Conference 7.286::digital

    How can you differentiate this from a manager (or any other employee)
    who delegates his/her secretary to open their paper mail?  Seems to
    me this is the manager's prerogative.  If you are sending something
    via electronic mail and indeed want it to be confidential, then state 
    that in the subject line.  It would seem to me that most people would 
    instruct their secretaries not to read mail marked "CONFIDENTIAL - 
    ADDRESSEE ONLY", even if they delegate the reading of all other mail.
    
    Now, if you have a secretary you can't trust - that's a whole separate
    issue...

    >On many occasions, I find that though a Manager is on leave/tour, his
    >account is 'logged-in'. Should be his/her secretary!?
    
    Maybe they've just gone off on vacation and left their workstation
    paused.  Ever think of that?
    

    I am a secretary in Pittsburgh and I can only relate the arrangement my
    manager and I have.  If he is out of town, on vacation, etc. he
    specifically asks me to print out any messages that look more important
    (confidential, etc.) than others so that he can address those first
    upon his return to the office.  Since he usually gets 20+ messages a
    day if I let them all stay in his inbox there would be messages buried
    in there that he may not see for a week after he returns.  However, if
    I've printed them and put them on his desk in a confidential envelope
    then he can usually deal with them during the first day that he's back.
    
    Luckily he trusts me to not share with the world the information that
    he receives on a day-to-day basis.  If he didn't I'm sure we wouldn't
    work things the way we do.
    
    Hope this helps,
    Lori

20 messages a day?  Oh, to have so few....

     The basic assumption that one has to be physically in the office to
    be 'logged-in' is incorrect. 
    

    re .4
    
            <<< Note 2526.4 by NETRIX::thomas "The Code Warrior" >>>

20 messages a day?  Oh, to have so few....

    And to have a secretary look after them, what's more...
    
    q	

I'm logged in right now, and I'm 900 miles from my office.

I agree  though - I think there's a potential invasion of privacy
issue when asking one's secretary to screen email.  If someone sends
you private regular mail, they can put it in a sealed envelope 
and write "personal" on the outside.  The receiver can then figure 
out if it's been read, and it keeps someone scanning the mail from
glimpsing part of the contents while sorting mail.

The same is not necessarily true of email.  When I read my email, 
I regularly type the wrong number and wind up reading a message 
I hadn't intended to read yet.  I'm sure that, aside from better
typing skills, secretaries run into the same problem.

Matt

    Almost all the people who have replied have skirted the main issue.
    
    RE .2 : Depending on how SECUR PACK is installed, system should
    normally log you off after some time, right? In such a case, the
    account couldn't have been paused!
    
    RE .3: '...luckily he trusts me..' - can everybody say this of all
    secretaries?
    
    RE .5: I do understand that the Manager could have remotely logged in;
    that's no problem, I understand it.
    
    Human by nature is inquisitive...how do you prevent the secretary from
    NOT reading other folders ( other than NEWMAIL )? 
    
    There's been plenty of discussion in DIGITAL notes-conference about
    'sanctity' of sending personal / confidential mails and also about
    whether it is an acceptable norm. What I don't understand is on what
    basis a Manager decides to let his secretary use his/her account. Can
    somebody explain the 'thinking process' / logic?
    
    Another thing is that any information one reads tends to get discussed
    / passed-on to others..imagine your appraisal notes / comments being
    known to the whole world OR your observations of a particular situation 
    becoming public knowledge.
    
    
    Anyways.....the concept is very disturbing.
    
    How about 
    
    (a)  some sort of ( AI-based? ) intelligent filter to retain specific
    mails, depending on subject/sender?
    
    (b) having 2 accounts : one for general mails and the other for
    CONFIDENTIAL ONLY?
    
    (c) insisting that everytime one is away from office/town for a long
        ^^^^^^^^^
     time, have WATCHMAIL / Auto-reply take over?
    
    Kumar

    RE:  confidentiality and the secretary...One secretary's P.O.V.
    
    I am trusted with a great deal of proprietary information within my
    organization and I am happy to report I earned that trust by being
    trustworthy!  I have access to EDCFs, performance reviews, TSFO lists,
    etc.  I have been asked to divulge this information, in fact I have
    been begged almost.  My job and my loyalty to my manager and myself is
    much more important to me than any other employee or their need to
    know.  There are a great many times I have been tempted to write a
    reply here regarding some topics, but realize that it would jeopardize
    my position.  I really like the fact that my manager trusts me with
    confidential information - not only work related, but also personal at
    times.  I value that trust and will do nothing to jeopardize it - not
    for anyone.  All this for less than $30K/year!!  Can you imagine!!
    
