[HN Gopher] Financial Institution Letters: Vacation Policies (1995)
___________________________________________________________________

Author : mooreds
Score  : 119 points
Date   : 2022-10-14 13:46 UTC (9 hours ago)
Link   : www.fdic.gov

andirk wrote:
| Couple this with a Chaos Monkey [1], which is "responsible for randomly terminating instances in production", on their first day of vacation.
|
| [1] https://netflix.github.io/chaosmonkey/

LinuxBender wrote:
| I went through this when working for a bank. It really felt like an outdated and not well thought out idea. I automated almost everything that I did daily. If I were doing something nefarious I would have automated it and it would still be running to this day within obfuscated automation accounts and systems, not as me. This is not even a new concept. This applies equally to mainframes, on-prem servers, clouds, kittens and cattle.

aerostable_slug wrote:
| If you were able to do that, someone (probably multiple people) weren't doing their jobs. That should have been architecturally impossible.
|
| At a certain level, you can't fix stupid (note: the person in my anecdote wasn't the stupid person). Example: once upon a time I worked for a very large public utility and got to be friends with a cool guy who seemed to live in the underground server rooms below Utility HQ. He would offer us (infosec group) 'free' hardware from time to time, which was cool (bear in mind CAPEX is a very good thing in the regulated utility industry, so there were all kinds of things kicking around taking up space).
|
| At one point I was wandering around the halls underground, he spotted me, and said "Hey Mark, can you use this?" while pointing to a check printing machine loaded with valid corporate check paper. My jaw dropped.
| The first thing I did was look around for 'tells' of a corporate security sting. Dollar signs rolled in front of my eyes.
|
| I asked said subterranean server room dweller if he had any idea what he had, and what he could do with it (I have no doubt one could easily make off with zillions of dollars and have it written off as billing errors). He smiled and said "no," to which I replied that was a good thing for our shareholders, and that he should probably properly dispose of that thing toot sweet. All the processes in the world and yet there was a literal money-printing machine hanging out with no oversight at all, prey to anyone with an RS-232 connection.

LinuxBender wrote:
| _At a certain level, you can't fix stupid_
|
| This, and laziness in the name of _avoiding friction_ and _remaining competitive_. In every size organization I have been in the customer code will be audited by third parties. I have never seen internal automation audited by third parties. Not in banks or financial institutions. I've worked for both big banks and small financial institutions that grew into big ones. People get spread thin and fight to maintain control of the systems and code they are responsible for and this is only getting worse with time in my experience. With time more command and control systems are spread out and interconnected with on-prem and cloud _solutions_ that delegate root privs to third parties running entirely closed source code with very little consequences for damages. Infosec and security orgs apply very outdated logic that would not even stop an amateur attacker.
|
| _If you were able to do that, someone (probably multiple people) weren't doing their jobs._
|
| By design these jobs do not exist, _at least not in a meaningful manner_. People validate change tickets. People validate that code does what it says it does but that's where they usually stop.
| Security organizations these days are being moved under the same orgs that manage code to reduce friction. This stops _Security Theater_ which is indeed a real problem but it also curtails people going down rabbit holes. _Close ticket, move onto other issues, don't block a team from getting work done._ Don't like what someone is trying to implement? No problem, design a better solution. For 8000+ developers? Yeah nobody scales like that.
|
| People review individual code snippets. People stopped looking at big pictures of implementations. Disasters like SolarWinds don't happen because of one piece of nefarious code. They happen because a broken framework of thousands of pieces of poorly thought out code are glued together. There comes a point where the junk-yard of automation gets so big and ugly that even if leaders wanted to overhaul it they could not and if something nefarious was occurring nobody would see it, probably not even for a long time after damages were done. It's next to impossible to reverse engineer _junk-yard_ automation which is what most automation becomes with time.

montag wrote:
| Today I learned "toot sweet" is an eggcorn for "tout de suite" (very quickly).

thrown_22 wrote:
| Yes, but this assumes that the people involved are the everyday finance idiots who think that Excel is the tool of choice for automation.

LinuxBender wrote:
| _Yes, but this assumes that the people involved are the everyday finance idiots who think that Excel is the tool of choice for automation._
|
| There is truth in this but what I am referring to is happening with principal and senior developers and orgs that would never touch Excel. In fact Microsoft products are forbidden _by contract_ in the production datacenters I have worked with in the last couple of decades.
|
| It's hard to see nefarious behavior when it depends on thousands of pieces of automation and frameworks that are poorly glued together. It's even happening _albeit slowly_ in my favorite operating system that has no shortage of incredibly intelligent and talented developers. Ironically these folks won't see it because they did not experience all the vulnerable frameworks and bandages that Windows implemented early on and now history is rhyming with udev + systemd + debugfs + binfmt + firewalld + ebpf glued together but that is a long topic in and of itself.
|
| Another related topic could be vehicle automation and interconnectivity. I am intrigued and curious to see how that one plays out.

bombcar wrote:
| Two weeks seems weak; I would think five weeks is the minimum to catch things that happen monthly; unless part of the two weeks is specifically checking things.

mcculley wrote:
| I have been in peer groups of small and medium sized businesses. Many of these smaller organizations have only one person in the role of Controller or Comptroller and are vulnerable to embezzling. One interesting policy I have seen implemented is that this person gets extra vacation time in addition to what a normal employee gets, but never at a time of their choosing. The CEO or COO just comes in one day and says, "Congratulations! Take the next X days off." The organization is forced to plan ahead for the Controller being unavailable and the Controller cannot hide much.

x55j33 wrote:
| IT Audit/Governance manager here. This is still a very common preventative/detective control in many businesses even outside of Financial Services, so much so that it is taught as part of many IT governance certifications such as the ISC2 CISSP and ISACA CISA.
|
| Although the provenance of the control is to deter and detect fraud, it also helps to highlight key-person dependencies (where a process cannot run without a specific individual present). On the flip-side, humans are very innovative creatures and you can use this control to identify where someone has found a way to bypass parts of the process (the process time suddenly increases a lot when someone in the team is on their mandatory-vaykay, or the quality suddenly drops).
|
| I also see it used in smaller companies by bosses who want to simulate the effects of a person quitting, and how confident the rest of the team are to take over the running of a task.

warner25 wrote:
| Interestingly, I work in DoD IT where everyone is required to have certifications from ISC2, ISACA, CompTIA, etc. so we all get taught and tested on knowledge of this and many other controls, but I haven't actually heard of it formalized or enforced. In practice, we just rely on ad hoc high turnover as people change jobs every year or two, or get pulled away into unrelated projects, or sent away for exercises and deployments.

twawaaay wrote:
| I worked a lot for banks and aside from mandatory vacation there are other rules.
|
| For example in one bank I worked for there is a 2 year limit on how long you can work there as a contractor. This is to make sure that all key personnel is actually employed by the bank and the assumption being that if somebody worked for 2 years they become key personnel by default and have to either be hired as an employee or fired as a contractor.

jagtesh wrote:
| One big reason for this is the tax law in US and Canada. Legally, contractors (esp. when incorporated) are considered employees if they work exclusively for one client over an extended period of time without interruption. Occasionally, I have seen such contractors take a few month sabbatical and return to work after that (still contracting).
|
| Note: There are other criteria that have to be met as well for the govt to consider someone an employee:
| - if work happens at the employer's premises
| - if the employer owns all equipment needed for work
| - how the work is instructed (can denote a manager/employee dynamic)

lazyasciiart wrote:
| Microsoft has approximately the same rule, and it's entirely for the sake of employment law, not because they care about key personnel being contractors.

formerkrogemp wrote:
| > IT Audit/Governance manager here. This is still a very common preventative/detective control in many businesses even outside of Financial Services, so much so that it is taught as part of many IT governance certifications such as the ISC2 CISSP and ISACA CISA.
|
| This is covered in accounting and the CPA as well. Not that I'd necessarily recommend a CPA over an IT auditor in many cases.

csours wrote:
| > I also see it used in smaller companies by bosses who want to simulate the effects of a person quitting, and how confident the rest of the team are to take over the running of a task.
|
| Aka the Bus Factor. What if our lead engineer takes a bus out of town (or the darker version).
|
| Even in large companies, work is done by teams and those teams are susceptible to this problem as well.

ok_dad wrote:
| I used to say, "in case I fall off a cliff," and then in a previous job a colleague went mountain climbing and literally fell to his death off a cliff. Now I just say, "for when I'm not around."

mgkimsal wrote:
| Similar here. 2000/2001(?), I was talking about the bus factor with a client, indicating that I'd brought on a couple more folks on my team - one part time, one full time, to avoid the bus factor.
|
| "what do you mean?"
|
| "oh, in case I get hit by a bus"
|
| Silence.
|
| Someone in their company had been hit by a bus and died a couple weeks earlier.
| Not in their department - it wasn't a direct friend/colleague - but it was... awkward enough that I didn't use that phrase again for a long time. And even when I do, I tend to catch myself before and rephrase it.

csours wrote:
| Holy crap!

jedberg wrote:
| > What if our lead engineer takes a bus out of town
|
| HA! I've never heard this version of it. I've only ever heard the dark version. I like this better.

csours wrote:
| Coming up with euphemisms is my hobby. No one can tell when I'm being mean now.
|
| disgusting food -> interesting and unique flavor profile
|
| bad movie -> the director made decisions that challenge audience expectations
|
| take your crazy pills -> I had not heard of that before
|
| and of course the Southern classic
|
| you idiot -> bless your heart (this one doesn't really work anymore because people know it)
|
| Edit: I remembered another one:
|
| Resting B*tch Face -> Resting Business Face.

rootsudo wrote:
| Sigh.

cosmodisk wrote:
| Are you planning to live in England by any chance?:)

sokoloff wrote:
| "Good For You!" is code for "Go F** Yourself!" in some circles. (would become the same three-letter acronym)
|
| I'd heard it through two different management consultancy sources, but that could easily have a common root, of course.

tb_technical wrote:
| In some communities "Go f** yourself!" is code for "see ya later!", also.

cosmodisk wrote:
| We used to have a Scotsman as a site manager. Every single day when we were wrapping for a day, he used to say: well, fuck off now! Nice bloke.

yeasurebut wrote:
| With respect; a lot of us out here know and used many of those the same way; we're silently aware of the intent. I used to be that way. Over time feeling the need to fake it fell away; now I just mock everyone through muted indifference and a shrug, "good job at being a member of social life like everyone else" kind of energy.
|
| Emotional archetypes are limited.
| You have borrowed others' ideas because that's how it works; you memorized such emotional states from others. Awareness of such emotional state is not yours alone.
|
| See. That's how you put someone down. Directly. Not through passive aggressive southerner classics. You're far too obvious to those who have diverse real world experience and just come off as a cliche. But we silently eye roll rather than validate such antics through feedback, good or bad.

csours wrote:
| I read this comment with a Werner Herzog accent. I hope that's ok with you.

hirundo wrote:
| > (or the darker version)
|
| I default to, what if Bob wins the lottery?

aerostable_slug wrote:
| Or moves to China...
|
| I was working with an IoT company who proudly showed us, their biggest customer, how the signing keys to particular actions that could impact many, many people were held on a rather trick little Spyrus USB stick. Which they displayed. In the pocket of a person that had the requisite passphrases to access it all on her own.
|
| I asked what would prevent the person from hopping a plane out of nearby SFO and having a pleasant CCP-funded retirement and they turned all sorts of colors. They invested in a proper storage mechanism (and key management processes) after that.

ghaff wrote:
| My defined benefit pension was basically handled by one person through a number of decades (and a couple acquisitions). If you wanted to start receiving your pension or whatever, you called so and so. I assume some degree of chaos would have ensued if something unexpected happened to her one day.
|
| I assume she eventually retired or something because it was transferred to one of the big benefits companies a few years back.

Spooky23 wrote:
| That happened to my dad when he retired from a gov agency.
| He had an unusual situation and was held hostage for about a year, and eventually was able to retire with the intervention of a State Senator.

ghaff wrote:
| It was interesting when I joined my current employer about ten years ago after having worked for a big computer maker for about a decade (with an in between longish stint at a couple small to very small companies).
|
| At the computer maker, where my pension is from, getting things done tended to be about reaching out to the right person who knew how to make such and such happen. Of course at the intervening smaller companies everyone knew everyone else. Where I am now, personal connections still matter of course. But when I joined, it was a bit of an adjustment to just "submit a ticket" rather than tracking down the right individual to ask a question or do something--at least with respect to company operations like payroll, benefits, or legal.

jeffrallen wrote:
| assert(busCount > 1);

jedberg wrote:
| This is why smart companies offer sabbaticals after 4-5 years. It forces the senior employees to teach their peers how to do their jobs and make sure they don't have any critical information or aren't the only ones who can access a resource.

invalidname wrote:
| An Israeli bank was compromised in part because of that... As this blog post pointed out: https://debugagent.com/internal-security

killjoywashere wrote:
| There's a rather prominent base with a large power footprint. So large that it has its own substation right off some main interstate power lines. The state has a policy that if you anticipate your electric bill will exceed last year's electric bill, you can request a waiver. The base facilities person diligently submitted that from 1967 to 2020 when they retired. The 2021 bill was more than an order of magnitude larger. Something like 600K to 20M if I recall. The front office had to go ask the folks in DC for help.

csense wrote:
| > if you anticipate your electric bill will exceed last year's electric bill, you can request a waiver
|
| I suspect this was intended to be utilized by poor people who struggle to afford to power their homes. The US Military is certainly well funded enough to pay its electric bills.

JCM9 wrote:
| I remember this from my time in banking. For those not familiar, essentially you need to disappear for two weeks a year without access to anything. This is basically a safeguard to make sure that operations are robust and won't just fall over if you're not there. It's also to make sure you're not cooking up something nefarious that requires you to be there every day and keep an eye on it.

mooreds wrote:
| I think that time away from a job has tremendous value for everyone, beyond the finance industry. Let's ignore the fun and regenerative benefits of vacations to the vacation-taker.
|
| For the business:
|
| * It's a real life test of what happens if an employee quits/resigns, with less impact (a team member will probably be able to reach them in an emergency).
|
| * You can test your operational robustness (as mentioned by the parent comment).
|
| * It exposes holes in processes and documentation that have been papered over by a human.
|
| * The vacation may reveal tasks which can be delegated to others or not done at all (timeline depending, of course).

lupire wrote:
| It's bad for the employee, by making them less uniquely valuable.

ghaff wrote:
| There are certainly employees who think that they're so uniquely valuable that it would be unthinkable for them to take a 3-4 week vacation. Their employer, for the most part, does not suffer from the same delusion.

mooreds wrote:
| Haha, can't tell if you are being sarcastic or not.
|
| Here are my general thoughts on that: https://letterstoanewdeveloper.com/2021/09/13/always-be-repl...
|
| tl;dr "...you should always be looking at ways to replace yourself. This will free you up to work on new tasks and learn new things."

lmkg wrote:
| "Don't be indispensable. If you're indispensable, you can't be promoted."
|
| -Flavor text from _Netrunner_ CCG (1996)

__MatrixMan__ wrote:
| If you're at that spot where being promoted means that your life will get worse, it's ok to be indispensable.

csours wrote:
| Damn. This just hit home for me really hard. On a previous team, I would take on tasks, learn what's going on, and then try to get a team mate up to speed so I wouldn't be the only one who knew how to run things. I feel like none of my team mates really took on those tasks or aspects of the work.
|
| Over time this made me really angry at the team. It really shut down my brain because I had so many things to juggle. I really wish I could have replaced myself. I wound up just leaving the team, I think they struggled for a while.
|
| When you're on a team with someone who seems to know everything, some people are much less motivated to learn the system. Also, sometimes things just suck. Sometimes you just have a team of jaded short-timers about to leave. Sometimes you have a team of junior employees who can "make things work" but leave a trail of half baked decisions.

matwood wrote:
| Also, frees someone up to be promoted.

lazyasciiart wrote:
| I took a week off recently. My teammates just sat on multiple "24 hour turnaround" requests until I got back, because they were too used to thinking of it as my job to bother even opening them.

thechao wrote:
| Lots of large companies (I'm familiar, via friends, with Exxon) have a strong "rotation" policy in finance & related, for this exact reason. Many classes of fraudulent activity rely on _networks_ of people who trust each other. If you break up the network, you can prevent gross levels of fraud.
|
| Tangentially related: it's one of the reasons why _government_ positions should be (randomly) rotated. In many ways, it's the same reason why we should choose our elected representatives randomly. (Also: I'm under the impression that random selection of representatives is one of the few ways to implement robust, fair representation.)

ghaff wrote:
| While an interesting idea, you're now:
|
| 1.) Going to throw people into an unfamiliar role for, say, a couple years. So they're going to _heavily_ lean on whatever permanent staff/civil service there is because their knowledge of the job is extremely limited
|
| 2.) You'd basically be asking/telling people to take two years off their job--for probably quite limited pay. (Sort of federal grand jury duty on steroids.) Which I can't believe would be very popular.

ianbutler wrote:
| For 2 just have it be you're paid the max of the role's minimum or your old salary for those two years, maybe with a good bonus to make it even more palatable.
|
| The government has the benefit of being able to eschew normal market pricing for things including job pay.

thechao wrote:
| By case:
|
| (1.A) Yes. As I said in another comment, though, it turns out that in the limited research that's been done, the average person is somewhat better at doing the job than the average career politician. The argument is that the sort of person who wants to be a career-politician is uniquely unsuited to actually running a government.
|
| (1.B) The civil servants should be randomly rotated.
|
| (2) There's normally a mechanism to preselect a pool of applicants. Universal sortition is interesting, but has drawbacks. I am drawn to a nomination mechanism: you have to get enough (unique) nominations before you're allowed in the sortition pool.

yamtaddle wrote:
| > (1.B) The civil servants should be randomly rotated.
|
| Institutional knowledge in civil service is the only reason our government functions even as well as it does. I'm not sure that's a great idea.
|
| Also, it's a job like any other, and the more unpleasant you make it, the more workers with options will leave. And the workers with options will tend to be your best ones.

merely-unlikely wrote:
| Could start by rotating the members of Congressional committees. Effectively making Congress the pool.

pirate787 wrote:
| This is a major reform, as the politicians who are captured by various interests have STRONG incentives to join that Committee. For example, look at the Senate Energy & Natural Resources Committee -- there's only two Senators from states east of the Mississippi River, and one is West Virginia (a major energy provider as well). An elected official requesting a spot on the committee from an energy consuming state will have a very hard time.
|
| https://www.energy.senate.gov/members
|
| The Republican party is somewhat better than the Democrats on this-- Committee reform was a major plank of the 1994 Contract With America and the GOP still has term limits for Committee Chairmen.
|
| https://about.bgov.com/news/frustrated-democrats-mount-push-...

ghaff wrote:
| It probably somewhat depends on the level. I don't really expect random state reps or other local elected officials have any particular qualifications. They certainly aren't paid as if they did. In some states, such are basically part-time jobs. I do think it's a job a fair number of people would hate.

Retric wrote:
| Low pay at the state/local level basically guarantees some level of corruption as the pool of applicants gets very tight when you combine small districts with minimum wealth requirements. How much that's a feature or a bug is debatable.

cwmma wrote:
| Isn't this sort of how ministries work in the UK, you have a dedicated civil service that does most of the work and then a politician that may or may not know what's going on setting direction?
|
| Source: have watched "The Thick of It"

scarby2 wrote:
| > Isn't this sort of how ministries work in the UK
|
| yes
|
| > you have a dedicated civil service that does most of the work and then a politician that may or may not know what's going on setting direction?
|
| this is the ministers and their private secretary.
|
| > have watched "The Thick of It"
|
| you should also watch "Yes Minister", I find it a bit more charming if a little dated, but also quite real.

cosmodisk wrote:
| > you should also watch "Yes Minister", I find it a bit more charming if a little dated, but also quite real.
|
| It has aged well and is arguably more relevant than it was when they released it.

Loic wrote:
| For people interested in random selection of representatives: https://en.wikipedia.org/wiki/Sortition

toss1 wrote:
| YES!
|
| I've long thought that once a person attains a certain level of success, _roughly_ including college degree, certain military rank, managerial position of certain scope at medium-large company, etc., they should be subject to random political service in state or federal legislature or executive branches. Perhaps after one term, they can stand for re-election for maximum of two terms, 10 years max, to take advantage of experience gained. Pay should be greater of a set level or 110% of their max earnings in previous 5yrs (so service is not punitive).
|
| There would of course be some random evil and grifters, but their concentration and ability to embed for life would be very limited.
|
| How we get from constitutional structure to there is another question.

thechao wrote:
| The research I've seen (slight) is that a random person is, on average, a more competent statesman than the average politician. (This is a result of the self-selection bias in people choosing a political career.)
|
| The major downside is a lack of accountability; however, at least in large parts of the US, factionalism & gerrymandering have almost completely removed accountability, so we're not really losing anything.

rocqua wrote:
| Links to the research?

Supermancho wrote:
| I don't know if this helps: https://www.researchgate.net/publication/344163235_Sortition...
|
| MP means Member of Parliament (or equivalent representative of a democratic government). Belgium has been a hot-spot for this kind of initiative.

pdabbadabba wrote:
| Can you point us to any of that research? I'd be very interested to see how they managed to measure people's competence to serve as government officials. I'm frankly skeptical that can be done in a useful way.

ChrisMarshallNY wrote:
| The Japanese company that I worked for, for almost 27 years, had a similar policy.
|
| _Everyone_ in Japan rotated, at least, every two years. Often, more frequently. This included very senior-level executives.
|
| I'm not sure that it was to combat fraud, but I'm sure that was a knock-on effect.
|
| I would work with engineers for many years, but they would be working on different projects, and might suddenly appear in the project I was on, many years after the last time I saw them.
|
| They also had a _lot_ of vacation/holiday time, but the company told them when they would take it. I think that more seniority gave you more discretion.

toss1 wrote:
| Groups indeed!
|
| When I worked at IBM just out of college, my manager introduced me to someone who was getting promoted three levels up.
| It turned out that he had some months previously figured out how four people working together could evade the accounting controls and transfer $25 million out of the company on a Friday afternoon and be in Brazil or wherever (never to be seen again, presumably) before Monday. He reported the flaw in the controls and the promotion was the recognition of his acumen...

mhb wrote:
| tldr:
|
| _Such a policy is considered an important internal safeguard largely because of the fact that perpetration of an embezzlement of any substantial size usually requires the constant presence of the embezzler in order to manipulate records, respond to inquiries from customers or other employees, and otherwise prevent detection._

cafard wrote:
| Where my wife used to work, the CFO seldom took vacations. A department head who loathed the CFO thought this very suspicious. As far as I ever heard, though, the CFO, whatever her faults, was honest.

seanhunter wrote:
| Fun related anecdote: I used to be involved with doing data analysis of rogue traders in financial services and was involved in discovering and investigating several of these incidents.
|
| In every case that I was personally involved in uncovering/investigating, suspicions were initially raised when the employee went on compulsory block leave.

nonethewiser wrote:
| Do you have any more details/stories you could share on that? Sounds fascinating. What clues emerged when one of these employees left?

seanhunter wrote:
| Not that much detail I can share publicly about detection methods etc although some of it is public because I have patents.
|
| The reason block leave is important is that some of the coverup behaviour has ponzi-like characteristics. So say you have a hole in one account because you've lost a lot of money. You find a way to cover that up by booking fake trades say.
| Well trades have a settlement and some gnome in the back office is going to contact the counterparty on the fake trade when the trade fails to settle and your fraud will be discovered so you have to cover that up before the trade settles. So maybe you move some money from another account (by booking a trade) and cancel your first fake trade, then you need to book a fake trade in your second account which you will then need to cancel and cover up in the same way.
|
| Basically the perpetrator often ends up on the coverup merry-go-round which falls apart if they take time away.

moron4hire wrote:
| You have to also make sure everyone is not taking vacation at the same time. In most of the places I've worked, nothing gets done in December because everyone is using up their vacation over the holidays. If something untoward were going on, nobody would be around to notice the absence of the bad actor.
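The settlement merry-go-round seanhunter describes, as an added example that is not part of the thread or of any real settlement system: a constructed trade ledger with a detector for trades that are cancelled at settlement and immediately replaced by the same booker, plus a replay of what the back office sees once that booker is on block leave and can no longer roll the position forward. The Trade model, the T+2 rule, the sample ledger and all names are constructed assumptions.

```python
"""Ledger-level view of why compulsory block leave exposes a rolling coverup.

Constructed model (assumption, not a real settlement system): a trade settles
SETTLEMENT_DAYS after booking, and a genuine trade carries a counterparty
confirmation. A position that is only kept alive by cancelling the trade just
before settlement and booking a fresh one has no such confirmation.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

SETTLEMENT_DAYS = 2  # constructed: T+2 settlement


@dataclass
class Trade:
    trade_id: str
    booker: str
    account: str
    booked_day: int
    counterparty_confirmed: bool
    cancelled_day: Optional[int] = None

    @property
    def settle_day(self) -> int:
        return self.booked_day + SETTLEMENT_DAYS


# Constructed sample ledger as of day 5: alice's trades are ordinary; bob keeps
# rolling an unconfirmed position forward between two accounts.
LEDGER: List[Trade] = [
    Trade("A1", "alice", "ACC-1", 0, True),
    Trade("A2", "alice", "ACC-1", 3, True),
    Trade("B0", "bob", "ACC-7", 1, True),                    # one genuine trade
    Trade("F1", "bob", "ACC-7", 0, False, cancelled_day=2),  # cancelled on settle day
    Trade("F2", "bob", "ACC-8", 2, False, cancelled_day=4),  # replacement, same pattern
    Trade("F3", "bob", "ACC-7", 4, False),                   # still open on day 5
]


def rolled_cancellations(ledger: List[Trade], max_gap_days: int = 1) -> Dict[str, int]:
    """Per booker, count trades cancelled on or just before their settlement day
    and replaced by a new booking from the same booker within max_gap_days.
    One such event is ordinary; a run of them is the merry-go-round."""
    by_booker: Dict[str, List[Trade]] = defaultdict(list)
    for t in ledger:
        by_booker[t.booker].append(t)
    counts: Dict[str, int] = {}
    for booker, trades in by_booker.items():
        n = 0
        for c in trades:
            if c.cancelled_day is None or c.settle_day - c.cancelled_day > 1:
                continue  # settled normally, or cancelled well before settlement
            replaced = any(
                t is not c and c.cancelled_day <= t.booked_day <= c.cancelled_day + max_gap_days
                for t in trades
            )
            if replaced:
                n += 1
        if n:
            counts[booker] = n
    return counts


def suspicious_bookers(ledger: List[Trade], threshold: int = 2) -> List[str]:
    """Bookers whose rolled-cancellation count reaches the threshold."""
    return sorted(b for b, n in rolled_cancellations(ledger).items() if n >= threshold)


def settlement_failures_during_leave(ledger: List[Trade], booker: str,
                                     leave_start: int, leave_days: int) -> List[str]:
    """Replay the ledger with the booker absent from leave_start: cancellations
    they would have made during leave do not happen, so any unconfirmed trade
    reaches its settlement day and fails. That failure is what the back office
    then chases with the counterparty."""
    leave_end = leave_start + leave_days
    failed = []
    for t in ledger:
        if t.booker != booker or t.booked_day >= leave_start:
            continue  # not theirs, or could not have been booked while absent
        cancelled_before_leave = t.cancelled_day is not None and t.cancelled_day < leave_start
        if cancelled_before_leave or t.counterparty_confirmed:
            continue
        if leave_start <= t.settle_day <= leave_end:
            failed.append(t.trade_id)
    return sorted(failed)


if __name__ == "__main__":
    print("rolled cancellations per booker:", rolled_cancellations(LEDGER))
    print("flagged:", suspicious_bookers(LEDGER))
    for who in ("alice", "bob"):
        print(who, "on leave from day 5, failed settlements:",
              settlement_failures_during_leave(LEDGER, who, 5, 10))
```

The replay is the point of the control: bob's F3 has no counterparty to confirm it, so the first settlement day he is not there to cancel it is the day it surfaces, while a single near-settlement cancel from an honest booker stays below the threshold.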