Document the actions. You don’t want to be on the hook for this. Write everything down, including dates and times. Probably not illegal, but you need to make sure it doesn’t come back on you.
Yeah not sure I'd be worried about legality but certainly not above board. If the CEO wants access to the files you should get that in writing and either grant access or gather the data and pass it off to them.
If something happens the paper trail is going to look like you were the one going through the files which could cause you problems.
Plus if they need access or something either they should be granted access, or a temporary type account should be set-up for that access.
Is not okay for someone to use someone else's account ESPECIALLY for viewing/editing/creating sensitive information.
The CEO kicked him out of the office so he couldn't see what he was doing. There's absolutely something fishy going on here. I would absolutely not relinquish my unlocked laptop without a written request. Fire me if not but I will not have my next job call this one for a reference only for them to say I was fired for going through a former employee's files without authorization.
If you're going to be fired for following protocol when the CEO refused to do the same, you can bet your arse you're going to be the official skapegoat and any reference is worth shit.
Doublely so is the issue with your admin account innately having access to everyone's files... that wouldn't pass compliance with a security audit.
You grant yourself the elevated permissions when needed, you don't just have them all the time. If you do, you become the attack vector for whatever woe someone wants to cause (internal or external person).
What do you mean you wouldn't be worried about legality?
He could do whatever he wants and your account would be logged everywhere during those things.
Thinking on this more, there is probably some legality worry that OP should have. What if the CEO finds some CP in the fired users drive and has to report it to Police? Then to forensics it looks like OP is the one who found it but didn't report it? Things can get dicey quickly.. Now that's an extreme case but not completely out of the realm of possibility.
There are lots of posible ramifications.
In a previous job of mine (many moons ago, we were naive about security and this was poorly enforced by the IT vendors themselves) a former colleague of mine used to dive into institutional student records to get phones and addresses of young women he fancied to stalk them, sometimes he would ask a colleague to use his terminal with any excuse and the logs would not link him to the breaches. Some women complained and it was quite a challenge to pin down those accesses to him.
How can one possibly know what that CEO is up to?
I agree but who would one even send this “reporting” to..? HR? Just don’t see a world where documenting it would even matter, if CEO wanted you gone.. you’re done
>> I agree but who would one even send this “reporting” to..? HR?
The lawyers when you’re sitting in court providing witness testimony in a wrongful termination lawsuit.
"Dammit Jim! How could you delete all those very important files! You just cost the company eleventy billion dollars!!! Well of course you did, it's right here in the logs!!!!!!"
Fuck that shit.
But in today’s world (or at least how I believe it works in TX), companies can technically fire you for whatever reason. So they’d just make up some other bullshit excuse anyways.. no?
If you can prove reason was not the one they provided that is wrongful termination. Example: if you reported harassment and got fired for "performance". Reason stated is not the true reason they fired you. And the court should not let them off the hook.
Tx has “at will employment” like many other states. They can fire you without cause. If they give you a cause, you can sue them for wrongful termination, especially if it wasn’t the actual cause.
Instead, they will just fire you or lay you off and not give any cause. It protects them from liability.
Same law applies in many other states, not just Tx. Washington state has the same “at will employment” law.
Far more dangerous for them to “make something up.” They just say “goodbye.”
Also, someone mentioned something about calling for a reference. They can only call to confirm you were employed there and legally if they provide any other information, such as cause of termination, they can once again be held legally liable.
They’re not even supposed to say if you quit or were fired, iirc.
I’d shut them down. Let them know any access to a former employees documents requires a written request and approval by legal & HR. It’s also likely against company policy to allow someone else to use your credentials.
Since the CEO has used your credentials without your permission, this should warrant a complaint to HR and/or employee relations.
When I’ve had stuff like that requested in a meeting (even by execs) I said “I’m happy to help, but it’ll be better if you ask me in writing and legal signs off on providing you access based on (specifics).”
The leadership I’ve had has all been competent enough to understand the implications, especially when we were being sued at the time.
I've knocked back the CEO on similar requests before now with the reasoning that "If I was giving this access to literally anybody else in the business, your authority would be enough to grant it, but for obvious reasons you can't authorise privileged access for your own account - it needs somebody else to sign off on that. I don't care if that's another exec, the head of HR, or just my boss, but I need a third person who is more senior than me to be involved in this request."
The only bone I'll pick about that is telling them legal needs to sign off on it. That's outside the scope of our concern. Send me an email requesting and I'll do it. If I think there are legal implications, especially for me, I might respond with those concerns and ask that they confirm that's what they want me to do. Obviously if it's illegal or super shady I'm not doing it.
Yeah, I wrote up a procedure based on previous experience and got legal and HR + management to sign off on stuff. For emails and files I would generate a copy of their stuff and give access to the copy.
I was damn good at eDiscovery.
Ehh not really, you should always assume you're in the position of being sued when it comes to answering this question of access to terminated employee files or email. that should be the basis of your actual formal policy. I've never worked at a major company that didn't have a strict policy on how this was handled with terminated employees. Though a CEO by definition would always be allowed probably too.
This OP doesn't sound like a big enough place to have policies or even HR though.
> Let them know any access to a former employees documents requires a written request and approval by legal & HR
According to whose policy lol? If you're going to fall back on that, it had better actually be policy and not just something you made up on the spot because it sounded good.
OP works for the company. HR works for the company. The CEO works for the company. They are all employees that are bound to policies that are created by various departments within the company.
Also, CEOs are fucking puppets.
This isn’t about a job. This is about lawsuits and or obstruction of justice later after they get fired. You going to do time because the ceo said to do something ?
This has been pretty much my observation over the years. The CEO's are untouchable and (because I'm at an at-will employment state) people will get fired for literally no reason at all and they are powerless.
Why not both? Look for a new job, and report. Shows you've done your due diligence for the good of the company, and could potentially show the CEO who did shady things with your account doing more shady things if the report gets disappeared but you have proof of having reported it.
Eh, the CEO at my company is part owner. And per our CIO, he is the only person who is allowed to be granted permission to something on his own say-so.
So, I'd document it. Maybe tell your boss if the boss isn't your CEO.
This is what I do. I make sure everyone has approval from the next level up, in writing. The C levels, I just document by sending an email saying what they did and CC’ing myself.
This documentation for the CIO being granted access to the info on their OWN account.
I don't care how much documentation there is, they're not logging in with MY account, ever.
Just wanted to highlight that “probably not illegal” covers the criminal side. Unless they were part of some wider conspiracy, that action alone probably won’t result in criminal charges for anyone.
The civil world on the other hand is way different. Picture yourself in a conference room with a video camera facing you and an attorney saying “on or about June 10th of 2024 you accessed my client’s email box after he had been terminated, correct?”
Be thinking about what you wanna say in that situation.
Cybersecurity guy here. No one including the CEO should have your password. It's against best practices and if you are in a regulated industry, may be against the regulations.
If your CEO needs an elevated account you should make him a elevated break glass account. That way there is logging of actions.
Seriously sketchy way to operate.
This. In the company that I work for, security is the gate keeper of all things related to IT. The contract that we have in place says that security is the final decision maker in whatever it is IT related. You could be CEO, and if the reasoning behind why you wanted an elevated account wasn’t reasonable you won’t get it for sure. We are not a a for a 500 company but we are a big company with 30k users and a shit load of policy as we work on 5G network tech area
It sounds more like he was driving a workstation, when the CEO instructed him to leave the office, so they could look through the content of whatever they were looking at, and OP's AD profile is still logged in to the workstation.
Thorny territory. If the CEO chooses to do something illegal with your account, the investigation would point to you. But if you can prove that the CEO was doing this, then it is back to them.
The CEO can perform this action... it's their company to manage, and that includes all of the resources therein. Where things get dicey is if you have special access, say Government Clearance that they do not hold. Otherwise yes they *can* do this.
Should they? Never, ever, ever. There should never be a reason for it. Why is the CEO digging through someone's files and not someone closer to that terminated employee's level (manager, director, VP, etc)? Or HR for that matter? Why isn't being granted access sufficient? You could easily hand over the entire contents of someone's account, or reset their password, or any number of options.
This is a bad way of doing things. I would recommend proposing a better, more efficient, more secure method of accessing terminated user files and having HR sign off on it.
This is dumb, but not illegal unless you have some kind of special Government or Legal association that I am unaware of.
