Cyberslacking
Discussion of the Electronic Monitoring and Surveillance Survey
By Ken M. Shaurette, CISSP, CISA, CISM

In 2005, the AMA (American Management Association) and ePolicy Institute conducted an Electronic Monitoring and Surveillance Survey that illustrates how organizations are motivating employee compliance. The survey showed that organizations are putting teeth in their computer policies by using technology to manage productivity and protect resources. The main technology and process consist of monitoring employee use of computer resources in support of acceptable use policies. Regardless of whether they have crafted computer, e-mail or Internet Use policies, the implementation of technology to monitor proper use is becoming prevalent. The survey illustrated that 26% of organizations have fired workers for misusing the Internet, 25% have terminated employees for e-mail misuse and another 6% have fired employees for misusing office phones.
When it comes to workplace computer use, employers are showing a very strong concern focused on Web surfing, with 76% monitoring workers’ website use. Blocking access has become a widely accepted method for increasing productivity and meeting policy compliance, showing a 27% increase since 2001, when the last such survey was completed.
An especially fast-growing area is the identification of employee use of computer systems and access to corporate data. Computer monitoring takes various forms: 36% of employers track content, keystrokes and time spent at the keyboard, while an additional 50% report that they store and review employees’ computer files. Many companies have begun to keep a closer eye on e-mail, with 55% retaining and reviewing messages.
Most employers are notifying employees that they are being monitored with 80% identifying that they inform employees that the company is monitoring to ensure appropriate business use of computer resources and compliance with policy. Including monitoring in Corporate Information Policy is especially important, but enforcing the policy can be quite time consuming and have varying degrees of effectiveness.
In the financial industry the FFIEC IT Examination Handbook identifies that “Financial institutions can achieve effective employee awareness and understanding through security training, employee certifications of compliance, self-assessments, audits, and monitoring.” Every effective Information Security Program includes an ongoing awareness program that goes beyond just new employee orientation.
Health care is another industry whose organizations must meet detailed regulatory requirements for monitoring access to client data, as spelled out in the HIPAA Security Rule. Specific requirements from the HIPAA Security Rule are illustrated below:
164.308(a)(1)(ii)
(D) (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports.
164.308(a)(5)(ii)
(C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
(ii) Implementation specification: Response and Reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
164.312 Technical safeguards
(b) Standard: Audit controls. Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
By the HIPAA regulation’s definition: “Security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”
Including statements in an organization’s policy about monitoring or auditing access to applications, systems and ultimately data is essential to complying with the letter of many regulations. Technology must provide the ability to track access to customer data and financial information, or even, as due diligence, to track the misuse of access, or what Mike Ellie, Independent Systems Security Analyst, once described as “Employee CyberSlacking.” A complete Information Security Program also includes incident management. As such, having a way to identify and track incidents, which are often initiated from employee access, has become a critical component of the security program and, more importantly, a necessity for meeting the requirements of the various regulations identified earlier for HIPAA and the statements in the FFIEC handbook, which outlines guidelines for banks to comply with GLBA, the Gramm-Leach-Bliley Act. Monitoring is an important component of compliance. In addition, SOX, the Sarbanes-Oxley Act, requires tracking of access to financial systems and processes.
Proving control over an organization’s network sometimes makes it necessary to track employees’ personal computer usage. This is often an unpleasant, undesirable and time-consuming task with potentially negative repercussions for the company. It is very common for monitoring to be seen as a lack of trust, or as an element of organizational Big Brother, but in reality it is simply good business practice for managing the confidentiality, integrity and availability of the organization’s network. Monitoring tools and processes, when used properly, provide compliance with regulations rather than a way to penalize employees.
Employers are significantly concerned about litigation and the role that electronic evidence plays in lawsuits and regulatory investigations. This has motivated many to implement electronic monitoring policies. Based on the Electronic Monitoring and Surveillance Survey, employers have established policies (often called Acceptable Use Policies) governing personal e-mail use (84%); personal Internet use (81%); personal instant messenger (IM) use (42%); operation of personal websites on company time (34%); personal postings on corporate blogs (weblogs) (23%); and the operation of personal blogs (20%) on company time.
Workers’ e-mail, instant messaging, blogs and various Internet content are written business records. As such, they are the electronic equivalent of DNA evidence. Improper employee use of e-mail or IM can trigger lawsuits involving sexual harassment (pornography in the workplace), cyber-stalking or even child enticement. According to the 2004 Workplace E-Mail & IM Survey from AMA and the ePolicy Institute, the trend is becoming more prevalent: one in five employers has had e-mail subpoenaed by courts and regulators, and another 13% have battled workplace lawsuits. To help control the risk of litigation, security breaches and other electronic disasters, employers take advantage of technology tools. Tools can help organizations battle people problems, including the accidental and intentional misuse of computer systems, telephones and other electronic resources.
So how does an organization ensure compliance with corporate policy, meet these regulatory requirements and support the need for forensic evidence? Consider an appliance-based solution that helps automate the process, protects employees’ privacy and dignity, and protects company assets. Few solutions help meet compliance requirements for monitoring and auditing confidential customer information and corporate data without heavy administrative burdens and application modifications. The right solution can track fraudulent activity perpetrated using computer systems and provide the forensic-quality evidence needed for litigation.
A company in La Crosse, Wisconsin called Sergeant Laboratories has created a solution for easy tracking named Aristotle. With Aristotle an organization has the ability to encourage appropriate computer use and monitor cyberslacking. It frees technicians from being the “compliance police.” Implementing a tracking solution such as Aristotle provides an assured approach to tracking, policy enforcement, and the monitoring and auditing of access often required by various regulations. Aristotle can provide the forensic-quality evidence to support litigation. It can do all this with real-time notification, which can become a critical component of a company’s defense-in-depth strategy by providing the early notification and tracking needed for incident management. Custom-tailored “security events,” when triggered, can be routed directly to the responsible personnel, such as department managers, auditors or compliance coordinators. The comprehensive reporting allows management to perform proactive incident management by providing the ability to see everything that is done on company computers, down to the keystroke. Through the use of custom security events based on company-defined keywords, an organization is alerted when an incident occurs. If there has been previous inappropriate behavior, an investigator can simply search for keywords or events and will have the data needed at their fingertips thanks to Aristotle’s DataVault.
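The two review mechanisms described on this page, log-in monitoring for discrepancies (HIPAA 164.308(a)(5)(ii)(C)) and keyword-defined security events routed to the responsible role, can be illustrated with a small audit-log review. The code below is an added example and is not Aristotle’s or Sergeant Laboratories’ code; the log format, the keyword rules, the three-failure threshold and the role names are all assumptions constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample audit-log lines for this demo (not output of any real product).
SAMPLE_LOG = """\
2005-06-01 08:01:12 host=ws-17 user=jdoe event=login result=failure
2005-06-01 08:01:30 host=ws-17 user=jdoe event=login result=failure
2005-06-01 08:01:45 host=ws-17 user=jdoe event=login result=failure
2005-06-01 08:02:10 host=ws-17 user=jdoe event=login result=success
2005-06-01 09:15:00 host=ws-04 user=asmith event=file_access path=/patients/record-1021.txt
2005-06-01 09:16:02 host=ws-04 user=asmith event=keystroke text="send the patient list to my personal email"
2005-06-01 10:00:00 host=ws-09 user=bkim event=login result=success
"""

# Hypothetical company-defined keyword rules: keyword -> role that receives the alert.
KEYWORD_ROUTES = {
    "patient": "compliance coordinator",
    "personal email": "department manager",
}
FAILED_LOGIN_THRESHOLD = 3  # assumed policy value for reporting a log-in discrepancy

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split 'YYYY-MM-DD HH:MM:SS key=value ...' into a dict (quotes stripped)."""
    ts, rest = line[:19], line[20:]
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields

def review_log(text):
    """Return (login_discrepancies, routed_events) for the given audit-log text."""
    failures = defaultdict(int)
    routed = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec.get("event") == "login" and rec.get("result") == "failure":
            failures[rec["user"]] += 1
        # Keyword review covers every recorded value: file paths, typed text, etc.
        haystack = " ".join(v for k, v in rec.items() if k not in ("ts", "host", "user")).lower()
        for keyword, role in KEYWORD_ROUTES.items():
            if keyword in haystack:
                routed.append((rec["ts"], rec["user"], keyword, role))
    discrepancies = [(u, n) for u, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD]
    return discrepancies, routed

if __name__ == "__main__":
    disc, events = review_log(SAMPLE_LOG)
    for user, count in disc:
        print(f"LOGIN DISCREPANCY: {user} had {count} failed log-in attempts")
    for ts, user, kw, role in events:
        print(f"{ts} route to {role}: user {user} matched keyword '{kw}'")
```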
By tracking and reporting on user behavior, the Aristotle solution provides a window into the network, including real-time alerts and historical reporting on user behavior and policy violations. This level of monitoring and reporting provides the support necessary for regulatory compliance without the application modifications often required, especially in legacy computer systems. Tracking activity at the workstation level is a bit of a change in philosophy for many organizations. With these kinds of tools available, it is now possible to do all this without compromising users’ privacy or work efficiency. Most importantly, organizations can now document an incident without needing to touch the individual workstation.
Aristotle, as an asset-reporting tool, will tell how, when and why computers are being used. It will even identify whether Trojan programs have opened back doors in systems, all in an easy-to-use, easy-to-install network appliance. In fact, the system is so easy to use that most installations are online in under an hour.
From the time of installation, Aristotle records all desktop activity down to the keystroke. From this data, countless historical reports can be created and made available for usage analysis, documentation, purchasing decisions, legal protection, compliance monitoring and simply understanding how computers are being used. This Incident Reporting and Policy Compliance Monitoring Solution comes with pre-designed reports, a data mining feature and the ability to download the information into spreadsheets or other formats for company-customized reporting.
Let’s look at some sample cases that could happen in your organization.
[Case Study #1: "Password Security"]
[Case Study #2: "Harassment in the Workplace"]
[Case Study #3: "Tracking Software"]
Surveys have shown that tracking employee activity has become accepted practice among many organizations. Recent regulations have documented the need to monitor access to data, including who is accessing what and when. The cases illustrated are but a few examples of situations that many organizations can relate to. Organizations are challenged with how to support incident management without adding significant technician, system, application or database processing overhead. Making the information available in a timely manner without impacting employee performance is a challenge that Aristotle can solve.