How to Monitor Employees for Regulatory Compliance without Violating Employee Privacy

Document Sample
How to Monitor Employees for Regulatory Compliance without Violating Employee Privacy Powered By Docstoc
					                                                                                                                      1


Privacy Matters:
How to Monitor Employees for Regulatory Compliance
without Violating Employee Privacy
An ObserveIT Whitepaper | Gabriel Friedlander


Executive Summary
  Under the increasing burden of regulatory compliance such as PCI, HIPAA, SOX, NERC and ISO 27001, companies
  are more and more seeking some form of monitoring platform for recording employee activity. Not surprisingly,
  this has been met with concern on the part of employees, who fear that employee monitoring is stepping on
  their rights to privacy in the workplace.

  However, a combination of transparency and common sense can bridge these two seemingly diametric
  positions. After all, if an employer seeks to simply meet regulatory compliance, and can do so without infringing
  on employee rights, then both sides will benefit from greater efficiency, clarity and profitability.

  This whitepaper highlights the legal issues driving the employer and employee concerns, and follows that up
  with a detailed checklist of how to effectively deploy a monitoring platform, achieve regulatory compliance and
  maintain employee trust and support, all at once.




Opposing Forces?:
Finding Common Ground in the Employee Monitoring Argument
Employee’s Fears
  The advent of technology in the workplace has made it much more feasible than ever before for employers to
  electronically monitor the activities of their employees, including phone conversation recordings, video
  recordings of the workplace premises and computer activity recording.

  The threat of being constantly monitored immediately brings to mind (thoughts of Big Brother: “We are being
  spied on, so that the boss can squeeze even more work out of us!” And employees indeed are right in being
  concerned about their own personal privacy.

  Unfortunately, these concerns often overshadow the larger issue at hand. For this reason, it is critical that
  employers take great efforts in order to ease the employee concerns.

Employer’s Needs
  In reality, employee efficiency is a much smaller concern to employees than the much more threatening issue of
  corporate accountability and security of sensitive information.


            Privacy Matters: How to Monitor Employees for Regulatory Compliance without Violating Employee Privacy
                                         © Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
                                                                                                                     2

  Of course, employees would like to improve efficiency wherever possible. But in more cases than not, employee
  training, trust and standard management oversight are effectively applied to meet these needs.

  Accountability, however, is not so easily managed away. In almost every industry segment, compliance
  regulations such as PCI, SOX, HIPAA, HITECH, NERC, ISO 27001 mandate very explicit accountability of all user
  access to sensitive data. And even where regulations are not applicable, internal security controls will often
  raise the exact same needs.

  Recording user activity is the most straightforward way to answer this need. Here, we focus on the aspect of
  computer activity recording, leaving aside the productivity orientation of phone conversation recording and the
  physical security orientation of closed-circuit video.

Regulatory Mandates for User Tracking
  While each compliance regulation is unique in its requirements, the core need surrounding sensitive data
  typically boils down to: “Make sure your data is secure, and make sure you can show exactly who did what do
  the data.” Some examples of accountability requirements include:

     PCI-DSS
      The Payment Card Industry Data Security Standard regulation provides 12 high-level requirements covering
      a wide range of issues related to credit card and financial information management, from access rights to
      data storage to audit monitoring. These include “Requirement 10: Track and monitor all access to network
      resources and cardholder data”, with explicit details of what must be done. For example, Section 10.2
      requires parties to “Implement automated audit trails for all system components to reconstruct the
      following events: … 10.2.2: All actions taken by any individual with root or administrative privileges …
      10.2.7: Creation and deletion of system-level objects.”

     HIPAA & HITECH
      The U.S. Health Insurance Portability and Accountability Act (HIPAA) specifies how organizations should
      manage Protected Health Information (PHI). This includes Security provisions (Subpart C) and Privacy
      provisions (Subpart E). These requirements are then further detailed in the subsequent Health Information
      Technology for Economic and Clinical Health Act (HITECH), which requires entities to “clearly identify
      employees and business partners” who access PHI, to “ensure that the data within its systems has not been
      changed or erased in an unauthorized manner”, and “make documentation of their HIPAA practices
      available to the government to determine compliance.”

