Sounds like it's time for an anonymous tip to the state....

On Sat, Feb 23, 2008 at 8:58 AM, Joe Heaton <[EMAIL PROTECTED]> wrote:

> I agree with everything you've said Martin, but you forget who I work for.
> I work for the state, which means that I use whatever "tool" they choose,
> including this homegrown, insecure spreadsheet. I'm just trying to put as
> much security on it as I can, and I think that in my limited ability to make
> change, the drop folder is going to be the way to go. As I mentioned in my
> original post, the timesheets are not just an internal thing. They are sent
> to another state agency to actually get the paychecks processed and printed,
> so using a 3rd party application doesn't work, one because it's not "what
> the state uses", and two, because the other agency would have to accept it,
> and be able to work with it. Believe me, I'm not defending how things are
> done, I'm simply a pained cog in the works...
>
> Joe Heaton
>
> -----Original Message-----
> From: Martin Blackstone [mailto:[EMAIL PROTECTED]
> Sent: Saturday, February 23, 2008 8:40 AM
> To: NT System Admin Issues
> Subject: RE: Handling of confidential files
>
> Frankly the whole process is lame and fraught with danger.
> First off, there is zero acceptable reason for having to put the SSN in the
> spreadsheet at all.
> HR and payroll processing should already have that data and hopefully in a
> secure location or a secure DB. Any even halfway decent payroll application
> should have all pertinent employee data required to process payment already
> in place. Any employee should and could rightfully decline to put that
> information in an email.
> As for the JPG signatures, once again, lazy and inappropriate. I don't want
> my signature flying all over the email space going who knows where. An email
> saying "I approve" is as likely to stand up in any court just as easily as a
> jpg signature. Considering the route the signature takes and the people
> having access to it, one could argue that someone just stole the file and
> forged my timesheet.
> Here is a scenario.
> I give you, my manager, my timesheet with my jpg sig. You
> then change my timesheet (deducting hours) and pass it on. What good is that
> signature now? Sure, it has my name on it, but you changed it and nobody can
> really prove it. Of course the file will show it was changed, but it would
> have shown that anyway since you put your signature in it.
>
> No offense intended Joe, but this whole process is nothing but dangerous and
> ineffective. Dangerous to staff and the business as well and has left you
> open to substantial risk (see Salvador's comment regarding CA laws).
>
> There are dozens if not hundreds of available online timesheet applications.
> I'll bet even some open source ones that could be used to process the whole
> thing. It would not most likely be more secure, but more effective, save
> time, and give you great records keeping. This isn't reinventing the wheel.
>
> -----Original Message-----
> From: Tim Evans [mailto:[EMAIL PROTECTED]
> Sent: Saturday, February 23, 2008 8:10 AM
> To: NT System Admin Issues
> Subject: RE: Handling of confidential files
>
> Actually, the newer versions of Excel (2003 & 2007) have pretty good
> encryption routines for the spreadsheet itself. VBA protection sucks. Of
> course, you have to choose a good password for it to do any good.
>
> ...Tim
>
> > -----Original Message-----
> > From: Matt Plahtinsky [mailto:[EMAIL PROTECTED]
> > Sent: Friday, February 22, 2008 5:10 PM
> > To: NT System Admin Issues
> > Subject: Re: Handling of confidential files
> >
> > Ss# and email = ss# getting owned.
> > Password protected .xls is like WEP on wireless. It's only going to
> > stop casual snoop. My boss had me break a .xls password last week.
> > Took less than 30 seconds to break.
> >
> > Matt
> >
> > On 2/22/08, Durf <[EMAIL PROTECTED]> wrote:
> > > You want a "drop" folder:
> > >
> > > http://technet2.microsoft.com/windowsserver/en/library/86987829-3f74-412f-abb8-c8b22b07257d1033.mspx?mfr=true
> > >
> > > -- Durf
> > >
> > > On Fri, Feb 22, 2008 at 3:21 PM, Joe Heaton <[EMAIL PROTECTED]> wrote:
> > >
> > > > I need some alternatives to a specific process. The process in question
> > > > is timesheets. Our timesheets are Excel spreadsheets, which are processed
> > > > as follows:
> > > >
> > > > 1) All timesheets are located in the user's home folder. At the end of
> > > > the month, the user goes in, updates for the current month, copies a .jpg of
> > > > their signature onto the current month's sheet, and forwards the timesheet
> > > > to their manager via e-mail attachment.
> > > > 2) The manager opens the timesheets for their employees, verifies it, and
> > > > copies a .jpg of their signature onto the current month's sheet, and
> > > > forwards the timesheets to a specific admin employee, via e-mail
> > > > attachments.
> > > > 3) The admin employee takes the attachments, and copies them into
> > > > a folder on a server, from which the timesheets are then "processed" and
> > > > sent to another agency, to be further processed for paycheck issuance.
> > > >
> > > > My question to my boss, is why can't we just have the managers move the
> > > > timesheets for their employees into the folder on the server, instead of
> > > > e-mailing them a second time. In fact, we could have all processing done
> > > > within that folder to begin with, without having to e-mail the files
> > > > anywhere.
> > > >
> > > > The issue that comes up, is how to prevent someone from another department
> > > > from opening someone else's timesheet. The big concern there is that the
> > > > timesheets not only contain .jpgs of people's signatures, but also contain
> > > > SSNs.
> > > >
> > > > My thought is to set permissions on the folder so that people can place
> > > > files there, but not be able to open them once they are there. Is that
> > > > possible with NTFS rights? I will do research on it, but I'm hoping that
> > > > someone has already run into this type of issue and has an answer already.
> > > >
> > > > Thanks,
> > > >
> > > > Joe Heaton
> > > > AISA
> > > > Employment Training Panel
> > > > 1100 J Street, 4th Floor
> > > > Sacramento, CA 95814
> > > > (916) 327-5276
> > > > [EMAIL PROTECTED]
> > >
> > > --
> > > --------------
> > > Give a man a fish, and he'll eat for a day.
> > > Give a fish a man, and he'll eat for weeks!
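The drop-folder permissions asked about in the original post, as an added example that is not part of the thread: a PowerShell sketch that lets a submitters group create files in the folder without being able to list or open them, while a processing group keeps Modify on the contents. The path and both group names are placeholders (assumptions); the OWNER RIGHTS entry (SID S-1-3-4) requires Windows Vista / Server 2008 or later.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal
# Added example. $Path and both group names are placeholders (assumptions).
# Run elevated on the file server.
$Path       = 'D:\Timesheets\Drop'
$Submitters = 'EXAMPLE\Timesheet-Submitters'   # employees and managers
$Processors = 'EXAMPLE\Payroll-Processors'     # staff who process the sheets

function New-Ace {
    param([string]$Id, [FileSystemRights]$Rights,
          [InheritanceFlags]$Inherit, [PropagationFlags]$Propagate)
    # Well-known principals are passed as SIDs so the script is locale-independent.
    $who = if ($Id -like 'S-1-*') { [SecurityIdentifier]$Id } else { [NTAccount]$Id }
    [FileSystemAccessRule]::new($who, $Rights, $Inherit, $Propagate,
                                [AccessControlType]::Allow)
}

New-Item -ItemType Directory -Path $Path -Force | Out-Null
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, discard inherited ACEs
@($acl.Access) | ForEach-Object { [void]$acl.RemoveAccessRule($_) }  # drop explicit ACEs

$rules = @(
    # This folder only: enter it and create files, but no listing, no reading.
    (New-Ace $Submitters 'CreateFiles, Traverse, ReadAttributes' 'None' 'None'),
    # Files only: an OWNER RIGHTS ACE replaces the owner's implicit
    # READ_CONTROL/WRITE_DAC, so a submitter cannot re-grant themselves access.
    (New-Ace 'S-1-3-4' 'ReadAttributes' 'ObjectInherit' 'InheritOnly'),
    # Processors work on everything that lands in the folder.
    (New-Ace $Processors 'Modify' 'ContainerInherit, ObjectInherit' 'None'),
    # Administrators and SYSTEM keep control so the folder stays manageable.
    (New-Ace 'S-1-5-32-544' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'),
    (New-Ace 'S-1-5-18'     'FullControl' 'ContainerInherit, ObjectInherit' 'None')
)
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path $Path -AclObject $acl

# Check the result: no ACE for the submitters group may carry ReadData
# (on a directory that same bit is ListDirectory).
$leak = (Get-Acl -Path $Path).Access | Where-Object {
    $_.IdentityReference.Value -eq $Submitters -and
    ($_.FileSystemRights -band [FileSystemRights]::ReadData)
}
if ($leak) { Write-Warning 'Submitters can read or list the drop folder' }
else       { 'Drop folder ACL applied: submitters are create-only' }
```

With this ACL a submitter cannot re-open or overwrite a file once it has been dropped, so test it against the way users actually copy or save the workbook into the folder.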
