no real evidence, blaming staff for weakness in their IT processes and security, high level of stress for your OH). Turning the tables on the bullies often works a treat.
 