Employee Monitoring
Information security risks –
- 33% of attacks from current employees
- 28% from ex-employees and business partners
- 38% from unrelated outsiders (per 2005 PWC survey)
General monitoring – monitoring and blocking of certain processes throughout the organization
- E-mail, telephone, internet use, physical access, productivity analysis
Targeted monitoring – monitoring of specific types of personnel, actions, or activities
- Physical activities
  - Video monitoring of retail sales, shipping & receiving areas
- External communication
  - Scanning of e-mail and attachments for content violating company policies
  - Monitoring of non-company e-mail accounts (e.g. Hotmail)
  - Quality monitoring and/or recording of telephone, e-mail and other customer interactions
- Internal communication
  - Monitoring and limitations on company data transfer to personal storage devices (USB drives, CDs, non-company laptops, etc.)
  - Monitoring of desktops for out-of-approved uses of company information
  - Network monitoring of movement of data over the network
- Securing data
  - Greater limitations on access to sensitive data
  - Data “locking” – digital rights management or similar
  - “Expiration dates” on documents
  - Encryption (password issues and limits)
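Added example, not part of the original outline: a small policy scanner of the kind the "External communication" and "Internal communication" bullets describe. It scans outbound e-mail attachments for policy-violating content (card numbers, a CONFIDENTIAL marking) only when a recipient is outside the company, flags webmail recipients, and flags copies of files under protected paths to removable media. The company domain, webmail list, protected paths, rule names and every event in it are assumptions and constructed sample data.

```python
"""Policy scanner for two targeted-monitoring controls: outbound e-mail
attachment scanning and removable-media copy monitoring.  Added example,
not part of the original outline.  COMPANY_DOMAIN, WEBMAIL_DOMAINS,
PROTECTED_PREFIXES, the rule names and all events are assumptions /
constructed sample data."""
import re
from dataclasses import dataclass

COMPANY_DOMAIN = "example.com"                                 # assumption
WEBMAIL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com"}    # assumption
PROTECTED_PREFIXES = ("/srv/finance/", "/srv/hr/")             # assumption
REMOVABLE_MEDIA = {"usb", "cdrom"}

# 13-16 digits, optionally separated by spaces/dashes, not inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")
CONFIDENTIAL_RE = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts false positives from order numbers, IDs and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid 13-16 digit numbers found in text, separators stripped."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Email:
    sender: str
    recipients: list
    attachments: dict            # attachment name -> text already extracted from it


@dataclass
class FileCopy:
    user: str
    src_path: str
    dest_kind: str               # "usb", "cdrom", "local", "network"


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def scan_email(msg: Email) -> list:
    """Return (rule_id, detail) findings for one outbound message."""
    findings = []
    external = [r for r in msg.recipients if domain(r) != COMPANY_DOMAIN]
    if external:                 # content rules only apply when data leaves the company
        for name, text in msg.attachments.items():
            cards = find_card_numbers(text)
            if cards:
                findings.append(("EXT-CARD-DATA", f"{name}: {len(cards)} card number(s) to {external}"))
            if CONFIDENTIAL_RE.search(text):
                findings.append(("EXT-CONFIDENTIAL", f"{name}: marked confidential, sent to {external}"))
    webmail = [r for r in external if domain(r) in WEBMAIL_DOMAINS]
    if webmail:
        findings.append(("WEBMAIL-RECIPIENT", f"{msg.sender} -> {webmail}"))
    return findings


def scan_copy(ev: FileCopy) -> list:
    """Flag copies of files under protected paths to removable media."""
    if ev.dest_kind in REMOVABLE_MEDIA and ev.src_path.startswith(PROTECTED_PREFIXES):
        return [("REMOVABLE-PROTECTED", f"{ev.user} copied {ev.src_path} to {ev.dest_kind}")]
    return []


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    Email("alice@example.com", ["bob@example.com"],
          {"q3.txt": "CONFIDENTIAL draft, card on file 4111 1111 1111 1111"}),  # internal: no finding
    Email("alice@example.com", ["carol@hotmail.com"],
          {"export.csv": "4111-1111-1111-1111\norder 1234567890123456\n"}),      # order number fails Luhn
    FileCopy("bob", "/srv/finance/payroll.xlsx", "usb"),
    FileCopy("bob", "/home/bob/notes.txt", "usb"),                                # not protected: no finding
]


def run(events=SAMPLE_EVENTS) -> list:
    """Scan every event; returns a flat list of (rule_id, detail)."""
    out = []
    for ev in events:
        out.extend(scan_email(ev) if isinstance(ev, Email) else scan_copy(ev))
    return out


if __name__ == "__main__":
    for rule, detail in run():
        print(f"{rule:20} {detail}")
```

The scanner works on text already extracted from attachments, so in practice it has to sit behind a decoder for archives and office formats, and an encrypted archive defeats it entirely. The Luhn check is what keeps a card-number rule usable: a bare 16-digit regex fires on order and account numbers constantly. Keep the rule set as explicit data like this so the monitoring actually performed matches what employees were told (the consistency point under legal issues).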
Process –
- Identify specific risks
- How does monitoring reduce those risks?
- Communication of expectations and consequences
Legal issues –
- Expectation of privacy
- Informing employees on a continuing basis
- Actually monitoring what you said you would – consistency
Training and culture –