Question for IT/security folks

Have been with this company 2 months and this is my first "official" IT support job. This is a small company - about 15 people. I'm the tech/office support guy.

So there is a company (recommended by our accountant) that is possibly going to help us with our taxes and offer other financial advice. In order to do this they need to see all our sales data from last year. I have dumped all this raw data from our accounting software into an RTF file for them to import into their own software - as per their instructions. I'm a little uneasy about just handing all this data over. Some of it is sensitive in that it shows all our profit margins, markups and possibly other even more sensitive information. It just seems odd handing all this over to a company we don't know just to see if they can offer us a service.

It's not so much that I think it's a scam or anything - just that I had to sign non-disclosure paperwork when I joined due to some of our stuff being sensitive in nature.....and now we're just going to e-mail all this important data to a bunch of people who may not even work for us in the end.

My boss (the GM) is OK with this, but is there anything I should be doing here? Is there a common procedure we should be following....getting them to sign something saying they'll destroy the data, for example? And do you think my boss should sign off on this too? I don't want to be in a position later on where somebody asks me why I sent financial information out and I can only reply "the boss told me to".

Or am I being overly cautious with this?

Thanks!
 
Email your boss with a list of what all exactly you will be doing.
In it, request authorisation to do this; once he replies back with an OK, your ass is covered.
 
How do you know the boss is OK with it? Has he expressed this in writing (email maybe?) or just verbally agreed?

Only verbal really. He knows what they want and instructed me to liaise with them in order to get the data out of our software. Got nothing official in writing though. I just feel like I need him to sign something saying "yes, I authorize you to release this data" or some such.
 
My experience is unless the boss is uber switched on, they don't understand the implications and initially say "just do it", therefore you should detail your concerns and they will probably say "only give parts, sanitise it, etc".
 
Why not just ask your boss in the same way that you ask us?
I'm sure he will put you at your ease.

Bosses aren't always nasty horrible people and appreciate feedback or comments from their staff.
You are obviously a junior and need direction so don't worry so much.
 
I think you're being negligent if you don't raise your concerns with your manager. Just because he's your boss doesn't mean he always makes the right decisions.
 
In that case I would go with lurkios suggestion. Email the boss detailing what you intend on doing, requesting their authorization to proceed. When you have that you are good to go :)
 
Thanks guys. I've asked him for something stating that he authorizes me to send them the data. He's a *****ly old bugger, so I just wanted to make sure of what I was doing :p

Oldbag - it's not really that simple though is it. Obviously I wouldn't send such info out unless my boss told me. The issue was more that I wanted something "official" from him.
 
Echoing the posts above, if you have concerns, raise these and explain them to your manager.

Don't just ask him to sign off on it. You might be covered but that's hardly going to help your company if this is a giant mistake?
 
Thanks guys. I've asked him for something stating that he authorizes me to send them the data. He's a *****ly old bugger, so I just wanted to make sure of what I was doing :p

Oldbag - it's not really that simple though is it. Obviously I wouldn't send such info out unless my boss told me. The issue was more that I wanted something "official" from him.

It is though. Either you are confident on what to send, or, as others suggested, you double-check with your manager for the green light. :)
 
Echoing the posts above, if you have concerns, raise these and explain them to your manager.

Don't just ask him to sign off on it. You might be covered but that's hardly going to help your company if this is a giant mistake?

The thing is if a manager agrees something and you voice your concerns it won't be your fault as an employer. The manager doing the signing off should understand more than underneath him and if he agrees then it's their fault for giving the green light.

On the other hand if OP just did it without the sign off they could be in trouble especially due to data protection.
 
You should probably highlight anything you feel might have been overlooked and the suggestion that this other company agrees to not disseminate the data, destroy it after x amount of time etc..etc.. is reasonable.

Just put it across as an easy suggestion your boss can make a quick decision on and not as another problem for him to consider.... your job is really to get the data to them, not to consider bigger picture issues regarding the data - if you can go to your boss and say 'I've got the data I can send it as is - I've also filtered it and can send this file with x and y removed if you like' then it's a quick decision for him as you've essentially presented him with two solutions.

Tbh.. you're a 15 person organisation - I doubt anyone really cares too much about your profit margins on anything.
 
Tbh.. you're a 15 person organisation - I doubt anyone really cares too much about your profit margins on anything.

This ^ How is your accountancy company going to do your accounts without financial data? :D

As for sending the files. Just get your boss to email you saying it's OK. If you're struggling to play Cover Your Arse in a 15 man organisation never get a job in IT in a huge Public Sector organisation. Playing CYA in one of those is a work of art, and full time job. Trust me.
 
It might just be me but I'm wondering why an RTF file for the data in the first place? A spreadsheet sounds a much more natural option but I'm sure they know what they're doing.

Is there going to be any form of encryption placed on the file? I doubt that anyone is likely to intercept it or care too much about the data even if they did but it would seem better practice to at least put in some form of password (if nothing else) on the data before sending it via email (if indeed you must send it by email rather than some more secure means).
 