I agree with everything you've said Martin, but you forget who I work for.  I 
work for the state, which means that I use whatever "tool" they choose, 
including this homegrown, insecure spreadsheet.  I'm just trying to put as much 
security on it as I can, and I think that in my limited ability to make change, 
the drop folder is going to be the way to go.  As I mentioned in my original 
post, the timesheets are not just an internal thing.  They are sent to another 
state agency to actually get the paychecks processed and printed, so using a 
3rd party application doesn't work, one because it's not "what the state uses", 
and two, because the other agency would have to accept it, and be able to work 
with it.  Believe me, I'm not defending how things are done, I'm simply a 
pained cog in the works...

Joe Heaton
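
The drop-folder permissions discussed in this thread (people can place files but cannot list or open what is there), sketched in PowerShell as an added example that is not part of any poster's message. The path, the two group names and the exact rights given to submitters are assumptions to adjust and test in your own environment.

```powershell
# Added example. Path and group names are hypothetical placeholders.
$DropPath   = 'D:\Timesheets\Drop'            # assumed location on the file server
$Submitters = 'EXAMPLE\Timesheet-Submitters'  # assumed group: employees and managers
$Processors = 'EXAMPLE\Timesheet-Admins'      # assumed group: staff who process the files

# Build an Allow ACE; rights and inheritance are given as enum name strings.
function New-Ace($Identity, $Rights, $Inherit) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, 'None', 'Allow')
}

New-Item -ItemType Directory -Path $DropPath -Force | Out-Null
$acl = Get-Acl -Path $DropPath

# Cut inheritance from the parent and start from an empty DACL, so no
# inherited Users or CREATOR OWNER entry survives on the drop folder.
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

# Processing staff and the OS: this folder, subfolders and files.
$all = 'ContainerInherit,ObjectInherit'
$acl.AddAccessRule((New-Ace $Processors 'Modify' $all))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' $all))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' $all))

# Submitters: may add files and pass through, on this folder only.
# No ListDirectory/ReadData, and nothing inherits onto the files themselves,
# so a submitter cannot browse the folder or open a colleague's timesheet.
$acl.AddAccessRule((New-Ace $Submitters 'CreateFiles,Traverse,ReadAttributes' 'None'))

Set-Acl -Path $DropPath -AclObject $acl

# Re-read the ACL from disk and fail loudly if the submitter entry can read
# or list, or if it would be inherited by files placed in the folder.
$R = [System.Security.AccessControl.FileSystemRights]
$bad = (Get-Acl -Path $DropPath).Access | Where-Object {
    $_.IdentityReference.Value -eq $Submitters -and
    ( $_.InheritanceFlags.ToString() -ne 'None' -or
      [int]($_.FileSystemRights -band $R::ReadData) -ne 0 )
}
if ($bad) { throw "Submitters ACE on $DropPath allows read/list or inherits to files" }
```

If the folder is reached over a share, the share permissions must also allow the submitters to write. The person who drops a file remains its owner, so this keeps other people out of a timesheet rather than its author.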

-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED] 
Sent: Saturday, February 23, 2008 8:40 AM
To: NT System Admin Issues
Subject: RE: Handling of confidential files

Frankly the whole process is lame and fraught with danger.
First off, there is zero acceptable reason for having to put the SSN in the
spreadsheet at all.
HR and payroll processing should already have that data and hopefully in a
secure location or a secure DB. Any even halfway decent payroll application
should have all pertinent employee data required to process payment already
in place. Any employee should and could rightfully decline to put that
information in an email.
As for the JPG signatures, once again, lazy and inappropriate. I don't want
my signature flying all over the email space going who knows where. An email
saying "I approve" is as likely to stand up in any court just as easily as a
jpg signature. Considering the route the signature takes and the people
having access to it, one could argue that someone just stole the file and
forged my timesheet.
Here is a scenario. I give you, my manager, my timesheet with my jpg sig. You
then change my timesheet (deducting hours) and pass it on. What good is that
signature now? Sure, it has my name on it, but you changed it and nobody can
really prove it. Of course the file will show it was changed, but it would
have shown that anyway since you put your signature in it.

No offense intended Joe, but this whole process is nothing but dangerous and
ineffective. Dangerous to staff and the business as well and has left you
open to substantial risk (see Salvador's comment regarding CA laws).

There are dozens if not hundreds of available online timesheet applications.
I'll bet even some open source ones that could be used to process the whole
thing. It would not most likely be more secure, but more effective, save
time, and give you great records keeping.  This isn't reinventing the wheel.

-----Original Message-----
From: Tim Evans [mailto:[EMAIL PROTECTED] 
Sent: Saturday, February 23, 2008 8:10 AM
To: NT System Admin Issues
Subject: RE: Handling of confidential files

Actually, the newer versions of Excel (2003 & 2007) have pretty good
encryption routines for the spreadsheet itself. VBA protection sucks. Of
course, you have to choose a good password for it to do any good.

...Tim


> -----Original Message-----
> From: Matt Plahtinsky [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 22, 2008 5:10 PM
> To: NT System Admin Issues
> Subject: Re: Handling of confidential files
> 
> Ss# and email = ss# getting owned.
> Password protected .xls is like wep on wireless. It's only going to
> stop a casual snoop.  My boss had me break a .xls password last week.
> Took less than 30 seconds to break.
> 
> Matt
> 
> 
> 
> On 2/22/08, Durf <[EMAIL PROTECTED]> wrote:
> > You want a "drop" folder:
> >
> >
> > http://technet2.microsoft.com/windowsserver/en/library/86987829-3f74-412f-abb8-c8b22b07257d1033.mspx?mfr=true
> >
> > -- Durf
> >
> > On Fri, Feb 22, 2008 at 3:21 PM, Joe Heaton <[EMAIL PROTECTED]> wrote:
> >
> > > I need some alternatives to a specific process.  The process in
> > > question is timesheets.  Our timesheets are Excel spreadsheets,
> > > which are processed as follows:
> > >
> > > 1)  All timesheets are located in the user's home folder.  At the
> > > end of the month, the user goes in, updates for the current month,
> > > copies a .jpg of their signature onto the current month's sheet,
> > > and forwards the timesheet to their manager via e-mail attachment.
> > > 2)  The manager opens the timesheets for their employees, verifies
> > > it, and copies a .jpg of their signature onto the current month's
> > > sheet, and forwards the timesheets to a specific admin employee,
> > > via e-mail attachments.
> > > 3)  The admin employee takes the attachments, and copies them into
> > > a folder on a server, from which the timesheets are then
> > > "processed" and sent to another agency, to be further processed
> > > for paycheck issuance.
> > >
> > >
> > > My question to my boss, is why can't we just have the managers
> > > move the timesheets for their employees into the folder on the
> > > server, instead of e-mailing them a second time.  In fact, we
> > > could have all processing done within that folder to begin with,
> > > without having to e-mail the files anywhere.
> > >
> > > The issue that comes up, is how to prevent someone from another
> > > department from opening someone else's timesheet.  The big concern
> > > there is that the timesheets not only contain .jpgs of people's
> > > signatures, but also contain SSNs.
> > >
> > > My thought is to set permissions on the folder so that people can
> > > place files there, but not be able to open them once they are
> > > there.  Is that possible with NTFS rights?  I will do research on
> > > it, but I'm hoping that someone has already run into this type of
> > > issue and has an answer already.
> > >
> > > Thanks,
> > >
> > > Joe Heaton
> > > AISA
> > > Employment Training Panel
> > > 1100 J Street, 4th Floor
> > > Sacramento, CA  95814
> > > (916) 327-5276
> > > [EMAIL PROTECTED]
> > >
> > >
> > >
> >
> >
> > --
> > --------------
> > Give a man a fish, and he'll eat for a day.
> > Give a fish a man, and he'll eat for weeks!
> >
> > ~ Upgrade to Next Generation Antispam/Antivirus with Ninja!    ~
> > ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~
> 
