The first step to crafting an employee monitoring policy is taking a baseline assessment of exactly the kinds of behavior that are going on within the confines of the corporate network. The survey should reveal the problem areas to be addressed and should provide excellent ammunition for convincing everyone of the need for monitoring. "It allows you to say, Here's what's going on in the absence of any policy: People are averaging 3.5 hours a day day-trading," says Frederick Lane, author of The Naked Employee: How Technology Is Compromising Workplace Privacy (Amacom, 2003). "Now that you've established the state of the business, you can go back to people and say, Here's our problem, and here's our fix. You can present the policy as a reasonable compromise."

The fundamental building blocks of a complete policy should include the following:

- Notify employees you will monitor their use of proprietary assets.
- Discourage the expectation of privacy on the corporate network.
- Detail inappropriate uses of the company's systems.
- Describe allowable uses of those systems.
- Educate employees about handling proprietary information.
- Establish parameters of disciplinary action.
- Provide an employee-signed copy of the policy to acknowledge their understanding and acceptance of its tenets.

The first two elements communicate to employees the kinds of monitoring that are going on and how they will be done. "Companies need to create a policy that explains in clear language what type of surveillance is taking place and distribute it so that employees know what they're getting into," says Lane. Such information can save the company legal headaches down the road. "A lot of litigation arises out of the shock of employees discovering that they are under surveillance" rather than the actual surveillance itself, Lane says. The policy should clearly define the nature of appropriate (and inappropriate) use of computer systems.

One of the murkiest problems that CSOs encounter is the general time drainage that occurs when every employee has e-mail and Internet access. For some companies, the answer is to prohibit any personal use of e-mail or Internet, but the vast majority of companies are acknowledging that as employee workdays grow longer, some incidental use of e-mail and the Internet is necessary. The key: Be explicit about what the company considers reasonable. Is it use only during lunch or for making doctor's appointments?

At National Cooperative Bank, Managing Director of IT Russell Schofield uses a product from SurfControl to track where his employees are going on the Internet. The product blocks all the usual socially taboo sites and also monitors time spent online. Every month he pulls a report of the company's top 30 users, and if certain employees seem to be spending inordinately long periods surfing, he forwards the information to their supervisor. "Most individuals that show up on that report never show up again, and those that do don't show up for very long," he says. He has watched the time spent online for top users go from as much as 16 hours a week to a current average of about five hours, which he says are probably just during lunch.