ISACA Journal Author Blog


4 Ways to Honor User Privacy (While Avoiding User Threats)

Published: 1/26/2015 3:21 PM | Category: Privacy

Dimitri Vlachos

Did you know that 69 percent of reported breaches involve someone inside the organization? Whether by mistake or malice, users are the biggest threat to a company’s data. Therefore, having forensic records and analytics of your users’ actions is the best way to audit and respond to a data breach. But how will users feel about you collecting these records?

On the one hand, organizations need to monitor user activity for potential threats. On the other hand, employees do not want to feel like their privacy is being violated. So, how do you protect your company from data breaches without employees seeing you as being intrusive? Here are a few suggestions:

  • Clearly communicate monitoring policies—When giving employees or third-party users access to the system, notify them that their actions will be monitored. Create a “policies and procedures” document that clearly outlines why user behavior is monitored, what will be monitored, and what behaviors are considered illegal or unacceptable. Give this document to all users when they first receive their login credentials. Discovering this monitoring policy later may leave employees or vendors feeling like their privacy has been violated.
  • Explain the goal of user activity monitoring—To help employees feel like they are trusted members of the company, it is important to explain the goal of user monitoring. Monitoring simply records actions to flag down potential illegal activity or threats to the company. The standard employee should have nothing to be concerned about. In fact, this software will help protect them from blame if a breach does occur.
  • Explain what activities are monitored—Unfortunately, all actions taken on a company system must be monitored, recorded and stored. While it does not seem necessary to record someone browsing Facebook or checking personal email, stopping the recording during these times would open up opportunities for disguising illegal behaviors. To ease employees’ minds, explain that while every action—including individual keystrokes—is being recorded, it is not necessarily being reviewed by anyone. Only suspicious or illegal activity will trigger alerts.
  • Remind users they are being monitored—Even after explaining the monitoring policies fully, it is a good idea to regularly remind employees of these policies. Notifications and policy messages can be built into your monitoring software to remind users every time they log in so they never feel caught off guard. These reminders also act as a constant deterrent for anyone attempting any illegal acts.
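The third and fourth points above describe a design rather than a product feature: record every action, judge none of it at recording time, raise alerts only when a rule matches, and show the policy notice at each login. The following is an added illustration of that separation, not code from the post or from any monitoring software it refers to. The event format, the three rules, the 08:00–19:00 working window, the `/restricted/` path convention, the 20-copies-in-10-minutes threshold, and the sample traffic are all constructed assumptions.

```python
"""Record every user action, but alert only on suspicious ones.

Added example; not code from the ISACA post or any product it refers to.
All events below are constructed sample data; rules and thresholds are
illustrative assumptions, not the author's recommendations.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str   # e.g. "login", "file_read", "file_copy", "http_get"
    target: str   # resource the action touched


class AuditRecorder:
    """Append-only store: everything is recorded, nothing is judged here."""

    def __init__(self) -> None:
        self._events: List[Event] = []

    def record(self, ev: Event) -> int:
        self._events.append(ev)
        return len(self._events)

    def events(self) -> List[Event]:
        return list(self._events)


# A rule sees the current event plus the recorder's full history
# (the history already contains the current event when the rule runs).
Rule = Callable[[Event, List[Event]], bool]


def restricted_access(ev: Event, _history: List[Event]) -> bool:
    """Any read or copy under an assumed restricted path prefix."""
    return ev.action in ("file_read", "file_copy") and ev.target.startswith("/restricted/")


def after_hours_login(ev: Event, _history: List[Event]) -> bool:
    """Logins outside an assumed 08:00-19:00 working window."""
    return ev.action == "login" and not 8 <= ev.ts.hour < 19


def bulk_copy(ev: Event, history: List[Event], limit: int = 20,
              window: timedelta = timedelta(minutes=10)) -> bool:
    """Fires once: on the copy that brings one user to `limit` copies within `window`."""
    if ev.action != "file_copy":
        return False
    recent = [e for e in history
              if e.user == ev.user and e.action == "file_copy"
              and ev.ts - window <= e.ts <= ev.ts]
    return len(recent) == limit


RULES: List[Tuple[str, Rule]] = [
    ("restricted_access", restricted_access),
    ("after_hours_login", after_hours_login),
    ("bulk_copy", bulk_copy),
]


def ingest(recorder: AuditRecorder, ev: Event) -> List[str]:
    """Record unconditionally, then return the names of the rules this event trips."""
    recorder.record(ev)
    history = recorder.events()
    return [name for name, rule in RULES if rule(ev, history)]


LOGIN_NOTICE = (
    "NOTICE: Activity on this system is recorded under the Acceptable Use and "
    "Monitoring Policy v{version}. Recorded actions are reviewed only when an "
    "alert is raised. Contact {contact} with questions."
)


def login_notice(version: str, contact: str) -> str:
    """Text shown at every login so users are never caught off guard."""
    return LOGIN_NOTICE.format(version=version, contact=contact)


def demo() -> Tuple[int, List[Tuple[str, str]]]:
    """Run constructed sample traffic; return (events recorded, alerts raised)."""
    rec = AuditRecorder()
    t0 = datetime(2015, 1, 26, 9, 0)
    sample = [
        Event(t0, "alice", "login", "workstation-12"),
        # Personal browsing is recorded like everything else, but trips no rule.
        Event(t0 + timedelta(minutes=5), "alice", "http_get", "www.example.com/social"),
        Event(t0 + timedelta(minutes=6), "alice", "file_read", "/projects/notes.txt"),
        Event(datetime(2015, 1, 27, 2, 30), "bob", "login", "vpn-gw-1"),
        Event(datetime(2015, 1, 27, 2, 31), "bob", "file_copy", "/restricted/payroll.csv"),
    ]
    t1 = datetime(2015, 1, 27, 14, 0)
    sample += [Event(t1 + timedelta(seconds=10 * i), "carol", "file_copy", f"/projects/doc{i}.pdf")
               for i in range(25)]
    alerts: List[Tuple[str, str]] = []
    for ev in sample:
        for name in ingest(rec, ev):
            alerts.append((ev.user, name))
    return len(rec.events()), alerts


if __name__ == "__main__":
    print(login_notice("1.0", "security@example.com"))
    total, alerts = demo()
    print(f"{total} events recorded, {len(alerts)} alerts")
    for user, rule in alerts:
        print(user, rule)
```

Running `demo()` records all 30 sample events but raises only three alerts (Bob's after-hours login, Bob's copy from the restricted path, and Carol's twentieth copy). Alice's social-media browsing sits in the record, available for forensics if an incident ever calls for it, without anyone being prompted to look at it; that is the distinction between "recorded" and "monitored" that the post asks you to explain to users.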

User activity monitoring is the best defense against the insider threat companies face. But companies should be smart about it. Follow these tips to keep users feeling happy and safe while keeping the company protected.

Read Dimitri Vlachos’ recent Journal article:
“User Threats Vs. User Privacy,” ISACA Journal, volume 1, 2015.
