Shostack + Friends Blog Archive


Off with their heads!

In a private conversation, someone said, “Has anyone in company’s IT staff been fired for letting people use that software?”

I did some searching for “firing offenses” and I found a bunch of interesting random things. I’d like to quote one, “How can I fire a non-performer in today’s environment:”

You may have some offenses which are no-appeal firing offenses. If you do, those need to be told to employees at the moment of hiring and then the rules need to be enforced.

So I’m curious. What are such offenses in an IT environment? Does anyone out there have a clear written list? I’m not looking for “violations of this policy may lead to consequences up to and including termination.” I’m looking for a list of things that will get you fired, like suggesting your secretary’s job is dependent on sex. I want clear measurable statements like “IT staff will be canned if they don’t change the default password within 7 days of deployment of any IT system or device.”

Absent such up-front guidance, we can’t go making statements like that and expect to have any credibility.

So, does anyone have such clear policies?

3 comments on "Off with their heads!"

  • dunsany says:

    Well, I see it similarly to “stealing this car may lead to consequences up to and including prison.” I have personally worked as a SO in places I’ve had someone fired for violating acceptable usage policy. It has to be left to the discretion of management, but often management is capricious. And if the policy violation made management look bad in a public way? Well, it’s off with their heads in the town square with all the peasants forced to watch. And THAT is better than any policy.

  • Michael says:

    Commercial, military, gov’t, the only thing that I’ve seen result in removal is porn. Even then, in some cases, put up a good enough argument (or even a bad one) and they’ll let people slide. You pretty much have to commit murder in front of the office otherwise.

  • Chandler says:

    I’ve never seen a “must-fire” policy, and I’ve developed and vetted security policies and standards with the Law Department more than once. Corporate Counsel very deliberately ensure that policy enforcement only specifies the right and not the obligation to act.

    Unfortunately, the harsh reality is that from what I’ve observed, the chosen severity of enforcement generally varies inversely with the seniority of the offender, so I assume that this structure is by design, and not just to mitigate risk of unlawful termination litigation.
