21St Century Technologies Surveillance Policy Guidelines

IT500 Information Technology
Dr. Robert Elliot

Victoria Nagy

TO: Human Resources
From: Victoria Nagy President of 21st Century Technologies
Re: Constructing a Surveillance Policy
Date: January 25, 2015

This memorandum is in reference to the construction of companywide surveillance policy. A surveillance policy is critical within our organization for the purpose of protecting client data and our resources. The surveillance policy is not to act as a draconian tool to ensure employee productivity. Studies have shown when an employee feels that they are constantly monitored their employee productivity decreases. (Stanton and Stam, 2006.) Our surveillance policy has to be constructed with complete transparency to establish trust within our organization and employees. Our acceptable use policy needs to cover the areas for which we will monitor our employee’s activities. The Sarbanes-Oxley act of 2002 indirectly mandates all communications between our employees and customers. The act dictates that we institute internal controls to detect and report fraudulent activities. Monitoring of client-employee communications serves as an internal control. The control is as much as a protection for the employee as it is for the health of the firm. The Gramm-Leach-Bliley Financial Services Modernization Act of 1999 mandates that we protect the privacy of our client’s financial data. We cannot provide adequate protection to our clients without monitoring who is accessing the data. The data should be accessed on a need to know basis and any unauthorized access should be corrected immediately. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 which protects access and privacy of our clients health data also needs to be monitored to avert any HIPAA violations. We need to monitor our employee’s emails not for content however for issues such as spam and phishing. When an employee inadvertently responds to an external email they could be putting our organization at risk by exposing our firm to a virus or spyware. We will not set a policy against personal use of emails for the following reasons. First, email is replacing the telephone as a means of communication. Inadvertently life will sometimes interfere with work matters. An employee should be able to handle their personal matters within limits. For instance, a few years ago I was in meetings all day and I was not receiving a signal on my cellular phone and I never hand out my work telephone number for matters outside of work. My daughter had a 104 degree temperature. The school nurse emailed me when she exhausted the phone communications. My daughter would have been left in a grave predicament without email communication. Second, some areas such as collective bargaining fall outside of the work purview however Section 7 of the National Labor Relations Act gives the employee the right to air grievances and unionize. We do not want to enter any grey areas of the National Labor Relations Act. Third, internet email websites will be blocked to avert employees feeling as though to gain privacy they have to use an authorized means of communication for work related matters. Our firm is unaware of the spam controls used by internet email so for an employee to use such email puts our firm at risk. The area of emails where we will state is prohibited are internet spam chain letters. Spam chain letters are designed to forward to as many users as possible to drain on the resources of our servers and can leave our systems open to a vulnerability. We will be monitoring computer logon and system access attempts by users. Multiple attempts can be seen as a brute force method to gain unauthorized access. We need to identify both internal and external threats. For internet use monitoring the obvious pornography and internet web mail will be black listed. However, we will not black list social