
Message from will.froning@gmail.com

Hello All,

I'm wondering if any of your institutions monitor logon/logoff time for attendance/holiday/sick leave violations. I'm not looking for a technical answer, just whether or not your schools do this. 

I'm trying to bring some support documents to the table so we can make an educated decision on if it's something we want to pursue. My feeling is that this is VERY unusual for HigherED, but links to policies or an email (with a yes/no) would be much appreciated.

If you like I can compile my responses (anonymously) and repost to the list if there's any interest.

Thanks,
Will

P.S. It was great meeting some of you at the STL conference. Hopefully I can make the trip for the next one.

--
Will Froning
Unix SysAdmin
Will.Froning@GMail.com
MSN: wfroning@angui.sh
YIM: will_froning
AIM: willfroning

Comments

Message from will.froning@gmail.com

Hello All,

And if Joe never logs out? What if Chris logs an average of 53 hours a week and logs in while home sick? Is Chris fired for being a dedicated employee? If management see Chris is working extra hours to get the job done, does management keep the "profits" or hire more staff? Does management request web history for those logged in for 40 hours a week to ensure they're not spending that time on reddit or eBay? Maybe management can get by with simpler rules (http://www.farnamstreetblog.com/2013/04/does-a-complex-world-need-simpler-rules/).

-Eric

IT professionals will never ask for your password - not in email - not over the phone, never.

Eric Case, CISSP
ecase (at) email (dot) arizona (dot) edu
College of Architecture, Planning, and Landscape Architecture
http://www.linkedin.com/in/ericcase

Hi Will,

 

Is management willing to “live by the sword and die by the sword” (hire more staff if the logs show the staff is overworked)?  How will management deal with the logs being easily gamed (not logging out)?  What about unintended consequences (your honor, I was logged in at work at the time of the hit and run)?  What does your general counsel think of the idea?  What if someone doesn’t log in but checks email via the web or phone?

 

I believe IT should be an enabler for employees to do more and that includes allowing people to work from home without getting their coworkers sick.  Do you have a pandemic plan?  Can an employee take a sick day because of a sick child but get some work done from home?

 

What if someone takes a sick day, never logs in, and goes shopping / sightseeing with an out of town friend / relative?  What if someone doesn’t take a sick day but schedules meetings off site and goes shopping / sightseeing with an out of town friend / relative?

 

I don’t believe IT should be an enabler for employees or management to not do their jobs and what the IA wants can be achieved via forensics on the “home” pc, credit cards, etc.  If management is really doing their job, login/logoff activity will be a non-issue.

-Eric

 

 

IT professionals will never ask for your password – not in email – not over the phone, never.

 

Eric Case, CISSP

ecase (at) email (dot) arizona (dot) edu

College of Architecture, Planning, and Landscape Architecture

http://www.linkedin.com/in/ericcase

 

 

IT professionals will never ask for your password – not in email – not over the phone, never.

 

Eric Case, CISSP

eric (at) ericcase (dot) com

http://www.linkedin.com/in/ericcase

(520) 344-CISO (2476)

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Will Froning
Sent: Wednesday, April 24, 2013 8:24 PM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Login/Logoff Activity

 

Hello All,

Message from will.froning@gmail.com

Hello Eric,

We are a 16 year old Uni, in a country that is only 41 years old (UAE). We have a lot of inexperienced management and a small population pool of expertise to choose from. So keep that in mind if my comments seem colored.


On Thu, 25 Apr 2013, Will Froning wrote:

> This is a request from the internal auditor to see if it is common practice
> to monitor this in academia (starting to look heavily like NO).
>
> As others on the list have mentioned, this is really a management issue at
> its core. The rebuttal for that comment was something like: "If technology
> can help us to identify a management weakness, we can make corrective
> policy driven actions to fix the weakness. IT isn't there to fix the
> problem, but to provide visibility into whether or not there is a problem
> to correct."

Setting aside privacy issues (which I suspect are more complex and worth more consideration than your IA is allowing), I think the next critical question you have to ask is whether technology does, in fact, provide you with accurate "visibility" into a possible problem. After all, your metrics are only as useful as the accuracy and validity of the measuring tool.

Their thinking seems to be that being "logged in" is the same as working, and while I suppose this might be true for some types of work, I suspect it's the exception to the rule. If I log out at the end of the day, then Joe stops me on my way out and we have a 30 minute conversation about something I'm working on, then the logs under-represent my actual work. Alternately, if I log in the minute I show up at work, then go grab some coffee, chat with Bob about the football match for 15 minutes, sit back down at my workstation and check my stock portfolio and the international news for another 15 minutes, the log over-represents my work.

And those examples are probably unintentional "noise" in the metric. If I'm the type of person that IA is really hoping to find, I'm likely to spend a lot of time and energy figuring out even more clever ways to fool the system into thinking I'm working when I'm not.

Or, as others have mentioned, what if I forget to log out at the end of the day. What if I'm particularly forgetful and I regularly forget to log out at the end of the day. Will this be viewed as an attempt to artificially inflate my work hours and how will it be handled by IA / Management? I actually made it a goal at the beginning of the year to better track my own time (admittedly I'm categorizing my time rather than just looking at login/logout times) and I can tell you that I regularly forget to start and/or stop the clock. I sometimes forget to stop it when I go to lunch. Other times, I forget to restart it when I get back from lunch. It's not unusual that I forget to stop it at the end of a day, and once or twice, that day has been a Friday. Of course, the tool I use allows me to go back and fix these mistakes, but then allowing something like that would defeat the purpose of what IA is wanting to do.

Finally, if IA thinks this would help them get an accurate picture, my recommendation would be that they try it out themselves for six months before deciding whether to implement it site-wide. And I don't mean this just as a snide "see how they like it" comment. Testing it themselves will allow them to determine whether it's accurate and valid, whether it has unexpected consequences (such as impact to morale, perhaps?) and whether the cost of collecting metrics is justified by the results.

--
Shane Williams
Senior Information Technology Manager
School of Information, University of Texas at Austin
shanew@ischool.utexas.edu - 512-471-9471

Actually it isn't.  If you want to use a house analogy it would be more like seeing if someone is inside using their home.

I believe Will just wants to know if any institution monitors login/logout in order to see if people are leaving early or something along those lines.  I'm not sure what else it would tell you.

To my knowledge we don't do it at MU other than if we had an investigation of some kind and had to build a timeline.

steve


Message from valdis.kletnieks@vt.edu

On Wed, 24 Apr 2013 15:01:36 -0400, Walter Moore said:

> investigations. We have never made any effort to see if people are
> accessing restricted systems when they are on sick leave or vacation.

Though the case can be made that if Joe Smith is known to be on vacation in Hawaii, any attempted access with his credentials from Zanzibar is probably suspect.

On the other hand, a login from Zanzibar is even *more* suspect if Joe is sitting in his office. :)

Similarly, it's pretty easy to establish a pattern of when I'm in my office, and when I come in via VPN from a relatively small chunk of Comcast cable address space, so if an attempt is made from a Starbuck's, that's probably well into the unusual...

How many of you do anomaly analysis for stuff like this? And what sorts of anomalies have you found useful or not useful to track?

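The two checks described in the message above, a login from a network the user has not used before and a remote login while the user is apparently on site, sketched as an added example (not code from the thread or from any poster's institution). The event format, the /24 grouping, the four-hour presence window and all addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, kind, source IP).
# "console" = on-campus workstation logon, "vpn" = remote access.
# Addresses come from documentation ranges, not from the thread.
EVENTS = [
    ("2013-04-22T08:05", "joe", "console", "192.0.2.10"),
    ("2013-04-22T19:40", "joe", "vpn", "198.51.100.23"),
    ("2013-04-23T08:02", "joe", "console", "192.0.2.10"),
    ("2013-04-23T20:15", "joe", "vpn", "198.51.100.77"),
    ("2013-04-24T08:07", "joe", "console", "192.0.2.10"),
    ("2013-04-24T10:30", "joe", "vpn", "203.0.113.5"),
]

BASELINE_END = datetime(2013, 4, 24)  # earlier events only build the profile
PRESENCE_WINDOW = timedelta(hours=4)  # assumed: console logon implies presence this long
PREFIX = 24                           # assumed size of a "small chunk" of address space


def network_of(ip):
    """Collapse an address to its enclosing network so DHCP churn is not an anomaly."""
    return ipaddress.ip_network(f"{ip}/{PREFIX}", strict=False)


def analyze(events):
    """Return (timestamp, user, ip, reasons) for each anomalous post-baseline event."""
    known = defaultdict(set)  # user -> {(kind, network)} seen during the baseline
    last_console = {}         # user -> time of the most recent console logon
    alerts = []
    for ts, user, kind, ip in sorted(events):
        when = datetime.fromisoformat(ts)
        net = network_of(ip)
        if when < BASELINE_END:
            known[user].add((kind, net))
        else:
            reasons = []
            if (kind, net) not in known[user]:
                reasons.append("new-network")
            seen = last_console.get(user)
            if kind == "vpn" and seen and when - seen <= PRESENCE_WINDOW:
                reasons.append("remote-while-on-site")
            if reasons:
                alerts.append((ts, user, ip, reasons))
        if kind == "console":
            last_console[user] = when
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```
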
I looked at this from a pure security aspect. Some types of data we audit, counter tactics, or evaluate, especially those types that could indicate an attack/brute force/rogue access to systems, seems confidential information to me and my organization that would not want to disclose. It's the same reason armored bank trucks have confidential and ever changing routes/dates/times - need to know and not everyone needs to.

Justin Bennett
Supervisor of Network Technology
Information Technology
jbennett@msjc.edu
Mt. San Jacinto College
Phone 951-639-5090
http://www.msjc.edu

Security Notice: MSJC Information Technology Staff will never ask for your password. Keep your passwords private to protect yourself and the security of our network.

Message from hhoffman@ip-solutions.net

Nah, this just means that Joe has outsourced his job for a quarter of his pay and browses reddit and 4chan all day long ;-)

Cheers,
Harry

On 04/24/2013 06:24 PM, Valdis.Kletnieks@vt.edu wrote:
> On Wed, 24 Apr 2013 15:01:36 -0400, Walter Moore said:
>
> On the other hand, a login from Zanzibar is even *more* suspect if Joe
> is sitting in his office. :)
>

On 04/25/2013 01:20 AM, Will Froning wrote:
> Hello Eric,
>
> We are a 16 year old Uni, in a country that is only 41 years old (UAE). We
> have a lot of inexperienced management and a small population pool of
> expertise to choose from. So keep that in mind if my comments seem colored.

Where are the login/logout logs coming from? Having worked with AD logging myself it depends on what you are trying to show and how accurate you need it to be. For example, logout events cannot be trusted -- they often never occur even when a "logout" does. There's a MS KB or blog on this issue.

But you can't even trust login events. A typical case is collecting the AD controller login events -- guess what happens when the user logs in on a laptop that isn't connected to the network and uses a cached credential for login?

This really sounds like the sort of request we occasionally get from supervisors who don't want to supervise. They want to replace a difficult, often subjective, measure of employee "quality" with a simple, "objective" measure.

What is the underlying goal of measuring employee logins/logouts compared to official work hours? From the original post:

> monitor logon/logoff time for
> attendance/holiday/sick leave violations.

So, using a measure that is known to not be accurate to monitor for violations is good why? Not saying you said it was (you didn't) just raising it rhetorically.

For concerns about management requiring work while on sick leave higher management should 1) make it clear they don't approve of the practice, 2) don't push middle and lower management to produce work beyond what they're staffed to do, 3) cultivate an environment where employees feel free to speak out, 4) provide a mechanism for complaints without retribution. Of course, all of that is more work than instructing IT to "audit logon/logoffs vs attendance/holiday/sick leave."

For concerns about employees not working while present at work/on paid time then 1) realistic production/effort goals should be set, 2) performance should be periodically measured against these goals, 3) provide a mechanism for an employee to contest if there is disagreement between the supervisor's evaluation and the employee's self assessment. Of course, setting realistic production/effort goals requires significant effort and continual evaluation as times change.

On the face of it, it would appear that the desire is to push hard management work onto IT whether or not IT can even meet the requirements.

Tim Doty
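An added illustration of the point made above about untrustworthy logon/logoff events, not code from the thread: a constructed four-day record for one user is reduced to what a central collector would see when one logoff is never recorded and one logon uses a cached credential, and hours are then computed two ways. The event format and field names are assumptions; no real AD event schema is modelled.

```python
from datetime import datetime

# Constructed ground truth: what the user actually did.
# via "dc"     = logon validated by a domain controller (event recorded centrally)
# via "cached" = laptop off-network, cached credential (nothing recorded centrally)
# logoff_logged = whether a logoff event ever reached the collector
ACTUAL = [
    {"on": "2013-04-22T08:00", "off": "2013-04-22T17:00", "via": "dc", "logoff_logged": True},
    {"on": "2013-04-23T08:00", "off": "2013-04-23T17:00", "via": "dc", "logoff_logged": False},
    {"on": "2013-04-24T09:00", "off": "2013-04-24T15:00", "via": "cached", "logoff_logged": False},
    {"on": "2013-04-25T08:00", "off": "2013-04-25T12:00", "via": "dc", "logoff_logged": True},
]


def hours(start, end):
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def actual_hours(sessions):
    return sum(hours(s["on"], s["off"]) for s in sessions)


def collector_view(sessions):
    """Events the central log would hold, in time order."""
    events = []
    for s in sessions:
        if s["via"] != "dc":
            continue  # cached-credential session is invisible to the collector
        events.append((s["on"], "logon"))
        if s["logoff_logged"]:
            events.append((s["off"], "logoff"))
    return sorted(events)


def naive_hours(events):
    """Pair each open logon with the next logoff, however far away it is."""
    total, open_since = 0.0, None
    for ts, kind in events:
        if kind == "logon" and open_since is None:
            open_since = ts
        elif kind == "logoff" and open_since is not None:
            total += hours(open_since, ts)
            open_since = None
    return total


def strict_hours(events):
    """Count only logon/logoff pairs with no intervening logon; report the rest."""
    total, unclosed, open_since = 0.0, 0, None
    for ts, kind in events:
        if kind == "logon":
            if open_since is not None:
                unclosed += 1  # previous session never produced a logoff
            open_since = ts
        elif open_since is not None:
            total += hours(open_since, ts)
            open_since = None
    if open_since is not None:
        unclosed += 1
    return total, unclosed


if __name__ == "__main__":
    seen = collector_view(ACTUAL)
    print("actual:", actual_hours(ACTUAL))
    print("naive :", naive_hours(seen))
    print("strict:", strict_hours(seen))
```

On this constructed data the naive pairing more than doubles the real total while the strict pairing reports under half of it, and neither figure can be corrected from the collector's events alone.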