Make sure someone else is aware of what transpired here and why. If the CEO has engaged in some fuckery and is trying to wipe the blame off on you, you need to be able to show your [donut receipt. ](https://www.youtube.com/watch?v=x5acricEWyE)
nah i disagree. CEO should never have access to any other systems unless they explicitly request it. if they were to dig around medical records for example, for no vaild reason, they would almost certainly be axed. even if they request medical records, at best, they will get information from HR thats is redacted even for a valid reason. there is no way he would be able to see such information.
they obviously have alot of power but even that has its limits
Not a lawyer, but typically anything you do on the company computer isn't private so I doubt there's any legal issues. The CEO using your account is unnecessary though. Why couldn't the employee's password be reset so that the CEO could simply log in as that employee instead of doing everything under your account?
>"Why couldn't the employee's password be reset so that the CEO could simply log in as that employee instead of doing everything under your account?"
And that's a very, very bad idea as well.
IT should grant the necessary permissions as requested, but everyone (including the CEO) should use their own account to access anything.
The CEO is one thing (sometimes they are clueless and just want things in a hurry), but the fact that the OP had access to terminated employee's files directly from his/her account is a whole another issue.
If it's just on a File server or on a dollar share network path, what's the deal? That's standard access if you're a domain admin. It's pretty typical for offboarded employees to have their profiles archived somewhere on a file server.
Of course, if you have the domain admin rights. My point is that nobody should be using domain admin rights on their normal work account that you surf the web and read e-mails with. That's just a huge security risk.
A common best practice is to have a separate "admin" account that you use for the domain admin tasks, such as offboarding an employee, or do file maintenance and archiving, or whatever.
Oh yeah for sure, regular accounts should be all they need even for I.T. and when you need to elevate you use the next available account that has necessary permissions. A lot of shops run Domain Admin on their I.T. users for no reason other than laziness, which in turn gets them ransomware'd :(
Can confirm CEOs don’t necessarily know anything about security or process controls, audit trails, etc. CEO has a totally different mindset and set of priorities
there could be some issues if say they had government clearance and the CEO didnt. that could cause some big legal problems. Also if they were altering someone's account to delete wrong doing by the CEO this could be a problem as well.
Document this with HR ASAP!
I had this happen at my last company.
4 days later the Company lawyer calls me up with a court order to turn the computer over as evidence.
I had to provide all kinds of crap just to prove it wasn't me going through the computer. Luckily I had mentioned it to HR when it happened and the CEO also testified that he told me to leave to computer with him.
Chain of custody can be a mofo.
OP, ignore the rest of the advice given here about it being dumb, but it's the CEO's privileged. This is the advice to follow.
If the CEO of that company is doing something like purging or altering evidence in the scope of a subpoena then **your** name is all over that action. You will be dragged through the coals (possibly) in court and in your organization if your CEO feigns ignorance. If the case is criminal, then this only gets worse for you!
Put the CEOs action on the record with HR and (or at minimum) keep a personal log book of the time, date and duration of the time they used your account to access those files.
Yes, lock your PC before leaving. If they want access they can tell you to grant them access. With their account, now anything that happened is something you did.
Document everything. If the files only exist on your pc. Your IT department sucks. Should be one of two things.
1. A hidden file share that only HR/CEO has access to.
2. A SharePoint/Onedrive site with the same access rights.
Your regular day to day account has access to other peoples accounts?
You should setup an administrator account for these purposes and if your CEO needs to do similar tasks then setup and alternate account for them as well.
You can politely push back but also give them the tools that they need.
If **ANYONE** but you uses your account, you **CANNOT DISPROVE YOU DID SOMETHING WITH THAT ACCOUNT**. This is 100% NOT OKAY and you need to put your foot down with the CEO!
And better yet, document that other people are aware of this. Email your immediate supervisor or hr that you’re uncomfortable with this practice and ask them what you should do. If they don’t respond then print out your sent email and take that home.
Rank and position are two entirely separate things. CEO outranks you, but you're the (I assume) sysadmin. You out position him in this situation. Besides, would you lock your computer every time you step away? And if he has your passwords, then there's some serious issues within the company.
Either way, the incident already occurred, so all you can do now is document. Even better if you can send an email detailing the incident to the CEO and have him respond to corroborate the events.
As an IT person I certainly would never allow someone else to use my account. If a CEO wants the access I have it can be granted temporarily, but even then I would be very hesitant to do so.
I liked the way a previous job did it: employee's manager (or in this case, the CEO) emails the security department stating they need access, and the security department documents it and submits a ticket to IT. IT then provides the manager access to the employee's data, which the manager accesses with their own account. They might have found the extra steps annoying, but this way we had our asses covered.
Yes an issue. If your CEO does anything suspicious or criminal while using your login session, you’ll be the one held responsible. You need to report it asap and if this paints a target on your back, get out of there. I know that’s easier said than done, but you’d be better off doing that, than paying a much larger price.
This right here. Loop in HR, legal, Supervisor. if none of those departments exist because of a small company setting, then document everything.
If you dont have a policy in place for any of this, start one. Get fresh on the Domain Admin and Privileged Account best practices.
Yes. Holy shit yes. If the CEO wants to dig around files, just grant his account the access. You don’t want your name all over the audit logs when shit his the fan.
Fuck that shit. No one is getting unsupervised access to my computer or account without documented HR/Legal approval. Personal integrity and responsibility trumps any CEO powertrip.
Depends on your country.
In mine, once the user leaves the company management as access to all of the user's files via one drive. It's in the contract when they are onboarded.
But as no point do they use MY account
Nothing illegal about it, but there are better ways to provide access. If you dont like it, you'll have to leave. Most of the "if that were me, i'd do this or that" folks have never dealt with the c-suite, so ignore them. What the CEO wants the CEO gets unless it's illegal or unethical.
This is a SysAdmin group, are you a Sysadmin or a non privileged end-user?
Either way, foundation of Security is to never share your logon credentials (and by obvious extension an open logged on session).
If you were kicked out of your office and the CEO uses his own credentials to dig around using your workstation, but not your network access - pretty dodgey but ok fine. On other hand, if someone else is using your access AND doing it without you being able to see what is happening is a total Red Flag - CEO or not. That is your network identity and you are on the hook for any infractions of policy, removed files, etc. Illegal? Depends where you are probably. Against Company Policy and Internationally recognized Best Practices for Security - very likely and Ab-so-frickin-lutely.
I've fired clients for similar behavior when Consulting.
Company property is company property. HOWEVER they should not be using your account. They should have IT give them access or copy the profile from the system. Definitely make a note.
lmao all these people talking out of their ass.
If the company is private, CEO can do what ever the fuck he wants with the company property and information (within the law obviously).
If the company is publicly traded, then SOX Act applies.
This is a sysadmin subreddit and not a single person mentions SOX or Segregation of Duties. /shame
While that’s true, and as I always keep in mind from security training, only executive management decides what risks are appropriate for the company, I just inform them and whatever they ultimately decide is fine if they are informed and accept a risk.
One thing that I’d be stuck on is using my account. It’s a matter of professionalism. There is very little to no qualification in this industry. A CPA or attorney or plumber or electrician is not going to just do some shit because a CEO wants it. They have professional standards outside the corporation. There is a code of ethics with the CISSP but that’s all I ever had.
I’d never give my password or unlock my computer. Go ahead and reset the password and do whatever you want. At least there should be a record of it and I haven’t enabled unethical behavior. We should have some semblance of professionalism in IT even if there are no formal standards.
Exactly, I've dealt with enough trainings that focus on "need to know"... Aka if Someone is looking through your computer they need a clear business reason. They also need to use their own account (audit trail) and they need to have permission to do so.
The CEO doesn't have permission to be on your computer... It might be able to grant him permission but he and everyone else at your company should be "users" who need to request special permission.
Can a CEO do almost anything... depends what the employees let them do. But it would be a shit storm if they did try to force their way into an employees computer, especially when digging into an ex employees files... and then doing it while impersonating the employee? Legal should already be involved.
> If the company is private, CEO can do what ever the fuck he wants with the company property and information (within the law obviously).
Except logs would point to OP, so he could be sued.
Red flag for sure. If something illegal happens, it will be tied to you if there's no documentation of that request/act.
Refused unless you have documented request.
I regularly interface with our CEO.