     ISO 27001
      ISO 27001 is an Information Security Management System (ISMS) standard published by the International
      Organization for Standardization (ISO). Businesses that implement ISO 27001 can demonstrate reliable
      security practices to customers and business partners, thus establishing trust, meeting regulatory oversight
      requirements of many nations and saving costs by reducing the needs for ad hoc auditing processes. ISO
      27001 calls on any compliant business to examine information security risks; implement comprehensive
      information security controls for risk treatment; and incorporate management processes in order to ensure
      the controls on an ongoing basis.




            Privacy Matters: How to Monitor Employees for Regulatory Compliance without Violating Employee Privacy
                                         © Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
                                                                                                                          3

     SOX
      The U.S. Sarbanes-Oxley Act (SOX) is a wide-ranging act that requires all publicly traded companies to
      deploy internal controls for accountability and integrity of the financial reporting process. This broad issue
      includes Section 404: Assessment of internal control, which many assess to be the most difficult and costly
      to satisfy. Fulfilling Section 404 is often achieved by adopting the COSO Framework, which include methods
      for Risk Assessment, Control Activities, and Monitoring, among others. “If management fails to establish a
      monitoring process for its internal control system, either in the form of independent evaluations or ongoing
      monitoring, then a satisfactory rating for this control component normally would be inappropriate.”

Employee Rights in the Workplace
  The right of employees to a reasonable level of privacy is quite clear, on moral as well as legal grounds. Laws are
  in place in most countries on this matter, including:

     USA (Federal Law): Electronic Communications Privacy Act (ECPA)
      ECPA focuses primarily on the issue of government and law enforcement access to communications, but
      also includes Title II, which protects any electronic communications that are maintained in storage, typically
      in the form of computer-stored messages. Employee communications are protected in theory, but it is
      quite easy for employers to provide notice or show that employee actions are not in the company’s
      “interest”, providing the legal right to monitor employees.

     USA (State law)
      Many states enact additional restrictions or clarification via state laws. While these vary from state to state,
      the heart of most of the restrictions remain in the realm of personal privacy, such as California’s Workplace
      Surveillance Labor Code Section 435, which prohibits video surveillance in areas that employees can
      reasonably expect privacy, such as changing rooms and restrooms. Some regulations extend these privacy
      rights to computer messages, but again a certain vagueness remains regarding what is considered private
      data remains. (ex: Personal messages posted on a private on-line forum during break time may be private,
      but what if the forum is public, or what it is done during work hours, etc.)

     Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
      As in the US laws, PIPEDA also calls for employee privacy rights, but leaves a somewhat vague definition of
      when it is justified to monitor employee computer activity. The Office of the Privacy Commissioner
      provides some guidelines, which call on the employer to show that the surveillance is necessary to meet a
      particular need; that the surveillance will likely be effective; that privacy loss is proportional to the benefit
      gained; and that no reasonable, less-invasive methods exist to meet the need.

     UK: Human Rights Act
      The HRA allows employers monitor communications within the workplace only as the employee is aware of
      the monitoring before it takes place. Furthermore, employees have the right to see any personal
      information held about them.

     European Union: Data Protection Directive 95/46/EC
      This Data Protection Directive provides a wide range of guidelines for privacy assurance, without significant
      focus specifically on the employer-employee relationship within this area. The net result, as in the
      countries listed above, is again a situation where reasonable employee monitoring can be justified as long
      as there is a proper trail of Notification, Purpose, Consent, Security, Disclosure, Access and Accountability.

            Privacy Matters: How to Monitor Employees for Regulatory Compliance without Violating Employee Privacy
                                         © Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
                                                                                                                                            4

    User Monitoring Checklist
      Given the push-pull effect of regulatory mandates on one hand and personal privacy protection on the other,
      some balk at the task of implementing a monitoring platform that is legal, compliant and maintains the good will
      of employees.

