Boss wants me to falsify a report. How should I document this unethical demand?


I work in IT, and my manager is trying to get my coworker and me to submit a falsified security scan to a client of ours. Basically, he wants us to modify and submit the results of a security scan that exclude vulnerabilities that were discovered during the scan. This is part of a larger project that we are working on for the client.



My manager reports directly to the company CEO, and the CEO himself is pressuring my manager to get this project done no matter what. The CEO doesn't care if corners are cut or there is anything unethical being done.



For me, the issue is very simple: I will not do what my manager is asking, as I find it to be highly unethical. Because this is part of a larger project, I have been working on other things in an attempt to give myself some time to figure out what to do. I am also trying to figure out how to best document what my manager is trying to get me to do, which brings me to my question.



So far, everything that my manager has asked me to do related to this has been spoken verbally. I have made several failed attempts to get him to put anything in writing. Yesterday, I asked him in writing what he wanted done with the security scans and he wrote back to me, "we already discussed this, you know what to do."



Because I will be putting my job on the line when I eventually have to tell my manager "no", I want to at least be able to document what my manager has asked me to do. I don't currently have any way to prove that he has even asked that I do something unethical. Is there a better approach that I can take? I am more concerned for my professional reputation than my job.










  • Could wikileaks send the scan results to the client... :)
    – Solar Mike, 18 hours ago

  • Are you supposed to provide it to him to pass along or do you send it directly to the client?
    – John Spiegel, 18 hours ago

  • Also, where are you located? There may be whistleblower protections that could help you.
    – David K, 18 hours ago

  • @it-guy You might find this page useful: California Whistleblower Protection Laws
    – David K, 18 hours ago

  • OP, this question is very similar to what you are facing; I think the answers there may also be helpful to you. workplace.stackexchange.com/questions/105378/…
    – Anthony, 14 hours ago

















Tags: ethics, documentation, california

asked 18 hours ago by it-guy; edited 47 mins ago by 200_success







5 Answers
He probably does not want to put the request in writing because he knows that can get subpoenaed later. I think there are two steps for you to take:



  1. Document what you have been asked to do. Write down the dates of these directives and these conversations to the best of your memory. You should also back up the email exchanges in which this request has been alluded to, even vaguely. Written-down accounts are not 100% bulletproof evidence, but they hold more sway than if you are just trying to remember it later.

  2. Inform your boss that you find what he is asking you to do to be unethical and you are unwilling to change the report or sign off on someone else changing the report (or whatever the case may be).

I feel for you being put into this situation, but you are doing the right thing in sticking by your ethics.






answered 18 hours ago by dbeer
  • Perhaps send a confirmatory email back to the boss. Re: Our discussion yesterday; you want me to X. Y. Z. Please confirm I have understood correctly?
    – Stewart, 13 hours ago

  • Is it possible that such emails help document things even if my manager doesn't respond?
    – it-guy, 11 hours ago

  • @it-guy Yes they help, even if they get no response - generally they will create logs, particularly time-stamped/etc. and are hard (but not impossible) to fake (would likely require the e-mail service owner to get involved) - plus they are easy to forward on to whomever when it gets escalated (boss's boss, lawyer, etc.) - and if the files are mysteriously purged, that doesn't look well either
    – user2813274, 10 hours ago

  • Depending on local laws you might be able to record his asking you verbally.
    – Loren Pechtel, 5 hours ago


















I am not a lawyer, but this seems to go beyond the ethical realm into a legal one.




I work in IT, and my manager is trying to get my coworker and I to submit a falsified security scan to a client of ours.




This sounds like fraud.



Contact a lawyer immediately to determine how best you can protect yourself, and to find out if you have done anything that makes you potentially liable.



A lawyer may tell you to resign immediately.



Documentation is fine, but do not make personal copies of client or company information, such as taking pictures on your phone, saving company email threads, or sending documents to a personal email account. If you have already done so, delete those immediately.



If your employer ends up getting found out (which I certainly hope is the case), your employer could retaliate by filing a lawsuit or criminal complaint against you (no matter how frivolous) based on your handling of company data.






  • A lawyer might not advise you to do the ethical thing. If it's safer legally for OP to ignore what's happening and leave, then that still leaves his employer's customers highly vulnerable to whatever the vulnerabilities allow.
    – forest, 6 hours ago

  • @forest my assumption is that a lawyer would be able to advise on how to safely be a whistleblower if that is what the OP wishes to do.
    – mcknz, 6 hours ago


















Dan and dbeer covered much of my first thoughts. Copy what pieces you can and manually log the rest. Some of this is risky, but I'm focused on your assertion you are willing to lose this job over this (and I applaud you for it).



You could also respond back to his noncommittal email with copies of the original result and a doctored draft with "DRAFT" watermarks and bcc a personal email.



"Per our discussion, here are the original and a draft of the scans with the redacted results." Assuming he verbally tells you that is what he wants and to send it (and maybe to stop emailing proof), at that point you are somewhat cornered into telling him you cannot comply with sending falsified scan results. If you want to salvage the relationship, a discussion around remediation plans might be in order. Most audits I've been involved in are more interested in truth followed by a plan to improve risks. But that may not hold here.



He may check email logs and know what you're up to. If so, he should also know you have documented his malfeasance. Hopefully that would give him pause before threatening to ruin you. He might do something like threatening you with some sort of NDA by sending yourself that email. Remember that's a desperation move. The only way he can prove it is by providing evidence that he's trying to defraud a client.






  • Emails are great so long as they aren't hosted by the company. It's common for a company to take over your email upon departure (or firing), so the OP's boss could easily log in and delete the email. So it's a good idea to export everything, at least once a week, to make sure you're at least covered, especially when someone is telling you to do something unethical. Nothing is stopping them from continuing their unethical behavior and gaining access to your email and deleting the appropriate items or even faking communications.
    – Dan, 16 hours ago

  • Also, if you aren't already, it might be a good idea to digitally sign your emails. That is 100% proof you sent it and something that can't be replicated by a bad actor unless they compromised everything you have.
    – Dan, 16 hours ago

  • Emailing info might protect the OP, but I would not send any company or client data to a personal email. This could violate an NDA or similar agreement. If you have a gmail account, for instance, the OP would essentially be hosting proprietary information via a third party.
    – mcknz, 16 hours ago

  • @mcknz That's definitely a consideration. IANAL, but personally, I'd be willing to pit that risk against willful fraud.
    – John Spiegel, 15 hours ago


















I can speak to part of this from my experience as an infosec coordinator at a SaaS business. (I can't speak to all of it, because my employer has a culture of compliance; our executives would never play this game.)



  1. In most cases these requests come from a part of the customer's business who are simply checking boxes before signing off on new vendors. On cynical days I think they just weigh these reports, or wordcount them.


  2. It's sometimes possible to submit a truthful scan to a customer if you include an explanation and a remediation plan. Many customers will accept that, and it will boost your credibility: corporate infosec people like transparency. (They will follow up to make sure you remediated the situation, however.)


  3. It's perfectly reasonable to send just a summary of a scan to a customer; the details of your systems and vulnerabilities are actually nobody's business but yours, and disclosing them increases your attack surface.


  4. I suppose it's possible to submit a fake scan to a customer to get the business. But you'd be wise to prepare a remediation plan and ask your boss to agree to implementing it if you do that.


If you do send a fake scan, and then some cybercreep successfully attacks you, what could happen? Unless you are in health care, I suppose the worst-case scenario is Equifax: disastrous publicity for your customer and you. Or your owner could send your CTO onto Fox News to lie about it, like they did when Panera had a breach. But it probably won't be that bad.



If you are a health-care HIPAA associated business entity and you have patient data, and it leaks, and somebody was negligent, that is a crime that pierces the corporate veil, meaning individuals can be criminally liable and can't hide behind an LLC. In that case you'd be wise to refuse to sign off.



Look, it's a pain in the ...neck to work for a company that doesn't have a culture of compliance. You know that. But, it's possible to use this as an excuse to start pushing for change in your company. My suggestion number 4 might be a way to get that going.



The right question for you, and for your executives, is "how can we make our customers' data safer?" Compromising about this just might get you further along that path. Just something to think about.



If you do compromise, I suggest you write a "memo to file" describing the situation, and the instructions given to you, and your actions. Print it out and take it home. It's just for you, not for your executives or colleagues. It will help you remember exactly who said what and when if you have to describe this incident a few years from now.






  • +1 for mentioning a compromise solution. I like how it's not directly confrontational but at the same time can be used for future action. As an InfoSec professional myself, I know full well sometimes the best solution may not be the ideal.
    – Anthony, 14 hours ago

  • The remediation plan for committing fraud might be to make sure you have enough to post bail.
    – mcknz, 14 hours ago

  • In reality, attacking people—playing the unethical card—is not a very effective way of getting them to change. And anybody who reads the news can see that getting people to change is really hard, and really urgent.
    – O. Jones, 9 hours ago


















My thought is, if you have the original scans and the modified scans, then simply burn the actual scans to a CD and drop it in the mail to the company. Include an encrypted text file with a code phrase that identifies it to you. If you ever need to go on the stand, so to speak, you can describe what is in that encrypted text file so you'll have standing. It's also great if your boss throws you under the bus in front of the company, and you can say you included an encrypted file with a code phrase only you'd know. I think that is the best approach in terms of insurance. Otherwise I think your boss and his bosses can make up whatever they like and you have virtually no proof, especially if they told you verbally.






  • I am not a lawyer. I agree with the spirit of this answer, but I think the OP could potentially get in trouble for unauthorized release of company information, even if it's for a good cause. Better to get legal advice.
    – mcknz, 17 hours ago

  • Good point about release of information, but that is information that is supposed to go to the client; whether it should go prior to being "doctored" or not is a different question...
    – Solar Mike, 17 hours ago

  • @SolarMike I would assume that to be the case, and that the OP would hopefully be protected because of that fact, but the law is weird and not always fair.
    – mcknz, 17 hours ago

  • @mcknz oh yes, "a man is innocent until proven broke"...
    – Solar Mike, 17 hours ago











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "423"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: false,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fworkplace.stackexchange.com%2fquestions%2f137131%2fboss-wants-me-to-falsify-a-report-how-should-i-document-this-unethical-demand%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown




















StackExchange.ready(function ()
$("#show-editor-button input, #show-editor-button button").click(function ()
var showEditor = function()
$("#show-editor-button").hide();
$("#post-form").removeClass("dno");
StackExchange.editor.finallyInit();
;

var useFancy = $(this).data('confirm-use-fancy');
if(useFancy == 'True')
var popupTitle = $(this).data('confirm-fancy-title');
var popupBody = $(this).data('confirm-fancy-body');
var popupAccept = $(this).data('confirm-fancy-accept-button');

$(this).loadPopup(
url: '/post/self-answer-popup',
loaded: function(popup)
var pTitle = $(popup).find('h2');
var pBody = $(popup).find('.popup-body');
var pSubmit = $(popup).find('.popup-submit');

pTitle.text(popupTitle);
pBody.html(popupBody);
pSubmit.val(popupAccept).click(showEditor);

)
else
var confirmText = $(this).data('confirm-text');
if (confirmText ? confirm(confirmText) : true)
showEditor();


);
);






5 Answers
5






active

oldest

votes








5 Answers
5






active

oldest

votes









active

oldest

votes






active

oldest

votes









48














He probably does not want to put the request in writing because he knows that can get subpoenaed later. I think there are two steps for you to take:



  1. Document what you have been asked to do. Write down the dates of these directives and these conversations to the best of your memory. You should also backup the email exchanges this request has been alluded to, even vaguely. Written down accounts are not 100% bulletproof evidence, but it holds more sway than if you are just trying to remember it later.

  2. Inform your boss that you find what he is asking you to do to be unethical and you are unwilling to change the report or sign off on someone else changing the report (or whatever the case may be).

I feel for you being put into this situation, but you are doing the right thing in sticking by your ethics.






share|improve this answer


















  • 17





    Perhaps send a confirmatory email back to the boss. Re: Our discussion yesterday; you want me to X. Y. Z. Please confirm I have understood correctly?

    – Stewart
    13 hours ago











  • Is it possible that such emails help document things even if my manager doesn't respond?

    – it-guy
    11 hours ago






  • 5





    @it-guy Yes they help, even if they get no response - generally they will create logs, particularly time-stamped/etc. and are hard (but not impossible) to fake (would likely require the e-mail service owner to get involved) - plus they are easy to forward on to whomever when it gets escalated (boss's boss, lawyer, etc.) - and if the files are mysteriously purged, that doesn't look well either

    – user2813274
    10 hours ago







  • 1





    Depending on local laws you might be able to record his asking you verbally.

    – Loren Pechtel
    5 hours ago















48














He probably does not want to put the request in writing because he knows that can get subpoenaed later. I think there are two steps for you to take:



  1. Document what you have been asked to do. Write down the dates of these directives and these conversations to the best of your memory. You should also backup the email exchanges this request has been alluded to, even vaguely. Written down accounts are not 100% bulletproof evidence, but it holds more sway than if you are just trying to remember it later.

  2. Inform your boss that you find what he is asking you to do to be unethical and you are unwilling to change the report or sign off on someone else changing the report (or whatever the case may be).

I feel for you being put into this situation, but you are doing the right thing in sticking by your ethics.






share|improve this answer


















  • 17





    Perhaps send a confirmatory email back to the boss. Re: Our discussion yesterday; you want me to X. Y. Z. Please confirm I have understood correctly?

    – Stewart
    13 hours ago











  • Is it possible that such emails help document things even if my manager doesn't respond?

    – it-guy
    11 hours ago






  • 5





    @it-guy Yes they help, even if they get no response - generally they will create logs, particularly time-stamped/etc. and are hard (but not impossible) to fake (would likely require the e-mail service owner to get involved) - plus they are easy to forward on to whomever when it gets escalated (boss's boss, lawyer, etc.) - and if the files are mysteriously purged, that doesn't look well either

    – user2813274
    10 hours ago







  • 1





    Depending on local laws you might be able to record his asking you verbally.

    – Loren Pechtel
    5 hours ago


























16














I am not a lawyer, but this seems to go beyond the ethical realm into a legal one.

    I work in IT, and my manager is trying to get my coworker and I to submit a falsified security scan to a client of ours.

This sounds like fraud.

Contact a lawyer immediately to determine how best you can protect yourself, and to find out if you have done anything that makes you potentially liable.

A lawyer may tell you to resign immediately.

Documentation is fine, but do not make personal copies of client or company information, such as taking pictures on your phone, saving company email threads, or sending documents to a personal email account. If you have already done so, delete those immediately.

If your employer ends up getting found out (which I certainly hope is the case), your employer could retaliate by filing a lawsuit or criminal complaint against you (no matter how frivolous) based on your handling of company data.

answered 16 hours ago by mcknz

  • A lawyer might not advise you to do the ethical thing. If it's safer legally for OP to ignore what's happening and leave, then that still leaves his employer's customers highly vulnerable to whatever the vulnerabilities allow.
    – forest, 6 hours ago

  • 2
    @forest my assumption is that a lawyer would be able to advise on how to safely be a whistleblower if that is what the OP wishes to do.
    – mcknz, 6 hours ago












3














Dan and dbeer covered much of my first thoughts. Copy what pieces you can and manually log the rest. Some of this is risky, but I'm focused on your assertion you are willing to lose this job over this (and I applaud you for it).

You could also respond back to his noncommittal email with copies of the original result and a doctored draft with "DRAFT" watermarks and bcc a personal email.

"Per our discussion, here are the original and a draft of the scans with the redacted results." Assuming he verbally tells you that is what he wants and to send it (and maybe to stop emailing proof), at that point you are somewhat cornered into telling him you cannot comply with sending falsified scan results. If you want to salvage the relationship, a discussion around remediation plans might be in order. Most audits I've been involved in are more interested in truth followed by a plan to improve risks. But that may not hold here.

He may check email logs and know what you're up to. If so, he should also know you have documented his malfeasance. Hopefully that would give him pause before threatening to ruin you. He might do something like threatening you with some sort of NDA by sending yourself that email. Remember that's a desperation move. The only way he can prove it is by providing evidence that he's trying to defraud a client.

answered 17 hours ago by John Spiegel

  • Emails are great so long as they aren't hosted by the company. It's common for a company to take over your email upon departure (or firing), so the OP's boss could easily log in and delete the email. So it's a good idea to export everything, at least once a week, to make sure you're at least covered, especially when someone is telling you to do something unethical. Nothing is stopping them from continuing their unethical behavior, gaining access to your email and deleting the appropriate items or even faking communications.
    – Dan, 16 hours ago

  • 1
    Also, if you aren't already, it might be a good idea to digitally sign your emails. That is 100% proof you sent it and something that can't be replicated by a bad actor unless they compromised everything you have.
    – Dan, 16 hours ago

  • 1
    Emailing info might protect the OP, but I would not send any company or client data to a personal email. This could violate an NDA or similar agreement. If you have a gmail account, for instance, the OP would essentially be hosting proprietary information via a third party.
    – mcknz, 16 hours ago

  • @mcknz That's definitely a consideration. IANAL, but personally, I'd be willing to pit that risk against willful fraud.
    – John Spiegel, 15 hours ago
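Dan's suggestion above to digitally sign e-mail rests on what a signature actually proves, so here is an added example (not code from the thread or from any commenter). It uses Go's standard-library Ed25519 in place of the S/MIME or OpenPGP signing a mail client would do, over a constructed memo text, and shows that the signature verifies only for the exact text and only under the signer's public key: a record edited after the fact, or one signed with some other key, fails verification. What a signature does not prove is when it was made, and a leaked private key removes the guarantee entirely, which is the "unless they compromised everything you have" caveat in the comment. Whoever later verifies the record must already hold a trusted copy of the public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedRecord pairs the text of a memo or e-mail body with a detached
// Ed25519 signature over it. Constructed for this example.
type SignedRecord struct {
	Body      string
	Signature []byte
}

// SignRecord produces a detached signature over body with the author's private key.
func SignRecord(priv ed25519.PrivateKey, body string) SignedRecord {
	return SignedRecord{Body: body, Signature: ed25519.Sign(priv, []byte(body))}
}

// VerifyRecord reports whether body and signature still match under pub.
func VerifyRecord(pub ed25519.PublicKey, rec SignedRecord) bool {
	return ed25519.Verify(pub, []byte(rec.Body), rec.Signature)
}

// TamperDemo exercises the three cases that matter for a signed record:
// the untouched record, a record whose text was edited after signing, and a
// record signed with somebody else's key. It returns the verification result
// for each, in that order.
func TamperDemo() (okOriginal, okAltered, okForged bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample memo text; the date and wording are illustrative only.
	memo := "2019-05-21 10:15: Manager asked verbally to remove findings X and Y from the client scan report before sending."
	rec := SignRecord(priv, memo)
	okOriginal = VerifyRecord(pub, rec)

	// Someone with mailbox access rewrites the stored text. The signature was
	// computed over the original bytes, so it no longer matches.
	altered := rec
	altered.Body = "2019-05-21 10:15: Manager asked to double-check findings X and Y before sending."
	okAltered = VerifyRecord(pub, altered)

	// A signature made with a different private key does not verify under the
	// author's public key, so a forged "copy" of the memo is detectable.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	forged := SignRecord(otherPriv, memo)
	okForged = VerifyRecord(pub, forged)

	return okOriginal, okAltered, okForged
}

func main() {
	a, b, c := TamperDemo()
	fmt.Printf("original verifies: %v\naltered body verifies: %v\nother-key signature verifies: %v\n", a, b, c)
}
```

Ed25519 here stands in for whatever the mail client offers; the property demonstrated is the same. Keeping the public key somewhere the signer does not control (for example giving it to the person who will eventually need to check the records) is what makes the later check meaningful.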


























0














I can speak to part of this from my experience as an infosec coordinator at a SaaS business. (I can't speak to all of it, because my employer has a culture of compliance; our executives would never play this game.)

  1. In most cases these requests come from a part of the customer's business who are simply checking boxes before signing off on new vendors. On cynical days I think they just weigh these reports, or wordcount them.

  2. It's sometimes possible to submit a truthful scan to a customer if you include an explanation and a remediation plan. Many customers will accept that, and it will boost your credibility: corporate infosec people like transparency. (They will follow up to make sure you remediated the situation, however.)

  3. It's perfectly reasonable to send just a summary of a scan to a customer; the details of your systems and vulnerabilities are actually nobody's business but yours, and disclosing them increases your attack surface.

  4. I suppose it's possible to submit a fake scan to a customer to get the business. But you'd be wise to prepare a remediation plan and ask your boss to agree to implementing it if you do that.

If you do send a fake scan, and then some cybercreep successfully attacks you, what could happen? Unless you are in health care, I suppose the worst-case scenario is Equifax: disastrous publicity for your customer and you. Or your owner could send your CTO onto Fox News to lie about it, like they did when Panera had a breach. But it probably won't be that bad.

If you are a health-care HIPAA associated business entity and you have patient data, and it leaks, and somebody was negligent, that is a crime that pierces the corporate veil, meaning individuals can be criminally liable and can't hide behind an LLC. In that case you'd be wise to refuse to sign off.

Look, it's a pain in the ...neck to work for a company that doesn't have a culture of compliance. You know that. But, it's possible to use this as an excuse to start pushing for change in your company. My suggestion number 4 might be a way to get that going.

The right question for you, and for your executives, is "how can we make our customers' data safer?" Compromising about this just might get you further along that path. Just something to think about.

If you do compromise, I suggest you write a "memo to file" describing the situation, and the instructions given to you, and your actions. Print it out and take it home. It's just for you, not for your executives or colleagues. It will help you remember exactly who said what and when if you have to describe this incident a few years from now.

  • 1
    +1 for mentioning a compromise solution. I like how it's not directly confrontational but at the same time can be used for future action. As an InfoSec professional myself, I know full well that sometimes the best solution may not be the ideal one.
    – Anthony, 14 hours ago

  • The remediation plan for committing fraud might be to make sure you have enough to post bail.
    – mcknz, 14 hours ago

  • In reality, attacking people—playing the unethical card—is not a very effective way of getting them to change. And anybody who reads the news can see that getting people to change is really hard, and really urgent.
    – O. Jones, 9 hours ago















0














I can speak to part of this from my experience as an infosec coordinator at a SaaS business. (I can't speak to all of it, because my employer has a culture of compliance; our executives would never play this game.)



  1. In most cases these requests come from a part of the customer's business who are simply checking boxes before signing off on new vendors. On cynical days I think they just weigh these reports, or wordcount them.


  2. It's sometimes possible to submit a truthful scan to a customer if you include an explanation and a remediation plan. Many customers will accept that, and it will boost your credibility: corporate infosec people like transparency. (They will follow up to make sure you remediated the situation, however.)


  3. It's perfectly reasonable to send just a summary of a scan to a customer; the details of your systems and vulnerabilities are actually nobody's business but yours, and disclosing them increases your attack surface.


I can speak to part of this from my experience as an infosec coordinator at a SaaS business. (I can't speak to all of it, because my employer has a culture of compliance; our executives would never play this game.)

  1. In most cases these requests come from a part of the customer's business who are simply checking boxes before signing off on new vendors. On cynical days I think they just weigh these reports, or word-count them.

  2. It's sometimes possible to submit a truthful scan to a customer if you include an explanation and a remediation plan. Many customers will accept that, and it will boost your credibility: corporate infosec people like transparency. (They will follow up to make sure you remediated the situation, however.)

  3. It's perfectly reasonable to send just a summary of a scan to a customer; the details of your systems and vulnerabilities are actually nobody's business but yours, and disclosing them increases your attack surface.

  4. I suppose it's possible to submit a fake scan to a customer to get the business. But you'd be wise to prepare a remediation plan and ask your boss to agree to implementing it if you do that.

If you do send a fake scan, and then some cybercreep successfully attacks you, what could happen? Unless you are in health care, I suppose the worst-case scenario is Equifax: disastrous publicity for your customer and you. Or your owner could send your CTO onto Fox News to lie about it, like they did when Panera had a breach. But it probably won't be that bad.

If you are a health-care HIPAA-associated business entity and you have patient data, and it leaks, and somebody was negligent, that is a crime that pierces the corporate veil, meaning individuals can be criminally liable and can't hide behind an LLC. In that case you'd be wise to refuse to sign off.

Look, it's a pain in the ...neck to work for a company that doesn't have a culture of compliance. You know that. But it's possible to use this as an excuse to start pushing for change in your company. My suggestion number 4 might be a way to get that going.

The right question for you, and for your executives, is "how can we make our customers' data safer?" Compromising about this just might get you further along that path. Just something to think about.

If you do compromise, I suggest you write a "memo to file" describing the situation, the instructions given to you, and your actions. Print it out and take it home. It's just for you, not for your executives or colleagues. It will help you remember exactly who said what and when if you have to describe this incident a few years from now.






answered 16 hours ago









O. Jones







  • +1 for mentioning a compromise solution. I like how it's not directly confrontational but at the same time can be used for future action. As an InfoSec professional myself, I know full well sometimes the best solution may not be the ideal.

    – Anthony
    14 hours ago

  • The remediation plan for committing fraud might be to make sure you have enough to post bail.

    – mcknz
    14 hours ago

  • In reality, attacking people—playing the unethical card—is not a very effective way of getting them to change. And anybody who reads the news can see that getting people to change is really hard, and really urgent.

    – O. Jones
    9 hours ago


My thought is if you have the original scans and the modified scans, then simply burn the actual scans to a CD and drop it in the mail to the company. Include an encrypted text file with a code phrase that identifies it to you. If you ever need to go on the stand, so to speak, you can describe what is in that encrypted text file so you'll have a standing. It's also great if your boss throws you under the bus in front of the company, and you can say you included an encrypted file with a code phrase only you'd know. I think that is the best approach in terms of insurance. Otherwise I think your boss and his bosses can make up whatever they like and you have virtually no proof, especially if they told you verbally.






  • I am not a lawyer. I agree with the spirit of this answer, but I think the OP could potentially get in trouble for unauthorized release of company information, even if it's for a good cause. Better to get legal advice.

    – mcknz
    17 hours ago

  • Good point about release of information, but that is information that is supposed to go to the client; whether it should go prior to being "doctored" or not is a different question...

    – Solar Mike
    17 hours ago

  • @SolarMike I would assume that to be the case, and that the OP would hopefully be protected because of that fact, but the law is weird and not always fair.

    – mcknz
    17 hours ago

  • @mcknz oh yes, "a man is innocent until proven broke"...

    – Solar Mike
    17 hours ago














edited 18 hours ago

answered 18 hours ago









Dan