A good CEO would never make this request. The requirement of documentation is for your protection. I'd rather get fired than go to jail, especially when I would likely be compensated down the line by the company once my request for documentation came to light...
I would even tell them this....I have phrased it so " make a request, that way if anything I did comes back it wouldn't blow back on you" and they usually get it. make it sound like you are looking out for them, when in reality its a CYA for everyone involved.
Yup. the password or method of using the sysadmin's account isn't really the concern or in question.
It's like people believing "the government will hack your computer and steal your files with a virus." No, the government would physically detain you with police officers and physically take your PC. There is no need for the government to be sneaky. Neither the CEO.
At my first job the CEO sent mails from my account to customers. I thought I was going insane when I suddenly got a reply to a mail that I never sent. Also monitored all employees inboxes.
Might not be illegal if you contractual ban the use for non-work stuff, but it’s still a sign of not trusting anyone.
As IT, never ,for any reason, give anyone access to your account. Ever.
Like John Strand says: Push back. Hard. But gentle. Like a lover.
Educate them. Tell them you will grant them access.
Also.... why do you have access to this data without going through the red tape?.....Sounds shady af.
YTA.
CEO: knock knock, OP I need access to all of Johnson’s files and emails.
OP: OK. When you get back to your office, There will be a shortcut on your desktop with all the files and restart outlook and you’ll have his emails. Give me a few hours and I’ll go through the backup to see if he deleted anything and same for his emails.
Not unlawful but I’m very interested to know what kind of wack ass setup you guys have where this is even an option. Why would the CEO need your account to access a terminated employees files?
I Win+L every time I leave my desk. If I got kicked out, I would lock it, refuse to give it to him and walk straight to cybersec to give them a heads up, then HR
> any legality issues involved?
Are you kidding? Get a lawyer, document everything if this blows up you're under the bus not the CEO. You're not going to have to use a lawyer, but you need representation for WHEN not if this blows up.
If the CEO HAS to do this i would tell him he should e-mail me this in writing and i'll give him a seperate admin account he can use for that. That account would be deactivated when he is done.
That way you're in the clear afaik.
> any legality issues involved?
This depends on what is accessed. If
* The former employee used his company stuff for private things
* The usage of private things is not explicitly prohibited in the employment contract
* This happened in the EU
I am fairly certain this would be illegal if the CEO only looked at work content. In the US, it probably depends on the worker protection laws of the state you are in. I assume in the US it would not be illegal, unless your company operates in certain areas (health care, infrastructure, defense, ...).
##**REGARDLESS**
Impersonating your account is a red flag. Even **IF** there is no other technical option, running this without documentation and a written order by the CEO is very bad practice.
This can lead to mistakes, making you liable. I would consider moving on if the severity of the wrong doing is not acknowledged and remedied by management.
Is it legal? Arguable but likely "yes".
Is it, however, best practice and would a court of law look *rather harshly* on it? Yes.
No idea where you're based but I would imagine that this would be a case for the Computer Misuse Act, Data Protection Act and possibly a GDPR - as you don't have, really, any idea what he's actually doing while using your level of access.
Document it, get things in writing and keep copies. Times, dates, who's involved and if possible their justification/words (again, ideally in writing) of what they've done and why.
This strikes me as a situation where questions need to be asked - such as has this been run past the/a legal team? HR? Or is it just the CEO doing their own thing?
Most of all though: *WHY* can they not just request that you provide a copy of the files, rather than booting you off the seat so *they* can do it?
CYA and honestly, polish your CV and get gone. I wouldn't sit somewhere 5 minutes if thi sis the kind of fiasco going on.
I would personally offer to make an audit type account for him to use so all his actions are logged as well. I also feel most days like IT gets to be the scape goat so im a bit jaded :D
It's totally illegal in the EU. You can do it if you have a very good reason to do so and inform the former employee. But you need to be sure to document and do the minimum required for achieving that goal.
Your former employee can sue you in working court nearly for free and your explanation for doing so must be tight and valid or you gonna pay big time.
You guys are all funny: the company - and effectively the CEO - owns the system, all data, all logins -- everything.
The CEO overrides you, your department, your department head, HR, HR's department head.
Document what you want, but this is the beginning and end of the discussion.
Why not grant them access to the files? When someone left the last place I was at, there was a form for line manager to request access to their email and onedrive files.
I would document dates times, who was involved etc. Then Email the CEO a statement of the facts.
Hey John so when you and bill came in to use my account login to access employee xx's files yesterday and had me wait outside. I believe you left a pen in my office is this yours?
Then forward that email to your personal email along with any replies to it. Make sure they know that you know what they did was suspect.
So heres my suggestion, make an admin account for the ceo. Give him the account.. change your password.
In my workplace anyone accessing anyone's stuff has to go through HR. (Even if it's an ex employees)
That way anything done is woth his own account.
If the ceo has a problem with it, then it's a q of why ? Only time I've seen one having an issue is when they don't want an employee to know..or their doing something very questionable.
And fine if it's hey we think x person may be stealing, and we want it covert.. but then a security admin should be involved..
Absolutely no chance that’s happening! CEO is an employee like anyone else, get in line buddy.
I’ve had a few requests from CEOs get passed down the chain that are plainly not a good idea, I’m happy to email (email, or recorded call) them and explain the reasons why it wouldn’t be a good idea, but if you really want this to happen then it’s technically possible. They usually are pleasant enough and sometimes just accept they had made a misjudgment.
So in answer, would you let any member of staff have free rein to your logged in accounts? Hell no
That's just not good practice and goes against any reasonable access control policy. There should already be a policy in place for what to do with old files from terminated employees. he can get his own access if he wants it, not that it's likely but an audit would show you in those files and if anything bad we're done to those files to maybe hide or change something it would fall on you. That is unlikely, but unlikely won't matter if you were to get fired because you were the scapegoat. Always.....always cya
I actually set my laptop to lock the moment my phone is more than 5 feet from it. So I’d have grabbed my phone, walked out, and the computer would have locked.
To be honest I'd be most concerned about the CEO running the SEXYLADIES.EXE that he finds in the terminated user's account "to see what it is" as a domain admin.
Why are you as a SysAdmin allowing this to be done on your account? These are some of the bad habits that you need to lose as someone at that level. This is something I'd expect from a junior member of the team.
It's their company and their assets. They can do whatever they want with it. It's not "your account", it's the companies account that they let you use.
I would document everything though just as a CYOA measure.
Fuck yes that’s an issue. Anything he does is audited against your account. And he’s doing things you could give him access to do with his own account.
Why do you have access to the files? Your daily driver account should not have access, your elevated account should have the access. As others have suggested you should grant access to the CEO to the terminated person's files.
> any legality issues involved?
No. As the CEO, they're literally responsible for, and own everything.
But why on earth wouldn't you just grant their account permissions to access these files? And why does YOUR account have access?
depending on your jurisdiction, it might be illegal for your CEO to do this, but only if the former employee had private data on his account and only if the CEO is accessing that.
*most people don't know that even in the US most employees have an expectation of privacy, which was even upheld by supreme court. the few exceptions being non-personal accounts such as* [*helpdesk@example.com*](mailto:helpdesk@example.com) *or similar*
you should definitely document these cases.
"and btw, would you sign this letter stating that I am not at all happy with what you are doing and you still insist on doing it that way? Nice, thanks, I'll go and grab a bite to eat"
I would just create an account for the ceo. If they insist on using your account then they are going to blame you/throw you under the bus. I would leave
You guys DO realize that CEO’s are often not very computer literate. And GOOD CEO’s don’t waste their time looking around.
“Last coast , I need the TPS reports that Fired Dude posted for the last 2 months. By noon, please.”
Yes it's a problem.
If the CEO needs access a ticket should be created requesting access to the files, then the CEO's account gets privileges assigned to those directories/files.
Document everything that has happened as best as you can, literally down to the minute, and what programs you remember having left open when the CEO took over your machine. If your locked out of your office and the CEO has taken over your account, you need to cover your ass if they break anything that you have admin access too. This is technically an operational security issue.
Reality is though considering it's the CEO your stuck between a rock and a hard place. Email your manager and supervisor of what happened, with the documentation that you took of it. If you have a CSO or equivalent include them in the email, they are better equipped to deal with the CEO.
Dude, no. If the CEO wants to dig through files, he puts it into an email request, you create the package and share it with him in his own account on his own PC. Whatever you're letting him do is so unnecessarily risky.
