Project Management

Get a policy in writing before you start policing Web surfers

You may have the technical expertise and the tools to police Web access from company computers, but don't put the bullet in your gun just yet, Officer Fife. You need a policy in writing first.


Your network performance is sluggish, and you suspect your end users are causing the problem. Do you: (a) run a report to see what domain names your users are visiting; (b) install a program to monitor and restrict Web activity; or (c) talk to your boss to see what your company’s policy is regarding these activities?

The best answer is (c). Here’s why.

Tread only on solid ground
Policing the network is part of your job. After all, the computers belong to the company, and the company has put you in charge of the computers. So if your end users are playing Quake, listening to streaming media, or downloading files from inappropriate sources, you have a responsibility to shut them down, right?

Maybe. You don’t want to accuse an end user of an inappropriate behavior unless the company is behind you. You don’t want to restrict Web access without authorization by an officer of the company. More than anything, you don’t want to get sued or fired because you were overzealous or tried to enforce a policy that didn’t exist.
Each Tuesday, Jeff Davis tells it like he sees it from the trenches of the IT battle. And you can get his report from the frontlines delivered straight to your e-mail front door. Subscribe to Jeff's View from Ground Zero TechMail, and you'll get a bonus of Jeff's picks for the best Web stuff—exclusively for our TechMail subscribers.
Get it in writing
Every company I’ve ever worked for has published a written employee handbook. That document contains rules and guidelines for professional behavior. The most important rules define what constitutes grounds for termination. You know, “You may be terminated if you steal, if you lie, if you show up for work drunk as a skunk, if you are absent for three days and you don’t call in.” Most of those rules are grounded in common sense, and we (employees) generally accept and abide by them.

However, most of those handbooks were written long before personal computers became as common as staplers in our organizations. Unfortunately, many human resources departments haven’t bothered to update the rules of employment to reflect the company’s policy on what’s appropriate or inappropriate use of Internet access.

Let’s say the president of your company has said in a company meeting, “Use common sense, people. Don’t surf to pornographic Web sites and don’t play Web-based games on company time.” Does that announcement constitute a policy empowering the IT department to start policing Web activity? Not necessarily.

That’s why companies have human resources departments and lawyers. If a policy on appropriate Web access has been approved by the attorneys and put in place by the HR people, then and only then should the IT department start monitoring Web activity and reporting abuses of that policy by end users.
Do you have a written, formal policy on Web access in your organization? Are you restricting access to certain Web sites or running reports that identify what sites your end users are accessing? Please post a comment below or send me a note to share your experiences.

Editor's Picks

Free Newsletters, In your Inbox