Thursday, December 5, 2019

Legal Ethical Issues Of Employee Monitoring - Myassignmenthelp.Com

Question: Discuss About The Legal Ethical Issues Of Employee Monitoring?

Answer:

Introduction

Professionally run organizations consistently carry out risk assessments on their business operations so that they can identify and deal with threats to their business. Beyond undertaking risk assessment and management as a mere good corporate governance measure, there is the more important need to identify the potential risks that a business faces, and its capacity to respond to them in case they do occur. Businesses also need to properly map out the risk areas in their businesses, so that they can adopt appropriate strategies to deal with these risks while dedicating the required resources for this task.

Risk emanates from the unauthorized access or utilisation of information which is transacted or stored using technological tools such as phones and computers. Organizations constantly worry about being victims of hacking schemes perpetrated by cyber criminals. For this, they come up with complex security systems that try their best to keep up with developments in cybercrime. The risk does not always emanate from the outside, however. Internally, employees may be guilty of acts of omission or commission which expose their organizations to risk. This may include negligently or maliciously disclosing confidential information, or failing to secure the information in their care appropriately, causing it to fall into the wrong hands.

Risk assessments encompass several factors involved in the IT framework. The factors include the people who use the system, including the users, administrators and managers, as well as the hardware used. Networks used to pass information and the software which runs the hardware are also important factors, as is the overall system governance that the company has adopted.

A vast majority of Australians have cell phones, which they carry to work.
A significant number of these phones are smartphones, which are able to perform several roles akin to those of a computer. At the same time, a big number of Australians own laptops, tablets and other gadgets which can be used for communication, in addition to performing many tasks at the workplace.

A company may be tempted to allow employees to bring in their devices and use them to work, for several reasons. First, this saves the company cost. Instead of having to acquire the said gadgets, the company can easily utilize what the employees already have, and only engage in routine maintenance and monitoring. A second reason for allowing this is to enable connectivity between employees if it is an important part of the work that they do, and where the same connectivity cannot easily be provided by the company's assets. The employees may in such circumstances be more productive using their own devices, as opposed to having company-provided infrastructure. This decision may, however, be laden with several risks, which at times force companies to opt to equip their employees with company assets, which can easily be maintained and monitored, in addition to providing for uniformity.

Review of project

The project to allow employees to use their devices to work has several merits and challenges, as described before. The benefits mainly refer to the increased connectivity and ease of work, which may improve morale and productivity in some instances. On the other hand, unwanted access to information, irregular use of company resources and difficulty in monitoring activity are some of the challenges. According to Derks and Bakker (2010), the organization must have a good understanding of its priorities. Only then will it be able to make the right decision about allowing the use.

Technology has dramatically changed the way businesses conduct their affairs, mostly making communication faster and easier.
It has also provided companies with powerful tools to communicate with their customers, conduct market research and facilitate intra-organizational transactions. The development of information technology has not been without its own risks and challenges. For instance, the field is constantly changing, sometimes dramatically. Organisations have to constantly check their assets to ensure they are up to the task and change what is no longer well equipped for current and future business needs.

According to Yelby (2013), employee monitoring is a controversial practice, which is undoubtedly on the rise. Companies find themselves monitoring their employees as a way of managing risks emanating from employees' use of communication tools such as laptops and phones. Technological advances, for instance, mean that employees can more easily use work resources for personal chores, such as communicating with friends and entertaining themselves, at the expense of the company. By using company resources, it is easier to monitor such instances, since they should exclusively be used for work-related duties. With personal gadgets equipped with organizational software applications and connection, it becomes much harder, sometimes bordering on invasion of privacy, to monitor the same employees. In the financial services sector, where dedicated secure applications are usually used to effect transactions, the ability to control every device accessing the system becomes even more important (Olalere, Abdullah & Mahmod, 2015).

Generally, organizations require their employees not to create or exchange messages which may be found to be offensive, obscene or inappropriate in the workplace. They should also not visit websites which carry inappropriate information for the workplace. Sending confidential information is also regulated, such that employees may not send confidential client or other information without clearance first (Vorakulpipat et al., 2017).
In creating, storing and exchanging information, existing copyright law must be considered. The employee must ensure such activities do not go on. It is also improper to create adverts, chain letters or other communication that is unauthorized by the organization, especially if it is to be used for personal ends (Arregui, Maynard & Ahmad, 2016).

The standards above do not form any regulatory framework in the country. But they are part of industry best practice that must be adhered to in order to properly secure organizational resources. The organization may refer to the stated standards and find that it is possible to achieve them while still allowing for the use of personal computers for organizational tasks. However, this may prove to be a difficult undertaking, especially in light of privacy laws, as well as the resources to be expended in ensuring compliance with company requirements. Financial institutions operate within a strict framework of regulations meant to ensure the privacy of client information and to ensure compliance with statutory laws. The observance of these laws should not be limited in application by the use of personal devices that could well act as a means of breaching the law (Gajar, Ghosh & Rai, 2013).