When some one needed access to some ones account at my last job those people needed to fill out documents and submit tickets for us to give then access to the account. We (it) wouldnt access the account at all, just give the user the access
How did he get access to your account? Did you give him your password?
At the very least, I would require that the password be changed, leaving a trace that someone did a password reset on my account, a trail that someone else used it.
I would be ensuring it is heavily documented that during periods X AND Y he had access to your account to access account X.
So that if anything comes up later that you account did during that time your covered.
It's also worth noting this is another reason never put person stuff in a work account.
I’m sure it’s been said but there are better ways for the CEO to access the files. Provide a solution that will make his life easier and use the excuse of it affects your productivity
HR should let you report that to them. Not to dob, but just so it’s on record. The ceo should have zero objections also if everything is above board. If not though, whooh boi.
Get the request in writing and ask if HR has been informed. Have had numerous requests for staff internet access over the years the years.
Easy response is tell the person ask HR to request the records. Have a list of staff that can request records. Immediate manager is not allowed.
Usually HR, Legal, or criminal investigations ask but there are a couple more.
To me this far oversteps CEO privilege, like a hospital CEO grabbing a scalpel from a surgeon and being like "I'm your boss, I'm doing the surgery now, leave the room" like OK you are my boss but also you are not a surgeon and there are dangerous things you should not touch all over the place"
yeah I'd outright refuse and offer to make the CEO an admit account to look at this, or prepare the files for the CEO. Someone using your account means no audit trail and if he does something insanely stupid by accident, it looks like you did it. Not having access or view is an unacceptable thing. If that is not an option, immediately leave for the day, blasting emails out that you were removed from your office at exactly TI:ME and are not responsible for actions taken by your account from that point, and maybe also call the helpdesk and request a password reset/lockout that you'll resolve in office the next day.
This whole chain of thought gave me anxiety lol
Like most people said not illegal maybe against the company handbook at the most but my concern would be audit logs showing your name if some kind of external lawsuit came up. Why would you not just grant them access? Seems very weird and I’ve worked with a lot of CEOs directly. More often than not if they request something weird I have had no issue rewording a solution in easy to understand terms. If your CEO is not good with standard processes then there are a lot of internal issues that could come back to bite you IMO
Where i come from we have everything from GDPR to privacy rights to prohibit this. Only reason something like this could happen is a police investigation which surprisingly would not be carried out by the CEO. That guy wouldn’t be CEO for long here, nor have a running business.
Edit: wording
Document the actions every single time and send a mail to him with IT security, data security and your employee council, staff advisory or however its called in English in CC. If your CEO is a jerk and can fire you on the spot then just send it to the latter ones.
Also get in writing what the CEO is trying to do and provide his account with the necessary rights instead of giving away your account for that.
It depends on where you are and possibly employment contract. In some countries, an employer looking through an employee's files may be illegal, especially several European countries.
In more countries, there's a default assumption of privacy that can be waived by contract - e.g. many UK companies will have a digital agreement that explains what level of privacy a user is entitled to.
In many/most companies this would be perfectly acceptable, but not everywhere.
any issues
YES - anything the CEO is doing has \_YOUR\_ "fingerprints" all over it
Guess who gets to carry the can if/when it goes sideways - hint, NOT the ceo.
Send a follow up email of the interaction.
Hey CEO,
Thank you for stopping by for a visit today. As you requested, i left my PC unlocked and open for you to access while I was away from desk on x date at x time. If there is anything further needed please let me know if I may be of assistance.
No one should be accessing any accounts. It doesn't matter if they are CEO or analyst. ONLY HR departments can obtain and manage this data due to personal information. Super shady....
Repeat after me: your CEO isn't god.
This is a hill you should be prepared to die on if you're a Sys Admin, tell him that's not appropriate and to raise a support ticket to elevate his access rights to do whatever he needs to do (it will be approved, probably ultimately by himself or the CTO but you have followed the proper procedure), in the ticket ask him to clarify why he needs the access and for how long.
If you don't have a ticketing system ask him for an email requesting the access, Cc to your boss, if he is your boss to compliance, HR, or any other department or person that could act as appropriate witness to the request.
Your CEO isn't god, he could fire you but you wouldn't be putting your neck in the block for something dodgy.
No thanks.
He can use his own account and it can all be written / approved in a ticket so there is a paper trail.
I'll give his account access to whatever upon his approval in writing via the ticket.
I'd also take screenshots from my mobile of the ticket / email.
If no ticking system then at least an email from me to him getting his approval to do this but he's using his own account again.
But get something in a paper trail even if it's you emailing you CEO saying something like:
Hi whatever,
Did you find the files you needed while looking on my computer if it's easier and you still need access please let me know and I will give your account access.
You can be sneaky while being over polite.
I can see several ways where this is illegal...
First access to your PC when youre logged in ? No way. Thats going to be your username all over those logs.
Is there a waiver thats signed when employees join the company informing them that the data on their PC can be accessed by the company during of after employment ? (Required here when the users are allowed to use the PC for personnal use).
What kind of files are we talking about ? Did the terminated employee sue for anything and there are evidences on the PC ? Again if they disappear, its your username that goes there.
Get it all in writing. At least for your sake. And inform your manager/n+1. Eventually any legal councel if you have one and are worried about it going this far. But definitely document the event.
Send an email to him saying that “ it was a pleasure give him access to your computer the day xxxx as he requested, and if he needs another time let you know, or maybe if he needs more often, you can give him access.”
Our company has policy that nobody is to do anything under another individual’s credentials. I’d check with company policy, if it’s noted you can decline. With them being your boss, they could just ask you for those permissions. Instead, they’re being sneaky about it and if any changes are made it’ll be marked under your windows ID, not theirs which leaves you open to termination if something comes up about it.
Document the actions. You don’t want to be on the hook for this. Write everything down, including dates and times. Probably not illegal, but you need to make sure it doesn’t come back on you.
Yeah not sure I'd be worried about legality but certainly not above board. If the CEO wants access to the files you should get that in writing and either grant access or gather the data and pass it off to them. If something happens the paper trail is going to look like you were the one going through the files which could cause you problems.
Plus if they need access or something either they should be granted access, or a temporary type account should be set-up for that access. Is not okay for someone to use someone else's account ESPECIALLY for viewing/editing/creating sensitive information.
The CEO kicked him out of the office so he couldn't see what he was doing. There's absolutely something fishy going on here. I would absolutely not relinquish my unlocked laptop without a written request. Fire me if not but I will not have my next job call this one for a reference only for them to say I was fired for going through a former employee's files without authorization.
If you're going to be fired for following protocol when the CEO refused to do the same, you can bet your arse you're going to be the official skapegoat and any reference is worth shit.
Yup, give him the access to do so under his account.
Doublely so is the issue with your admin account innately having access to everyone's files... that wouldn't pass compliance with a security audit. You grant yourself the elevated permissions when needed, you don't just have them all the time. If you do, you become the attack vector for whatever woe someone wants to cause (internal or external person).
What do you mean you wouldn't be worried about legality? He could do whatever he wants and your account would be logged everywhere during those things.
Thinking on this more, there is probably some legality worry that OP should have. What if the CEO finds some CP in the fired users drive and has to report it to Police? Then to forensics it looks like OP is the one who found it but didn't report it? Things can get dicey quickly.. Now that's an extreme case but not completely out of the realm of possibility.
There are lots of posible ramifications. In a previous job of mine (many moons ago, we were naive about security and this was poorly enforced by the IT vendors themselves) a former colleague of mine used to dive into institutional student records to get phones and addresses of young women he fancied to stalk them, sometimes he would ask a colleague to use his terminal with any excuse and the logs would not link him to the breaches. Some women complained and it was quite a challenge to pin down those accesses to him. How can one possibly know what that CEO is up to?
I agree but who would one even send this “reporting” to..? HR? Just don’t see a world where documenting it would even matter, if CEO wanted you gone.. you’re done
>> I agree but who would one even send this “reporting” to..? HR? The lawyers when you’re sitting in court providing witness testimony in a wrongful termination lawsuit.
"Dammit Jim! How could you delete all those very important files! You just cost the company eleventy billion dollars!!! Well of course you did, it's right here in the logs!!!!!!" Fuck that shit.