    -sandy

re .9 and being logged off after a certain amount of time - 

thankfully, I've never worked for a group that had something 
that logged me out at night.  Those things are a real pain in the
butt.

re .10 - your manager trusts you, but do the people who send him 
confidential mail trust you?  If it's not ok with them if you read
their messages, then youur manager is committing a breach of 
confidentiality, IMHO.

Matt

    Two comments:
    
    1. In my experience, a large proportion of managers (and almost all
    senior managers) work with their secretaries in the way described in
    reply 10 above.  To act as if this were otherwise, is to deny the
    reality of this communications medium.  If you have something that is
    "for his/her eyes only", I think that you'd best give it to the person
    personally.
    
    2. I entirely subscribe to the comments in .10; secretaries at Digital
    handle much of this company's cost center reporting, the salary system
    ticklers, and a whole host of confidential information in partnership
    with the managers they support.  In the main, they do it in a
    professional, confidential and sensitive manner.  It is simply part of
    the job, IMHO.  It seems to me that there are a lot of people who don't
    view this *profession* as being the valuable one that it is.
    

    Re .10, .12:
    
    .10> I am trusted . . .
    
    .12> . . . they do it in a professional, confidential and sensitive
    .12> manner . . .
    
    .12> It seems to me that there are a lot of people who don't view this
    .12> *profession* as being the valuable one that it is.
    
    What does the value of the "profession" have to do with security? 
    Nothing.  There's plenty of people in the company more valuable than
    secretaries, but we still have them use their own accounts, not other
    people's.
    
    Why?  There are tens of thousands of people in this company.  _Some_ of
    them are going to misuse, steal, or destroy information.  If a system
    is properly set up, many improper acts can be traced to a specific
    person.  But if multiple people are sharing an account, the system
    can't provide any way to tell them apart.
    
    Allowing more than one person to use one account is a violation of
    corporate security policy, and with good reason.
    
    
    				-- edp

    Re .13
    
    This may not be obvious to you "edp". But a manager has a secretary
    monitor his/her mail account so they can spend their time doing
    something more productive. A job of a good secretary is to make sure
    that a manager gets to see what is important and doesn't get to see
    what is unimportant. A poor secretary doesn't do this very well and
    gets the reputation for being a poor screen or just a nuisance. But
    good secretaries (and from what I've seen most secretaries in Digital
    fall into the latter category) really help a manager be more efficient
    at their job.
    
    Which would you prefer:
    
      a) Send mail to a manager and have it ignored because it wasn't read
    	 or aged.	
      b) Have it screened by a secretary and have it acted upon. The best
         secretaries even know the organization well enough to forward on
         mail to somebody more appropriate to answer it.
      c) Hire more 6 figure salary managers so that they can keep up with
         their mail.
    
    Dave

    RE:  .14
    
    Dave,
    
    As a secretary, I thank you for the reply you wrote.  It's more or 
    less what I tried to express is reply .3.
    
    Lori

    
>    Allowing more than one person to use one account is a violation of
>    corporate security policy, and with good reason.
    
 
	If you use ALL-IN-1, it is a feature included by request from many
	customers.

	A secretary can get access to the managers inbox, read, and outbox, as
	if they were folders in their own account.......if the manager
	gives them access.


	Heather

    Re .14:
    
    > This may not be obvious to you "edp".
    
    It is perfectly obvious to me, but if you are questioning
    comprehension, it is time to examine your own understanding of computer
    systems.  Did I write one word that would imply a secretary should not
    process a manager's mail?  No, I did not.  I said they should have a
    separate account.  Is your knowledge of the computer systems we
    manufacture so slight that you do not know that multiple users can
    share information?
    
    > But a manager has a secretary monitor his/her mail account so they
    > can spend their time doing something more productive.
    
    What on Earth does this have to do with using separate accounts?  Not a
    thing.  In an earlier note, I described two ways a secretary can handle
    a manager's mail from a separate account.  One way is to have the
    manager's mail forwarded to the secretary's account.  The secretary can
    then filter, process, and file the manager's mail.  Mail the manager
    needs to see can be sent back with forwarding disabled.  The second way
    is to set up ACLs so the secretary has access to the manager's mail.  A
    competent system manager should be able to set up both of these
    situations and explain the advantages and disadvantages of each.
    
