Let’s open a can of worms and make this week interesting, shall we? Is e-mail and Web use monitoring good or bad in a government workplace? I bring this topic up because I just read an article that quoted a recent survey in CSO magazine that said that 61% of survey respondents allow e-mail content monitoring while 75% allow monitoring of Web use.

This made me wonder about government use of employee monitoring. My guess is the percentages would vary depending on the organization’s mission and the amount of regulation it must work under. For instance, the Department of Defense and the CIA probably do more monitoring than a local government. But before we get into who is monitoring and why, let’s talk about the basics of monitoring.

Monitoring can be defined as storage and review of employee e-mail, files, and computer activity. By default we engage in the first part of the definition through our normal IT activities. E-mail and files are regularly backed up for recovery purposes and network activities, such as login and logout times, are often part of log files kept by the network operating system. Our Web activity record is kept by default in the form of history files, cookies, cache, and logs on servers, as well as on the clients themselves.

The key then to “do we monitor” is review. Do we allow the review of e-mail, files or Web use in our organization? I am willing to bet that most of you reading this will say yes to that question. In fact, I am pretty sure that there are extremely few government organizations that would disallow the examination of computer records and e-mail as part of an investigation into harassment, theft, or other conduct not permitted by the organization. Therefore, the majority of us participate in monitoring at the lowest level.

But when most of us hear the term monitoring, we aren’t thinking about the passive, low-level monitoring described above. Most of us think about active monitoring tools and active/purposeful review of information collected by those tools.

From keystroke loggers to e-mail and Web filtering/blocking, there is a tool we can employ to record or stop the activity. The question then becomes – should we?

Proponents of active monitoring usually give the following
arguments for doing so:

  • Increases employee productivity.
  • Security – protects confidential information.
  • Increases in network performance.
  • Aids in regulatory compliance.
  • Aids in network/capacity planning.

Detractors of the practice usually give the following
arguments:

  • Breeds contempt amongst the workforce.
  • Lowers productivity.
  • Opens the organization up to litigation.
  • Can create storage and retention issues.
  • Can decrease network/computer performance.

First and foremost, the answer to “should we?” should not come from IT. This is strictly a management and HR decision and the decision to monitor or not and to what degree has to come from them. That’s not to say that IT should not play a leadership role in bringing the issue to management’s attention – after all, the tools and capabilities do reside with IT.

In fact, IT must play a strong role in making sure that those who will be making the decisions understand not only the capabilities regarding employee monitoring but also understand the drawbacks. It is with this information that management can weigh all the pros and cons associated with the issue and choose the course that is best for the organization.

No matter what level of monitoring is used (remember, I argued earlier that we all participate in monitoring), the policy should be disclosed very clearly. Make sure your acceptable use policy defines what a violation is and what the consequences are of violating the policy.

Personally, I have always been a big believer in blocking certain types of activities. I think it is in the best interest of the organization and its employees to protect the workers from themselves (to a certain degree). For example, I would rather proactively block pornography and hate material than check up on people, or deal with the results of complaints that might arise from inappropriate use.

Secondly, given open records laws, the more you retain regarding employee behavior, the more fodder there is for unwarranted ill will. For example, if you log Web site activity for the organization and you allow “casual surfing of the internet during lunch and breaks,” you will likely find that non-work-related Internet activity comprises a large percentage of total Web activity. It won’t matter when and how the activity occurred to the citizenry when they read a headline screaming “Government Employees spend majority of time on eBay!” Think about that when factoring in the pros and cons of monitoring.
