Privacy Matters: How to Monitor Employees for Regulatory Compliance without Violating Employee Privacy
An ObserveIT Whitepaper | Gabriel Friedlander
Executive Summary
Under the increasing burden of regulatory compliance such as PCI, HIPAA, SOX, NERC and ISO 27001, companies are more and more seeking some form of monitoring platform for recording employee activity. Not surprisingly, this has been met with concern on the part of employees, who fear that employee monitoring is stepping on their rights to privacy in the workplace. However, a combination of transparency and common sense can bridge these two seemingly diametric positions. After all, if an employer seeks to simply meet regulatory compliance, and can do so without infringing on employee rights, then both sides will benefit from greater efficiency, clarity and profitability. This whitepaper highlights the legal issues driving the employer and employee concerns, and follows that up with a detailed checklist of how to effectively deploy a monitoring platform, achieve regulatory compliance and maintain employee trust and support, all at once.
Employer Needs
In reality, employee efficiency is a much smaller concern to employers than the far more threatening issue of corporate accountability and the security of sensitive information.
Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
Of course, employees would like to improve efficiency wherever possible. But in more cases than not, employee training, trust and standard management oversight are effectively applied to meet these needs. Accountability, however, is not so easily managed away. In almost every industry segment, compliance regulations such as PCI, SOX, HIPAA, HITECH, NERC, ISO 27001 mandate very explicit accountability of all user access to sensitive data. And even where regulations are not applicable, internal security controls will often raise the exact same needs. Recording user activity is the most straightforward way to answer this need. Here, we focus on the aspect of computer activity recording, leaving aside the productivity orientation of phone conversation recording and the physical security orientation of closed-circuit video.
SOX
The U.S. Sarbanes-Oxley Act (SOX) is a wide-ranging act that requires all publicly traded companies to deploy internal controls for the accountability and integrity of the financial reporting process. This broad issue includes Section 404: Assessment of internal control, which many assess to be the most difficult and costly to satisfy. Fulfilling Section 404 is often achieved by adopting the COSO Framework, which includes methods for Risk Assessment, Control Activities, and Monitoring, among others. If management fails to establish a monitoring process for its internal control system, either in the form of independent evaluations or ongoing monitoring, then a satisfactory rating for this control component normally would be inappropriate.
Reinforce the benefits to the company, and tie these to a benefit for each employee
Let your employees know ahead of time why you need to implement some form of monitoring. You get good will when employees understand your needs. To this end, be sure that you communicate in a clear way. Don't distribute a legal-sounding treatise about regulatory oversight. Tell them in your own words, using examples of the type of actions for which you must be accountable to auditors.
Instead of making it a burden, show employees how compliance will make work more efficient or profitable. Highlight points such as the elimination of ad-hoc audit research (which is usually a highly stressful activity) and improved safety of the employees' personal data from illegal activities.
Clarify what is acceptable, and when personal activity is OK
Show how you respect and even encourage it. If they know that Activity A is a no-no, but Activity B is OK, they will feel more empowered and confident in doing their day-to-day work. Again, avoid the threatening legal-speak, and keep it personal.
Any good will or clarity is lost if the info is hidden among thousands of pages of corporate policy manuals that are rarely looked at. If you can deliver the message in a friendly, informative manner (preferably while the user is initiating a recordable activity), then you can be sure that the employee is aware.
Make sure that everyone knows what will happen if they break corporate policy. You may not care that a particular employee is surprised that s/he is being fired for a particular violation. But what about all the co-workers? You don't want them in shock or angry. It is better for all if their reaction is "Well, s/he knew that this would be the result, because we all learned it in our policy training session, and we all click OK every day for the policy reminder!"
Let everyone know what is being recorded. Don't worry about exposing potential workarounds, and don't try to keep the recording policy a secret in hopes of improving security. Anyone who might try to work around the system will find the weak points anyway, so you are better off being upfront in letting everyone know exactly how it works.
Compliance issues are a company-wide concern, not a specific IT concern or a Legal Department concern. Plus, many employees are scared of the technology team, and also of the lawyers. So make all the communications from a corporate perspective, not from any specific department. This delivers a clear message that this is a clearly defined business goal, not something driven by some crazy IT manager just because s/he has the ability to do so.
Be Consistent
Make sure that your monitoring activities, as well as any enforcement of policy violations, are all implemented in a completely transparent and evenhanded manner. Employees should know that they are not being singled out for any reason.
Solving both compliance and privacy: An effective solution for monitoring user activity that meets legal requirements
Visual On-Screen Recording + Textual Summary Logs: Capturing the information you need
The purpose of deploying a monitoring platform is to know what took place. With ObserveIT, you have instant audit logs and video replay that show precisely what occurred. For any issue investigation, each log entry event is linked to a full video replay of the user session. View an exact playback of user activity, as if you were looking over the user's shoulder as it took place. With this level of accountability, there is no question as to what transpired, making any attempt at repudiation or denial utterly groundless.
[Screenshot: ObserveIT session view, with callouts]
WHAT DID THE USER DO? A human-understandable list of every user action (applications shown: Salesforce.com, UPS.com Quantum View, MagicISO CD/DVD Manager, Microsoft Visual Studio 2010, Skype, CustomerDetails CRM)
PLAYBACK NAVIGATION: Move quickly between apps that the user ran
POLICY MESSAGING: User must acknowledge. Message shown: "REMINDER: All activities on this computer are being recorded. NOTE: Corporate policy states that employees should not open any Customer Details pages unless necessary for handling an explicit customer request."
Conclusion
Meeting compliance regulations requires a detailed and orderly audit of user activity that can affect sensitive data. Achieving this level of audit detail requires a certain level of employee monitoring. However, this can be achieved without losing the trust of employees and without infringing on their right to privacy. Successful implementation of such an auditing process requires building trust and faith among employees. This can be achieved with transparency and clarity of all monitoring policies, combined with a monitoring solution that delivers explicit audit details but allows for proper policy rules and security oversight. ObserveIT's software platform for user activity recording is a central pillar in any such monitoring strategy. Benefits of using ObserveIT include:
Accountability of all activities that can affect sensitive data
Reduced costs to generate compliance reports, with less effort and faster turnaround time
Unequivocal proof of user activity, guaranteeing authentication and non-repudiation
Greater employee trust that comes from a transparent and consistent platform
About ObserveIT
ObserveIT auditing software acts like a security camera on your servers. It provides bulletproof video evidence of user sessions, significantly shortening investigation time. Every action performed by remote vendors, developers, sysadmins, business users or privileged users is recorded. Video recordings include mouse clicks, app usage and keystrokes. Each time a security event is unclear, simply replay the video, just as if you were looking over the user's shoulder. ObserveIT is the perfect solution for 3rd Party Vendor Monitoring, Compliance Report Automation and Root Cause Analysis. Founded in 2006, ObserveIT has a worldwide customer base that spans many industry segments including finance, healthcare, manufacturing, telecom, government and IT services.
For more information, please contact ObserveIT at:
www.observeit-sys.com
sales@observeit-sys.com
US Phone: 1-800-687-0137
Intl Phone: +972-3-648-0614