    Note that neither of the two above arrangements would allow the
    secretary to send out mail from the manager's account, or vice-versa. 
    Thus, neither person could impersonate the other -- that's part of the
    advantage of having separate accounts.
    
    
    				-- edp

    Re .16:
    
    Using the files of one account from another is NOT the same as using
    another account.
    
    
    				-- edp

EDP,

  How often have you needed mail from the cost center manager or further up the
chain to get something approved?  Mail from the secretary's account doesn't cut
it.  So secretaries often have to use the manager's account in order to
generate the mass of approvals that this company thrives on.

	Dave

    Re .19:
    
    Representing mail from a secretary as mail from a manager is fraud and
    is one of the things that proper system security is supposed to
    prevent.
    
    
    				-- edp

The discussion in .17 etc about how a secretary can have access to a
manager's mail without having login access to the manager's account
is useful and interesting.  While I agree with the points about
security, it needs to be pointed out that secretaries have been
signing their boss' names to routine documents for centuries. 
Good secretaries (or perhaps I really mean a good administrative
assistants) know how their boss wants things done, including what
constitutes a routine task that the boss wants taken care of without
bugging him/her.  

The better and more official way to do this is to have the manager
sign things him/herself on the secretary's recommendation.  However,
if the secretary says it is routine, is the manager really going to 
read the stuff before signing?  There isn't a lot of difference in
practice between this and the secretary signing the manager's name
by direction.  If one asks whose fault it is if the secretary abuses 
this trust, my answer is that it is the manager's fault (as well as the 
secretary's fault).  Managers are supposed to know whom to trust, and
managers are responsible for what their people do.

However, this is a side issue from the main discussion, which relates
to whether a manager has a right to choose to let a secretary see
his/her mail.  There are two answers that should be obvious.  First,
computer messages are NOT secure, and email should NEVER be used for
really confidential information.  There are plenty of opportunities for
anyone with system privileges to secretly peek at the files.  For that
matter, it's a risk to store confidential information in a computer at
all, if anyone who isn't trusted has access to the system.  Or to store
it in a filing cabinet if you don't trust everyone who has keys to it.

The second obvious answer is that this is no different from a manager
telling a secretary to open ALL paper mail, including mail marked
"personal and confidential".  I believe that some managers do this
(though usually with a short list of people whose mail shouldn't be
opened).  Want to bet that Bob Palmer doesn't do this?  There's plenty of
junk mail that comes marked "personal" precisely to try to get it past
those whose job it is to filter the mail.  As someone said, if it's so
confidential that it cannot be trusted to a secretary, then it should be
given directly to the manager.

	Enjoy,
	Larry

PS -- My family owns a document signed "Abraham Lincoln".  It's a land 
grant for some acerage in South Dakota.  Apparently the law or custom
of the time required the president's signature on the land grants.  As 
I said, secretaries have been signing their boss' names for centuries.  LS

The proper solution is to set up the system to grant a secretary access to a
manager's mail.  The proper solution is to allow the secretary "approval
authorization" for the manager.

The improper solution is the LAZY one taken so often at Digital:  let the
secretary log in to the manager's account.  As edp points out, this behavior
violates corporate security standards and should not be tolerated.

If I had a need for you to look at my bank account and where I spent my money, I
certainly wouldn't hand you my bank card and give you my password.

Paul

	Maybe you shouldn't argue the implementation details and
	just stick with the principles here.. There's a million
	and one ways to skin a cat. Whether is should be done is
	the arguement.

						mike

    
    
    IMHO:  There is no one, in any company, more important than a secretary.
    
    Anyone not in control of the flavor and implications of that
    observation, cannot be successful.
    
    J.B.

>    IMHO:  There is no one, in any company, more important than a secretary.
    
    I've seen successful companies that have no secretaries, but I have yet 
    to see a company that consists of only secretaries.
    
    Wayne

    I wonder if we should consider "what" a "manager" is.
    
    A manager has been given authority, and responsibility, for many
    discretionary actions.  
    
    None of this authority is given to non-managers.
    
    The manager delegates to the non-manager (secretary) according to
    discretionary decision.
    
