Information Security and Privacy Best Practices
By Chris Banescu - May 10, 2003

A good understanding of the responsible and effective use and management of information systems is critical for business managers in today's global information society. Organizations increasingly find themselves having to acquire, save/backup, import, export, and exchange different types of information and data on a continuous basis. Keeping this data both secure and private is a vital responsibility of the organization.

Businesses constantly deal with different types of information about their employees, vendors, suppliers, partners, and customers. This data is a vital resource that needs to be managed like any other important business asset. Enterprises could not succeed or survive without information about their internal and external operations. Managers of today's technologically savvy organizations need to be familiar with data resource management, security, and privacy; without such critical skills, they will not be able to be effective in their roles.

Information is a valuable resource within the company, and every possible effort must be made to store and protect it from both internal and external exploitation. Organizations must apply effective management controls and practices to ensure that their data is protected from fraud, hacking, theft, and destruction. These policies and controls must be set up to protect the data from internal and external unauthorized use or access and to ensure the privacy of the employees, customers, and any other business partners with which the business exchanges critical information.

With the proliferation of electronic communications, computer technology and networks, and the Internet, the issue of privacy has become prominent and controversial. Many employees view the use of their employer's e-mail systems as the equivalent of making personal telephone calls using the company's exchanges. Individuals feel that the e-mail messages they send, receive, and store on their company's e-mail systems (or servers) are private and should be free from any type of intrusion.

Employers, on the other hand, believe that careful monitoring of employees is an important management tool that can stop loafing, improve productivity, and prevent unethical or illegal activity. Since the tools being used by the employees belong to the business, employers believe it is perfectly permissible to monitor and control all the information being sent in and out of the organization. As a manager, how do you address this perception discrepancy? The best solution management can devise is to establish a "use policy" that unmistakably delineates what is acceptable use of company resources and to clearly communicate that policy across the entire organization.

By instituting an "acceptable use" policy, organizations can set the proper expectations for all their employees and reduce the potential for abuse by individuals. Such a policy would ideally be developed in conjunction with feedback from all parts of the business to promote a feeling of shared ownership and buy-in to the policy.

How does a business go about developing such a policy? The organization must first define what exactly is meant by "acceptable use". The wording should be precise and clearly spell out that company resources (computers, networks, servers, e-mail, Internet access, etc.) are to be used solely for work-related purposes. The policy may be amended so that employees may send and receive personal e-mail messages, provided that a disclaimer accompanies any e-mail sent from a company e-mail address. The same conditions apply when reading and posting personal messages on bulletin boards, when accessing the Internet for personal purposes, and when utilizing any other Internet service or protocol for personal purposes, after obtaining express permission to do so from the company.

Workplace monitoring should be performed in a way that facilitates employee autonomy while at the same time providing the employer the assurance that security will not be breached and productivity will not be affected. Accordingly, employees expect the existence of a policy that would oblige the employer to clearly indicate when, and on the basis of which criteria, the employee is being monitored. The policy should also be flexible enough to grant employees some leeway during their breaks and allow them access for personal tasks, notify them of the purpose for which the collected information is used, and clearly state that information is gathered for a valid and specific purpose.

Appropriate policies for the use of company equipment should be prominent in the workplace. These policies should not be left to wide interpretation and should be revisited regularly. Otherwise, employees may act beyond the fuzzy policy boundaries, thus hampering the increase of productivity expected from the use of the existing technology.

Employees need to be protected from indiscriminate intrusions into their workplace privacy, as the possibility of abuse does exist with workplace monitoring; but they, in turn, have to act ethically and continue to produce while using company assets and resources. Employers, for their part, need to have a fiduciary relationship with their employees and build trust to foster a healthy work environment. Workplace monitoring should not be seen as opposed to workplace privacy, but as a tool for better management.

Employees expect that the occasional use of the equipment for personal reasons is accepted, with the understanding that it does not conflict with work, does not involve illegal or immoral behavior, and does not harm or offend anyone. Developing a professional work ethic, rather than imposing a strict set of guidelines, should be the approach to the use of company equipment on company time. In doing so, employees expect the emergence of an atmosphere free of fear that would build trust between them, management, and the company as a whole.