It’s easy to be casual about confidentiality and to miss the finer aspects of what a system administrator needs to be quiet about in daily dealings with users and customers. There are obvious confidentiality agreements and the usual corporate trade secrets and new products – but there are other things that we as admins must be wary of.
The obvious corporate secrets include trade secrets, formulas, research, and new product development. Almost as obvious are customer data and, in healthcare-related industries, patient information.
However, what about the server break-in? Certainly anyone affected will have to be told – but how much? And what can be told around the water cooler?
A server compromise is a perfect example of an area where we as admins should know a lot more than we tell. Disclosing every detail could tell the cracker exactly what has and has not been discovered, could taint evidence, and could compromise any future legal action against the cracker. Loose talk could also undermine whatever public statement the company chooses to make in the wake of a serious event like this.
User privacy is another such area. Users certainly expect a measure of privacy, perhaps more than the realities of administration today can deliver. Even so, what does an email administrator do on discovering that someone is cheating on their spouse? Answer: nothing. What do you say to others? Nothing. A great many things fall into this category.
However, what if you as an admin find something that demands action, perhaps legal action? Pornography on a system, for instance, or hate mail, or spam being sent from it? The best course is to send it up the chain of command by the most secure means available: face to face, on a walk in the clear air if necessary. Do not alter or delete the material itself; leaving it as found preserves it as evidence. Document (on paper) as much as possible, sign and date it, and pass that up the chain of command as well, keeping a signed and dated second copy just in case. And after all this, what do you tell your coworkers? Nothing. Absolutely nothing. Also, never identify the person involved until all action is complete, and perhaps not even then.
What about the new fancy security feature that got installed? It doesn’t matter if it is digital, physical, or otherwise: say as little as possible. When working at a bank, one learns this first-hand and quickly; data center security and server security are the same way. Of course, among your cohorts in the trenches, security is a shared topic – but it is not for public (or staff) consumption.
It is better to err on the side of caution and silence than to say too much. In this digital age, anything put in email or on disk is already too much: mail is logged, archived, and backed up, and deleted files can be recovered. To maintain the strictest confidentiality, don't use digital means to discuss confidential matters at all.