    What this brings up is, in our "culture", ignorance of the implied
    "this does not apply to managers" in our policies and procedures
    manuals.  Work is not a democracy in practice.  We cannot "own"
    property at work, nor be protected from "pursuit of happiness".  It
    will take many court cases to turn this around, to where the rules
    apply even to managers.  If ever that will happen.
    
    The other cultural exception which applies is "private secretary".
    That role is discharged with honor by very many upright individuals.
    If it's not broke, don't fix it.  Still, I think I want to be able
    to send an electronic equivalent to the company's "Personnel" level,
    explicitly addressee-only, with a wrapping that at least deters (not
    defeats) accidental-key or curiosity breaches.
    
    Rich
    
    

    What if I know that the person who is reading the Managers's mail is
    a person whom others consider 'chatty'? 
    
    
    I know a lot of you would say '...how come he remains to be a
    secretary?...' One of the mysteries of life, I would say.
    
    So, the question is: SHOULD ONE NEVER SEND CONFIDENTIAL / PERSONAL /
    PRIVATE MAIL TO ANYONE without ascertaining that the recipient NEVER
    allows anybody else to read his/her mail?
    
    Kumar 

    re: -1
    
   >> So, the question is: SHOULD ONE NEVER SEND CONFIDENTIAL / PERSONAL /
   >> PRIVATE MAIL TO ANYONE without ascertaining that the recipient NEVER
   >> allows anybody else to read his/her mail?
    
    If you are that concerned about it, send your letter (registered mail
    with return receipt) to your manager's home.  Oops, may run into the
    same problem at the manager's home (spouse, S.O., children).
    
    Roberta Davidson-Stratton

    Re .27
    
    The answer is simple. If you have specific instances of a secretary
    betraying confidences they have been entrusted with you whould report
    it to their manager. Professional secretaries don't disclose
    confidential information. And unprofessional ones that do should be
    fired, no questions asked.
    
    Dave

    In the real world, or at least in Washington, Congressmen employ
    legions of secretaries who process mail and sometimes answer it in the
    name of the Congressman. This has gone on for centuries; there used to
    be a word for that job, which I believe was "amenuensis" (but I can't
    spell it and it's not in either of my dictionaries).  My family has a
    set of correspondence from forty years ago between my father and
    then-Representative John F. Kennedy; of twelve letters he got from JFK,
    two have been judged as signed by Kennedy, and the other ten by two
    different secretaries essentially forging Kennedy's signature.
    
    This is not a computer problem per se; it is a practice of long
    standing.

    
    You don't even get that from the president!  There are thousands of
    letters to the president every day.  There is no way he could answer
    them.  So, what did the White House do, you may ask.
    
    They have developed a software package (used to run on a VAX), that 
    scans the letter looking for "key" words and/or phrases.  From these
    key words/phrases, a response is generated (by the computer), and the
    response is printed on (used to be), an LPS40.  And YES, the LPS40 
    also SIGNS the letter using the presidents hand written signature.
    
    The signature is digitized and put into a postscript file.
    
    Soooo....be glad that a "human" signed your letter, even if it was
    forged.
    

    "The signature is digitized and put into a postscript file."
    
    Actually, it's a tiled bitmap file.
    
    							Ann B.

re .30

"In the real world, or at least in Washington, Congressmen ....."

There's something wrong with this phrase....

    Just Jumping in with my 2 cents.....If the secretary...is doing "all"
    this for the manager, then I think the mang should give up his salery 
    or pay a % to each secretary for the amount of work they are doing for 
    him!!! Personally I feel that it is the Managers responsibility to
    check his/her own mail and respond to them...That's there job...instead
    of attending 20 meeting's a week...stay and work issues????????
    (boy is this opening a can of worms.8^).. I also happen to know that
    using someones account is against Security......(I'm ex-security)
    
                                 Bob

>    I also happen to know that
>    using someones account is against Security......(I'm ex-security)
 
	However, you can read someones inbox, outbox and read folder, and send 
	a mail, without logging into their account, they just have to set up the
	parameters, via menu functions.

	It is a feature of ALL-IN-1, specifically designed for managers
	and secretaries to work better together with the aid of technology.

	Personally, I would like to see all secretaries doing this, and 
	filtering/prioritising the managers mail, and doing other work that they
	can do for them, and allow the managers to get on and manage.......or
	we'll never get out of the mess we're in.

