
Company Ethics

Hello, this is my first post, apologies if it’s not in the right group.

The company that I work for uses an external service to post monthly wage slips to a portal. Each member of staff must sign up to use the service using a personal email account; staff that don’t sign up to the service receive their wage slips via the postal service.

It’s not mandatory for staff to use the service, but it’s highly suggested that this is the way to go when you join, and the majority (90%) of staff use the portal.

We have identified that the service is not secure enough, i.e. it does not employ MFA or any form of complex password requirements; furthermore, you can bombard the portal with passwords and it doesn’t have any lockout.

We have told the business that this service does not conform to standards and we should inform staff immediately, recommend that they download their historic slips and close down their account. The business has refused our advice stating it would cost them too much in postal costs if everyone did this.

 

Clearly ethics plays a big part in me coming here and asking for advice. Can anyone suggest a pragmatic next step?

2 Replies
Steve-Wilme
Advocate II

You may want to consider if your company has any process for assuring suppliers prior to contracting with them. You may also want to consider if the company contracted is breaching any part of the agreement with them, as there may be liabilities and indemnities specified in the contract. Your employer probably has a legal obligation to provide you with a pay slip specifying pay and deductions. If you work in a jurisdiction that has a privacy regulator then they may offer advice to organisations, and your company may be obliged to appoint a privacy officer.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS

Thank you for the advice Steve. I will certainly take your advice.
It’s a shame this scenario was procured way before we got our act together with supplier onboarding; this would never happen now.