
60 Replies

  • I provide my customers with similar information in case I do get hit by a bus.

    That said, I find it suspicious.  That's the type of information exchange you would do when doing a handover - either a replacement or to an MSP.

  • "Hi we're auditing you, please give us the keys for everything in this completely secure excel document."

    This seems sketchy to me, and wouldn't raise any concerns if they were actually on site. To CYA, I would CONFIRM IN WRITING with whoever contracted these people that they've given the green light to hand over essentially all the digital keys to the kingdom.

  • First off, I wonder if they are looking to sell and this was a requirement from the buyer?

  • I would fill out everything but account names and passwords, this company doesn't need them. This really looks like they are gathering information for your departure/replacement. There would be better ways to handle this with a password manager of some sort that can obfuscate critical info and doesn't sit on their network in an unprotected spreadsheet.

  • And this is exactly how my last employer started their transition to outsourced IT.

    First it was “just an audit” and became “this will help with the transition”. Same basic spreadsheet too. However no IT department should maintain a list of users' passwords.

    Just be sure your resume is up to date just in case.

  • I am not completely blind to the writing on the wall. I too have that same feeling, and the thought is oddly calming. I just have to CYOA and ensure they don't take my reputation out with it. How bad would that look to the next potential employer if I gave them everything they are asking for. And how stupid would I look going around to every employee who I have trained to not give out passwords, and ask for them.
  • William9795 wrote:

    And this is exactly how my last employer started their transition to outsourced IT.

    First it was “just an audit” and became “this will help with the transition”. Same basic spreadsheet too. However no IT department should maintain a list of users' passwords.

    Just be sure your resume is up to date just in case.

    Ah yes, the resume received some much needed attention several months ago when I finally determined I was in a dead end job with a concrete ceiling. I agree, this is not a typical IT audit request. At least none that I have been a part of in the last 20 years. SOX, HIPAA, even when working for Adelphia Communications just before they carted the owner off to jail - never have I seen something like this.
  • An IT professional will not leave a place in worse shape than he/she found it. I would ask the owners if they are insistent on doing this they need to sign off on it and you will be looking for other employment. 

    I hand the owners a thumb drive with a portable copy of KeePass that connects to the database on a secure network location that has ALL account passwords for everything. All documentation in place and ready for the next guy/gal to step into the position.

  • Give them the necessities and nothing else. Even if I KNEW I was being replaced I'd still act with the responsibility I was given/asked to do when I started. It's protected until the day I walk out the door. Your IT team has been cross-trained. After that, it's their problem. 

  • It's a really rotten idea to email any password, much less the "keys to the kingdom".  It is a best practice to have all that information available, compiled in one place.  We utilize ITGlue for secure document and password storage with 2FA.  That way if someone is hurt, quits, gets fired, etc, we still have access to all the logins and passwords.  You could just fill out the xlsx and give it directly to your boss, with a written statement explaining why it violates security to email it and your protest.  Still compliant with your boss's wishes, and CYA.  

  • Follow the principle of least privilege. If it's an audit, they definitely don't need passwords. Do give them a record of hardware and software currently used by the company. Good luck.

  • I just recently went through our IT audit and that amount of information was not requested. I can't believe they expect you to give passwords to everything and everyone in a plain text file. It really does sound like they're in the beginning stages of transitioning you out. I'd politely let them know that this is an unprofessional request, it violates at least a half dozen security policies, and an IT audit company does need that amount of information to perform an audit. But I wonder if your company will even listen to your concerns.

    In the meantime, perhaps start polishing off your resumé. Is compromising your ethics worth that job? Most likely not.

  • Sorry if I gave the wrong impression. I would never do harm regardless of the situation. That is not who I am. I will not, however, put my credibility on the line. Everything is secured in a keeper database. And I would never dream of not handing it over. I am just more in shock that a company that markets themselves as IT auditors would send along a request like this. What shocks me as much is that from some of the replies, it sounds somewhat commonplace. No wonder everyone's data is passed around like a communicable disease on the dark web.
    Only one other IT person here, and I would hope that I have given him the tools he needs to be effective if I wasn't here.
     
