One-third of IT pros admit to snooping on co-workers

By Jacqueline Emigh | Published June 20, 2008, 12:13 PM

As many as a third of all senior IT professionals use their administrative passwords and other privileges to "snoop around the network" looking into employees' confidential material, say newly released survey results.

Conducted by Cyber-Ark Software as part of its annual look at "Trust, Security and Passwords," the study also suggests that IT pros -- typically working in companies of 1,000 or more -- are peering at confidential information such as salaries, personal e-mails, and merger and acquisition plans. They could also be sneaking peeks at confidential data long after they've quit their jobs and gone elsewhere.

Specifically, almost half of the 300 respondents -- or 47 percent -- admitted to accessing information that is not "relevant to their roles."

"Privileged passwords get changed infrequently and often a lot less than user passwords," according to the survey results. "Thirty percent get changed every quarter [and] 9% never get changed, giving access indefinitely to all those who know the passwords, even when they've left the organization."

About half of the IT pros questioned said they don't even need to get authorization in order to access privileged accounts.
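One way to check for the conditions the survey describes, as an added example that is not from the article or from Cyber-Ark: a small audit over a constructed inventory of shared privileged accounts that flags passwords rotated less often than quarterly or never, passwords still usable by people who have left, and accounts that can be used without an approval step. The account names, people and dates are made up for illustration.

```python
"""Audit of shared privileged-account passwords (added example, constructed data).
Flags: stale or never-rotated passwords, passwords still known to departed
staff, and privileged accounts that need no approval to use."""
from datetime import date

MAX_AGE_DAYS = 90               # quarterly rotation, the best case the survey reports
TODAY = date(2008, 6, 20)       # fixed reference date so the audit is reproducible

# Constructed staff list: separation date, or None if still employed.
STAFF = {
    "alice": None,
    "bob": date(2008, 3, 1),
    "carol": None,
    "dave": date(2007, 11, 15),
    "erin": date(2008, 1, 10),
}

# Constructed inventory: everyone the current password was ever disclosed to.
ACCOUNTS = [
    {"name": "root@db01", "last_rotated": date(2008, 5, 2),
     "known_by": ["alice", "carol", "erin"], "requires_approval": True},
    {"name": "Administrator@dc01", "last_rotated": date(2007, 9, 1),
     "known_by": ["alice", "bob"], "requires_approval": False},
    {"name": "sa@erp", "last_rotated": None,
     "known_by": ["carol", "dave"], "requires_approval": False},
]


def audit_account(acct, today=TODAY, staff=STAFF, max_age=MAX_AGE_DAYS):
    """Return the list of finding codes for one account (empty list = clean)."""
    findings = []
    rotated = acct["last_rotated"]
    if rotated is None:
        findings.append("never-rotated")
    elif (today - rotated).days > max_age:
        findings.append("stale-password")
    # A departed person can still use the password unless it was rotated
    # after they left; a never-rotated password is usable by all of them.
    departed = [p for p in acct["known_by"] if staff.get(p) is not None]
    still_valid = [p for p in departed if rotated is None or staff[p] >= rotated]
    if still_valid:
        findings.append("known-by-departed:" + ",".join(sorted(still_valid)))
    if not acct["requires_approval"]:
        findings.append("no-approval-required")
    return findings


def audit(accounts=ACCOUNTS, **kw):
    """Audit every account; maps account name to its findings."""
    return {a["name"]: audit_account(a, **kw) for a in accounts}


def summary(results):
    """Percentage of accounts carrying each finding, the form the survey reports."""
    n = len(results)
    counts = {}
    for findings in results.values():
        for code in findings:
            key = code.split(":")[0]
            counts[key] = counts.get(key, 0) + 1
    return {k: round(100 * v / n) for k, v in counts.items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, findings or "clean")
    print(summary(audit()))
```

Note that erin on root@db01 is not flagged: she left before the password was last rotated, so rotation did its job.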

But Cyber-Ark -- a maker of software for protecting passwords and confidential data -- isn't the only one paying heed to snooping these days.

A ruling issued this week by the 9th U.S. Circuit Court of Appeals in San Francisco holds that, under many circumstances, employers must have either a warrant or the employee's permission to view communications such as SMS text messages.

As the court in San Francisco sees it, text messages fall into a different category than e-mail -- a type of communication that employers have been legally allowed to see -- provided the text messages are not stored by either the employer or a third party the employer pays to store messages.

Meanwhile, Cyber-Ark's survey also pointed to an absence of effective policies around information exchange at most organizations. "Seven out of 10 companies rely on outdated and insecure methods to exchange sensitive data when it comes to passing it between themselves and their business partners," according to Cyber-Ark's report.

Specifically, 35% of companies use e-mail for sending sensitive data to business partners, 35% use couriers, 22% turn to FTP, and 4% still rely on the postal system.

In another startling finding, 12% of the senior IT pros surveyed admitted to sending out cash via postal mail.

Comments

Three words... "Need to know"...

I know they have access, and CAN access it, but should they?

There's no reason anyone in IT should be reading salaries... that's for HR and MGMT.

Score: 0

Yes, but it goes even further.

The first thing one does in assessing a 'distributed data network' is to examine the trust relationships between individuals and roles within the community, both internal and external.

This addresses what information is needed by whom and if there is a necessary need for such information.

If there is a justifiable need, policies and procedures determine just how such information is to be sourced. And while, to use your example, certain individuals in HR may require access to particular individuals' data, folks such as managers do not. What does this mean? Certain managers may have a legitimate need for such data. But they should not have direct access to such data. Instead, defined trackable procedures are established for the request and delivery of such information. If the legitimate need exists, secure and responsible vectors for the supply of such information are defined and available. Thus you do not have the indiscriminate access to such data.

And that also includes, in this example, those within HR! Simply because they work in the department, they are not offered carte blanche access! In fact, this is the primary source of data compromise! Thus personal information is encrypted and hashed - and only partial social security numbers, for instance, are visible such as the last 4 digits. And information that is not absolutely necessary is not even collected or archived, as it presents little use but a significant liability and risk vector.

There are indeed best practices for the management of internal data, communications, etc. both within and out of a company. The fact that some may not follow such practices is not exactly surprising. But then, the systems provide a means for the accomplishment of the goals.

And except for some of the laws such as SOX, HIPAA, and other recent developments forced upon companies by significant lapses of such responsibility, it assumes that such companies possess the responsibility to manage their assets and liabilities responsibly. The fact is that the companies are still populated by people - many of whom do not possess the values or discipline to act responsibly - and that such data can present significant risk to the companies.

Risk and trust analysis, coupled with subsequently defined policies and procedures and an auditable system of verification can not only mitigate and reduce such risks, but they can also significantly enhance production efficiencies.

Score: 0

Our company has it clearly stated in the Employee Handbook and Policy documents, All communications taking place on company networks and or company owned equipment is subject to review at any time. It also states that company equipment either issued for off-site use or on-site use is not to be used for personal business or communication.

We also have an extensive website block list and heuristic word scanning of sites being visited. The word filters are not extensive - only the things we consider not work related.

This has worked well for our company and survives legal challenges. Speaking as the poor sod who has to review all communications I can tell you it is often times bloody boring and after awhile you get to know what to look for - the rest blurs into obscurity. Who is doing who is not my concern...

EDIT: I also notice this article is referring in part to SMS Text messages - these are generally made from personal cell phones. I personally have never had to request to view any messages sent via this method. I would assume that since they are personal cell phones, that it would not fall under our Handbook or Policy guidelines...unless of course they use a company issued cell phone.

Score: 0

OK... I have a disconnect with this article. The opening sentence states 1/3 of all IT pros snoop, yet further in the article it states that "or 47 percent -- admitted to accessing information that is not "relevant to their roles." " Unless the writer is using Clinton Math, how does 1/3 = 47%?

Have a nice day:)

Score: 0

This indicates an UTTER failure of policies, procedures and audit control.

These companies lack any kind of information assurance framework, as such a system would effectively limit especially those high level individuals who do not have a specific necessary need to access such records, since they would have to follow policies and procedures specifically designed to request such information.

Anyone who has spent even a few minutes in this field knows that the first thing you do is establish the trust relationships and take away the keys and authorizations from the CEO, department heads and the other whosits that present the most pervasive source of internal compromise, and create a trackable authenticated request system.

Score: 0

With all due respect, companies have always been spying on employees. The only thing that has changed is the technology.

Have a nice day:)

Score: 0

What country do you live in? Because in America, there are 3 policies: one is written and the other is unwritten.

The third is the one used for "what ever it takes to make M-O-N-E-Y" with the caveat of "D-O-N-'T G-E-T C-A-U-G-H-T".

Score: 0

As an IT person, I personally don't want to know what kind of files users get into. Sure, I have glanced at some backups of a machine that I thought "acted funny" just to see if there were any strange .exe files, but other than that, I don't care. All it would do is create problems if I seek to find them.

Score: 0

Der!! IT departments are full of perverted little control freaks. Trust me, I have worked with enough of them. If you're a cute little office tart you can have access to anything you want, 'cause they will watch it.

And don't get me started on laptops... OMG. the crap on those supposed WORK machines!!!

I'm like, GUYS! C'mon now, just remirror the thing and get that done. I'm constantly whapping them on the back of the head for looking through internet histories and temp files on the cute office chicks' computers.

Essentially our job in this one regard is supposed to be to monitor for content not work related, and to not allow internal file espionage, i.e. giving internal documents to outside sources without authorization.

That's part of the reason you can't use USB drives in our machines (though you really can if you know how; I just watch for machines with new USB devices popping up), can't access Hotmail-type accounts or MySpace-type accounts, etc.

No need to monitor through that stuff, just block it entirely, it does not belong on an OFFICE machine.

Lately I have seen a rash of people using Remote Desktop to go to their home machines... So I have been monitoring packets being sent to those as well, for LARGE file transfers only. But as far as actually LOOKING at it, I have too much other stuff to do. But if there is a suspicious transfer to a remote location, at times that access may be restricted until it's explained, and we review our company policy on such activity with them again. We allow remote desktop from home to work, so restricting the other way doesn't seem necessary YET, but at some point it may become that way. We will see...

The interns on the other hand. Whap! They have a ton of stuff to do as well, but c'mon, they are interns! lol You don't get but 1/3 of a day's work out of them anyway.

Score: 0

Der!! IT departments are full of perverted little control freaks.

Whose fault is that? To give you a hint, my company doesn't make a habit of hiring "perverted control freaks".

I suppose in some geographical areas it may be difficult to find IT folk who aren't like that, but over here there are far too many IT people for hire...

Score: 0

'my company doesn't make a habit of hiring "perverted control freaks"'

Exactly the right answer.

If one does sneak in the door, one warning and then they are out. Prosecute at will.

'nuff said

Score: 0

Without policies and procedures in place - you can't.

You manage by the establishment of policies and procedures and their subsequent verification (audit). Such a framework would also expose such improper monitoring behavior. They are not above it - they are 'of' it as well!

You do not manage by attempting to ascertain the psychological proclivities of prospective employees. That makes you as wacko as the idiots abusing the standards of behavior.

No wonder this occurs.

Score: 0

Everything you mention indicates that your company is not only failing to abide by SOX (and/or HIPAA if you are involved with the healthcare industry) but your company completely lacks any sort of policies and procedures.

Everything you mention can and should be effectively managed in a company without much problem at all if such a structure is in place.

Your company is a mess. And the liability of working there is substantial, not only for the company itself, but for you personally if you are involved with the systems. And you have already acknowledged your awareness and subsequently your complicity. Just complaining to colleagues is not sufficient to absolve yourself of legal responsibility.

The legal precedent for such personal and enterprise exposure is legend.

Score: 0

You idiot, SOX compliance has nothing to do with private companies... And this statement from you explains a ton of your viewpoints. You're a freaking MULE boy working for the uptight of the world. BINGO!! For the people of the REAL world that have REAL jobs and not those living in Gestapo land, we don't have to have as much oversight because we don't have such a problem with insider trading practices as companies such as yours.

Personally I would rather be shot than work for such an organization.

Yes, every company typically has an internet use policy of some kind, but not all companies are SOX compliance mandatory. Good god, there would be NO internet at all, no webpages, no email, nothing if all companies were, because every page and packet and file would be encrypted and access to them unattainable unless you already worked there or were subcontracting with them and retained a decryption key.

Score: 0

Give me a break. You have no idea what some of the employees under you are really like at times, and when you find out you either dismiss them and start over training someone new, or deal with it and discipline them if it gets really bad or to a point it causes disruption of some kind. That's their job at that point... But most of the time, if they know they are getting caught at it, it reduces to nothing over time. But these are 20-something young geeks normally... At least it's been the case in my market. The pickings are few and far between, to say the least, for qualified people.

Saying you are not going to hire anyone like this or fire them for doing it on first notice is like saying you're going to shoot your dog if you ever witness them sniffing another dog's hind end. It's going to happen. Deal with it and educate them. That's all you can do...

Score: 0

Wrong wrong wrong. But then you are the one who describes an out of control playpen in which you work!

Companies, their divisions and wholly owned subsidiaries that are publicly traded in the United States are subject to SOX regulations. Any non-US public multinational company doing business in the United States is also responsible for meeting SOX requirements.

Private companies that provide or are part of an integrated supply chain to public companies may also be required to comply with SOX by the public company.

And SOX and HIPAA are simply factors that are driving more companies to develop defined policies and procedures.

The purpose of guidelines such as COBIT or ISO17799 is to provide management and business process owners with an information technology governance model that helps in delivering value from IT and understanding and managing the risks associated with IT. COBIT/ISO17799 helps bridge the gaps amongst business requirements, control needs and technical issues. It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems.

Exactly what you describe that is out of control. But the exposure goes far beyond what you have described. And systems demonstrated to exhibit problems such as yours do suffer from significant legal liabilities.

Your little hole in the ground may not be. But by your own description, we already know that it is an out of control hole dominated by irresponsible and unprofessional idiots. Take a bow.

Determining and applying the necessary resources and processes needed to implement, maintain and validate internal controls can be time consuming, labor-intensive and expensive. Again, applying the appropriate IT framework and selecting the right solution will keep these issues under control.

Employing an IT framework like COBiT, ITIL, or ISO17799 can take a significant amount of work, but the alternative to not choosing an IT framework is problematic at best.

And your nonsensical observation that "there would be NO internet at all, No webpages, no email, nothing if all companies were, because every page and packet and file would be Encrypted and access to them unattainable unless you already worked there or were subcontracting with them and retained a decryption key" is one of the MOST asinine statements I have yet read on this site. And that is saying quite a lot!

OBVIOUSLY you have no idea as to how establishing formal policies and defined procedures works (obviously - look at your little self-described sandbox filled with idiots).

Enjoy your out of control workplace dominated by folks just like you. ROFLMAO!

"Gestapo land?" LOL! Keep talking. You demonstrate your complete ignorance of what constitutes the best practices of Information Assurance which simply analyzes and mitigates risk as well as delegates responsibility and accountability with each and every word.

Score: 0

I can fix it so they can't snoop on you.

Just need your password to get started.

Score: 0

So 1/3 of them admit to snooping.

The other 2/3 have nothing to do all day except to snoop and eat nachos, and they don't have to admit to "nothin".

And if they happen to come across something of value or juicy for their bosses, then the snooping will be rewarded.

Perhaps the worst case scenario is an employee with a secret disease and the snooping gives the management the advantage with planning to rid that employee(s).

Score: 0

No, the worst is when I start hearing about internal office affairs from interns and I'm like WTF? How the hell do you know? And they clam up 'cause they know they are about to get a whap on the head.

It's not cool! I have to remind people in the office ALL THE TIME to keep the private crap OUT of the system. And management really really frowns on any of that stuff taking up corporate time. But yea, IMHO the worst of it is when the nasty garbage starts and it becomes gossip among the younger employees...

Score: 0

If a company machine is being used for anything including company related and non-related work, the employer or rightful owner of the machine should have every right to check everything and anything they want on their property or goods.

This ruling is for the birds. Pretty soon a thief will walk into a house, steal something and walk out because we have no warrant and we cannot stop them.

Score: 0

The problem is that these sysadmins DIDN'T have the right to look at personal files. The employer (i.e. management) never gave them either specific instructions or carte blanche to do so. I'm seeing this more and more often lately and I'm convinced it's partly an age issue. The generations behind me have very little ethical grounding and even less moral fiber. I would love to see a breakdown of those survey answers by age bracket.

Score: 0

They already give thieves, liars, and rapists the keys to do what they want anyway.

Score: 0

Let's be realistic here. Most admins have access to everything, for a good reason. So, you'd hire someone to control the admins' access? Maybe you should also hire someone to follow the guy who's watching the admins, just to be sure.

It's like radio scanners. You hear some weird stuff, fine, but you can't tell anyone about it.

Anyway, you're not supposed to have PERSONAL files on your office computer, nor read your personal emails.

Confidential data, geez. Is there such a thing? A lot of companies exchange confidential data by emails (unencrypted).

Think about all the employees connecting at work from home using remote desktop. Their 16 yo boy installing cracked apps downloaded from torrents, then they get infected by nice trojans.. "My son is good with computers, don't worry about that! We also have a good antivirus!" Yeah right.

Let's not even talk about encryption, employees can barely remember their own login password.

Admins need access to everything. This is not even an option. It also helps to catch people trying to run P2P apps on the network. I hate employees uploading personal files/photos/videos to their home directory. It's a personal drive (networked/backed up) but not THAT personal.

Score: 0
