Employee Monitoring S/W

Hi,

I'm currently evaluating the employee monitoring software and have
evaluated Spectorsoft and CWAT. I am looking for a software which can
monitor the employee PC activities(programs used, internet surfing,
document printing,screen snapshots etc..), also the data transferred
thru USB drives, CD / DVD RW, files uploaded to the websites with a
copy of the data transferred.

Please let me know if anybody has used / worked on any of such
products.

Regards,

Re: Employee Monitoring S/W

In article <1174894182.494886.105750@p77g2000hsh.googlegroups.com>,
Hesh wrote:
>I'm currently evaluating the employee monitoring software and have
>evaluated Spectorsoft and CWAT. I am looking for a software which can
>monitor the employee PC activities(programs used, internet surfing,
>document printing,screen snapshots etc..), also the data transferred
>thru USB drives, CD / DVD RW, files uploaded to the websites with a
>copy of the data transferred.

>Please let me know if anybody has used / worked on any of such
>products.

In the particular environment I work in, -some- of what you
describe would be deemed an illegal invasion of privacy. The
person doing the monitoring would also be exposed to confidential
email or documents that they did not have a "need to know", possibly
violating laws and probably violating confidentiality contracts.
For example, suppose an employee were (say) preparing a sexual
harassment complaint to be sent to Human Resources: such things
are seldom within the authority of the security manager to view.

Monitoring to the extent you describe could only be justified here
for environments in which employees would not be given unrestricted
internet surfing access, such as for defence department secret work;
what what be called here, "Protected/C" "disclosure of the information
could materially damage the security of the country".

I notice that you do not appear to be on the same continent I am,
so I have no idea what your local laws are; still I suggest that
you pass your plans by your corporate lawyer.

Re: Employee Monitoring S/W

I understand this has always been a topic of debate. However, there
are no documents that I have come across which clearly states whether
it's a privacy violation or not. One of the docs is at
http://csrc.nist.gov/publications/nistbul/csl93-03.txt

The concern here is to monitor the employee activities w.r.t data
theft by the means of pen drives, CD / DVD RW, file uploads etc
largely by the laptop users. we have to enable these as many of them
are sales guys or users who are frequently traveling so this is just a
detective / corrective measure. The data that is carried is of
sensitive nature.

Though the s/w will be functioning in the stealth mode, the employees
will be getting a warning message that all the actions on these
business systems are monitored (as suggested by the most of the docs
available) and the access to the data collected by the monitoring
tools will be restricted to few users( a group of security admins)
only.

Regads,




On Mar 26, 9:01 pm, rober...@hushmail.com (Walter Roberson) wrote:
> In article <1174894182.494886.105...@p77g2000hsh.googlegroups.com>,
>
> Hesh wrote:
> >I'm currently evaluating the employee monitoring software and have
> >evaluated Spectorsoft and CWAT. I am looking for a software which can
> >monitor the employee PC activities(programs used, internet surfing,
> >document printing,screen snapshots etc..), also the data transferred
> >thru USB drives, CD / DVD RW, files uploaded to the websites with a
> >copy of the data transferred.
> >Please let me know if anybody has used / worked on any of such
> >products.
>
> In the particular environment I work in, -some- of what you
> describe would be deemed an illegal invasion of privacy. The
> person doing the monitoring would also be exposed to confidential
> email or documents that they did not have a "need to know", possibly
> violating laws and probably violating confidentiality contracts.
> For example, suppose an employee were (say) preparing a sexual
> harassment complaint to be sent to Human Resources: such things
> are seldom within the authority of the security manager to view.
>
> Monitoring to the extent you describe could only be justified here
> for environments in which employees would not be given unrestricted
> internet surfing access, such as for defence department secret work;
> what what be called here, "Protected/C" "disclosure of the information
> could materially damage the security of the country".
>
> I notice that you do not appear to be on the same continent I am,
> so I have no idea what your local laws are; still I suggest that
> you pass your plans by your corporate lawyer.