      But threading this needle isn’t as hard as it may sound. Here’s how:

   State upfront the exact goals                                               Reinforce the benefits the company, and tie
    Let your employees know ahead of time why you need                           these to a benefit for each employee
    to implement some form of monitoring. You get good                           Instead of making it a burden, show employees how
    will when employees understand your needs. To this                           compliance will make work more efficient or
    end, be sure that you communicate in a clear way.                            profitable. Highlight points such as the elimination of
    Don’t distribute a legal-sounding treatise about                             ad-hoc audit research (which is usually a highly-
    regulatory oversight. Tell them in your own words,                           stressful activity) and improved safety of the
    using examples of the type of actions that you must be                       employee’s personal data from illegal activities.
    accountable for to auditors.
                                                                                Document the downside
   Let them know what is OK, and establish trust                                Make sure that everyone knows what will happen if
    Clarify what is acceptable, and when personal activity                       they break corporate policy. You may not care that a
    is OK Show how you respect and even encourage it. If                         particular employee is surprised that s/he is being
    they know that Activity A is a no-no, but Activity B is                      fired for a particular violation. But what about all the
    OK, they will feel more empowered and confident in                           co-workers? You don’t want them in shock or angry. It
    doing their day-to-day work. Again, avoid the                                is better for all if their reaction is “Well, s/he knew
    threatening legal-speak, and keep it personal.                               that this would be the result, because we all learned it
                                                                                 in our policy training session, and we all click ‘OK’
   Continuously remind employees about policies
                                                                                 every day for the policy reminder!”
    Any good will or clarity is lost if the info is hidden
    among thousands of pages of corporate policy                                Make all communications a corporate message
    manuals that are rarely looked at. If you can deliver                        (and NOT an IT or Legal message!)
    the message in a friendly, informative manner                                Compliance issues are a company-wide concern, not a
    (preferably while the user is initiating a recordable                        specific IT concern or a Legal Department concern.
    activity), then you can be sure that the employee is                         Plus, many employees are scared of the technology
    aware.                                                                       team, and also of the lawyers. So make all the
                                                                                 communications from a corporate perspective, not
   Tell employees how you will be monitoring them
                                                                                 from any specific department. This delivers a clear
    Let everyone know what is being recorded. Don’t
                                                                                 message that this is a clearly defined business goal,
    worry about exposing potential workarounds, and
                                                                                 not something driven by some crazy IT manager just
    don’t try to keep the recording policy a secret, in
                                                                                 because s/he has the ability to do so.
    hopes of improving security. Anyone who might try to
    work around the system will find the weak points                            Be Consistent
    anyway, so you are better off being upfront in letting                       Make sure that your monitoring activities, as well as
    everyone know exactly how it works.                                          any enforcement of policy violation, are all
                                                                                 implemented on a completely transparent and even-
                                                                                 handed manner. Employees should know that they
                                                                                 are not being singled out for any reason.


                 Privacy Matters: How to Monitor Employees for Regulatory Compliance without Violating Employee Privacy
                                              © Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
                                                                                                                                                                                              5

Solving both compliance and privacy:
An effective solution for monitoring user activity that meets legal requirements
Visual On-Screen Recording + Textual Summary Logs: Capturing the information you need
  The purpose of deploying a monitoring platform is to know what took place. With ObserveIT, you have instant
  audit logs and video replay that show precisely what occurred. For any issue investigation, each log entry event
  is linked to a full video replay of the user session. View an exact playback of user activity, as if you were looking
  over the user’s shoulder as it took place. With this level of accountability, there is no question as to what
  transpired, making any attempts of repudiation or denial utterly groundless.

             WHAT DID THE USER DO?
                 A human-understandable list
                     of every user action




    Salesforce.com
    UPS.com Quantum View
                                   Cloud Apps
                                   Cloud Apps
    MagicISO CD/DVD Manager
    Microsoft Visual Studio 2010
                                   Commercial S/W with no logs
    Skype
    CustomerDetails CRM             Legacy software
                                                                                                                                               USER SESSION REPLAY:
                                                                                                                                                     Bulletproof evidence
                                                          Who, When, Where




                                                                                                                                                    CAPTURES ALL ACTIONS:
                                                                                                                                                Mouse movement, text entry, UI interaction,
                                                                                                                                                           window activity




                                                                                                                                    PLAYBACK NAVIGATION:
                                                                                                                                      Move quickly between apps
                                                                                                                                          that the user ran



Just-in-time policy reminders
  Before authorizing the user to access the system, ObserveIT requires that policy status information be read and
  confirmed. This eliminates the need to handle policy update validation in a separate process: No more email
  trees, no more tracking spreadsheets to make sure everyone got it.



