235 Probation

Probation? Probably Not.

by M. E. Kabay, PhD, CISSP
Associate Professor, Computer Information Systems
Norwich University, Northfield VT

In discussions of employee management and security, some key areas of concern are hiring and firing. However, ongoing management also provides challenges to information assurance (IA); for example, how should IA professionals handle proposals to offer an employee a probationary period?

There are two kinds of probationary period:

* a period at the start of employment designed to evaluate a new employee's skills and decide on permanent employment;
* a period following a serious problem, possibly leading to termination of employment if the problem or its equivalent recurs.

Both types of probation raise problems for IA.

In the preliminary probationary period, the candidate's employment is contingent on approval. When assigning access privileges to such a candidate, security staff should evaluate managers’ natural desire for productivity but weigh the benefits of thoroughgoing access against the possibility that the employee will soon disappear.

As for probation for the error-prone or the lazy, I can accept the idea of a probationary period for employees who may be making too many mistakes or who need a kick in the pants to be motivated for better performance. However, a probationary period for an employee who has given cause to worry about security violations is far more problematic.

When would it make sense to allow an employee who violates clearly stated security policies to be put on probation? There's certainly nothing wrong with correcting someone's behavior using advice, criticism or even reprimands if appropriate. What doesn’t make sense to me, though, is telling someone who has committed such a serious violation of security that they could be fired, "Well, we won't fire you right now: we'll give you and fire you at the end of that if we don't like your behavior."

If someone is not worthy of trust, why would you give them access to sensitive and critical resources at all, let alone do so while putting them on notice that they may lose their job soon?

I recommend that probation for employees you don’t trust simply not be an option. Either express your support and trust in your employees or fire them right away if they no longer merit your confidence in their honesty.

M. E. Kabay, PhD, CISSP is Associate Professor in the Department of Computer Information Systems at Norwich University in Northfield, VT. Mich can be reached by e-mail at < mailto:[email protected] >; Web site at < http://www.mekabay.com/index.htm >.

Copyright © 2003 M. E. Kabay. All rights reserved. Permission is hereby granted to Network World to distribute this article at will, to post it without limit on any Web site, and to republish it in any way they see fit.