"All Acme Company computer systems and related equipment are intended for the communication, transmission, processing, and storage of company business or other authorized information only. All Acme hardware and network data are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of security regulations and for other similar purposes."
Focus of Policy
The focus of the policy should be on what you are going to protect on your network and how. A simple "All electronic data is subject to monitoring" is too vague, while at the other extreme, a list breaking down every application, device and tool in use not only over-complicates things but may backfire during a legal review. If you write "Acme Company monitors all email traffic over port 25," what happens when you recover someone's personal Gmail forensically from a disk, or capture it by monitoring web traffic on port 80? Browser-based webmail never touches port 25, so the employee can argue that the evidence was collected outside the scope the policy announced.
The trick here is to strike a balance between clarity and comprehensiveness.
I have read a policy that was over 20 pages long, with so many examples that it should have covered everything. However, all that detail cornered the company into monitoring only the limited set of devices it had actually listed. Yesterday's Palm Pilot is today's smartphone and tomorrow's Google Glass. Keep your policy focused on data and the network, not on specific devices. Terms like "mobile device," "electronic systems" and "network traffic" keep your target generalized yet specific.
"Acme monitors all electronic transmissions, which includes but is not limited to: e-mail systems; computer systems; network traffic (including any electronic system and/or mobile device using an Acme network); and stored data on Acme equipment and/or mobile devices, all of which may contain personal information. Acme reserves the right to access, review and/or monitor all Acme messages and company files on any electronic device accessing Acme systems or storing Acme data at any time and without notice."
Let's test our policy with an investigation use case.
During our investigation we find personal emails in unallocated (deleted) space on a company system. Review of the emails reveals that the employee was planning to sell trade secrets to a friend at another company. In response, we set up the firewall to flag any file transfer activity and install a key logger on the company-owned system. We even see, in real time, the employee move company documents from his work computer to an external drive while talking over Skype. At one point he sends a clear-text message from his cell phone, which is connected to the company's Wi-Fi.
According to our policy we can clearly monitor all these activities, without much room for debate.
Failure to Abide By