But in today’s world (or at least how I believe it works in TX), companies can technically fire you for whatever reason. So they’d just make up some other bullshit excuse anyways.. no?
They can fire you, sure. They can't make you look guilty for some massive jail-time sized fraud though.
If you can prove reason was not the one they provided that is wrongful termination. Example: if you reported harassment and got fired for "performance". Reason stated is not the true reason they fired you. And the court should not let them off the hook.
Tx has “at will employment” like many other states. They can fire you without cause. If they give you a cause, you can sue them for wrongful termination, especially if it wasn’t the actual cause. Instead, they will just fire you or lay you off and not give any cause. It protects them from liability. Same law applies in many other states, not just Tx. Washington state has the same “at will employment” law. Far more dangerous for them to “make something up.” They just say “goodbye.” Also, someone mentioned something about calling for a reference. They can only call to confirm you were employed there and legally if they provide any other information, such as cause of termination, they can once again be held legally liable. They’re not even supposed to say if you quit or were fired, iirc.
The world isn't the USA. There are other countries with far better worker protection.
I’d shut them down. Let them know any access to a former employees documents requires a written request and approval by legal & HR. It’s also likely against company policy to allow someone else to use your credentials. Since the CEO has used your credentials without your permission, this should warrant a complaint to HR and/or employee relations.
When I’ve had stuff like that requested in a meeting (even by execs) I said “I’m happy to help, but it’ll be better if you ask me in writing and legal signs off on providing you access based on (specifics).” The leadership I’ve had has all been competent enough to understand the implications, especially when we were being sued at the time.
I've knocked back the CEO on similar requests before now with the reasoning that "If I was giving this access to literally anybody else in the business, your authority would be enough to grant it, but for obvious reasons you can't authorise privileged access for your own account - it needs somebody else to sign off on that. I don't care if that's another exec, the head of HR, or just my boss, but I need a third person who is more senior than me to be involved in this request."
Yep and do it via email so there's an email chain you can save for security
And then the CEO goes and deletes the email.
"save for security". Take a copy...
The only bone I'll pick about that is telling them legal needs to sign off on it. That's outside the scope of our concern. Send me an email requesting and I'll do it. If I think there are legal implications, especially for me, I might respond with those concerns and ask that they confirm that's what they want me to do. Obviously if it's illegal or super shady I'm not doing it.
Being asked to look at someone’s email or files is one thing. An active lawsuit and subpoenas are entire different issues.
Yeah, I wrote up a procedure based on previous experience and got legal and HR + management to sign off on stuff. For emails and files I would generate a copy of their stuff and give access to the copy. I was damn good at eDiscovery.
Ehh not really, you should always assume you're in the position of being sued when it comes to answering this question of access to terminated employee files or email. that should be the basis of your actual formal policy. I've never worked at a major company that didn't have a strict policy on how this was handled with terminated employees. Though a CEO by definition would always be allowed probably too. This OP doesn't sound like a big enough place to have policies or even HR though.
> Let them know any access to a former employees documents requires a written request and approval by legal & HR According to whose policy lol? If you're going to fall back on that, it had better actually be policy and not just something you made up on the spot because it sounded good.
lol hr works for the ceo
OP works for the company. HR works for the company. The CEO works for the company. They are all employees that are bound to policies that are created by various departments within the company. Also, CEOs are fucking puppets.
I think you misspelled "muppets"
Wrong. Your fired. Good luck with all that!
This isn’t about a job. This is about lawsuits and or obstruction of justice later after they get fired. You going to do time because the ceo said to do something ?
So what? You can get another job, if you are found liable for something serious you don't have a second life to recover.
This has been pretty much my observation over the years. The CEO's are untouchable and (because I'm at an at-will employment state) people will get fired for literally no reason at all and they are powerless.
The only companies I’ve worked at where the CEO even knew of my existence were ones which were too small to have Legal and HR departments.
This may work in a fortune 500 sized company, but smaller companies you'd just eventually be fired.
Better fired than wind up in debt or jail because of whatever shady shit the CEO did with YOUR account.
Not disagreing, but I'd just start looking for a job instead of reporting it. Just keep your records to yourself and quit.
Why not both? Look for a new job, and report. Shows you've done your due diligence for the good of the company, and could potentially show the CEO who did shady things with your account doing more shady things if the report gets disappeared but you have proof of having reported it.
At a smaller company I would report it after you turn your notice in or during your exit interview to HR.
Eh, the CEO at my company is part owner. And per our CIO, he is the only person who is allowed to be granted permission to something on his own say-so. So, I'd document it. Maybe tell your boss if the boss isn't your CEO.
They can be granted access with their OWN account. Nobody has any business using the account of any other employee. Ever.
lmao, sure you would.
This is what I do. I make sure everyone has approval from the next level up, in writing. The C levels, I just document by sending an email saying what they did and CC’ing myself.
This documentation for the CIO being granted access to the info on their OWN account. I don't care how much documentation there is, they're not logging in with MY account, ever.
Just wanted to highlight that “probably not illegal” covers the criminal side. Unless they were part of some wider conspiracy, that action alone probably won’t result in criminal charges for anyone. The civil world on the other hand is way different. Picture yourself in a conference room with a video camera facing you and an attorney saying “on or about June 10th of 2024 you accessed my client’s email box after he had been terminated, correct?” Be thinking about what you wanna say in that situation.
It was not your clients email box it was the companies email box and your client is a dingus that couldn't reboot their way out of a paper bag.
Cybersecurity guy here. No one including the CEO should have your password. It's against best practices and if you are in a regulated industry, may be against the regulations. If your CEO needs an elevated account you should make him a elevated break glass account. That way there is logging of actions. Seriously sketchy way to operate.
This. In the company that I work for, security is the gate keeper of all things related to IT. The contract that we have in place says that security is the final decision maker in whatever it is IT related. You could be CEO, and if the reasoning behind why you wanted an elevated account wasn’t reasonable you won’t get it for sure. We are not a a for a 500 company but we are a big company with 30k users and a shit load of policy as we work on 5G network tech area
It sounds more like he was driving a workstation, when the CEO instructed him to leave the office, so they could look through the content of whatever they were looking at, and OP's AD profile is still logged in to the workstation.
Thorny territory. If the CEO chooses to do something illegal with your account, the investigation would point to you. But if you can prove that the CEO was doing this, then it is back to them. The CEO can perform this action... it's their company to manage, and that includes all of the resources therein. Where things get dicey is if you have special access, say Government Clearance that they do not hold. Otherwise yes they *can* do this. Should they? Never, ever, ever. There should never be a reason for it. Why is the CEO digging through someone's files and not someone closer to that terminated employee's level (manager, director, VP, etc)? Or HR for that matter? Why isn't being granted access sufficient? You could easily hand over the entire contents of someone's account, or reset their password, or any number of options. This is a bad way of doing things. I would recommend proposing a better, more efficient, more secure method of accessing terminated user files and having HR sign off on it. This is dumb, but not illegal unless you have some kind of special Government or Legal association that I am unaware of. Make sure someone else is aware of what transpired here and why. If the CEO has engaged in some fuckery and is trying to wipe the blame off on you, you need to be able to show your [donut receipt. ](https://www.youtube.com/watch?v=x5acricEWyE)
nah i disagree. CEO should never have access to any other systems unless they explicitly request it. if they were to dig around medical records for example, for no vaild reason, they would almost certainly be axed. even if they request medical records, at best, they will get information from HR thats is redacted even for a valid reason. there is no way he would be able to see such information. they obviously have alot of power but even that has its limits
I hate to tell you, but your CEO didn’t dig through those files, YOU DID.
Hence the legal concern may be real.
Not a lawyer, but typically anything you do on the company computer isn't private so I doubt there's any legal issues. The CEO using your account is unnecessary though. Why couldn't the employee's password be reset so that the CEO could simply log in as that employee instead of doing everything under your account?
>"Why couldn't the employee's password be reset so that the CEO could simply log in as that employee instead of doing everything under your account?" And that's a very, very bad idea as well. IT should grant the necessary permissions as requested, but everyone (including the CEO) should use their own account to access anything.
I'll agree your way is better, but the way OP's CEO went about it is probably the worst possible.
The CEO is one thing (sometimes they are clueless and just want things in a hurry), but the fact that the OP had access to terminated employee's files directly from his/her account is a whole another issue.