Project impact on Aztek security posture

In assessing the security risks and other impacts that the project will have on the security posture at Aztek, it is important to note that the gadgets will be bought by the employees, and will be used for personal as well as organizational tasks. However, the organization will be responsible for the rest of the infrastructural and network issues. It will need to ensure that the devices are well serviced so that they do not impact on organizational efficiency. At the same time, the organization will be tasked with monitoring their use, to ensure that they are not used to transfer information contrary to company policy (Cotenescu, 2016).
Organizations are right to want more from technology, in the form presented by smartphones and other gadgets. They may also not be in a position to provide these devices to their employees for official use. In rushing to reap the benefits of smart technology, as well as the cost savings of having employees shoulder the initial acquisition of the device, the firm should not be blind to the huge security problems that this portends. For instance, the infrastructural costs to monitor and maintain the devices will be much higher than if they were company owned. This is because the devices bought will reflect individual preferences (Vorakulpipat et al., 2017). They may differ in operating system, model, capabilities and other respects.

The main reason behind the project to allow employees to use their devices for organizational duties is to make them more productive, by giving them the ability to better streamline their working routines. However, the streamlining steps taken, such as the use of passwords to access sensitive information, and secondary use of the devices, such as accessing unsecured websites, may have an adverse effect on the organization's security. This will further jeopardize the organization's security systems (Yeboah-Boateng & Boaten, 2016).

In the hypothetical scenario whereby the organization does allow the project to continue, it needs to understand that the security posture then adopted will have to also conform to employee preferences. After all, it will be selected so that they feel more at ease working while saving initial acquisition costs of the gadgets. The safeguards which have been instituted by the company to manage security better will have to be revised so that they can be better adapted to the employees' needs, while simultaneously addressing any security concerns (Keyes, 2013).

The importance of connectivity cannot be downplayed. Employees need to be connected with fellow employees, their managers, and with clients.
Organization-provided gadgets may not be able to provide this in the seamless way that the personal devices can. Due to this, the trend has been gaining speed in the market, with more and more organizations allowing their employees to use personal gadgets for work. This presents an advantage for Aztek, were it to adopt the project. It will have several other organizations to look up to in devising its own mechanisms to deal with the security challenges presented.

The performance of the network must be another consideration in determining whether the project goes ahead or not. An assessment of the potential effect on the network's performance regarding efficiency and security must be done before the project goes ahead. If the prognosis is poor, the organization must then decide on whether to shelve the plan, or additionally invest in the network in line with recommendations, and therefore make it better placed to handle the new development. In other instances, it may make the network perform better, especially when specific safeguards are put in place to limit their access to the network (Brodin, Rose & Åhlfeldt, 2015).

The management of employees in terms of their security clearance and access, as well as the management of the ICT platform in the organization, will be drastically altered. The organization must be alive to new challenges that were previously not part of its risk management portfolio. It must increasingly worry about what employees do privately, since this has a real effect on the security of the organization. In relation to this, the question of the security of the devices used to access the system must be posed and be satisfactorily answered. The particulars and nature of applications accessed by the devices will be thoroughly scrutinised. Changes may need to be adopted to make them better equipped to handle the increased risk level from cyberspace (Assing & Cale, 2013).
Recreational apps must be cleared after their interaction with and effect on the organization's security have been assessed. For instance, some games that employees enjoy privately may have security loopholes that can be used to access company data, putting it at risk. Besides the clearance, the use of these devices both at the workplace and elsewhere will be a source of concern for the organization. A new framework of management must be formulated, balancing between organizational security, business needs and individual privacy (Brodin, Rose & Åhlfeldt, 2015).

Risk assessment: threats, vulnerabilities, and consequences

Risk assessment is never about creating so much paperwork but rather identifying reasonable measures that will control the risks at the workplace. It should above all help to decide if a company has covered all its needs, not only its employees. It involves the determination of a quantitative or qualitative estimation of a risk related to the defined situation and a recognized hazard and/or threat. Application of risk assessment is common in several fields, and these sometimes may have specific legal obligations, codes of practice and standardized procedures.

One of the major threats facing the project is the presence of bugs which are able to bypass standard security features adopted by operating system developers such as Android or Apple. These bugs may not be easily discovered in the case of personal devices, putting the company at a bigger risk than if a more easily manageable system was in place. At the same time, the organization's employees will bring a broad range of gadgets to the workplace (Assing & Cale, 2013). Without specifying the recommended or approved devices, the organization may be stretched in trying to come up with a system that addresses all the likely bugs and other threats presented to them. This also involves bug-prone apps that may be installed on phones. These apps may have security issues, making information insecure.
At the same time, information in the apps is extremely hard to track, unless such tracking is voluntary by the owners of the gadgets (Yeboah-Boateng & Boaten, 2016).

