I have just received an email from a sales agent in a rather well known Irish IT company, from which I’ll quote a snippet that has me puzzled. It would appear that this mail was sent as part of a mailshot to customers / prospective customers, and contains a lot of inaccuracies about ADSL and firewalls which I shall ignore for now. I’ve labelled [] the relevant bits for comment below.
Dear ____,
Bank Of Ireland
Does your company have an Internet Policy ISSUED to ALL staff? This week we were swamped by clients asking where do they get or how do they create an Internet policy. We have a sample of policies that might suit your business and uses – so you can copy or amend them for your own purposes. Just email me a reply and I will forward you these. We have also been asked how does management get reports on what sites are being visited by staff. There are products on the market that will monitor what sites are being visited and what computer visited these sites. However, may I ask, do you REALLY want to know who visited various sites, and what are you going to do with this information? [1]
While everyone has an opinion on Mr. Soden [2] – I felt sorry for the IT manager who got the report of sites visited and then had to go to his boss to say “Mr. Soden you broke internet policy and should resign”. [3] Would your company be able to make this decision?
[1] This has me completely baffled. Every company should be monitoring what their employees are doing, and have an Internet Usage Policy in place to cover themselves in the event of an employee doing something illegal online. Employees should also know that such logging exists on the network.
Management don’t necessarily require visibility on an ongoing basis of what employees are doing, and I’d be surprised if there was a manager out there who had the time to be keeping abreast of every site his employees are visiting. I’m sure, however, that management would request, and want to view, periodic audits of this data. I believe it may have been such an audit that led to the recent case reported in the media, as opposed to active monitoring.
[2] I am amazed that a company such as the one that this email originated from would take to naming the persons involved in a particular case, albeit high-profile and widely reported in the media, in a sales pitch. This just seems wrong to me.
[3] Again, as I understand it, based on what has been reported in this case, Mr. Soden was not approached by IT staff; rather, the issue was raised with the governor of the Bank, who then approached Mr. Soden. Given these circumstances, I do not know if Mr. Soden was then asked to consider his position, before the bank authorities were forced to do it for him.
In another situation however, where, let’s say, there was no board or anyone in a more senior position than the person in question, it is the duty of the IT manager to bring it to the attention of the person in question that they have been found breaching company IT policy, and see how things go from there. If a law has been broken, it is the responsibility of the IT manager to take this to the relevant law enforcement agency.
As for what will be done with such information, I’ll leave the argument for analyzing trends with a view to filtering certain sites in order to increase productivity for another time; but this information can be used to prevent a company becoming implicated in any legal proceedings that may