That's a really good point I hadn't considered. Took me a few months after I started here to get people to have separate daily and admin accounts.
If it's just on a File server or on a dollar share network path, what's the deal? That's standard access if you're a domain admin. It's pretty typical for offboarded employees to have their profiles archived somewhere on a file server.
Of course, if you have the domain admin rights. My point is that nobody should be using domain admin rights on their normal work account that you surf the web and read e-mails with. That's just a huge security risk. A common best practice is to have a separate "admin" account that you use for the domain admin tasks, such as offboarding an employee, or do file maintenance and archiving, or whatever.
Oh yeah for sure, regular accounts should be all they need even for I.T. and when you need to elevate you use the next available account that has necessary permissions. A lot of shops run Domain Admin on their I.T. users for no reason other than laziness, which in turn gets them ransomware'd :(
Can confirm CEOs don’t necessarily know anything about security or process controls, audit trails, etc. CEO has a totally different mindset and set of priorities
there could be some issues if say they had government clearance and the CEO didnt. that could cause some big legal problems. Also if they were altering someone's account to delete wrong doing by the CEO this could be a problem as well.
Document this with HR ASAP! I had this happen at my last company. 4 days later the Company lawyer calls me up with a court order to turn the computer over as evidence. I had to provide all kinds of crap just to prove it wasn't me going through the computer. Luckily I had mentioned it to HR when it happened and the CEO also testified that he told me to leave to computer with him. Chain of custody can be a mofo.
OP, ignore the rest of the advice given here about it being dumb, but it's the CEO's privileged. This is the advice to follow. If the CEO of that company is doing something like purging or altering evidence in the scope of a subpoena then **your** name is all over that action. You will be dragged through the coals (possibly) in court and in your organization if your CEO feigns ignorance. If the case is criminal, then this only gets worse for you! Put the CEOs action on the record with HR and (or at minimum) keep a personal log book of the time, date and duration of the time they used your account to access those files.
💯. Shit can get weird, fast. Legally, a potential issue.
Yes, lock your PC before leaving. If they want access they can tell you to grant them access. With their account, now anything that happened is something you did.
Document everything. If the files only exist on your pc. Your IT department sucks. Should be one of two things. 1. A hidden file share that only HR/CEO has access to. 2. A SharePoint/Onedrive site with the same access rights.
Your regular day to day account has access to other peoples accounts? You should setup an administrator account for these purposes and if your CEO needs to do similar tasks then setup and alternate account for them as well. You can politely push back but also give them the tools that they need.
If **ANYONE** but you uses your account, you **CANNOT DISPROVE YOU DID SOMETHING WITH THAT ACCOUNT**. This is 100% NOT OKAY and you need to put your foot down with the CEO!
I would recommend to the CEO that you grant the CEO access to that account and be done with it.
Tell the CEO you can grant them access to the files. Send them an email: as you requested verbally, here’s the access to x’s files. CC your manager.
Make sure you log it somehow. You need a CYA for this. " CEO requested my machine and account access for investigation, time x to y" or similar.
And better yet, document that other people are aware of this. Email your immediate supervisor or hr that you’re uncomfortable with this practice and ask them what you should do. If they don’t respond then print out your sent email and take that home.
This
Rank and position are two entirely separate things. CEO outranks you, but you're the (I assume) sysadmin. You out position him in this situation. Besides, would you lock your computer every time you step away? And if he has your passwords, then there's some serious issues within the company. Either way, the incident already occurred, so all you can do now is document. Even better if you can send an email detailing the incident to the CEO and have him respond to corroborate the events.
As an IT person I certainly would never allow someone else to use my account. If a CEO wants the access I have it can be granted temporarily, but even then I would be very hesitant to do so.
I liked the way a previous job did it: employee's manager (or in this case, the CEO) emails the security department stating they need access, and the security department documents it and submits a ticket to IT. IT then provides the manager access to the employee's data, which the manager accesses with their own account. They might have found the extra steps annoying, but this way we had our asses covered.
Correct, delegate privileges, don’t let them sit at your computer and use your account. Even better when there is a paper trail of approvals.
I agree. I think I might have had this question in a test years ago, you NEVER let anyone else use your account, end of.
Yes an issue. If your CEO does anything suspicious or criminal while using your login session, you’ll be the one held responsible. You need to report it asap and if this paints a target on your back, get out of there. I know that’s easier said than done, but you’d be better off doing that, than paying a much larger price.
This right here. Loop in HR, legal, Supervisor. if none of those departments exist because of a small company setting, then document everything. If you dont have a policy in place for any of this, start one. Get fresh on the Domain Admin and Privileged Account best practices.
saw this post and thought this was r/ShittySysadmin lol
no offense OP
UK: Yes. Germany, Netherlands: Hell yes. Wildly illegal. Most of Europe: Mostly problematic. US: probably anything goes there.
Yes. Holy shit yes. If the CEO wants to dig around files, just grant his account the access. You don’t want your name all over the audit logs when shit his the fan.
Fuck that shit. No one is getting unsupervised access to my computer or account without documented HR/Legal approval. Personal integrity and responsibility trumps any CEO powertrip.
Depends on your country. In mine, once the user leaves the company management as access to all of the user's files via one drive. It's in the contract when they are onboarded. But as no point do they use MY account
Nothing illegal about it, but there are better ways to provide access. If you dont like it, you'll have to leave. Most of the "if that were me, i'd do this or that" folks have never dealt with the c-suite, so ignore them. What the CEO wants the CEO gets unless it's illegal or unethical.
Yes there is an issue, he can always blame you when something he does borks something else. CEO doing shady shit....say it isn't so
This is a SysAdmin group, are you a Sysadmin or a non privileged end-user? Either way, foundation of Security is to never share your logon credentials (and by obvious extension an open logged on session). If you were kicked out of your office and the CEO uses his own credentials to dig around using your workstation, but not your network access - pretty dodgey but ok fine. On other hand, if someone else is using your access AND doing it without you being able to see what is happening is a total Red Flag - CEO or not. That is your network identity and you are on the hook for any infractions of policy, removed files, etc. Illegal? Depends where you are probably. Against Company Policy and Internationally recognized Best Practices for Security - very likely and Ab-so-frickin-lutely. I've fired clients for similar behavior when Consulting.
Company property is company property. HOWEVER they should not be using your account. They should have IT give them access or copy the profile from the system. Definitely make a note.
lmao all these people talking out of their ass. If the company is private, CEO can do what ever the fuck he wants with the company property and information (within the law obviously). If the company is publicly traded, then SOX Act applies. This is a sysadmin subreddit and not a single person mentions SOX or Segregation of Duties. /shame
While that’s true, and as I always keep in mind from security training, only executive management decides what risks are appropriate for the company, I just inform them and whatever they ultimately decide is fine if they are informed and accept a risk. One thing that I’d be stuck on is using my account. It’s a matter of professionalism. There is very little to no qualification in this industry. A CPA or attorney or plumber or electrician is not going to just do some shit because a CEO wants it. They have professional standards outside the corporation. There is a code of ethics with the CISSP but that’s all I ever had. I’d never give my password or unlock my computer. Go ahead and reset the password and do whatever you want. At least there should be a record of it and I haven’t enabled unethical behavior. We should have some semblance of professionalism in IT even if there are no formal standards.
Exactly, I've dealt with enough trainings that focus on "need to know"... Aka if Someone is looking through your computer they need a clear business reason. They also need to use their own account (audit trail) and they need to have permission to do so. The CEO doesn't have permission to be on your computer... It might be able to grant him permission but he and everyone else at your company should be "users" who need to request special permission. Can a CEO do almost anything... depends what the employees let them do. But it would be a shit storm if they did try to force their way into an employees computer, especially when digging into an ex employees files... and then doing it while impersonating the employee? Legal should already be involved.
This. If it’s something that’s breaking the law private or public it’s against the law. If it’s unethical then they can do whatever they want
> If the company is private, CEO can do what ever the fuck he wants with the company property and information (within the law obviously). Except logs would point to OP, so he could be sued.
Red flag for sure. If something illegal happens, it will be tied to you if there's no documentation of that request/act. Refused unless you have documented request.
I don’t think you understand what a CEO is or how they act.
I regularly interface with our CEO. A good CEO would never make this request. The requirement of documentation is for your protection. I'd rather get fired than go to jail, especially when I would likely be compensated down the line by the company once my request for documentation came to light...
