SECURITY POLICY - MONITORING
Many countries in the world have implemented Human Rights Conventions. These often create a right to privacy for the individual. Whilst monitoring employees' email and Internet activity, it is important not to breach the individual's right to privacy.
Countries also often have legislation in place governing the interception and monitoring of communications. It is important not to breach this legislation whilst monitoring employees.
It is usually acceptable to undertake the monitoring of communications where it is reasonably required for business purposes.
Reasonable steps should be taken to inform employees that monitoring is taking place and that their communications might be intercepted. The monitoring should be carried out to:
- record evidence of business transactions,
- ensure compliance with regulatory guidelines,
- maintain the effective functioning of the organisation's systems, for example by preventing spyware, trojans and viruses,
- monitor standards of training and service,
- prevent criminal activity,
- prevent the unauthorised use of the organisation's IT infrastructure,
- ensure the employee does not breach the organisation's acceptable use policies.
A reasonable organisation should also carry out monitoring in a way which limits unnecessary intrusion into the employee's privacy. Organisations should:
- limit monitoring to traffic data rather than the contents of communications,
- undertake periodic checks rather than carrying out continuous monitoring,
- automate monitoring to reduce the viewing of personal data by a third party to the communication,
- target monitoring at areas of high risk.
To ensure that monitoring is effective and efficient, the organisation should consider implementing one of the commercial monitoring packages or appliances available from security vendors.