incommmsec Whitepaper: Increasing role of employee monitoring within public and private sector organisations.


GOOD GOVERNANCE OR BIG BROTHER STATE?

So what do we mean by Network or Employee monitoring? For the purpose of this Whitepaper we have given it the definition of: to monitor, review and report on the traffic that is carried across an organisational LAN for the benefit of ensuring sound governance and corporate responsibility.

There are a number of ways a network can be monitored, both as a managed process or as a malicious invasion. Monitoring can occur at a client level (the desktop/laptop) or at a network level (switch/server fabric). Regardless of where or how traffic is monitored, it is good governance to be aware of the nature of the network and how your staff are conducting themselves, as they represent the organisation you are responsible for. Or is it an imposition by the organisation and an infringement of the rights of the employee? We will look at the infringement of civil liberties and the invasion of privacy balanced against the organisation remaining compliant with the regulations, protecting data security and managing staff productivity.

REASONS FOR USING NETWORK MONITORING:

Broadly speaking, there are two reasons for network monitoring: firstly, that a reasonable balance is maintained between the social management of staff, the protection of company assets such as database records and brand, and the highest levels of productivity; secondly, to ensure the correct technical management of the network from the system administration point of view, and that optimum value for money is being realised by the ICT team for the organisation.

Value for Money: A network is the balance of proven technology and cutting-edge development aimed at increasing the speed of the network and thus the productivity of the organisation. Knowing how traffic is flowing across the network, where bottlenecks occur and where potential risks that may cause disruption may arise is a constant task for the ICT team. Managing this process ensures value for money, as investment can be made in the areas most in need of development.

Compliance: Whether the regulations are ISO, PCI-DSS, Sarbanes-Oxley, HIPAA or any other industry sector requirement, compliance is a set of rules, a standard, a process. The organisation, when audited, needs to be able to show it has a clear process: it follows the process, reviews the process, can measure the process, and can monitor, report and cross-check the process, so that it can take action when needed. Otherwise compliance may not be attained. A good network monitoring tool will ensure this can happen.

Staff Productivity: This is often quoted as a benefit of many technologies; however, it is very hard to prove. With the right tool, actual activity can be measured and performance can be quantified. This works both as a positive influence for the awarding of bonuses under management by objectives, and as a deterrent and guardian against inappropriate use of organisational property and resources. In some instances, by assessing staff productivity through activity, document and application usage, organisations are able to deal with redundancies in a fair and just way.

Data Security: With modern anti-virus, anti-spam, filtering and external threat management tools being so effective, the biggest risk to an organisation is from within. 1 in 5 employees would remove company data at least 5 days prior to resigning. Without real-time reporting, how else will your organisation be able to be aware of breaches in security? In the worst-case examples, would your organisation rather have a forensic archive of activity for proof?

Billing and Fraud: Organisations that have fee-earning practitioners must be able to prove the value of the service to their clients. Specific applications have been designed to help with this; however, being able to prove it without question can only enhance the client perception of your organisation, which in turn builds increased customer relations and trust. In the unlikely event that a member of staff claims for work that hasn't been done, because the employee was distracted with other tasks or personal activities, this would open the organisation to accusations of fraud. Monitoring will ensure this rarely progresses to become an issue.

MYTHS OF NETWORK MONITORING:

Common misleading statements that are heard when discussing network monitoring are:

"It's a bit Big Brother, isn't it?"
"This is an invasion of privacy."
"This is an abuse of civil liberties."

All three revolve around the idea of the individual being spied upon. Network monitoring does not spy on any one individual, but looks at the network as a whole. The fact that a good system can provide granular analysis at an individual level is a reflection that a network is made of many individual machines and users.

Invasion of Privacy:

"Regulation or statute that protects a person's right to be left alone, and governs collection, storage, and release of his or her financial, medical, and other personal information." http://www.businessdictionary.com/definition/privacy-law.html

"Of all the human rights in the international catalogue, privacy is perhaps the most difficult to define. Definitions of privacy vary widely according to context and environment. In many countries, the concept has been fused with data protection, which interprets privacy in terms of management of personal information." https://www.privacyinternational.org/survey/phr2003/overview.htm

"No one should be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks on his honour or reputation. Everyone has the right to the protection of the law against such interferences or attacks." 1948; Universal Declaration of Human Rights, Article 12.

"(1) Everyone has the right to respect for his private and family life, his home and his correspondence. (2) There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others." 1950; European Convention for the Protection of Human Rights and Fundamental Freedoms, Article 8.

What all these quotes illustrate is the notion of home and privacy. Without roaming into a wider dialogue on the intricacies of legal definition, the exceptions are considered for crime, morals, and the rights and freedoms of others. But this is still within the home environment. Network monitoring is solely in the business context and does not extend into the home. If someone is working from home they are in the context of work, being paid by the organisation to fulfil their responsibilities as an employee. When at work we are contracted to be at work and accept the remuneration awarded to us for representing our organisation, not to undertake our own activities, post CVs, visit job websites, take company data and use social media for personal gain. Privacy is for us as individuals; when we join a company, we become part of that organisation, utilising our knowledge and character, accepting a salary so that our actions will benefit the whole.

Big Brother: George Orwell's story 1984, of the state controlling, conditioning and organising the life of an individual, leaving them without choice of action and subjugating them through fear of retribution, is not what network monitoring does. There is more concern with the number of CCTV cameras that are currently in operation in the UK. At present the figure varies between 1 for every 30 to 40 people, depending on whose figures you read. https://www.cctvusergroup.com/art.php?art=94

A general understanding is that rules, laws, and the monitoring and policing of them are of no concern to those that keep them; they only bother those who break them. Children understand the meaning of words and actions as black and white. Adults will rationalise shades of grey relative to their own social, environmental and educational upbringing. What might be right for one person might not be for another.

Network Monitoring should only be used to monitor staff under suspicion: Ironically, this is more Orwellian than simply monitoring the whole network. It jeopardises the HR function and can open the organisation to discrimination tribunals, constructive dismissal and victimisation claims. All of which are voided when everyone is included in the process of network monitoring.

ETHICS AND NETWORK MONITORING:

It is a de facto standard that all organisations already have some level of monitoring in place, such as:

Anti-Virus
Anti-SPAM
Web filtering

All of which can monitor traffic and report on activity.

Acceptable Use Policy (AUP): All organisations have an AUP now that email and Internet usage is so commonplace. A standard AUP clearly states what is expected of an employee and that the system will be monitored. So much so that the Department for Trade and Industry, via Business Link, have given guidelines stating what an acceptable AUP should contain; see the link for details. http://www.businesslink.gov.uk/bdotg/action/detail?itemid=1076142227&type=RESOURCES

To quote directly from the text: "Use of email by employees of [business name] is permitted and encouraged where such use supports the goals and objectives of the business. Supporting the goals and objectives of the business does not include personal use."

The document then goes on to say the employee must ensure that they: comply with current legislation; use email in an acceptable way; do not create unnecessary business risk to the company by their misuse of the Internet. On not creating unnecessary business risk: any business has the right to protect itself from malicious attack, whether from the outside or from within. The text then goes on to list what is considered unacceptable behaviour, including: personal business, breach of confidentiality, distribution of indecent material, hacking, breaking or wasting network resources, etc. Finally the document recognises the valuable use of email, but that misuse will have a negative impact on the productivity and reputation of the business. To this end, quoting the text again: "In order to ensure compliance with this policy, the company also reserves the right to use monitoring software in order to check upon the use and content of emails."

Contract of Employment: Every member of staff would normally have signed a contract of employment, which binds them in agreement to working for your organisation during certain times with a remuneration package in return. This contract will include AUP, confidentiality, equal opportunities, and health and safety clauses. So how do organisations police breaches of this contract? Most organisations don't, and only realise this after the event, when it is often too late to take effective action. As part of the daily log-on process a popup window can appear informing the user that they are using a system that is monitored as part of company procedure, thus ensuring compliance with the AUP and confidentiality at a corporate level.

EXAMPLES OF NETWORK MONITORING:

For the purpose of this Whitepaper we will not name the companies or organisations involved, but will relay their experiences. Monitoring of the network is widespread within both the public and private sectors. We have seen it working effectively within education from primary through secondary to university level. In law enforcement, agencies have used this for analysis of data traffic and the elimination of potential corruption. In legal and accountancy firms, monitoring is used to prove billable hours. In banks, software has been implemented as a combatant to illegal trading. In firms generally, it is used to spot when a member of staff is looking at job sites and posting their CV whilst at work. Being able to see that the company as a whole spends a disproportionate amount of time using the Internet, and seeing who is doing what and when, can save an organisation time and increase productivity.

"The anguish of low quality lingers long after the sweetness of low cost is forgotten." Peter Gregory, CISSP, CISA
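The log-on popup described under Contract of Employment is, on a Windows estate, the interactive logon legal notice. The following PowerShell is an added example and is not code from the whitepaper or from the vendor's product; it sets the two standard Windows policy registry values (legalnoticecaption and legalnoticetext under the Policies\System key) and then verifies that both are present, which is the check an auditor would make when confirming the control exists. The organisation name and banner wording are constructed placeholders to be replaced with text approved by HR and legal.

```powershell
# Added example (not from the whitepaper): configure and verify the Windows
# interactive logon notice that tells users the system is monitored.
# The registry location and value names are the standard Windows policy keys;
# the banner text is a constructed placeholder for your own AUP wording.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-LogonBanner {
    param(
        [Parameter(Mandatory)] [string] $Caption,
        [Parameter(Mandatory)] [string] $Text
    )
    # Requires an elevated session; both values are REG_SZ strings.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name 'legalnoticecaption' -Value $Caption -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'legalnoticetext'    -Value $Text    -Type String
}

function Test-LogonBanner {
    # Returns $true only when both values exist and are non-empty: an empty
    # legalnoticetext means Windows shows no notice at all, so a caption on
    # its own does not satisfy the control.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    return [bool]($props -and
                  -not [string]::IsNullOrWhiteSpace($props.legalnoticecaption) -and
                  -not [string]::IsNullOrWhiteSpace($props.legalnoticetext))
}

# Constructed placeholder wording; replace before deployment.
$caption = 'NOTICE: Monitored System'
$text = @"
This system belongs to [ORGANISATION NAME - placeholder]. Use is subject to the
Acceptable Use Policy you have signed. Activity on this system is monitored and
recorded in line with company procedure. By logging on you acknowledge this notice.
"@

Set-LogonBanner -Caption $caption -Text $text

if (Test-LogonBanner) {
    'Logon banner is configured; users must acknowledge it before the credential prompt.'
} else {
    'Logon banner is NOT configured.'
}
```

In a domain, the same two values are normally delivered through Group Policy ("Interactive logon: Message title for users attempting to log on" and "Interactive logon: Message text for users attempting to log on"); the Test-LogonBanner function is still useful there, because it reads the effective registry state on the endpoint rather than trusting that the policy applied.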

SUMMARY:

Monitoring the network is a necessary part of modern communications, primarily from the point of view of the organisation ensuring it gets as quick a return on investment as possible, so that it realises the greatest value for money from the technology it purchases. In addition, protecting company assets, whether from internal or external threat, is good practice; to ignore either threat is negligent.

"To know how to do it is simple, the difficulty is doing it." Chinese Proverb

For those that worry about the social impact of network monitoring, it does depend on how the information is used once a picture of who is doing what within the network is gained. If the organisation sees there is a trend of private email, surfing the Internet and inactivity during work hours, it has a choice of either removing staff members (which will only cost more money to replace them) or embarking on a social capital investment with motivation, coaching and team-building development programmes.

The technology we offer will monitor your network conclusively. We are also able to offer Employment Law specialists for free consultations once the software is in place, and we are able to do the same for social capital programmes in people development.