No need to be Big Brother: be Little Brother instead
Insiders remain a top security concern for the enterprise, and the tools available to keep an eye on them to protect company data are plentiful. While you have to monitor employee activity to be able to detect the bad apples, you don't have to make the majority of honest workers feel like someone is looking over their shoulders, advises Rich Mogull, founder of Securosis.
Other than a handful of industries that have to monitor all computer activity, most businesses only have to keep an eye out for violations of policies, Mogull writes in a post at Dark Reading. The way to protect information while giving employees their due privacy is to deploy event-driven policies that have technical triggers, he writes.
"Investigators and managers shouldn't be allowed to track everything an employee is doing and peek in whenever they want. This is where you open yourself up to legal risk or make your employees feel like they are living in a bad reality TV show," he writes.
If there are particular activities that require more monitoring, such as database activity, it's critical that you have limits on who can access the data and how it is handled. Mogull recommends that business unit managers not be given access to it for the purpose of measuring productivity. You also have to be sure that monitoring doesn't violate any employment contracts, which is a question for the legal department. If you are dealing with offices overseas, you first need to be sure that employee monitoring is legal and that your system doesn't violate national limitations or restrictions.
Once you have determined that monitoring is legal, you establish policies and procedures and then match them up with your technologies to make sure you can enforce them. As an example, Mogull points out that if you filter websites, you need to know what activities would violate the policy and what processes you have for dealing with violations.
Event-driven policies generally cover the type of data that is collected, how it is collected, who has access to it, how it is handled, how long it is stored and what to do in the case of violations.
"Once you set those up, document everything in human-readable language and notify employees what you are about to do...No one likes anyone sitting over their shoulder, so in that notice be VERY clear that you are only watching for things that put the business at risk, you strive to minimize what data you are collecting to respect their privacy, and you have tight controls over the data," Mogull recommends. "As much as people still might not enjoy knowing activity is being watched, at least they know you are making the greatest effort possible to balance personal privacy with business needs."
For more:
- see Rich Mogull's post at Dark Reading