	Heather

    <moderate simmer on>
    
    ...and just to add to Heather's comments, maybe security could look at
    business needs as well as technological standards - the one person/one
    account rule is a pile of rubbish, which IS are the first to violate
    with the SYSTEM and system administration accounts.
    
    <moderate simmer off>
    
    Paul

	Err, what 1-person 1-account rule?


	3-account Heather

    Corporate Security say that each account should only have one owner and
    one person accessing it (multi-access forbidden)
    
    Paul

I guess the thing that amazes me so much about this whole discussion is that we
have a plainly stated corporate policy openly ignored, not by technical
individuals, but by the same people whose jobs it is to ensure this is enforced
in the first place!

Consider the following that I have run across over the years:

1) A DM who *never* read his own mail but had his secretery print it off so he
   could take it home and read it at night.

2) A unit manager who, quite innocently, didn't even understand that there was
   a policy against having his secretary read *and reply* from his account
   because he had been doing it routinely for years, as had been his peers.

3) A new services manager who felt it was *privilege* that came with the job to
   have a secretary who could get into his account so he didn't have to read
   and answer mail.


These are not just the exeptions to the rule, it is standard practice.
I am not arguing for or against having a secretary read a manager's mail.  There
are many good arguements for it as well as against it (all discussed here).

However, either the practice should be stopped or the security policy revised so
we have some consistency.

    re.  letters to President scanned electronically for keywords and reply
    generated automatically from generic canned responses according to
    keywords.
    
    If this is true then it makes little sense to write the President.  I
    don't write to get an automated response to help encourage me to keep
    my mouth shut because the automated response is telling me what I want
    to hear.
    
    I want a HUMAN with at least input to the President to read the letter
    and generate a reply which at least considered what I said.  I suppose
    that writing Senators and Representatives involves similiar 'programs'?
    
    This new E Mail thing 'straight to the President' which was announced a
    couple of weeks ago REEKS of the ability to 'scan' ones E Mail and
    computer generate 'responses'.  Now its even EASIER to scan incoming
    mail... they don't even HAVE to scan the letters... they will already
    HAVE the softcopy you E Mailed them!  Talk about depersonalization....
    this has reached the height of depersonalization.  I know, they CAN'T
    read all the damm letters.... too many of them and all.  If thats the
    case then they should just SAY SO and don't bother with a reply... 
    
    Jeff
    

    As to sending a letter to the President and automatically scanned words ... 
    this could get funny.  Imagine how a letter sent to the President like
    this might be received:
    
    Dear Mr. President, 
    
    Sorry to hear that the Press shot down your latest ideas.  From what I
    understand, it was a bit of a bombshell for you to terminate the last
    press conference so abruptly due to that loaded question.  Seems like
    the press is always looking for some sort of smoking gun, I suppose.
    May I offer a simple suggestion?  Next time the press is spying on you,
    just nuke 'em with your sexy smile like you did at the last successful
    press conference.  They probably feel tortured when you just kill them
    all off with a sentence that just cuts things short.
    
    					Sincerly,  
    
    					A. Faithful Supporter

    
    (automated reply)  but no headers say so.
    
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    
    Dear A. Faithful Supporter,
    
    Thank you so much for your thoughtfull letter.  Yes, we do have press
    conferences and we appreciate your interest in them.  The President has
    such a busy schedule he has to cut some of them short.
    
    Write again the next time you have questions about press conferences.
    
    
                                                Sincerely,
    
                                                President XXXXXX

    Well folks...it has been great hearing different viewpoints from all
    sections of people. I know it is very difficult to arrive at some sort
    of 'conclusion' but let me try to summarise / conclude:
    
    1. Most people recognise / agree that electronic mail systems are NOT
       to be used for confidential mail. 
    
    2. Most probably, confidential matters should be hard-copied and passed
       on to the recipient ( in a sealed cover! ) with appropriate
       markings.
    
    3. In general, most secretaries in Digital are trusted.
    
    4. Whoever is incharge of implementing Corporate Security ( as
       applicable to computer systems ) should review the current practices 
       and repair the dents.
    
    5. We do not have sufficient 'techniques' to prevent 'misuse' (
       pls..don't flame me for using this term ) of ALL-IN-1 or VAXmail.
    
    So.....take care and be more careful in future. That's a good lesson 
    learnt from these discussions.
    
    Thanks to all the participants.
    
    Kumar