  • I wouldn't provide usernames, passwords, IP information, etc. If all of that stuff is documented elsewhere, there's no point in providing it to some third party, especially through un-secure channels. 

  • J_Rae wrote:

    I just recently went through our IT audit and that amount of information was not requested. I can't believe they expect you to give passwords to everything and everyone in a plain text file. It really does sound like they're in the beginning stages of transitioning you out. I'd politely let them know that this is an unprofessional request, it violates at least a half dozen security policies, and an IT audit company does need that amount of information to perform an audit. But I wonder if your company will even listen to your concerns.

    In the meantime, perhaps start polishing off your resumé. Is compromising your ethics worth that job? Most likely not.

    Thank you! That is what I wanted to know. If I was crazy or not for thinking that they were asking for this stuff in this manner is wrong on a multitude of levels. I can't imagine even onsite, that they should be given free rein. I have asked about more information several times, only to be told it is just to make sure all proper documentation is in place and any necessary support in line. When I question any further than that, I am told that I am just giving them push back and I give them whatever they want. The consulting company even went as far as to imply that I was delaying to hide something. It could not have possibly been due to being in the middle of a Dell/EMC backup solution implementation and fiber upgrade.
    I also wonder if they won't report in their "findings" that I am doing something wrong to effectively push me out. They conveniently also provide managed IT services. Feels very conflict of interest to me, especially when seeing the spreadsheet. I have nothing to hide, and I have no concerns that I do not take every step possible to keep the company, employees', and customers' data safe. This whole thing doesn't sit well. I almost feel compelled to tell the powers that be that I want an independent IT auditor firm of my choosing to run a parallel audit alongside this company. To protect my reputation.
    And no, compromising my ethics is not worth any job. I have stood my ground before while working here and asked to compromise my ethics and go against what was right just because it was easier to go the wrong way. I do it again.
  • Yeah, that's sort of how my last job ended.  Several years with the company.  They got new management and a month later brought in a kid (literally, fresh from college, never had a job ANYWHERE in his life) and told me he was going to 'shadow you and perform an audit'.  Of course he was the new CEO's grandson (they drove to work together every day).  Didn't take a genius to know where THAT was going.

    I managed to force them to pony up some severance pay when they 'suddenly realized' they did not need 2 IT people for that small office.  That was about all I could manage.

    I hope your situation works out better for you. 

  • If you can get in writing the approval/demand to complete it, make sure it's WELL encrypted before sending back... :D

  • Bottom line is you need to give your employer the information requested.  Make your concerns known then provide what they are asking of you.

    And yes, the MSP is going to say you're doing things wrong - that's how they drum up business.

  • I have never been through an audit where they asked for IDs and passwords to critical systems.  This, to me, is no audit.  It sounds more like them trying to get rid of you, but I tend to see that side of the fence more often than not.  Also, I have never worked anywhere that the users' passwords were kept.

  • 1- No, this is NOT normal.

     -Reply to that email CCing the owners/CEO stating that requesting this information via unsecure email and in unencrypted text goes against the grain of every IT person (seasoned or not) on the planet. Offer to give all information if the auditors can set up a secure vehicle to trade such information. DON'T give them hints as to how to do this, I believe these people need to be led slowly to what they want. Make THEM work for it. Make sure you are UBER pleasant but please stop short of being sickeningly sweet.

    2- Research the auditing company &/OR find an article on auditing best practices and voice your concerns to the owners/CEOs toward the end....drag this out as long as you can so you have plenty of time to get your "stuff" together.

    3- Freshen that resume.

    4- When the time is right, smile and wave goodbye.

    The End.

    Good luck!!!!

  • I have to agree with everyone else, it seems kind of like they are just making sure they can hand over operations to someone else to cut costs, and that is step one.

