Lets open a can of worms and make this week interesting,
shall we? Is e-mail and Web use monitoring good or bad in a government work
place? I bring this topic up because I just read an article that quoted a recent
survey in CSO magazine that said that 61% of survey respondents allow e-mail
content monitoring while 75% allowed monitoring of Web use.
This made me wonder about government use of employee
monitoring. My guess is the percentages would vary depending on the
organization’s mission and amount of regulation that they must work under. For
instance, the Department of Defense and the CIA probably do more monitoring
than a local government, for instance. But before we get into who is monitoring
and why, lets talk about the basics of monitoring.
Monitoring can be defined as storage and review of employee e-mail, files, and computer
activity. By default we engage in the first part of the definition through our
normal IT activities. E-mail and files are regularly backed up for recovery
purposes and network activities, such as login and logout times, are often part
of log files kept by the network operating system. Our Web activity record is
kept by default in the form of history files, cookies, cache, and logs on
servers, as well as on the clients themselves.
The key then to “do we monitor” is review. Do we allow the review of e-mail, files or Web
use in our organization? I am willing to bet that most of you reading this will
say yes to that question. In fact, I am pretty sure that there are extremely
few government organizations that would disallow the examination of computer
records and e-mail as part of an investigation into harassment, theft, or other
conduct not permitted by the organization. Therefore, the majority of us
participate in monitoring at the lowest level.
But when most of us hear the term monitoring, we arent thinking about the passive, low-level
monitoring described above. Most of us think about active monitoring tools and
active/purposeful review of information collected by those tools.
From keystroke loggers to e-mail and Web filtering/blocking,
there is a tool made that we can employ to record/stop the activity. The
question then becomes should we?
Proponents of active monitoring usually give the following
arguments for doing so:
protects confidential information.
in network performance.
in regulatory compliance.
in network/capacity planning.
Detractors of the practice usually give the following
contempt amongst the workforce.
the organization up to litigation.
create storage and retention issues.
decrease network/computer performance.
First and foremost, the answer to “should we?” should
not come from IT. This is strictly a management and HR decision and the
decision to monitor or not and to what degree has to come from them. Thats not
to say that IT should not play a leadership role in bringing the issue to
management’s attention after all, the tools and capabilities do reside with
In fact, IT must play a strong role in making sure that
those who will be making the decisions understand not only the capabilities
regarding employee monitoring but also understand the drawbacks. It is with
this information that management can weigh all the pros and cons associated
with the issue and choose the course that is best for the organization.
No matter what level of monitoring is used, (remember I
argued earlier that we all participate in monitoring) the policy should be
disclosed very clearly. Make sure your acceptable use policy defines what a
violation is and what the consequences are of violating the policy.
Personally, I have always been a big believer of blocking certain
types of activities. I think it is in the best interest of the organization and
its employees to protect the workers from themselves (to a certain degree.) For
example, I would rather proactively block pornography and hate material rather
than check up on people, or deal with the results of complaints that might
arise from inappropriate use.
Secondly, given open records laws, the more you retain
regarding employee behavior, the more fodder there is for unwarranted ill will.
For example; if you log Web site activity for the organization and you allow
“casual surfing of the internet during lunch and breaks,” you will
likely find that non-work related Internet activity comprises a large
percentage of total Web activity. It wont matter when and how the activity
occurred to the citizenry when they read a headline screaming “Government
Employees spend majority of time on eBay!” Think about that when factoring
in the pros and cons of monitoring.
Keep up with the issues and challenges that uniquely affect
public-sector IT with TechRepublic’s free Government IT newsletter,
delivered each Tuesday. Automatically sign up today!