How To Hire A Sysadmin, Part II

As promised, albeit a bit later than originally scheduled, the second part of “How To Hire A Sysadmin”, with the Second Question to ask a potential hire:

“You are sitting at your desk one day when the Chief Operations Officer shows up out of nowhere and says, ‘I believe that my assistant Frank has been communicating company secrets to competitors.  We let Frank go this morning.  I want a copy of all Frank’s files and his email put into the Operations share on the file server so that the Ops group can go through it to see what the damage is.’  What do you say?”

I’ll give you a hint, the best answer is a very quick and unequivocal “I’m sorry, Dave, I can’t do that.”  The second (almost as acceptable) reply is, “I’m afraid you’ll have to have that okayed by the office of legal counsel.”  [edited to add]  This actually can go either way in terms of what’s the “best” answer.  I’m getting ahead of myself.

I’ll give you another hint, hiring someone who answers the question correctly may turn out to be a pain in your butt later.  It’s for your own good.

In spite of the fact that (at least in the State of California) your employees’ email accounts are regarded as property of the company, the fact still remains that you (in this case The Company or The Organization or whatever) have legal responsibilities when it comes to employee data.  From Harvard Law (just one example):

The general idea has been that the employer owns the equipment, and can therefore set the terms of its use. Even under current law, which has been deferential to employer monitoring, this does not mean that employers are free to monitor or not monitor at will. It is not clear, for example, whether employers who fail to notify their employees that they monitor their mouseclicks will avoid liability for invasion of privacy. Moreover, even if employers issue a general notice to employees that they may be monitored, an employee might argue that more specific notice is required.

Even if your workplace has very well defined rules regarding employees’ use of electronic equipment, be aware that you can face all kinds of serious repercussions for mishandling data.  If Frank’s mother recently emailed Frank that she had Hepatitis C, and that information winds up getting out, you can be up for a world of painola.

Handling data discovery, even internal to the company, is not something that a systems administrator should *ever* regard as his (or her) blanket responsibility.  They shouldn’t be monitoring general computer usage either, but that’s a subject for another post.  Oh, wait, I already wrote that one.

In the United States, there are three classical professions, namely… doctor, lawyer, and priest, according to Wikipedia.  It’s generally accepted now that this list is somewhat longer; the Department of Labor has a whole list of “professional and related occupations”.

Generally, to be officially regarded as a “profession” (as opposed to an “occupation”) you need to meet a few requirements, one of which is some sort of professional body.  Borrowing straight from the Wikipedia page:

Professions are typically regulated by statute, with the responsibilities of enforcement delegated to respective professional bodies, whose function is to define, promote, oversee, support and regulate the affairs of its members. These bodies are responsible for the licensure of professionals, and may additionally set examinations of competence and enforce adherence to an ethical code of practice. However, they all require that the individual hold at least a first professional degree before licensure. There may be several such bodies for one profession in a single country, an example being the ten accountancy bodies (ACCA, ICAEW, ICAI, ICAS, CIMA, CIPFA, AAPA, CIMA, IFA, CPA) of the United Kingdom, all of which have been given a Royal Charter although not necessarily considered to hold equivalent-level qualifications.

Typically, individuals are required by law to be qualified by a local professional body before they are permitted to practice in that profession. However, in some countries, individuals may not be required by law to be qualified by such a professional body in order to practice, as is the case for accountancy in the United Kingdom (except for auditing and insolvency work which legally require qualification by a professional body). In such cases, qualification by the professional bodies is effectively still considered a prerequisite to practice as most employers and clients stipulate that the individual hold such qualifications before hiring their services.

There is no nationally-recognized “systems administrator” professional body (there ought to be), and yet we have administrative or root access to the file servers upon which sit not just your corporate data, financials, customer lists, etc., but also *your* email and *your* documents (that’s one major reason why there ought to be).  If you are a doctor, a lawyer, an engineer, or an accountant you may actually *lose* the ability to do your job in perpetuity if you fail to exercise your professional responsibilities in the eyes of your professional body; you can lose your license to practice law, or medicine, or submit plans to City Hall, etc.  This is a double-edged sword: if you mess up, you can literally be ejected from the profession.  However, with it comes a protection that currently systems administrators don’t have: if The Boss tells you to do something that violates your professional ethics, you can tell The Boss, “I’m sorry Dave, I can’t do that, because I could lose my license.”  Right now, sysadmins have the responsibility to protect the data, but we don’t have much in the way of business clout.  You want to hire someone who will actively refuse to let you shoot yourself in the foot, even without that backing.

Trust me.


Posted October 27, 2009 by padraic2112 in management, tech

4 responses to “How To Hire A Sysadmin, Part II”

  1. This is a good article. I do disagree that there is no nationally recognized professional sysadmin body. The League of Professional System Administrators (http://lopsa.org/) functions in this capacity. There is a code of ethics that each member must adhere to, and is a growing, functioning body of people devoted to advancing the profession of systems administration.

    The difference between system administrators and, say, electricians, is that there is no license required to do administration work, any more than there is to be a mechanic. Sure, there are certifications that you can get in both arenas, but there’s no one that says “You haven’t passed this test, you can’t replace the belts on that car”. Or set up a mail server.

    Should there be? I don’t think so. There is no “one infrastructure” in place that must be adhered to, as there is with the national electrical grid. The closest you could come would be a network-centric certification that adheres to the rules of the internet. The only one that I know of that is network based, vendor neutral, and widely recognized is CompTIA Network+, and most of the networking professionals that I know look down on that cert.

    In the end, it is up to each organization to decide the necessary skill set required for their IT workers, and to dictate the training / certification they need their employees to have.

    When your car is broken, you can go to a national chain where all of the mechanics are ACE certified and things are done by the book. Or you can go to Bubba’s tire and bait shop. Both can change your tire, but if I had to rebuild my engine, I know where I’d go.

  2. Well, by “nationally recognized”, I mean “people generally require membership in it to get the job”. That’s certainly not the case for LOPSA (although I am a member, coinkydinkily).

    And I get the argument that systems administration, like software engineering (or computer programming), or database administration, or any one of a number of IT positions doesn’t have the formal infrastructure API like electricians do (or architects, who must adhere to building codes or whatnot).

    At the very least, though, there should be covering categories among formal professions. If you want to be a systems administrator for a health organization, you have access to the information doctors do, you should have the same ethical requirements a doctor does. Same with sysadmins who work for accounting or legal professions. This generally does exist for military/criminology work (no clearance, no job, sorry).

    If you break the rules, you should be effectively disbarred from working in those areas, for the same reasons you would disbar a lawyer or revoke a doctor’s license to practice… and for the same empowerment reasons those professions have: because you ought to have a formal framework (with a formal grievance process) to say to someone who asks you to do something illegal/unethical, “No, I can’t do that”.

    Not that *I* need it, but I’m a stubborn cuss.

  3. I liked the first part better; in particular, I think that you can teach these sorts of ethical rules pretty quickly and easily, whereas teaching people how to think about system administration (the first part) is much harder. You may be willing to do it, if you’re hiring a junior person that you want to indoctrinate er I mean train, but you really need to know that ahead of time. A gap in a candidate’s clue about sysadmin ethics seems like much less of a problem to me.

  4. Pingback: More on Exception Scenarios « Pat’s Daily Grind