    On the chance that's not the case though, I would voice your concerns with whoever is directly above you.

  • Neither option is correct really. They are rational on wanting to have a 3rd party do an audit, but it should be done by someone who knows IT and not vacation rentals. With all the recent "quit and screwed the company" shock and horror stories out there the company likely wants to make sure that business continuity is assured.

    The plan is sound, their choice of delivery is not.

  • Okay I have never been through an audit but if they are conducting an audit shouldn't they be the ones collecting the information?

  • Similar thing happened to me at my first IT position. New management came in, new IT company came, and out I went. I put 'The Keys to the Digital Kingdom' on a flash drive, handed them to the CEO, and said 'Adios!'

    Now, 4 years later, I am glad that happened because that company was headed in the wrong direction. Last I knew, the company was filing bankruptcy and liquidating all assets! Is it bad that I kind of smiled typing that last sentence? ;)

  • Unreal...

    The most difficult part of it is trying to diplomatically explain to higher-ups in your shop that you are seeing red flags with the requests coming from the consultants.

    I went around and around with CxO’s in a former job. They kept pushing to “give the consultants whatever they asked for”. Finally, someone independent sort of clued them in that the nimrods they hired were less than stellar.

    I ended up departing there at a later time and the consultants continued mucking things up for another year before they were finally cut off from the gravy train.

  • On its face it sounds like a good idea.  The way I am interpreting this is either:

    A) they are in fact looking at showing you the door and want to make sure they have everything

    B) They just want to hire a buddy and give them some money

    C) They were talking to some buddy and they mentioned how messed they got when their IT guy died or left and this is what they put in place to protect them next time, and your owners thought that was a good idea.

    As for the excel sheet and the information they are requesting.  An excel sheet can be encrypted, it is a .xlsx which means it can't be easily broken.  Just make sure you use a really strong complex password that is totally random.  As for the users and passwords, that isn't too uncommon to have critical user names and passwords stored somewhere safe and encrypted accessible by yourself and 1 or 2 more people just in case.  I find it odd they want this as part of an audit but perhaps they are saying audit and meaning something different but it's a convenient word for it.  I would shoot an email to my boss/owner/ceo whatever stating my misgivings about sharing some of this data and in this manner, let them tell you they want you to do it anyways and just hang on to that email.  When it is all said and done you as an employee should be doing what your employer asks you to if it is not morally or ethically wrong, your job would be to lay out the risks and let them decide.

  • I have to comply with Federal audits covering our Sheriff's Office and our Jail.  They don't ask for login and password information.  I would fill out ONLY what you feel comfortable sharing (especially through insecure communication channels) and leave the rest blank.  

  • Nothing particularly useful to add in addition to some of the good sympathy shown so far, but I just received a request from a manager-level individual to have full, unfettered access to one of our critical systems so that he's not frustrated by "permission denied" errors.

    I have my response typed up, but I just messaged my boss and my teammate to check if anyone else has spoken to him first before I unleash (politely, of course) the "holy hell no" on him.  I'm more than happy to troubleshoot his processes and evaluate his permission set.

    I am NOT turning him into a system administrator for the sake of his "convenience."

    We've had issues with contractor companies who've sent us unencrypted data files of contract employees via unencrypted e-mails, where those attachments included names, addresses, SSNs, etc.  We've yelled at them numerous times.  They continue to do it.

  • I have been through a couple of surprise audits in a few different places I have worked now. Therefore, I have experienced these at different levels throughout my career. I would not provide half of the information they are requesting. They do not need it. Frankly I find it extremely suspect they would even ask for most of it. 

    Pretty sure to hand over some of that stuff would be a potential GDPR stick they could beat you with... Seems to me this is not an experienced company and should not be handling an audit.

  • While I can see the need for an audit, and can only scratch my head at the choice they made as to who is going to perform the audit, I'd have serious doubts with an excel sheet like this being dropped off. So yes, I can see serious reservations with this.

