Educause Security Discussion mailing list archives
Re: Login/Logoff Activity
From: Shane Williams <shanew () ISCHOOL UTEXAS EDU>
Date: Thu, 25 Apr 2013 07:45:42 -0500
On Thu, 25 Apr 2013, Will Froning wrote:
> This is a request from the internal auditor to see if it is common practice to monitor this in academia (starting to look heavily like NO). As others on the list have mentioned, this is really a management issue at its core. The rebuttal for that comment was something like: "If technology can help us to identify a management weakness, we can make corrective policy driven actions to fix the weakness. IT isn't there to fix the problem, but to provide visibility into whether or not there is a problem to correct."
Setting aside privacy issues (which I suspect are more complex and worth more consideration than your IA is allowing), I think the next critical question you have to ask is whether technology does, in fact, provide you with accurate "visibility" into a possible problem. After all, your metrics are only as useful as the accuracy and validity of the measuring tool.

Their thinking seems to be that being "logged in" is the same as working, and while I suppose this might be true for some types of work, I suspect it's the exception to the rule. If I log out at the end of the day, then Joe stops me on my way out and we have a 30-minute conversation about something I'm working on, then the logs under-represent my actual work. Alternately, if I log in the minute I show up at work, then go grab some coffee, chat with Bob about the football match for 15 minutes, sit back down at my workstation and check my stock portfolio and the international news for another 15 minutes, the log over-represents my work.

And those examples are probably unintentional "noise" in the metric. If I'm the type of person that IA is really hoping to find, I'm likely to spend a lot of time and energy figuring out even more clever ways to fool the system into thinking I'm working when I'm not.

Or, as others have mentioned, what if I forget to log out at the end of the day? What if I'm particularly forgetful and I regularly forget to log out at the end of the day? Will this be viewed as an attempt to artificially inflate my work hours, and how will it be handled by IA / Management?

I actually made it a goal at the beginning of the year to better track my own time (admittedly I'm categorizing my time rather than just looking at login/logout times) and I can tell you that I regularly forget to start and/or stop the clock. I sometimes forget to stop it when I go to lunch. Other times, I forget to restart it when I get back from lunch. It's not unusual that I forget to stop it at the end of a day, and once or twice, that day has been a Friday. Of course, the tool I use allows me to go back and fix these mistakes, but then allowing something like that would defeat the purpose of what IA is wanting to do.

Finally, if IA thinks this would help them get an accurate picture, my recommendation would be that they try it out themselves for six months before deciding whether to implement it site-wide. And I don't mean this just as a snide "see how they like it" comment. Testing it themselves will allow them to determine whether it's accurate and valid, whether it has unexpected consequences (such as impact to morale, perhaps?) and whether the cost of collecting metrics is justified by the results.

--
Shane Williams
Senior Information Technology Manager
School of Information, University of Texas at Austin
shanew () ischool utexas edu - 512-471-9471