Considering government agencies aren't even supposed to use SSN as an identifier in the state of CA...

On 2/23/08 3:53 PM, "Don Ely" <[EMAIL PROTECTED]> wrote:

> Sounds like it's time for an anonymous tip to the state....
>
> On Sat, Feb 23, 2008 at 8:58 AM, Joe Heaton <[EMAIL PROTECTED]> wrote:
>> I agree with everything you've said Martin, but you forget who I work for. I work for the state, which means that I use whatever "tool" they choose, including this homegrown, insecure spreadsheet. I'm just trying to put as much security on it as I can, and I think that in my limited ability to make change, the drop folder is going to be the way to go. As I mentioned in my original post, the timesheets are not just an internal thing. They are sent to another state agency to actually get the paychecks processed and printed, so using a 3rd party application doesn't work, one because it's not "what the state uses", and two, because the other agency would have to accept it, and be able to work with it. Believe me, I'm not defending how things are done, I'm simply a pained cog in the works...
>>
>> Joe Heaton
>>
>> -----Original Message-----
>> From: Martin Blackstone [mailto:[EMAIL PROTECTED]
>> Sent: Saturday, February 23, 2008 8:40 AM
>> To: NT System Admin Issues
>> Subject: RE: Handling of confidential files
>>
>> Frankly the whole process is lame and wrought with danger.
>> First off, there is zero acceptable reason for having to put the SSN in the spreadsheet at all.
>> HR and payroll processing should already have that data and hopefully in a secure location or a secure DB. Any even halfway decent payroll application should have all pertinent employee data required to process payment already in place. Any employee should and could rightfully decline to put that information in an email.
>> As for the JPG signatures, once again, lazy and inappropriate. I don't want my signature flying all over the email space going who knows where. An email saying "I approve" is as likely to stand up in any court just as easily as a jpg signature. Considering the route the signature takes and the people having access to it, one could argue that someone just stole the file and forged my timesheet.
>> Here is a scenario. I give you my manager my timesheet with my jpg sig. You then change my timesheet (deducting hours) and pass it on. What good is that signature now? Sure, it has my name on it, but you changed it and nobody can really prove it. Of course the file will show it was changed, but it would have shown that anyway since you put your signature in it.
>>
>> No offense intended Joe, but this whole process is nothing but dangerous and ineffective. Dangerous to staff and the business as well and has left you open to substantial risk (see Salvador's comment regarding CA laws).
>>
>> There are dozens if not hundreds of available online timesheet applications. I'll bet even some open source ones that could be used to process the whole thing. It would not most likely be more secure, but more effective, save time, and give you great records keeping. This isn't reinventing the wheel.
>>
>> -----Original Message-----
>> From: Tim Evans [mailto:[EMAIL PROTECTED]
>> Sent: Saturday, February 23, 2008 8:10 AM
>> To: NT System Admin Issues
>> Subject: RE: Handling of confidential files
>>
>> Actually, the newer versions of Excel (2003 & 2007) have pretty good encryption routines for the spreadsheet itself. VBA protection sucks. Of course, you have to choose a good password for it to do any good.
>>
>> ...Tim
>>
>>> > -----Original Message-----
>>> > From: Matt Plahtinsky [mailto:[EMAIL PROTECTED]
>>> > Sent: Friday, February 22, 2008 5:10 PM
>>> > To: NT System Admin Issues
>>> > Subject: Re: Handling of confidential files
>>> >
>>> > Ss# and email = ss# getting owned.
>>> > Password protected .xls is like wep on wireless. It's only going to stop casual snoop. My boss had me break a .xls password last week.
>>> > Took less than 30 seconds to break.
>>> >
>>> > Matt
>>> >
>>> > On 2/22/08, Durf <[EMAIL PROTECTED]> wrote:
>>>> > > You want a "drop" folder:
>>>> > >
>>>> > > http://technet2.microsoft.com/windowsserver/en/library/86987829-3f74-412f-abb8-c8b22b07257d1033.mspx?mfr=true
>>>> > >
>>>> > > -- Durf
>>>> > >
>>>> > > On Fri, Feb 22, 2008 at 3:21 PM, Joe Heaton <[EMAIL PROTECTED]> wrote:
>>>> > >
>>>>> > > > I need some alternatives to a specific process. The process in question is timesheets. Our timesheets are Excel spreadsheets, which are processed as follows:
>>>>> > > >
>>>>> > > > 1) All timesheets are located in the user's home folder. At the end of the month, the user goes in, updates for the current month, copies a .jpg of their signature onto the current month's sheet, and forwards the timesheet to their manager via e-mail attachment.
>>>>> > > > 2) The manager opens the timesheets for their employees, verifies it, and copies a .jpg of their signature onto the current month's sheet, and forwards the timesheets to a specific admin employee, via e-mail attachments.
>>>>> > > > 3) The admin employee takes the attachments, and copies them into a folder on a server, from which the timesheets are then "processed" and sent to another agency, to be further processed for paycheck issuance.
>>>>> > > >
>>>>> > > > My question to my boss, is why can't we just have the managers move the timesheets for their employees into the folder on the server, instead of e-mailing them a second time. In fact, we could have all processing done within that folder to begin with, without having to e-mail the files anywhere.
>>>>> > > >
>>>>> > > > The issue that comes up, is how to prevent someone from another department from opening someone else's timesheet. The big concern there is that the timesheets not only contain .jpgs of people's signatures, but also contain SSNs.
>>>>> > > >
>>>>> > > > My thought is to set permissions on the folder so that people can place files there, but not be able to open them once they are there. Is that possible with NTFS rights? I will do research on it, but I'm hoping that someone has already run into this type of issue and has an answer already.
>>>>> > > >
>>>>> > > > Thanks,
>>>>> > > >
>>>>> > > > Joe Heaton
>>>>> > > > AISA
>>>>> > > > Employment Training Panel
>>>>> > > > 1100 J Street, 4th Floor
>>>>> > > > Sacramento, CA 95814
>>>>> > > > (916) 327-5276
>>>>> > > > [EMAIL PROTECTED]
>>>> > >
>>>> > > --
>>>> > > --------------
>>>> > > Give a man a fish, and he'll eat for a day.
>>>> > > Give a fish a man, and he'll eat for weeks!

---
Salvador Manzo [ 620 W. 35th St - Los Angeles, CA 90089 e. [EMAIL PROTECTED] ]
Auxiliary Services IT, Datacenter
University of Southern California
818-612-5112
In matters of style, swim with the current; in matters of principle, stand like a rock. Thomas Jefferson
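
The "drop" folder permission model asked about in this thread (place files, but not open them afterwards), sketched as an added example that is not part of any poster's message. The path and group names are hypothetical, and the OWNER RIGHTS entry assumes a file server running Windows Vista / Server 2008 or later; run it elevated.

```powershell
# Added example: write-only "drop" folder ACL for the timesheet folder.
# Hypothetical names: D:\Timesheets, CONTOSO\Managers, CONTOSO\PayrollAdmins.
$path     = 'D:\Timesheets'
$droppers = 'CONTOSO\Managers'        # may place files, may not open them
$readers  = 'CONTOSO\PayrollAdmins'   # staff who process the timesheets
# Well-known SID "OWNER RIGHTS": replaces the implicit rights of a file's owner.
$ownerRights = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-4'

function New-AllowRule {
    param($Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit,
          [System.Security.AccessControl.PropagationFlags]$Propagate = 'None')
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $Inherit, $Propagate, $allow
}

$acl = Get-Acl -Path $path
# Stop inheriting from the parent and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)
# Remove explicit entries already on the folder so only the rules below remain.
@($acl.Access) | Where-Object { -not $_.IsInherited } |
    ForEach-Object { $acl.RemoveAccessRuleSpecific($_) }

$rules = @(
    # Full control for the system and administrators, inherited by everything.
    (New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl' 'ContainerInherit, ObjectInherit'),
    (New-AllowRule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit'),
    # Processing staff can read and modify whatever lands in the folder.
    (New-AllowRule $readers 'Modify' 'ContainerInherit, ObjectInherit'),
    # Droppers: create files in THIS folder only. No ListDirectory/ReadData, and
    # no inheritance flags, so a dropped file carries no entry for them at all.
    (New-AllowRule $droppers 'CreateFiles, Traverse, ReadAttributes' 'None'),
    # The person who drops a file becomes its owner, and an owner can normally
    # rewrite the permissions. Limit owners of files here to reading the ACL.
    (New-AllowRule $ownerRights 'ReadPermissions' 'ObjectInherit' 'InheritOnly')
)
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path $path -AclObject $acl

# Review the result before putting the folder into use.
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```

Confirm the behaviour with a test account from the dropper group: copying a file in should succeed, while opening it or listing the folder afterwards should be denied.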