    I would voice my concerns with the requesters of the audit with the Excel sheet in hand. And I'd be sure to emphasize what filling in details about the IT infrastructure (or even plain passwords) could mean in terms of company liability and security. 

    I mean, knowing what kind of firewall is in place already cuts down on potential attack vectors a hacker could use to breach security. If passwords are handed out for users, that gives the potential of someone accessing the main company system as that user and thus retrieve (or worse, delete) all data that user has access to. Potentially selling that data to the company's competitors. Printers might be another angle of attack, so knowing what type and model printer you have may also provide a means of entry onto the network or to sensitive data (HP's The Wolf comes to mind - https://www.youtube.com/watch?v=U3QXMMV-Srs).

    At this point I can see the legitimacy of the request for an audit. What I can't really see is if the requesters actually know what handing over sensitive information may result in. So before filling this out I'd get a written approval from the entire management staff or even CEO that they know what is asked of you, what you're requested to hand out, and they are aware of any and all potential results of that information being released (which includes closing the company). And even then I'd fill out the form while leaving out as much specifics as I could. 

    Keep us posted on your progress with this.

  • Where's Robert's reply?
    Can't see it..

    OP....
    You have been asked to do something which the management feel is necessary for one of many reasons.
    If you decided that you know better and refuse to provide the information that's been requested, then it will only reinforce their feeling that you are empire building.
    And this in turn will make them feel their original request was very much warranted.

    Do as requested... and smile when doing it.

    As already advised, get the CV cleaned up and ready for action.



  • don't forget to inform the whole management, that you will be giving their credentials over too.

    and maybe add, what this gives the "auditors" the possibility to do, like writing emails in their identity, browse all their personal files, etc.

    then get your cv up to date and look for a decent company to work for ;-) 

  • btw. if this happened to me in germany, I'd instantly file it to the government agency for privacy protection.

    luckily we have some main principles (i just take two most relevant out of seven) of data austerity and appropriation.

    you may only collect the least amount of data to fulfill the required task. 

    you must give the exact purpose why the data is collected, and it is not lawful to use it for any other purpose

    as an it pro, you will be able to tell, which of data they want on this spreadsheet, that you would not even place on something like a spreadsheet. well, mostly any ;-)

    so you could ask to tell you the exact purpose of the audit, and make a proposal, how this could be done in a secure and professional manner.

    (you might want to read how we crazy europeans do this privacy protection stuff :-)   https://eugdpr.org/ )

    and maybe you should send them your public key for email encryption and ask for their digital signature and tell them, that you will not respond to unencrypted and unsigned email in this case...

  • Umm.... Personally, if I had an  employer who asked me to fill that out, I would flat refuse. If they had a problem with that, I would probably explain to them that I was happy to provide all of that information on the condition that it was done in a manner that was in accordance to the policies and procedures that you have in place. If they are not technically minded people, go a little easy and explain it like this.

    • Tell them that you have spent your career at their company pounding security into the heads of your fellow employees. You implemented specific policies and procedures for handling sensitive data like employee usernames and passwords, confidential company data, and low level schematics. Tell them what this "auditing company" is asking for, is a collection of the sum of ALL of that data. 
    • Explain that with that one file, if it were filled out, you would be eliminating every single piece of security software, intrusion monitoring, etc that they have spent thousands (tens of thousands, hundreds of thousands) of dollars on implementing.
    •  Equate it to a bank providing a full blueprint of their building, schematics on every lock inside, neatly organized list of combinations to lockboxes, alarm/disarm codes, value of every item inside and times the night security guard takes a crap. 
    • This would be a good learning opportunity for them to see that that data should never exist in one place ever, under any circumstance, no ifs ands or buts. (and honestly that includes your head, hopefully you are using complex generated passwords secured with multi factor authentication within a system that monitors and documents view access as well as write access to each password) 
    • Ask for the proof of insurance that this auditing company holds, and whether or not their policy is large enough to cover the entire value of not only your company but the companies of every client, customer, contractor etc that you hold data on within your systems. Because if that excel file falls into the wrong hands, a bad actor could lurk completely unknown, with full unfettered administrator access, monitoring and recording every bit that is exchanged. 
    • If none of that is working and they are still requiring you to do it, lie to them. Tell them that the servers are set to self destruct which in turn wipes all the employee pcs which then naturally triggers a nuclear bomb in Utah to be fired directly at company HQ and sharks with lasers on their heads to be sent after all kittens and puppies world wide. Because if after all of that, if they still can't see what they are asking you to do is beyond reckless, they are not worth your time and it's a good day to quit and find a job with a company that deserves to exist.
  • Alequaff