                                                             REMINDER: All activities on this computer a
                                                             being recorded.
                                                             NOTE: Corporate policy states that
                                                             employees should not open any Customer
                                                             Details pages unless necessary for handling
                                                                                                           POLICY MESSAGING:
                                                             an explicit customer request.                  User must acknowledge




                Privacy Matters: How to Monitor Employees for Regulatory Compliance without Violating Employee Privacy
                                                      © Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
                                                                                                                     6

Excluding private activities from being recorded
 In order to maintain employee trust and to meet the legal rights of employees, you may want to enable
 employees to use certain applications, such as Skype or instant messaging apps, without fear of being recorded.
 ObserveIT offers fully granular policy rules that give you the monitoring oversight that you need, while ensuring
 that employees still have necessary privacy.

                                                   GRANULAR RULES
                                                    Include / Exclude policy
                                                  per user group or application




Consistent monitoring policy rules
 The policy rules that are defined in ObserveIT are deployed consistently across all user groups, users, computers
 and applications. It is easy to specify balanced rules that ensure consistency and prevent any sense of singling
 out a particular employee or group of employees.

Protecting access to user recordings
 ObserveIT provides a secure platform for storing all user recordings, and it also provides a fully-auditable
 process for accessing these recordings.

 A clearly-defined access control hierarchy explicitly specifies who can replay which recordings. Thus, some
 administrators can have access to only some recordings, according to what application was being used, or by
 which employee, or on what computers.

 ObserveIT monitors itself as well, so any user access to view an employee recording will also be logged and
 reviewable.

Enabling employee enquiries
 ObserveIT enables you to create detailed reports per user or per computer that can be delivered by email. In
 addition, user session recordings can be exported and delivered to employees, thus documenting exactly what is
 being recorded when they explicitly request details, as per their rights according to the the UK WRA and other
 similar laws.




           Privacy Matters: How to Monitor Employees for Regulatory Compliance without Violating Employee Privacy
                                        © Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
                                                                                                                       7

Conclusion
  Meeting compliance regulations requires a detailed and orderly audit of user activity that can affect sensitive
  data. Achieving this level of audit details requires a certain level of employee monitoring. However, this can be
  achieved without losing trust of employees and without infringing on their right to privacy.

  Successful implementation of such an auditing process requires building trust and faith among employees. This
  can be achieved with transparency and clarity of all monitoring policies, combined with a monitoring solution
  that delivers explicit audit details but allows for proper policy rules and security oversight.

  ObserveIT’s software platform for user activity recording is a central pillar in any such monitoring strategy.

  Benefits of using ObserveIT include:

      Accountability of all activities that can affect sensitive data.
      Reduced costs to generate compliance reports, with less effort, and faster turnaround time
      Unequivocal proof of user activity, guaranteeing authentication and non-repudiation
      Greater employee trust that comes from a transparent and consistent platform




About ObserveIT
  ObserveIT auditing software acts like a security camera on your servers. It provides bulletproof video evidence
  of user sessions, significantly shortening investigation time.

  Every action performed by remote vendors, developers, sysadmins, business users or privileged users is
  recorded. Video recordings include mouse click, app usage and keystrokes. Each time a security event is
  unclear, simply replay the video, just as if you were looking over the user’s shoulder.

  ObserveIT is the perfect solution for 3rd Party Vendor Monitoring, Compliance Report Automation and Root
  Cause Analysis.

  Founded in 2006, ObserveIT has a worldwide customer base that spans many industry segments including
  finance, healthcare, manufacturing, telecom, government and IT services.


                                                                  For more information, please contact ObserveIT at:
                                                                  www.observeit-sys.com
                                                                  sales@observeit-sys.com
                                                                  US Phone: 1-800-687-0137
                                                                  Int’l Phone: +972-3-648-0614




            Privacy Matters: How to Monitor Employees for Regulatory Compliance without Violating Employee Privacy
                                         © Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com

				
DOCUMENT INFO
Description: Under the increasing burden of regulatory compliance such as PCI, HIPAA, SOX, NERC and ISO 27001, companies are more and more seeking some form of monitoring platform for recording employee activity. Not surprisingly, this has been met with concern on the part of employees, who fear that employee monitoring is stepping on their rights to privacy in the workplace. However, a combination of transparency and common sense can bridge these two seemingly diametric positions. After all, if an employer seeks to simply meet regulatory compliance, and can do so without infringing on employee rights, then both sides will benefit from greater efficiency, clarity and profitability….