Video Surveillance and Data Monitoring: The Basics


The Massachusetts Department of Revenue has been practicing data surveillance longer than most. More than a decade ago, top managers at the state agency realized that some employees would be unable to resist the lure of the department's treasure trove of personal taxpayer information. "Sports figures seem to be the biggest draw. It's like a disease. People just can't seem to resist" peeking at athletes' private financial information, says John Moynihan, a 22-year veteran of the department who is now deputy commissioner and internal control officer.

Other people's tax data may be a draw for the curious, but resist they must, as it is against department policy for anyone, including employees, to access taxpayer data without a legitimate business reason. And it's illegal under Massachusetts law for anyone to disclose such data. So in 1992 the agency built a homegrown system that would alert the information security department every time an employee accessed a high-profile resident's income tax file. The system worked well, catching a handful of illegal browsers (some of whom immediately lost their jobs) each year, including a case where an employee accessed the income tax records of one of her husband's coworkers. It seems the husband had been passed over for a promotion (which went to the coworker), and snooping through that person's financial data made the couple feel better.

Eventually, Moynihan—and his boss, the commissioner—realized the DoR had to monitor every access of every taxpayer's personal information on the database. Integrity of the process was not only an ethical matter—a public-sector breach could lead to major political ramifications. "If at any time a confidentiality problem hit the papers and taxpayers felt the system was not protecting their information, it could impact voluntary [income tax] compliance. The consequences could be immeasurable," he says.

In 1997, the Department of Revenue spent $300,000 (out of an overall IT budget of $25 million) to custom develop its Transaction Tracking system based on a Unisys mainframe. The system captures every access of taxpayer data in Massachusetts and creates audit trails for future reference. Once auditors monitoring the database identify a potential violation of the data access policy, such as an anomaly in the audit trail, they give the employee a chance to explain. If there is no reasonable explanation for the data access, the case is referred to internal investigators for further analysis and an interview with the employee. Disciplinary actions that could follow include firing an employee for a first offense.
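The review step described above, where every access is recorded and an auditor flags records with no legitimate business reason or touching a high-profile file, can be sketched as a small triage routine. This is an added example, not the department's Transaction Tracking code; the audit records, watch list and case assignments are constructed sample data, and the "assigned case" field is an assumed way of recording a business justification.

```python
"""Audit-trail triage for taxpayer record access (added example, constructed data)."""
from collections import defaultdict

# Constructed audit trail: (employee, taxpayer_id, assigned case or None)
AUDIT_TRAIL = [
    ("emp01", "TP-1001", "CASE-7"),   # access inside an assigned case: fine
    ("emp01", "TP-1002", None),       # no case recorded: needs an explanation
    ("emp02", "TP-9001", "CASE-9"),   # watch-listed taxpayer, legitimate case
    ("emp03", "TP-9001", None),       # watch-listed taxpayer, no business reason
    ("emp03", "TP-1003", None),
    ("emp03", "TP-1004", None),
]
# Constructed: high-profile files whose every access is surfaced for review
WATCH_LIST = {"TP-9001"}
# Constructed case assignments: case -> (assigned employee, taxpayers in scope)
CASES = {"CASE-7": ("emp01", {"TP-1001"}), "CASE-9": ("emp02", {"TP-9001"})}


def review_access(event):
    """Return the findings for one audit record; an empty list means nothing to flag."""
    employee, taxpayer, case = event
    findings = []
    if case is None:
        findings.append("no business justification recorded")
    else:
        owner, scope = CASES.get(case, (None, set()))
        if owner != employee:
            findings.append(f"case {case} not assigned to {employee}")
        if taxpayer not in scope:
            findings.append(f"taxpayer {taxpayer} outside scope of {case}")
    if taxpayer in WATCH_LIST:
        # Surfaced even when justified, like the 1992 high-profile alerting
        findings.append("high-profile taxpayer file")
    return findings


def review_trail(trail, threshold=3):
    """Triage a whole trail: per-record findings plus employees whose
    unjustified accesses reach the threshold (a pattern, not a one-off)."""
    findings = {}
    unjustified = defaultdict(int)
    for event in trail:
        hits = review_access(event)
        if hits:
            findings[event] = hits
        if event[2] is None:
            unjustified[event[0]] += 1
    repeat_offenders = {e for e, n in unjustified.items() if n >= threshold}
    return findings, repeat_offenders
```

Flagged records are the starting point for the "chance to explain" step, not a verdict; the repeat-offender set is what an auditor would escalate first.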

Today, Moynihan consults with other states and gives presentations to both public- and private-sector audiences on how to take a commonsense approach to data surveillance and privacy policies. He advises clients to create a strong data access policy, train employees on that policy and then enforce violations. Sounds simple enough, but there are many traps for the unwary.

Technology and tools now exist to scan and store just about anything—employee access to databases, as well as e-mails, instant messaging transcripts, Web surfing habits, keywords entered and even each individual keystroke in files. In addition, it's long been established that employees have no expectation of privacy in their use of company systems. But how do you do this well and cost-effectively? It takes an assessment of your organization—the purpose of your business, the kind of data you have, the nature of employees' work, and the culture that allows them to be successful—balanced with the need to secure the integrity of your key information assets.

Remember the insider threat

Information security has for the most part focused on the perimeter of the network. But experts and CISOs agree that the biggest threat to data security comes from insiders who have free and easy access to the data, not outsiders who manage through extraordinary means to penetrate a firewall and various authentication measures.

"I worry most about the insider threat. An unhappy employee is far and away the most difficult to track down and potentially the most dangerous," says David Mortman, CISO for Siebel Systems, a customer relationship management software maker in San Mateo, Calif.

To combat the internal menace, you've got two choices: Lock down data access (not possible or desirable for most companies) or keep watch over what employees are doing with your critical corporate data. If the most valuable intellectual property (IP) your company possesses is about to walk out the door (on a laptop, USB drive, MP3 player or CD, or sent to an FTP site), wouldn't you want to know about it? There might be a perfectly innocent reason the employee did what he did.

Many companies also need to monitor the way employees interact with data to ensure adherence to policies for compliance with Sarbanes-Oxley and other regulations. "We monitor key corporate financial systems to ensure there is no inappropriate activity," says Anne Rogers, director of information safeguards for Waste Management, a $12.5 billion publicly held trash services provider. The company also uses Web filtering software to block access to sites that contain inappropriate material.

Rogers says her job is not made easier by the fact that most of the company's 56,000 employees (such as the garbage collectors) do not use computers. She says that "while only about one-third of our employees work on the computer systems," a number of factors—network and application configurations, the number of company locations, variations in user roles and compliance requirements among them—drive the information access and protection workload.

Know which electronic resources are most valuable

You could make a reasonable case (as the vendors do, every day) that data monitoring is a cost-justified, loss-avoidance tool that every company should employ. Surely all public companies that are subject to Sarbanes-Oxley and similar regulations should use some form of data monitoring to ensure compliance as well as safeguard data. But every company is unique in terms of the kind of data it keeps, the value of different data and its intellectual property. Figure out what you can't afford to lose, and apply the most rigorous monitoring there.

Joe Rizzo, acting CISO at multiplayer online game developer Perpetual Entertainment, acknowledges that it is a continuing struggle for organizations to find the right balance between knowing what's happening with data and maintaining employee morale. "It's touchy because our employees don't want to feel like they're being watched," he says.

Rizzo has arrived at what appears to be a reasonable compromise: Perpetual uses Tablus's Content Monitor Alarm to monitor access of its game source code, especially since it often works with third-party developers. The system makes a digital footprint of the source code. "It's our livelihood. We have to control and monitor that data. If we see our IP leaving, we will take action," he says. But he does not block any websites or curtail the use of IM.

Education is still key

Some CISOs elect not to alert employees that they are being monitored, preferring to watch the activity in its raw state. Others give explicit warnings about the monitoring and consequences of improper behavior.

Moynihan of the Massachusetts Department of Revenue says it is essential to let employees know in advance. If there is no legitimate business justification for accessing the taxpayer's file, the employee (any employee) could be dismissed the first time, as spelled out in the department's seven-page confidentiality memo. He also believes the up-front warning has a deterrent effect.

Moynihan's agency helps workers avoid inadvertent improper behavior. He has set up a training program to educate employees on everything from what constitutes legitimate file access to what employees should do if they access the wrong file by mistake. The agency has gone so far as to show a training video that new hires see during orientation and everyone else can see via the agency's intranet. Every single employee, from the lowest to the highest, must sign the confidentiality memo once a year.

Don't forget contract workers

Companies with poor deprovisioning processes often leave contractor access open longer than necessary. Make sure your contractors know the rules, and then pull the plug on them as soon as their work is done.

This document was compiled from articles published in CSO magazine. Contributing writers include Scott Berinato, Todd Datz, Daintry Duffy, Lauren Gibbons Paul and Sarah D. Scalet. Send feedback to CSO Editor Derek Slater at

Copyright © 2005 IDG Communications, Inc.