    I disagree. There is no reason whatsoever that an administrator should have employee passwords. The only person that should know employee X's password is employee X. I see this so often in corporate IT and it scares the hell out of me. The only thing you are doing by knowing user passwords, is enforcing bad security hygiene and opening yourself up to liability and potential risks. I have seen it happen more than once, the IT Guy knows everyone's passwords, Employee X's account is compromised, and in an attempt to save face (or their job) they say it wasn't them. By even knowing the password, you create a scenario where the admin is on defense. Imagine worst case scenario. IT guy logs in as the employees all the time to update applications or certificates whatever. The FBI shows up and says an email account associated to one of the employees has been discovered to be trading child pornography. If the only person that knows the user's password is the user, it's an open and shut case. Logs prove that the password hasn't changed and that anything you as an Admin would do would be flagged as "on behalf of" the employee. A day of trying to prove your own innocence in a situation like that is not worth any amount of convenience you gain by having user passwords.  Not to mention avoided problems due to users using the same password at work as they do for their bank, and gmail etc.

    Security 101 Rule number 1 

    Never give out your password to anyone. 

    Administrators are anyones, last time I checked.

  • Yeah, that's way more information than any auditor would need.

    After my manager left several months ago I've been the acting manager in my department and I've helped with a couple year-end audits since then and also gone through a vendor review process and am preparing for an environment upgrade for our SharePoint farm - and none of those activities asked for THAT level of detail. It sounds like they're getting ready to replace or outsource your position and you should get out on your terms before you're forced out on theirs!

  • TB33T wrote:

    Follow the principle of least privilege. If it's an audit, they definitely don't need passwords. Do give them a record of hardware and software currently used by the company. Good luck.

    ^^^This. Always follow least privilege. Best way to protect yourself and your company. 

  • Working in insurance, we get audited by a couple entities every year. As the Network Admin and now Systems Manager I'm never usually asked for more than hardware models, some examples of logging, and support contracts. My team get a few other requests, but again it's never for actual account info. They typically want to see policies and examples of how we're implementing them. You don't need accounts to make sure ducks are in a row. Even in depth state audits usually present the standards/by-laws we're expected to follow and then they ask for evidence that we're doing that. These people come on-site for physical checks and process our information in our buildings to be secure... I'd expect nothing less from other 'professional auditors'.

  • Like a rat from a sinking ship brother.

  • Any recommendations on independent audit companies that I could engage to run a real audit to cover my butt? I really have zero issue with an audit, and even welcome it. They are a pain but a necessity to be effective and to see holes in the fabric. It just needs to be a real audit from a company who knows what they are doing. Meeting with my boss at 11. I'd like to be fully armed with why this is a bad idea to use this particular company, as well as alternative solutions. Unless it really is just a move to push me out. Which I think (or hope anyway) that she will be honest with me. If not, I may be firing myself today.

  • I agree with what pretty much everyone here has said. My only thought that I did not see mentioned was... What if this is part of the audit? Maybe they are asking for these things to see if you do have all of it, and will willingly give it up. Maybe by not giving it you pass the test...Just a thought ;)

  • While most of the comments here are well founded - security, best practices, etc., the bottom line is his employer is asking for this information - it doesn't matter who the employer may give it to or for what purpose.

