How To
Web Monitoring: How to Track Employee Data Access (Without Going Overboard)
Monitoring access to corporate data can be an effective way to keep the crown jewels from walking out the door, but it requires a careful balancing act.
By Lauren Gibbons Paul
Many companies fail to take a critical step toward safeguarding employee morale: Making sure the policies regarding data malfeasance are applied evenhandedly. Often due to political pressures, security officers choose to look the other way when the violator happens to occupy the corner suite. That's understandable, but not advisable. "You can't pick and choose who will be fired for violating [electronic data] policies," says Flynn. Doing so could leave you legally vulnerable if an employee sued. She applauds Boeing for its widely publicized ousting in March of its CEO⬠can't get much higher than that⬠for violating e-mail and ethics policies in carrying on an affair with a female employee.
Don't Forget Contract Workers
In addition to making sure employees are on the straight and narrow and proving compliance with regulations, many companies are finding data monitoring to be an excellent way to keep tabs on business partners such as outsourcers.
Seth Birnbaum, CEO of Verdasys, says many customers are using its Digital Guardian software tool to track and archive what outsourcers are doing. In one case a customer was able to prove a point with an outsourcer by going back to the logs generated by Digital Guardian.
"It circumvented the whole back-and-forth 'You have a problem,' 'No we don't' cycle," says Birnbaum. "The customer came in to them with proof in hand, so the outsourcer was forced to simply acknowledge the issue and do something about it."
Companies that work with skilled contractors (such as software developers, technical writers, product designers and engineers) should consider using data monitoring to verify that the hired gun's intentions (and actions) are pure.
Data surveillance is one of the few data protection techniques that do not restrict employee access to that data. Veteran Moynihan of the Massachusetts Department of Revenue would rather watch behind the scenes and simply verify employee access and see what files employees access as opposed to curbing their ability to get at the data (and do their jobs). With the comfort of a successful deployment under his belt, Moynihan takes the high road. Sensitive data will always be at risk. "But this is highly confidential stuff, and damn it, if we can't protect the data, we shouldn't be doing this job."
(This story originally ran in CSO as "Keystroke Cops.")
Other stories by Lauren Gibbons Paul
web monitoring
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
- Upgrading to VMware vSphere with vWire
- Removing Barriers To Better Server Virtualization Efficiency
- Practical Approaches for Securing Web Applications across the Software Delivery Lifecycle
- Staying A Step Ahead of the Hackers: The Importance of Identifying Critical Web Application Vulnerabilities
- Managing A Growing Threat: An Executive's Guide to Web Application Security
- The Forrester Wave™: Web Filtering, Q2 2009
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
