null

Indeed, the value of PII to an attacker is often underestimated.

nightjarnz

Unfortunately your manager's stance is not uncommon, particularly in NZ.

nightjarnz

Make it secure from the ground up, or you have hell trying to retrofit it later. Same as accessibility.

null

Often as developers all we can do is point out the danger and gather enough evidence to prove we pointed it out and tried our best.

nightjarnz

"Sorry we gave your records to a stalker because they worked here too" is a shit line.

null

Your manager needs to answer what impact the information you're collecting will have to the individual if it were ever made public.

nightjarnz

The threat isn't always "from outside" either. The principle of least access applies, etc., to prevent someone inside the company looking up someone else's private details.
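As an added illustration of the least-access point above (example code written for this thread, not anything the posters run), the snippet below filters an HR record by who is asking and emits an audit event whenever private fields are disclosed. The record fields, role names and viewer structure are all constructed assumptions.

```go
package main

import "fmt"

// Hypothetical HR record; field names are constructed for this example.
type EmployeeRecord struct {
	ID, Name, Address, TaxNumber string
}

// Viewer is whoever is logged in to the internal site.
// Roles are constructed: "hr", "payroll", or plain "staff".
type Viewer struct {
	UserID string
	Role   string
}

// AccessEvent is written to the audit trail whenever someone is shown
// another person's private fields, so insider lookups are at least visible.
type AccessEvent struct {
	ViewerID, RecordID string
	Fields             []string
}

// VisibleFields applies least access: the directory view (ID, Name) is open
// to all staff; private fields are returned only to the record's owner or to
// roles that need them for their job, and the latter case is audited.
func VisibleFields(v Viewer, rec EmployeeRecord) (map[string]string, *AccessEvent) {
	out := map[string]string{"id": rec.ID, "name": rec.Name}
	if v.UserID == rec.ID {
		// Looking at your own record: full view, no audit event needed.
		out["address"] = rec.Address
		out["tax_number"] = rec.TaxNumber
		return out, nil
	}
	var granted []string
	switch v.Role {
	case "hr":
		out["address"] = rec.Address
		out["tax_number"] = rec.TaxNumber
		granted = []string{"address", "tax_number"}
	case "payroll":
		out["tax_number"] = rec.TaxNumber
		granted = []string{"tax_number"}
	}
	if len(granted) == 0 {
		return out, nil // everyone else only sees the directory view
	}
	return out, &AccessEvent{ViewerID: v.UserID, RecordID: rec.ID, Fields: granted}
}

func main() {
	rec := EmployeeRecord{ID: "e1042", Name: "A. Example", Address: "1 Example St", TaxNumber: "000-000-000"}
	for _, v := range []Viewer{{"e2001", "staff"}, {"e3001", "payroll"}, {"e4001", "hr"}, {"e1042", "staff"}} {
		fields, ev := VisibleFields(v, rec)
		fmt.Printf("%s (%s) sees %d fields, audit event: %v\n", v.UserID, v.Role, len(fields), ev != nil)
	}
}
```

The point is that "behind the firewall" does nothing against an authenticated insider; the filter and the audit event are what limit and expose that lookup.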

nz_tom

Yup, but I'm trying to push my manager to consider aspects of our security which he dismisses with the statement 'it's behind the firewall, it's fine'. Fact is, I asked him what sort of monitoring we have of our network, and we don't have any. We are a small IT team, I'm the sole developer here and hell, it's my first full time position out of uni, so I barely consider myself intermediate. My manager who does all the network, mail and BI stuff is overworked as hell, we all are since the other department has been on a hiring bonanza as the company has expanded massively... but still, I worry that someone is already in our network, or they will be, and we won't know until it's too late (or probably never). Maybe I'm just paranoid, but when that happens I know the fingers are going to be pointed at me, so I'm trying to do what I can to improve our security.

nightjarnz

The beauty of MFA is that it's optional by default. You can use it if you want it, but ignore it if you're security averse.

nz_tom

That's a good idea. I have it set up so that I can execute workflows before and after employment events. On exit, I could have it set up to encrypt the records that contain personal info. I don't know what I'm going to do about the key though... I think you can set up a YubiKey to decrypt GPG... but the HR lady has trouble with technology as is, and I doubt my manager would think it's worth using a YubiKey, especially so since he shot down my recommendation of requiring 2FA for all internal staff accessing the internal site. I guess at least I enabled 2FA for my admin account lol...
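The "what do I do about the key" question in the post above is usually answered with envelope encryption: each record gets its own random data key, and only that data key is encrypted under a key-encryption key (KEK) kept somewhere the HR application cannot read at will (a hardware token, a secrets store). The example below is added for this thread and is not the poster's code; the record layout, the `OnExit` hook name and the KEK source are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical HR record; the fields are constructed for this example.
type EmployeeRecord struct {
	ID        string `json:"id"`
	Name      string `json:"name"`
	Address   string `json:"address"`
	TaxNumber string `json:"tax_number"`
}

// SealedRecord is what remains in the database after the exit workflow:
// the encrypted record plus its data key, itself encrypted under the KEK.
type SealedRecord struct {
	ID         string
	Ciphertext []byte // AES-256-GCM over the JSON-encoded record
	WrappedDEK []byte // AES-256-GCM over the data key, under the KEK
}

// aeadSeal encrypts with AES-GCM and prefixes the random nonce.
func aeadSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aeadOpen reverses aeadSeal; a wrong key or tampered data fails the tag check.
func aeadOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// OnExit is the assumed post-employment-event hook: fresh data key per record,
// record encrypted under it, data key wrapped under the KEK. The KEK is the
// only secret that has to live outside the database.
func OnExit(kek []byte, rec EmployeeRecord) (SealedRecord, error) {
	plain, err := json.Marshal(rec)
	if err != nil {
		return SealedRecord{}, err
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return SealedRecord{}, err
	}
	ct, err := aeadSeal(dek, plain)
	if err != nil {
		return SealedRecord{}, err
	}
	wrapped, err := aeadSeal(kek, dek)
	if err != nil {
		return SealedRecord{}, err
	}
	return SealedRecord{ID: rec.ID, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Unseal is the rare, audited path that needs the KEK back (e.g. a legal request).
func Unseal(kek []byte, s SealedRecord) (EmployeeRecord, error) {
	var rec EmployeeRecord
	dek, err := aeadOpen(kek, s.WrappedDEK)
	if err != nil {
		return rec, fmt.Errorf("unwrap data key: %w", err)
	}
	plain, err := aeadOpen(dek, s.Ciphertext)
	if err != nil {
		return rec, fmt.Errorf("decrypt record: %w", err)
	}
	return rec, json.Unmarshal(plain, &rec)
}

func main() {
	kek := make([]byte, 32) // constructed here; in practice fetched from the token or secret store
	rand.Read(kek)
	rec := EmployeeRecord{ID: "e1042", Name: "A. Example", Address: "1 Example St", TaxNumber: "000-000-000"}
	sealed, err := OnExit(kek, rec)
	if err != nil {
		panic(err)
	}
	back, err := Unseal(kek, sealed)
	fmt.Printf("stored %d ciphertext bytes for %s; roundtrip ok: %v (err=%v)\n", len(sealed.Ciphertext), sealed.ID, back == rec, err)
}
```

With this split, the HR application can keep sealing records on exit without ever holding the KEK, so the hardware-token question only arises on the unseal path, which should be rare enough that a second person can be involved.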