Re: Program to monitor employee internet usage

[Jayson Anderson <sonick () sonick com>]

I'm afraid I must deviate a bit, but not in order to cast moral
judgement; rather a results-based argument based on personal experience
through the years. 
And my deviation is to say that instead of, or at least prior to moving
into a portsuck/reporting application, it is worth paying attention to
the fact that the quantity/type of internet use per-user has absolutely
no bearing on the quality, quantity or timeliness of their expected work
output. Unless your product or man hours is not output-centric
per-employee, I would first consider an anonymous peer review system in
which peer groups submit anonymous review of their peers. It has been
proven time and time again that even in the most cohesive/protective
group environment; counterproductive habits of any one user WILL BE
pointed out by the others. If this is an internet-related weakness or
deviation from job description, then the internet issue can be addressed
more granular for that user(s). This costs only the time it takes a 1st
level manager to flesh out a workable questionnaire (of which many free
templates are available.)  
To expect a coloured, collated report to be accurately indicative of
reduced workload output by any one or group of employees as a result of
their internet usage, is pure myth and has no basis in reality. 
The software vendors will conjure statistics, but they are fabricated. 

While I do not fundamentally agree with the concept of dropping dimes on
cubemates, a sterilized and de-stigmatized version is appropriate and
necessary where company profits and product must be protected against
direct or attrite degradation. Time and time again I have seen this
formula work and accurately identify counter-productive habits of
individual or groups of employees, be it internet based or a host of
other sources; again multiplying the return on development and time to
cull the surveys.  6-month intervals seem to be about perfect. 

On the technology front, the most effective policies for internet usage
in my experience are either:
A: Default Deny. Permitted sites are explicitly configured. Per-case
consideration/approval must remain streamlined in order to prevent
becoming counterproductive vs. expenditures on employee internet
access. 
B: Default permit with filtering against illicit content + anonymous
peer reviews. 

The largest consumer groups i've seen for the logging of all usage
minutia and tiered reporting lies in the 100-or-less employee shops,
usually ending up being reviewed by a manager with a degree of voyeurism
beyond what would be acceptible in any system with distributed checks
and balances on what any single person or persons know about all
employees. Further, IT employees often use the data in a manner for
which it was unintended. As much fun as it can be, it's not acceptable
for the server hermit to live vicariously through the obnoxious sales
hero. 

A majority of what i've said is rooted in truth, though a bit is tongue
in cheek. However, it all exists in the marketplace and due to the
workflow bottom-line aspect at the heart of this matter, I recommend
anon. peer reviews long before these types of reporting packages. 
I didn't even begin with the resentment factor.....

If you do have a unique model where it's much more important for you to
monitor any and all access (which is unlikely in any default-permit
policy!), then I suggest doing extensive reading in books dedicated to
the can of worms that is micro-monitoring of user internet usage. 

Block the smut, identify those with hindered workflow output and several
worm cans as well as powderkegs will be eliminated. 

Just my opinion (based on extensive experience.)

Best Regards, 
Jayson

5k
-

On Fri, 2005-12-23 at 16:49 +0000, invstg8r () hotmail com wrote:
> A member of management has asked me to research available programs to log internet usage (web surfing) on our 
> corporate network.
>
> We are running a Windows server with a mix of XP and 2K clients.
>
> What have some of you used to provide this in a report that management can use to show that a user is spending too 
> much time on the internet?
>
> I don't have a Linux box up and running, but if the right Linux based app is suggested, I would consider going that 
> route.
>
> Thanks in advance.
>
> - Mark A.
>
> P.S. Please try and keep this on topic, I've seen questions like this before degrade into a privacy violation, "big 
> brother" type of debate.
>
> ---------------------------------------------------------------------------
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The Norwich University program offers unparalleled Infosec management 
> education and the case study affords you unmatched consulting experience. 
> Tailor your education to your own professional goals with degree 
> customizations including Emergency Management, Business Continuity Planning, 
> Computer Emergency Response Teams, and Digital Investigations. 
>
> http://www.msia.norwich.edu/secfocus
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------