 Re: Employee Monitoring S/W
On Mar 27, 7:17 am, "Hesh" wrote:
> I understand this has always been a topic of debate. However, there
> are no documents that I have come across which clearly states whether
> it's a privacy violation or not. One of the docs is athttp://csrc.nist.gov/publications/nistbul/csl93-03.txt
>
> The concern here is to monitor the employee activities w.r.t data
> theft by the means of pen drives, CD / DVD RW, file uploads etc
> largely by the laptop users. we have to enable these as many of them
> are sales guys or users who are frequently traveling so this is just a
> detective / corrective measure. The data that is carried is of
> sensitive nature.
>
> Though the s/w will be functioning in the stealth mode, the employees
> will be getting a warning message that all the actions on these
> business systems are monitored (as suggested by the most of the docs
> available) and the access to the data collected by the monitoring
> tools will be restricted to few users( a group of security admins)
> only.
>
> Regads,
>
> On Mar 26, 9:01 pm, rober...@hushmail.com (Walter Roberson) wrote:
>
>
>
> > In article <1174894182.494886.105...@p77g2000hsh.googlegroups. com>,
>
> > Hesh wrote:
> > >I'm currently evaluating the employee monitoring software and have
> > >evaluated Spectorsoft and CWAT. I am looking for a software which can
> > >monitor the employee PC activities(programs used, internet surfing,
> > >document printing,screen snapshots etc..), also the data transferred
> > >thru USB drives, CD / DVD RW, files uploaded to the websites with a
> > >copy of the data transferred.
> > >Please let me know if anybody has used / worked on any of such
> > >products.
>
> > In the particular environment I work in, -some- of what you
> > describe would be deemed an illegal invasion of privacy. The
> > person doing the monitoring would also be exposed to confidential
> > email or documents that they did not have a "need to know", possibly
> > violating laws and probably violating confidentiality contracts.
> > For example, suppose an employee were (say) preparing a sexual
> > harassment complaint to be sent to Human Resources: such things
> > are seldom within the authority of the security manager to view.
>
> > Monitoring to the extent you describe could only be justified here
> > for environments in which employees would not be given unrestricted
> > internet surfing access, such as for defence department secret work;
> > what what be called here, "Protected/C" "disclosure of the information
> > could materially damage the security of the country".
>
> > I notice that you do not appear to be on the same continent I am,
> > so I have no idea what your local laws are; still I suggest that
> > you pass your plans by your corporate lawyer.- Hide quoted text -
>
> - Show quoted text -
Whilst I can see what you mean, you're going about this the wrong way,
and the vendors of such "security software" are not going to tell you
this.
You should use a combination of Active Directory policies (assuming
Windows) and code of conduct policies to achieve this: viz:
* lock down the PC so users cannot alter network settings. Force
connection to internet to only go via a work VPN thru a web proxy.
Use filtering software to block undesirable sites, or just monitor
this periodically. Check for HTTP uploads, FTP access, etc.
* give them a firm code of conduct to physically sign that states
exactly what their work laptop is to be used for and what the
consequences of not adhering to that policy are, and what your
monitoring policy is. Get a lawyer to help write this or it's a
liability waiting to happen
* if you're worried about preventing print screen and the like, you
have the wrong employees. Nothing is going to stop them printing out
or taking a digital photo, or just writing out the data by hand.
In short, whilst it's tempting to try and put in a draconian system of
control, you need sensible restrictions backed up by a clear policy
document.
Ric
 |