    Make your objections known then provide the information asked for.

    Any employee of mine that would not provide business related information when asked by me would be terminated on the spot.

  • Sounds like your company has a vision vacuum.

    You've managed to navigate the adversities fairly well, but it sounds like management doesn't understand how a full disaster recovery plan should look like.  They're hiring a consultant because they don't have an IS Director who can bridge technical knowledge with a forward-thinking vision for the company.

    Critical business information (like network information, user credentials, etc.) should never be given to any outside organization, at least not without a signed NDA that legally protects the business against unauthorized use by the consultant. 

    You're right to resist giving over certain information not necessary for an audit. The consultant and company management should appreciate that, too. 

    I'd stick to your guns on this one. And polish your resume. 

  • That is all information that you should have documented somewhere. Personally, I'd let them know that I have it documented, but I've got more important things to do than put it all in a list for you and give strangers my passwords. If you're the only IT member, then you may want to have passwords written down somewhere and shared with the person above you on the totem pole, just in case if something were to happen. Ideally, there would be two IT personnel to avoid a single point of failure. It does sound like you're doing a great job.... maybe too great. Some other posts may be on to something that perhaps the company is looking to show you the door.

  • Da_Schmoo

    it doesn't matter who the employer may give it to or for what purpose.

    She may actually have a fiduciary responsibility that would prevent him from doing something that he believed would cause irreparable harm to the company and its ability to make a profit. But you're right that he doesn't really have much of an option if his employer knows all of the stated risks and still is ordering him to do it.

    But the one option she does have is to say no and tender his resignation, which I would say is completely appropriate in this situation.

    What I am really hoping is that the employer is just IT Clueless and did not understand fully what they were really asking him to hand over. That once they see it in the right light, they will be on our side.

    For what it's worth, I do not think that you are on the chopping block. I think that the Excel file is far too stock and cookie cutter to be the product of even the least capable MSP. It reminds me of a company in my town that provides outsourced HR to companies. They also have a list a mile long of additional services they offer. In reality these additional services are nothing more than an easy way to add a line item and a $1,000 bonus in their pocket at the expense of an already overworked IT manager.

    Good luck with your meeting. I'm waiting with bated breath on this one


  • There are some things they are asking for that you shouldn't know. Users domain PW. No one needs that but the user. 

    I wouldn't hand out any passwords to a 3rd party. If they need access to these systems they can request an account to be set-up on a per system basis, with justification. 

    There should be multiple people within the business that can access said systems, for the hit by the bus scenario. 

  • Nathan107 wrote:

    Alequaff

    I disagree. There is no reason whatsoever that an administrator should have employee passwords. The only person that should know employee X's password is employee X.

    Correct, I would assume they are not looking for employee passwords, but admin passwords which is common to keep secured records in case someone gets hit by a bus.

  • obr-hi wrote:

    Any recommendations on independent audit companies that I could engage to run a real audit to cover my butt? I really have zero issue with an audit, and even welcome it. They are a pain but a necessity to be effective and to see holes in the fabric. It just needs to be a real audit from a company who knows what they are doing. Meeting with my boss at 11. I'd like to be fully armed with why this is a bad idea to use this particular company, as well as alternative solutions. Unless it really is just a move to push me out. Which I think (or hope anyway) that she will be honest with me. If not, I may be firing myself today.

    Ask her point blank if they're trying to get rid of you. This secret crap that companies try to pull is ridiculous and demoralizing

  • the request aside, can we just talk about how the thing is set up?

    1st: no you can't/shouldn't provide half of that.

    2nd: it's almost impossible to follow what they were trying to do when organizing it

    3rd: it looks like it was made by someone who looked for buzz/keywords for IT and threw them into a sheet and copy and pasted some stuff from other badly written audit sheets.

    seems ridiculous, express your concern to higher ups and put some shine on that resume just in case.