Re: Employee Monitoring S/W

On Mar 27, 7:17 am, "Hesh" wrote:
> I understand this has always been a topic of debate. However, there
> are no documents that I have come across which clearly states whether
> it's a privacy violation or not. One of the docs is athttp://csrc.nist.gov/publications/nistbul/csl93-03.txt
>
> The concern here is to monitor the employee activities w.r.t data
> theft by the means of pen drives, CD / DVD RW, file uploads etc
> largely by the laptop users. we have to enable these as many of them
> are sales guys or users who are frequently traveling so this is just a
> detective / corrective measure. The data that is carried is of
> sensitive nature.
>
> Though the s/w will be functioning in the stealth mode, the employees
> will be getting a warning message that all the actions on these
> business systems are monitored (as suggested by the most of the docs
> available) and the access to the data collected by the monitoring
> tools will be restricted to few users( a group of security admins)
> only.
>
> Regads,
>
> On Mar 26, 9:01 pm, rober...@hushmail.com (Walter Roberson) wrote:
>
>
>
> > In article <1174894182.494886.105...@p77g2000hsh.googlegroups.com>,
>
> > Hesh wrote:
> > >I'm currently evaluating the employee monitoring software and have
> > >evaluated Spectorsoft and CWAT. I am looking for a software which can
> > >monitor the employee PC activities(programs used, internet surfing,
> > >document printing,screen snapshots etc..), also the data transferred
> > >thru USB drives, CD / DVD RW, files uploaded to the websites with a
> > >copy of the data transferred.
> > >Please let me know if anybody has used / worked on any of such
> > >products.
>
> > In the particular environment I work in, -some- of what you
> > describe would be deemed an illegal invasion of privacy. The
> > person doing the monitoring would also be exposed to confidential
> > email or documents that they did not have a "need to know", possibly
> > violating laws and probably violating confidentiality contracts.
> > For example, suppose an employee were (say) preparing a sexual
> > harassment complaint to be sent to Human Resources: such things
> > are seldom within the authority of the security manager to view.
>
> > Monitoring to the extent you describe could only be justified here
> > for environments in which employees would not be given unrestricted
> > internet surfing access, such as for defence department secret work;
> > what what be called here, "Protected/C" "disclosure of the information
> > could materially damage the security of the country".
>
> > I notice that you do not appear to be on the same continent I am,
> > so I have no idea what your local laws are; still I suggest that
> > you pass your plans by your corporate lawyer.- Hide quoted text -
>
> - Show quoted text -

Whilst I can see what you mean, you're going about this the wrong way,
and the vendors of such "security software" are not going to tell you
this.

You should use a combination of Active Directory policies (assuming
Windows) and code of conduct policies to achieve this: viz:
* lock down the PC so users cannot alter network settings. Force
connection to internet to only go via a work VPN thru a web proxy.
Use filtering software to block undesirable sites, or just monitor
this periodically. Check for HTTP uploads, FTP access, etc.
* give them a firm code of conduct to physically sign that states
exactly what their work laptop is to be used for and what the
consequences of not adhering to that policy are, and what your
monitoring policy is. Get a lawyer to help write this or it's a
liability waiting to happen
* if you're worried about preventing print screen and the like, you
have the wrong employees. Nothing is going to stop them printing out
or taking a digital photo, or just writing out the data by hand.

In short, whilst it's tempting to try and put in a draconian system of
control, you need sensible restrictions backed up by a clear policy
document.

Ric

Re: Employee Monitoring S/W

On Mar 27, 7:17 am, "Hesh" wrote:
> I understand this has always been a topic of debate. However, there
> are no documents that I have come across which clearly states whether
> it's a privacy violation or not. One of the docs is athttp://csrc.nist.gov/publications/nistbul/csl93-03.txt
>
> The concern here is to monitor the employee activities w.r.t data
> theft by the means of pen drives, CD / DVD RW, file uploads etc
> largely by the laptop users. we have to enable these as many of them
> are sales guys or users who are frequently traveling so this is just a
> detective / corrective measure. The data that is carried is of
> sensitive nature.
>
> Though the s/w will be functioning in the stealth mode, the employees
> will be getting a warning message that all the actions on these
> business systems are monitored (as suggested by the most of the docs
> available) and the access to the data collected by the monitoring
> tools will be restricted to few users( a group of security admins)
> only.
>
> Regads,
>
> On Mar 26, 9:01 pm, rober...@hushmail.com (Walter Roberson) wrote:
>
>
>
> > In article <1174894182.494886.105...@p77g2000hsh.googlegroups.com>,
>
> > Hesh wrote:
> > >I'm currently evaluating the employee monitoring software and have
> > >evaluated Spectorsoft and CWAT. I am looking for a software which can
> > >monitor the employee PC activities(programs used, internet surfing,
> > >document printing,screen snapshots etc..), also the data transferred
> > >thru USB drives, CD / DVD RW, files uploaded to the websites with a
> > >copy of the data transferred.
> > >Please let me know if anybody has used / worked on any of such
> > >products.
>
> > In the particular environment I work in, -some- of what you
> > describe would be deemed an illegal invasion of privacy. The
> > person doing the monitoring would also be exposed to confidential
> > email or documents that they did not have a "need to know", possibly
> > violating laws and probably violating confidentiality contracts.
> > For example, suppose an employee were (say) preparing a sexual
> > harassment complaint to be sent to Human Resources: such things
> > are seldom within the authority of the security manager to view.
>
> > Monitoring to the extent you describe could only be justified here
> > for environments in which employees would not be given unrestricted
> > internet surfing access, such as for defence department secret work;
> > what what be called here, "Protected/C" "disclosure of the information
> > could materially damage the security of the country".
>
> > I notice that you do not appear to be on the same continent I am,
> > so I have no idea what your local laws are; still I suggest that
> > you pass your plans by your corporate lawyer.- Hide quoted text -
>
> - Show quoted text -

Oh, and you will also want to think about full disk encryption if the
data's that sensitive. Apocryphal stats suggest that some 40% of
laptops are stolen at some point in their life. I like Pointsec for
this, but it's commercial and expensive.

Ric