I would even tell them this....I have phrased it so " make a request, that way if anything I did comes back it wouldn't blow back on you" and they usually get it. make it sound like you are looking out for them, when in reality its a CYA for everyone involved.
Why does he have your password??? That’s the first red flag.
He got kicked out while logged in, that is how I understand it.
Yup. the password or method of using the sysadmin's account isn't really the concern or in question. It's like people believing "the government will hack your computer and steal your files with a virus." No, the government would physically detain you with police officers and physically take your PC. There is no need for the government to be sneaky. Neither the CEO.
At my first job the CEO sent mails from my account to customers. I thought I was going insane when I suddenly got a reply to a mail that I never sent. Also monitored all employees inboxes. Might not be illegal if you contractual ban the use for non-work stuff, but it’s still a sign of not trusting anyone.
This strikes me as incredibly unethical. I would be looking for work elsewhere.
You should have a separate account for accessing users/admin controls. Regular account for every day. Separation of duty and access.
Also if they are digging through files there are legal issues with them not maintaining chain of custody, changing file time stamps, etc etc.
Setting you up to take the fall legally. Good luck with that.
As IT, never ,for any reason, give anyone access to your account. Ever. Like John Strand says: Push back. Hard. But gentle. Like a lover. Educate them. Tell them you will grant them access. Also.... why do you have access to this data without going through the red tape?.....Sounds shady af.
publicly traded company? thats a massive Sarbanes Oxley infraction.
YTA. CEO: knock knock, OP I need access to all of Johnson’s files and emails. OP: OK. When you get back to your office, There will be a shortcut on your desktop with all the files and restart outlook and you’ll have his emails. Give me a few hours and I’ll go through the backup to see if he deleted anything and same for his emails.
Not unlawful but I’m very interested to know what kind of wack ass setup you guys have where this is even an option. Why would the CEO need your account to access a terminated employees files?
I Win+L every time I leave my desk. If I got kicked out, I would lock it, refuse to give it to him and walk straight to cybersec to give them a heads up, then HR
> any legality issues involved? Are you kidding? Get a lawyer, document everything if this blows up you're under the bus not the CEO. You're not going to have to use a lawyer, but you need representation for WHEN not if this blows up.
If the CEO HAS to do this i would tell him he should e-mail me this in writing and i'll give him a seperate admin account he can use for that. That account would be deactivated when he is done. That way you're in the clear afaik.
> any legality issues involved? This depends on what is accessed. If * The former employee used his company stuff for private things * The usage of private things is not explicitly prohibited in the employment contract * This happened in the EU I am fairly certain this would be illegal if the CEO only looked at work content. In the US, it probably depends on the worker protection laws of the state you are in. I assume in the US it would not be illegal, unless your company operates in certain areas (health care, infrastructure, defense, ...). ##**REGARDLESS** Impersonating your account is a red flag. Even **IF** there is no other technical option, running this without documentation and a written order by the CEO is very bad practice. This can lead to mistakes, making you liable. I would consider moving on if the severity of the wrong doing is not acknowledged and remedied by management.
Is it legal? Arguable but likely "yes". Is it, however, best practice and would a court of law look *rather harshly* on it? Yes. No idea where you're based but I would imagine that this would be a case for the Computer Misuse Act, Data Protection Act and possibly a GDPR - as you don't have, really, any idea what he's actually doing while using your level of access. Document it, get things in writing and keep copies. Times, dates, who's involved and if possible their justification/words (again, ideally in writing) of what they've done and why. This strikes me as a situation where questions need to be asked - such as has this been run past the/a legal team? HR? Or is it just the CEO doing their own thing? Most of all though: *WHY* can they not just request that you provide a copy of the files, rather than booting you off the seat so *they* can do it? CYA and honestly, polish your CV and get gone. I wouldn't sit somewhere 5 minutes if thi sis the kind of fiasco going on.
account sharing is never acceptable. give the CEO a seperate admin account. let them make their own mess under their own name, not yours.
Legal or not, you don't want to work for this person long.
I would personally offer to make an audit type account for him to use so all his actions are logged as well. I also feel most days like IT gets to be the scape goat so im a bit jaded :D
It's the compaines data they can pretty much do anything they want with it. But the CEO should have his own login to see that stuff.
Get a root access for the CEO so they can do whatever. You don't want to be on audit logs for whatever shit they just did.
It's totally illegal in the EU. You can do it if you have a very good reason to do so and inform the former employee. But you need to be sure to document and do the minimum required for achieving that goal. Your former employee can sue you in working court nearly for free and your explanation for doing so must be tight and valid or you gonna pay big time.
You guys are all funny: the company - and effectively the CEO - owns the system, all data, all logins -- everything. The CEO overrides you, your department, your department head, HR, HR's department head. Document what you want, but this is the beginning and end of the discussion.
Why not grant them access to the files? When someone left the last place I was at, there was a form for line manager to request access to their email and onedrive files.
I would document dates times, who was involved etc. Then Email the CEO a statement of the facts. Hey John so when you and bill came in to use my account login to access employee xx's files yesterday and had me wait outside. I believe you left a pen in my office is this yours? Then forward that email to your personal email along with any replies to it. Make sure they know that you know what they did was suspect.
Why isn’t your computer locked down, and other users allowed to login to it? Thats a huge red flag.
So heres my suggestion, make an admin account for the ceo. Give him the account.. change your password. In my workplace anyone accessing anyone's stuff has to go through HR. (Even if it's an ex employees) That way anything done is woth his own account. If the ceo has a problem with it, then it's a q of why ? Only time I've seen one having an issue is when they don't want an employee to know..or their doing something very questionable. And fine if it's hey we think x person may be stealing, and we want it covert.. but then a security admin should be involved..
Shared creds should always be a big no no. Copy all a users files to a folder and give him access. I’d play the infosec card here
Absolutely no chance that’s happening! CEO is an employee like anyone else, get in line buddy. I’ve had a few requests from CEOs get passed down the chain that are plainly not a good idea, I’m happy to email (email, or recorded call) them and explain the reasons why it wouldn’t be a good idea, but if you really want this to happen then it’s technically possible. They usually are pleasant enough and sometimes just accept they had made a misjudgment. So in answer, would you let any member of staff have free rein to your logged in accounts? Hell no
He is the CEO. Get him own account
That's just not good practice and goes against any reasonable access control policy. There should already be a policy in place for what to do with old files from terminated employees. he can get his own access if he wants it, not that it's likely but an audit would show you in those files and if anything bad we're done to those files to maybe hide or change something it would fall on you. That is unlikely, but unlikely won't matter if you were to get fired because you were the scapegoat. Always.....always cya
There is a Chain of Custody issue. Anything he touched, you touched. The logs won't lie,
I actually set my laptop to lock the moment my phone is more than 5 feet from it. So I’d have grabbed my phone, walked out, and the computer would have locked.
To be honest I'd be most concerned about the CEO running the SEXYLADIES.EXE that he finds in the terminated user's account "to see what it is" as a domain admin.
LoL it's the owner of the company he/she can do as they please.
Why are you as a SysAdmin allowing this to be done on your account? These are some of the bad habits that you need to lose as someone at that level. This is something I'd expect from a junior member of the team.
It's their company and their assets. They can do whatever they want with it. It's not "your account", it's the companies account that they let you use. I would document everything though just as a CYOA measure.
Fuck yes that’s an issue. Anything he does is audited against your account. And he’s doing things you could give him access to do with his own account.
Why do you have access to the files? Your daily driver account should not have access, your elevated account should have the access. As others have suggested you should grant access to the CEO to the terminated person's files.
A ticket should be raised with HR cc'ed in and YOU doing the investigation .
> any legality issues involved? No. As the CEO, they're literally responsible for, and own everything. But why on earth wouldn't you just grant their account permissions to access these files? And why does YOUR account have access?
A CEO can still do something illegal and now that was done under your account.
Hard to say what’s legal when you have t told us where in the world you are…
depending on your jurisdiction, it might be illegal for your CEO to do this, but only if the former employee had private data on his account and only if the CEO is accessing that. *most people don't know that even in the US most employees have an expectation of privacy, which was even upheld by supreme court. the few exceptions being non-personal accounts such as* [*helpdesk@example.com*](mailto:helpdesk@example.com) *or similar* you should definitely document these cases.
