
Security Strategy

Naked CIO: Should you monitor staff?

Somebody's watching you

Tags: online usage, privacy

By Naked CIO

Published: 29 June 2009 09:00 GMT

Keeping watch over employees' online activities can be a slippery slope, says Naked CIO. Here's the right way to do it.

I often get asked whether or not it is best to implement a strict, penal environment in the office for email and internet monitoring.

Simply put: do you block content and police the environment? Or do you allow access but discipline staff and employees when they cross the line of what is acceptable?

Certainly there are questions of privacy in any environment, and monitoring emails and internet usage is a slippery slope. Who polices the police?

Even though I am an IT guy, I believe we as a department are left with too much power and access to information when it comes to monitoring. The old saying that absolute power corrupts absolutely has a distinct element of truth.

Then there is what I call the 'witch hunt policy', when a manager either asks for access to view what an employee has been up to or asks the IT guy to check for 'suspicious' activity. When I have encountered these requests, I have always asked for documentation and specifics of what should be investigated. I would then instruct a technician to investigate only what was asked for - any activities outside of what has been requested, whether suspicious or not, are not to be reported.

My thoughts are: if you want to find dirt on just about any individual with respect to email and internet use, you can. And you are opening a liability Pandora's box if you condone or are complicit in requests that reek of bias and are obviously witch hunts against an individual, as opposed to searches for evidence to support a specific disciplinary incident.

Much of this discussion thus far may sound like it supports a locked-down environment where online activities can be minimised. Yet I have always believed in giving employees freedom to do what they need to and also to know what they shouldn't.

With respect to ensuring proper processes are followed, all organisations should have a 'right to search' policy that includes computer activities. To back this up, all employees should sign a computer misuse document that gives specific information on what is allowed and what isn't.

These policies should be reviewed and updated regularly to include evolving technologies such as social networking, Twitter and mobile communications. They should also be re-communicated twice yearly to employees to ensure that they continue to be aware of what is acceptable computer use.

Having employees agree to a 'right to search' is imperative in order to overcome privacy arguments and possibly liability relating to infringing someone's personal privacy. It also clearly defines to employees that their activities are subject to monitoring, which is a deterrent to activities that may contravene policy. It is equally important to set up a specific process for monitoring that ensures it is done randomly as a matter of course and that all employees are subject to the same conditions.

For example, if you take samples of activity, make sure you use a random number generator program to select the employees, so that there is no question that an individual could be targeted or overlooked.
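One way to put that sampling advice into practice, as an added illustration rather than anything from the column or from silicon.com: shuffle the whole roster with a cryptographically strong random source, split it into batches for the review period, and file a hashed record of the result. Because the batches partition the roster, every employee is sampled exactly once per rotation, so nobody can be picked repeatedly and nobody can be quietly left out, and the audit function can later check that the filed selection was not altered. The employee identifiers are constructed sample data, and the function names are this example's own.

```python
"""Random, auditable selection of employees for routine monitoring samples.

Added example: not code from the column. SAMPLE_ROSTER is constructed data;
the function names are this example's own.
"""
import hashlib
import json
import secrets
from datetime import date
from typing import Dict, List, Optional

# Constructed roster of employee identifiers (not real people).
SAMPLE_ROSTER = ["e1001", "e1002", "e1003", "e1004", "e1005",
                 "e1006", "e1007", "e1008", "e1009", "e1010"]


def build_rotation(roster: List[str], batches: int,
                   rng: Optional[object] = None) -> List[List[str]]:
    """Shuffle the roster and split it into `batches` review groups.

    Every employee lands in exactly one batch, so over a full rotation each
    person is sampled once: nobody is targeted twice, nobody is overlooked.
    `rng` may be any object with a shuffle() method (handy for tests); the
    default is secrets.SystemRandom, whose output cannot be steered.
    """
    if batches < 1:
        raise ValueError("need at least one batch")
    if len(set(roster)) != len(roster):
        raise ValueError("roster contains duplicate identifiers")
    rng = rng or secrets.SystemRandom()
    order = list(roster)
    rng.shuffle(order)
    # Deal round-robin so batch sizes differ by at most one.
    return [order[i::batches] for i in range(batches)]


def verify_rotation(roster: List[str], rotation: List[List[str]]) -> bool:
    """True when the rotation is an exact partition of the roster:
    every employee appears exactly once, and no outsider appears."""
    flat = [e for batch in rotation for e in batch]
    return sorted(flat) == sorted(roster) and len(flat) == len(set(flat))


def rotation_record(roster: List[str], rotation: List[List[str]],
                    period: str, generated_on: Optional[date] = None) -> Dict:
    """Build the record handed to governance/compliance for the period.

    The SHA-256 over the canonical JSON lets an auditor confirm later that
    the filed selection was not edited after the draw.
    """
    generated_on = generated_on or date.today()
    payload = {
        "period": period,
        "generated_on": generated_on.isoformat(),
        "roster": sorted(roster),
        "rotation": rotation,
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return {"record": payload,
            "sha256": hashlib.sha256(body.encode("utf-8")).hexdigest()}


def verify_record(filed: Dict) -> bool:
    """Recompute the digest of a filed record; False if anything changed."""
    body = json.dumps(filed["record"], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest() == filed["sha256"]


if __name__ == "__main__":
    rotation = build_rotation(SAMPLE_ROSTER, batches=4)
    for week, batch in enumerate(rotation, start=1):
        print(f"week {week}: {batch}")
    filed = rotation_record(SAMPLE_ROSTER, rotation, period="2009-Q3")
    print("audit digest:", filed["sha256"])
    print("partition ok:", verify_rotation(SAMPLE_ROSTER, rotation))
```

Run it once per review period and keep the printed record with the other monitoring paperwork; the partition check is what answers the "could this person have been singled out?" question, and the digest is what answers "was the list changed afterwards?".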

As I suggested earlier, for specific incidents ensure that the issue is documented and that there is a formal process for requesting the monitoring of an employee. Ensure that this process is audited regularly by your governance department or IT security and compliance area.

This may sound complex but it's important - it protects you and the employees from inappropriate conduct and accusations.

Privacy should be something that we as IT practitioners safeguard with vigour. When it comes to privacy policies, we should not only enforce them but also follow them. Equally, as gatekeepers we have an even higher moral stake in ensuring our actions are unbiased, consistent with policy and, above all, applied objectively throughout the entire organisation.
