Watch What You’re Doing: Surveillance and Monitoring Policy Survey

Early surveillance monitors (like early TVs and computers) didn’t have solid-state transistors; they used thermionic valves, also known as vacuum tubes. To amplify the incoming signal, you had to heat a filament and get it to release electrons. The key here is the heat; CCTV equipment even into the ’70s was filled with thermionic valves. It was cumbersome and clunky and ran hot. Very, very hot. Stuff broke a lot. As a result, surveillance equipment needed constant attention and repair, and early CCTV installers did a brisk maintenance business.

The technology, of course, has come a long way. But the practice of surveillance in many companies appears to be, well, thermionic.

While cameras are getting smaller and more plentiful, and image quality is getting better, and more video is running over standard IP networks (instead of proprietary closed circuits), a good percentage of the 169 respondents to the “CSO Surveillance and Monitoring Survey” indicated that the way they manage video surveillance hasn’t changed much since CCTV’s early days. Even though 58 percent of respondents said their use of video surveillance is on the rise, many have no clear overarching policy on camera usage (44 percent), do no ROI measurement (49 percent), get no benefit other than security from their surveillance system (66 percent) and have no staff members trained in the possible legal pitfalls of surveillance (45 percent). Articles in this special report aim to help remedy those shortfalls.

The news is a bit better in the world of bits; at least more companies have an official policy on data monitoring of employees than have such a policy governing their use of surveillance cameras. But given the rapid advance of video technology, CSOs would do well to play catchup with video policies and practices. Otherwise, it’s likely to get hot, and stuff’s going to start breaking.

Most companies have a data monitoring policy; video surveillance is less rigorously governed.

Do you have an official company policy that allows video surveillance (except where illegal) of everyone on company premises?

Yes 51%

No 44%

Don’t know 5%

Do you have an official, written policy that allows monitoring of employee computer and network contents?

Yes 86%

No 12%

Don’t know 2%

While use of video surveillance is rising, practices seem relatively unsophisticated.

Has your use of video surveillance changed since this time last year?

Grown dramatically 19%

Grown slightly 39%

Stayed the same 41%

Decreased 1%

Do you use fake or deactivated cameras as part of your surveillance practices?

Yes 23%

No 77%

How do you measure the ROI of your surveillance systems? (Check all that apply)

Improved employee productivity 6%

Improved workflow/supply chain 7%

Increased safety for employees/consumers 45%

Prevention of theft of physical property or data 46%

Prevention of crime/vandalism 43%

Do not measure ROI 49%

Where is your surveillance monitored?

Centralized/located in a corporate office not at your location 5%

Monitored on-site 50%

Combination of central and local monitoring 45%

How long do you store surveillance footage?

Less than 1 month 33%

16 months 50%

7 months to 1 year 7%

More than 1 year 10%

How often is your surveillance footage reviewed by a person?

Footage constantly monitored 25%

At least once a day 10%

At least once a week 3%

At least once a month 5%

Stored only, viewed on an as-needed basis 48%

Viewed only when electronic alarms go off 9%

Employees’ use of the Web is widely tracked; other data-monitoring practices are significantly less common.

Which of the following types of employee data-monitoring does your company allow?

Real-time e-mail content monitoring (such as scanning for keywords) 61%

Real-time content monitoring of instant messaging (for example, scanning for keywords) 36%

Examination of archived e-mail/IM only 46%

Real-time Web usage tracking (such as for pornography or sports sites) 78%

Real-time packet monitoring (for file types such as MP3) 45%

Keystroke logging 11%

Hard-disk forensics 40%

How long do you retain central archives of e-mail messages?

Less than 6 months 29%

6 months to 1 year 24%

13 years 15%

47 years 13%

More than 7 years 9%

Do not retain messages centrally 9%

34% …use video surveillance for purposes other than security

45%…have been trained in the legalities of video surveillance

24% …capture and archive instant messaging conversations

Methodology:

The “CSO Surveillance and Monitoring Survey,” conducted by CSO, was administered online during May and June 2005. CSO subscribers were invited by e-mail to take the survey. Results shown here are based on the responses of 169 security professionals. (Not all respondents answered all questions.)

Survey respondents represent a range of industries, including finance (21%); health care (10%); state, local and federal government (11%); manufacturing (7%); and education (5%).

In terms of title, 38% of the respondents held senior-level security titles including CSO, CISO or vice president of security. Eighteen percent were CIOs or CTOs, 8% held other C-level titles including CEO, COO and CFO. And 12% were directors or managers of security.