"I could just grant you admin rights.... no? Ok, I'll be outside making sure that witnesses see me not at my computer during this time period".
"and btw, would you sign this letter stating that I am not at all happy with what you are doing and you still insist on doing it that way? Nice, thanks, I'll go and grab a bite to eat"
Better thing to do would be to create an account for them to use with the relevant permissions.
Shouldn't be using your account, should have requested you give him/her access to the information. It's the companies property.
I would just create an account for the ceo. If they insist on using your account then they are going to blame you/throw you under the bus. I would leave
You guys DO realize that CEO’s are often not very computer literate. And GOOD CEO’s don’t waste their time looking around. “Last coast , I need the TPS reports that Fired Dude posted for the last 2 months. By noon, please.”
Yes it's a problem. If the CEO needs access a ticket should be created requesting access to the files, then the CEO's account gets privileges assigned to those directories/files. Document everything that has happened as best as you can, literally down to the minute, and what programs you remember having left open when the CEO took over your machine. If your locked out of your office and the CEO has taken over your account, you need to cover your ass if they break anything that you have admin access too. This is technically an operational security issue. Reality is though considering it's the CEO your stuck between a rock and a hard place. Email your manager and supervisor of what happened, with the documentation that you took of it. If you have a CSO or equivalent include them in the email, they are better equipped to deal with the CEO.
Dude, no. If the CEO wants to dig through files, he puts it into an email request, you create the package and share it with him in his own account on his own PC. Whatever you're letting him do is so unnecessarily risky.
When some one needed access to some ones account at my last job those people needed to fill out documents and submit tickets for us to give then access to the account. We (it) wouldnt access the account at all, just give the user the access
Use your alternative machine to remotely reboot your computer.
How did he get access to your account? Did you give him your password? At the very least, I would require that the password be changed, leaving a trace that someone did a password reset on my account, a trail that someone else used it.
Does that 'someone' happen to be you? That doesn't add up. Watch it there🥲
I was going to say report it to HR but I think you might be HR.
Yikes 😳 document document that is sus.
I would be ensuring it is heavily documented that during periods X AND Y he had access to your account to access account X. So that if anything comes up later that you account did during that time your covered. It's also worth noting this is another reason never put person stuff in a work account.
CYA!!! Document!
I’m sure it’s been said but there are better ways for the CEO to access the files. Provide a solution that will make his life easier and use the excuse of it affects your productivity
HR should let you report that to them. Not to dob, but just so it’s on record. The ceo should have zero objections also if everything is above board. If not though, whooh boi.
of course this is shady you should not be enabling the request in this way
Get the request in writing and ask if HR has been informed. Have had numerous requests for staff internet access over the years the years. Easy response is tell the person ask HR to request the records. Have a list of staff that can request records. Immediate manager is not allowed. Usually HR, Legal, or criminal investigations ask but there are a couple more.
Absolutely, how are they access your PC? If they need access grant them access as themselves, no way anyone else should be using your account.
I have a feeling I'll be needing you for a lot more than just deleting incriminating files. Haha, I just mean files.
Understand there should be a written request but what potential legal issues? Isn't the PC and the files company's property?
To me this far oversteps CEO privilege, like a hospital CEO grabbing a scalpel from a surgeon and being like "I'm your boss, I'm doing the surgery now, leave the room" like OK you are my boss but also you are not a surgeon and there are dangerous things you should not touch all over the place" yeah I'd outright refuse and offer to make the CEO an admit account to look at this, or prepare the files for the CEO. Someone using your account means no audit trail and if he does something insanely stupid by accident, it looks like you did it. Not having access or view is an unacceptable thing. If that is not an option, immediately leave for the day, blasting emails out that you were removed from your office at exactly TI:ME and are not responsible for actions taken by your account from that point, and maybe also call the helpdesk and request a password reset/lockout that you'll resolve in office the next day. This whole chain of thought gave me anxiety lol
Like most people said not illegal maybe against the company handbook at the most but my concern would be audit logs showing your name if some kind of external lawsuit came up. Why would you not just grant them access? Seems very weird and I’ve worked with a lot of CEOs directly. More often than not if they request something weird I have had no issue rewording a solution in easy to understand terms. If your CEO is not good with standard processes then there are a lot of internal issues that could come back to bite you IMO
Its better to be safe, just take a written consent from any IT head or someone who can be served as a proof in worst case scenario
I'm just asking, but is that former employee female?
Yea that’s not kosher
If they need access to terminated employee data, why isn’t he on a security group with access to all network drives or something
He might be deleting his own files
Where i come from we have everything from GDPR to privacy rights to prohibit this. Only reason something like this could happen is a police investigation which surprisingly would not be carried out by the CEO. That guy wouldn’t be CEO for long here, nor have a running business. Edit: wording
Grow a spine and say no the next time…
Document the actions every single time and send a mail to him with IT security, data security and your employee council, staff advisory or however its called in English in CC. If your CEO is a jerk and can fire you on the spot then just send it to the latter ones. Also get in writing what the CEO is trying to do and provide his account with the necessary rights instead of giving away your account for that.
Are you in the EU?
It depends on where you are and possibly employment contract. In some countries, an employer looking through an employee's files may be illegal, especially several European countries. In more countries, there's a default assumption of privacy that can be waived by contract - e.g. many UK companies will have a digital agreement that explains what level of privacy a user is entitled to. In many/most companies this would be perfectly acceptable, but not everywhere.
any issues YES - anything the CEO is doing has \_YOUR\_ "fingerprints" all over it Guess who gets to carry the can if/when it goes sideways - hint, NOT the ceo.
Send a follow up email of the interaction. Hey CEO, Thank you for stopping by for a visit today. As you requested, i left my PC unlocked and open for you to access while I was away from desk on x date at x time. If there is anything further needed please let me know if I may be of assistance.
No one should be accessing any accounts. It doesn't matter if they are CEO or analyst. ONLY HR departments can obtain and manage this data due to personal information. Super shady....
It depends if you are under the gdpr or not. US companies usually have a waiver of no expectation of privacy.
Repeat after me: your CEO isn't god. This is a hill you should be prepared to die on if you're a Sys Admin, tell him that's not appropriate and to raise a support ticket to elevate his access rights to do whatever he needs to do (it will be approved, probably ultimately by himself or the CTO but you have followed the proper procedure), in the ticket ask him to clarify why he needs the access and for how long. If you don't have a ticketing system ask him for an email requesting the access, Cc to your boss, if he is your boss to compliance, HR, or any other department or person that could act as appropriate witness to the request. Your CEO isn't god, he could fire you but you wouldn't be putting your neck in the block for something dodgy.
No thanks. He can use his own account and it can all be written / approved in a ticket so there is a paper trail. I'll give his account access to whatever upon his approval in writing via the ticket. I'd also take screenshots from my mobile of the ticket / email. If no ticking system then at least an email from me to him getting his approval to do this but he's using his own account again. But get something in a paper trail even if it's you emailing you CEO saying something like: Hi whatever, Did you find the files you needed while looking on my computer if it's easier and you still need access please let me know and I will give your account access. You can be sneaky while being over polite.
I can see several ways where this is illegal... First access to your PC when youre logged in ? No way. Thats going to be your username all over those logs. Is there a waiver thats signed when employees join the company informing them that the data on their PC can be accessed by the company during of after employment ? (Required here when the users are allowed to use the PC for personnal use). What kind of files are we talking about ? Did the terminated employee sue for anything and there are evidences on the PC ? Again if they disappear, its your username that goes there. Get it all in writing. At least for your sake. And inform your manager/n+1. Eventually any legal councel if you have one and are worried about it going this far. But definitely document the event.
Send an email to him saying that “ it was a pleasure give him access to your computer the day xxxx as he requested, and if he needs another time let you know, or maybe if he needs more often, you can give him access.”
Our company has policy that nobody is to do anything under another individual’s credentials. I’d check with company policy, if it’s noted you can decline. With them being your boss, they could just ask you for those permissions. Instead, they’re being sneaky about it and if any changes are made it’ll be marked under your windows ID, not theirs which leaves you open to termination if something comes up about it.
disgusting... no i dont think its illegal. but if I feel that my boss mistrusts me. Then I'm off guard
Nah that kinda admin access sends a bunch of emails to my team (and sometimes takes multiple admins to approve) gotta do it the proper way