We're a small company with only a handful of employees. Our non-technical COO has asked that we set up a copy of the production database for him to use with a service like Chartio, because our (admittedly poor) admin dashboard doesn't meet his needs.
The COO wants to use a friend (a contractor) to help integrate the Chartio service with our database.
All our passwords are encrypted, but emails and names are stored in clear text.
We handle payment processing through a 3rd party provider so we don't store any sensitive financial information except transaction totals.
Is this a bad idea, or am I being overly cautious?
PS: We'd be setting up the database server ourselves, so we'd have control over the firewall and such.
Answer
In the end, the company directors are there to make "big picture" decisions on behalf of the company, so I don't think I'd be prepared to put my foot down about doing something that's merely unwise (though I wouldn't do something I believed to be illegal - in many jurisdictions, "following superior orders" won't protect you against the consequences of breaking the law).
If it were me, I'd want him to instruct me in writing to give him the copy, and preferably in that instruction to confirm that he was aware of my concerns about that database leaving the company, but was instructing me to proceed nonetheless.