
Employee Privacy and Organizational Security:

Employee Privacy and Organizational Security: August 8th, 2013. Addressing Employee's Personal Use of the Internet at Work. Balancing Security and Individual Privacy: an ongoing public global debate. US: National Security Agency (NSA) operated PRISM (surveillance program)





Presentation Transcript


  1. Employee Privacy and Organizational Security:
     Addressing Employee's Personal Use of the Internet at Work
     August 8th, 2013
  2. Balancing Security and Individual Privacy: An ongoing public global debate
     - US: National Security Agency (NSA) operated PRISM (surveillance program)
     - EU: Data Protection Directive - employee privacy and electronic surveillance in the workplace
     - Asia-Pacific: China, Singapore's PDPA, Japan, Hong Kong and the Philippines
  3. In the US, Security trumps Privacy for now:
     - Snowden/PRISM triggers a national debate
     - Security and privacy viewed as competing
     - To achieve security and address liability, employer policies often assert no employee right to privacy
       - Security: malware and other cyber threats
       - Liability: employer responsibility for employee actions
     - Global companies must address EU obligations
  4. The European Union's right to privacy directly impacts employer monitoring
     - "Everyone has the right to respect for his private and family life, his home and correspondence." [1]
     - "Court has made it clear that the protection of private life enshrined in Article 8 does not exclude the professional life as a worker..." [2]
     - Requirements freeze DLP implementations
     [1] European Convention for the Protection of Human Rights... Article 8.1
     [2] Article 29 Working Party working document on surveillance of electronic communications in the workplace
  5. Asia-Pacific region reflects multiple views on the security and privacy debate
     - Elevating consideration of privacy with new laws and guidelines [1]
     - Security remains the driving consideration [2]
     - Singapore's recent PDPA requires notice; Hong Kong Privacy Commissioner sets non-binding guidelines on employer monitoring
     - Chinese govt./employers have authority to monitor; Japan law requires notice, but limited expectation of employee privacy at work; and the Philippines, like the US, enables surveillance and focuses on security/anti-terrorism (Human Security Act of 2007)
     [1] Baker & McKenzie, 51st issue of The Global Employer entitled "The Social Media Issue", September 2012
     [2] Philippines Human Security Act of 2007 (http://www.congress.gov.ph/download/ra_13/RA09372.pdf)
  6. Prevailing approach to employee personal web use: Prevent, Detect, & Respond
     - Prevent employees from personal web browsing
       - Establish acceptable-use policies (AUP)
       - Implement secure web filtering to limit access
     - Detect employee personal activity
       - Extend employee monitoring solutions
     - Respond to enforce policies
       - Enforce discipline and termination policies
  7. Despite attempts to limit personal Internet use at work, employees continue to browse
     Corporate Response: Acceptable Use Policy; Employee Monitoring; Website Blocking; Enforcement Actions
  8. Organization's security focus has developed to address a range of issues
     [diagram; only the label "Employee" survives]
  9. Employee Internet Management has matured over the past 15 years
     [timeline diagram; labels: The Early Days, Web Security Tools Mature, Big Brother, Present Day, 20th Century]
     Per Gartner*, the market addresses Web-use liability, malware and data loss to cyber attacks through:
     - Acceptable-use protection (AUP), i.e. URL filtering
     - Anti-malware
     - Data loss prevention (DLP) on the Web channel
     * Selecting and Deploying Secure Web Gateway, Gartner, December 10, 2012
  10. Current strategies for controlling the risks of employee web use are not sufficient
     - Personal activity remains a cyber threat vector
     - Personal web use continues to expand
     - Privacy obligations limit security deployments
     - Web-use restrictions impact employee morale
  11. Striking a new balance between security and employee privacy
     - Organizational Security: organizational monitoring (DLP, spyware); individual activity control (anti-malware, AUP)
     - Individual Privacy: global right-to-privacy laws (EU Data Protection Directive); increased reliance on the Internet for personal use
     - Reductions in individual access & privacy
     - Growing outcry for Internet freedom & privacy
  12. Use Case: A New Approach
     - Separate personal & professional web use
     - Strengthen security and reduce risk by providing employee privacy
     - Not security vs. privacy
     - Not employee vs. employer
  13. Use Case: A New Approach - Benefits of secure separation of personal and professional activity
     [diagram; stakeholder areas: Compliance, Legal, Privacy, Human Resources, IT, Security]
     - Reduce employee liability risk
     - Internet as recruiting & retention tool
     - Enhance privacy compliance
     - Extend monitoring capabilities
     - Reduce vulnerability to phishing
     - Limit malware infection
  14. Questions and Answers
     David Melnick, CISSP, CIPP, CISA; Board Member, (ISC)2; dave@melnick.com; Los Angeles, CA USA
     A managed web portal protecting employee privacy & organizational assets: info@weblifebalance.com