Computer Access Policies

Nichelle

Well Known Member
Here is what could turn out to be a HOT Topic for discussion on this Friday morning.
Most, if not all, of you have a company computer access policy and I would suspect it would contain verbiage such as 'do not share your signon and password with anyone', 'you are responsible for whatever transactions occur with your signon', and 'failure to comply with this policy can result in disciplinary action up to and including termination'.
Ok, the reality is that very few employees will actually be terminated for sharing their signon, so what other kind of disciplinary action can be doled out?
Your thoughts and comments will be greatly appreciated.
Thanks
 
"Ok, the reality is that very few employees will actually be
terminated for sharing their signon, so what other kind of
disciplinary action can be doled out?"

Don't be too sure of that. It would count as gross misconduct. If a
company is serious about its computer usage policies, and these days
it ought to be, it could easily lead to termination.
 
I do realize that there can be cases where the employee is terminated; I on one occasion have actually terminated a developer because of such a reason.
But the situation I have now is a tenured supervisor that does not report to me and consistently instructs their employees to share their signons and there is no way in h--- that they are going to be terminated. Therefore, I need to come up with some creative disciplinary actions to get the point across that we mean business. Any ideas will be appreciated.
Thanks
 
Does your company require SOX compliance? If so, then you can say that sharing passwords is a violation of SOX Section 302. If you are not SOX compliant and you know who the repeat offenders are, lock them out of the system. Make them call your IT group till they are so annoyed by the whole thing that they eventually give in and use their assigned IDs. Stay strong. Option 2 requires steely-eyed reserve.
 
Nichelle, perhaps you are asking the wrong people. Computer access policy should be part of the corporate policy, and as such enforced by Human Resources. If enforcement is left up to IT, you don't really have a policy.

But from your follow-on, it sounds like the issue here is that a manager believes his department works better with shared than individual IDs. As a former IS security officer I have strong antipathy to this approach. But I have seen situations where there is a single terminal shared by a department, especially where data entry is a small part of the job. In that case, creating a very limited access shared ID may make sense. Or, it may be that information is stored by ID, and it is reasonable that other employees also need that information. You should be looking at why this manager insists on sharing IDs. Before you start worrying about punishment, make sure that you are providing the right system setup to the users.
 
Hello Nichelle
Do you allow more than 1 user session? Where I work, the users are only allowed 1 session. This makes sharing somewhat difficult. Enforcement is very easy.

Mike
 
We do not have to adhere to SOX, we are a privately held company, and we do allow more than one session. There is a business need for allowing more than one session.
Don't get me wrong, I am looking to be police, judge and jury but the people here that need to make the decision don't have any ideas for disciplinary action outside of termination, which in this case they are not about to do, so I am looking for suggestions to present.
The situation that occurs most often is an employee will put in their resignation, a replacement will be found and will start before IT is even notified. Therefore, when the new person shows up for work, their access has not been set up, and this supervisor advises them to use the last person's signons, or someone else's in the department, till they can be set up.
I have thought of suggesting this supervisor be given a week off without pay but can't think of any other creative ways of disciplining them, and the supervisor's manager. That is the type of suggestion I am looking for.
Thanks for your help and please keep the suggestions coming.
 
Nichelle,

I've seen this happen and it's not a good situation. If possible, you could disable the account of the person who has left and force the new person to just observe. This would be in hopes of the supervisor having a negative experience with a new employee who can only sit until the proper information is submitted to IT.

This would only work if users were allowed a single session at a time. A week off without pay sounds good, but would they do it?

Those privately held companies can be very creative in what they allow their employees to get away with.

Meanwhile, you're just trying to have some kind of security/procedures to follow for disabling non-employees and setting up new ones.

I have also seen password/signons deleted only to find out later that the password had unique access to something that nobody had or knew about. Working with JDE software, that probably would not happen.

In situations like this, I would disable the password and not delete it for at least a year. Of course, I've worked with some awful software too.

Perhaps a letter in their HR folder? Four letters and they get a week off without pay? Lose a parking spot? Disable the supervisor's profile every day for 2 weeks and make them call and wait until you are ready to let them on the system. There needs to be some way to inconvenience or embarrass them. They have already proven that they won't do something just because it is the right and orderly way to do something.

If there is any way that you can make a deal with HR/payroll to notify you when an employee leaves that would be good too. Of course, some HR/payroll departments are much easier to work with than others.

I have been in this situation and it is indeed challenging and often hopeless. Good luck. I'll send more information if I think of anything else.

/lf
 