Use of contract worker

[morganlefay]

We have recently hired a contract worker to assist on a project and I am trying to advise HR and upper management on using a contract to outline an AUP for when said contractor accesses the internet....and also have him document his work.

I am hoping for some has a links to some basic guidelines to follow showing how important it is to have a contract and documentation of the work done....and the risks of not having these in place.

Any links and or suggestions are greatly appreciated as always!

MLF

[dinowuff]

Hey MLF Start here http://www.sans.org/reading_room/whi...nsibility-it_3

Now since I know a bit about your contractor, I have a nice little bit of malware I could send you. It will do all the nasty things slammer and code red did, but it will not replicate or spread. I use it every now and again when my lusers don't follow the "don't allow vendors or contractors to connect to the network with out contacting IT first" Rule.

[morganlefay]

Thanks Dino...yes same contractor.

I did find the constant DNS requests were his iphone piggybacking on his laptop to get mail as Hybr|d suggested....but I still receive excessive UDP requests which I attribute to P2P. When I blocked the program on the local router in use (segmented from our corporate network)...the little ba$tard reset it...and then "could not" remember the admin password he set.

I again reset the router.....and approached upper management. They have no contract....no documentation. A project that was to take 1-2 weeks is now in its 3rd month...and the little twerp is playing P2P network games while here. <shaking head>

Of course...now the little ba$tard knows I am on to him.

<sigh> .......all I can say is...its typical from our upper management

MLF

[HYBR|D]

Why does the contractor have access to the Router?

[morganlefay]

The contractor has physical access to the router because he and the R and D products are on a segmented lan ....outside of our corporate network...but sharing our internet. Together we set up the router ...which he needed access to for the setup of the devices in development...using both wifi and wired.

Once the initial setup and functionality was done...I reset the admin password and set it to filter the P2P traffic....he hard reset it...and would not give me the password

He has physical access to it because he told management he needed access to set it up.....

I am trying to make them see that he does not need access to it for the project....

I reset and set a password that I did not share with contractor....the UDP traffic has since stopped.....with no loss of functionality to our R and D devices.

Because there is no contract or AUP...he can pretty well reset if he likes.....unless I can show management reasons and risks of letting him do so.

Hence my initial request

MLF

[nihil]

he hard reset it...and would not give me the password

"pick a window, you are going out"

I guess I would cut off his internet share.................if they want to do their own thing then let them?................... but they have to make their own arrangements.

Back in the day I would give a contractor a telephone socket and let them get on with it............OK that was pre-broadband. Nowadays I would be tempted to set up a standalone home broadband account to achieve the same (make sure that it is the slowest and crappest you can find)............as a corporate you might have to go for the type of account that pubs, restaurants and cafes use...............over here those are pretty basic.

What the hell kind of organisation employs a contractor without a contract, terms of reference etc.???? I mean contractor..................................?

I don't know Canadian law, but over here if someone set a password on your system (which they have no legitimate reason to do) and then refused to reveal it, they would be looking at "the big house" for sure.

Does your company have a legal department? they might be interested?

[dinowuff]

It's not flattery, consider it more of begging. Really. The last two times I tried to hire a network administrator, either the resumes had LOL typed in somewhere or the applicants couldn't explain sub-netting.

Everyone and their brother is M$ certified and if it isn't windows server 2008 or at least have wizards, they don't know how to use it.

On applicant explained to me that there was no need for a CISCO firewall because windows server had a firewall built in.

The worst part is all applicants now days believe that customer service is their #1 priority.

Really? They realize there customers are end users and they sincerely believe that the customer is always right.

I fear we are raising a generation of Super Users and Bitches and Bastards like us are a dying breed.

Sorry about the RANT, The server room on the North end of the building got to 100 degrees early Sunday morning and I've been dealing with that.

[nihil]

The worst part is all applicants now days believe that customer service is their #1 priority.

So do I, and so do you! the main difference is that you and I would only consider it to be such if it were part of an existing Service Level Agreement (SLA) After all, it is by providing customer service (in its broadest sense) that we earn our money; but we do need to have rules of engagement?

I come from a development and project management background, and insist on terms of reference, a user requirements specification and a project plan. All of which have to be signed off by senior user management. If you don't insist on that you are wide open to what we call "scope creep"

They realize there customers are end users and they sincerely believe that the customer is always right.

But they don't realise that the degree of customer correctness is directly proportionate to the number of used twenties ($20) in the "brown envelope"?

and Bitches and Bastards like us are a dying breed.

Hey Dino, can't you spell "professional" because that is what it really boils down to.