Firings Upheld At Ohio U. For IT Workers Dismissed After Data Breaches
- 3
- Add a Comment
An update for those of us following the Ohio University security breach situation:
The August firings of two IT workers at Ohio University after a series of data security breaches have been upheld by the schools provost. The move, made public today, comes despite a recommendation last month by a grievance committee that the workers be rehired and given public apologies.
In letters yesterday to the two former IT employees, Provost Kathy Krendl said she reviewed the terminations and the grievance committees three-page recommendation but concluded the firings were justified. Krendl has the final authority in such matters under the policies of the Athens, Ohio-based school. [Source: Computerworld Article]
Personally I think this is a good thing. Carelessness is just as bad as malicious intent in these sorts of things. The days of security being someone else’s problem are over. Everyone needs to be mindful of security issues, from developers to end users. What are you doing to stay secure?
3 Comments
Carl
November 17th, 2006
at 7:41am
I agree that malicious intent merits dismissal. And if a pattern of carelessness has been observed, this also merits dismissal.
But, having been a Network Analyst (maintained the network, not including servers) for a university, I had noticed that there was little to no proactive funding for many years. (I have since left that position, so I don’t know what is the present practice.) For most of the years I was a Network Analyst, most of the security not inherent to the applications in use, was due to the work of the Network Analysts and was implimented on the multiple routers of the network.
I think that some of the change in managements involvement came about because of one incident. A recovered hard drive was issued to another person for system expansion. This hard drive was recovered from the PC
Carl
November 17th, 2006
at 7:48am
(continued…) of the wife of the university’s President. None of the information on that hard drive was erased, to include the POP’d email. It took two days for the drive to be issued. Once it was known that ALL the data was still on the hard drive, it took less than two hours before the hard drive was picked up for erasure and re-formating.
Will it always take something wrong to happen before ‘management’ allows simple, and needed, procedures to be implimented? Seems like it.
(This was a two part post because I inadvertantly hit in the middle. If a moderator wants to combine my posts, please go ahead.)
Sid Gilbert
November 17th, 2006
at 10:14am
The firings seem to need to be reversed. The grievance commitee found that the outgoing CIO was responsible for the problem, not the two workers he fired for the breach. I quote the grivance commitee:
“The committee’s letter said there was “ample evidence” that both men were fulfilling the specific security roles in their job descriptions and that OU’s security problems didn’t stem from their work activities. “There was no clear duty or authority granted to Mr. Reid or Mr. Acheson to develop IT community policies or procedures or to implement a plan for total network security,” the panel wrote.”
They not only recommended rehire, but a public apology. The public apology was to restore their reputations with people who think “Carelessness is just as bad as malicious intent..”
The head of the university seems more interested in scrambling to cover the university’s collective behinds in case of a future lawsuit than in actually fixing the situation or doing justice to her employees. If I were one of the tech workers I would shortly own my own university.