Another eventuality that organizations have to face is the possibility of devices being lost. Since they are not organizational property, they may not be open to the type of security measures that would normally secure organization property, such as requiring that their movement is cleared, or that their usage is in a specific area of the office. At the same time, lost gadgets mean that a trove of information may easily fall into the wrong hands, jeopardizing the organization (Brodin, Rose & Åhlfeldt, 2015).

Some procedures, known as jailbreaking, may undo the security features that a gadget manufacturer has placed in the machine. In some instances, this may mean that the gadget becomes a powerful tool to get information for malicious people outside, who may be using a weakness in the gadget that the organization's security apparatus is still not able to address. Devices compromised in this way are different from bugged ones, which can be resolved through antivirus or normal scanning mechanisms (Gajar, Ghosh & Rai, 2013).

As with any organization, there may be the risk of dishonest employees at the company. These employees are likely to try everything to gain, at the expense of the company. With a gadget whose monitoring is as compromised as personal devices, this becomes a simple affair for the employee. The device is primarily under the control of the employee, who may not voluntarily give details of their activities on the phone, and, with the right skills, may disable any attempts by the organization to rein in unauthorised activity on the system. It may be difficult not only to pinpoint the culprit of breaches perpetrated by these people, but also to come up with remedies which better address the issue without limiting the use of personal devices (Garba, Armarego & Murray, 2015).
Vulnerabilities

Vulnerability is the inability of a system or even a unit to withstand the results or impacts of a hostile environment. A window of vulnerability is a period of time where a defensive measure is low or even lacking in some situations. Vulnerability expresses the several dimensionalities of disaster by mainly focusing on the fullness of relationships in a given environment and situation which gives forth a disaster.

There is an increased vulnerability in terms of losing data. The variety of gadgets used, as well as the inability of the organization to provide a thorough security system, may mean that leakages will become more prevalent. At the same time, the organization may be required to regularly provide updates for software and operating systems to ensure they are not vulnerable to attack. This will mean an aggressive and costly posture by the firm in terms of how it manages security (Keyes, 2013).

As discussed before, it is difficult to determine conclusively whether employees will voluntarily put the required security protocols in place before they engage in unmonitored online activity, such as accessing unsecured Wi-Fi away from the office and visiting websites which are not well secured. A huge number of devices have issues related to privacy and security settings. People may think it is not important to secure them, but the story changes when the employee has been entrusted with highly valuable and sensitive information. Gadgets may sometimes be used by more than one person away from work. This again raises the vulnerability of this project, since such persons cannot be reasonably cleared before viewing privileged information (Yeboah-Boateng & Boaten, 2016).

The nature of a personal device, when it is employed for work purposes, means that it is impossible to divide personal issues from business affairs. The vulnerability, in this case, relates to the danger of the employee inadvertently sharing privileged information, as well as malicious bugs.
These bugs can then easily be introduced into the system by the device, a factor which will jeopardize the security of the whole system (Garba, Armarego & Murray, 2015).

Some employees do not properly take care of their devices the way an organization with a dedicated team of IT experts would. This means that the devices are sometimes not even locked, nor are there any updates to ensure the security system is up to date. Employees may also leave their devices unattended, raising the risk of the device being used maliciously by others to transact business and frame an innocent but negligent person (Priyadarshi, 2013).

The nature of the project is such that the organization will have to make modifications to its IT infrastructure. These modifications are meant to ensure that the system is able to handle the new model of operation while maintaining the safety and integrity of the system. This may involve securing data, while also ensuring it conforms to current IT policy. In the process of doing this, some security measures may be removed or otherwise ignored, despite their importance under the previous regime, to enable the utilization of personal devices. This likewise opens up the system to more vulnerability (Priyadarshi, 2013).

Consequences

The vulnerabilities and consequences presented above bring about far-reaching consequences for the organization and its posture to security risks. The organization will save on the acquisition of devices brought by its own employees. However, it will need to spend more to better manage them and the threats they pose. This involves regular and rigorous training for employees, as well as monitoring to the permissible standards, to identify the unauthorised or malicious use of devices within the network (Dhingra, 2016).
Another consequence is the need for a modified network and IT infrastructure so that the nature of the devices can be accommodated, as well as the range of threats and vulnerabilities they present to the organization (Dhingra, 2016).

Existing recommendations

There are several recommendations on how organizations can better address the issues which face them. A policy change is necessary, to enable a better response to the stated threats. A VPN is necessary to ensure that, prior to enabling access, data transferred to and from the device is encrypted and otherwise secured. The procurement of an enterprise mobility management system is also recommended so that the organization can easily monitor and manage risks in devices before they can compromise the system. Training is recommended to help employees manage their devices better and blow the whistle on any unbecoming behavior by others. Investment should also be made to ensure the system is able to handle the new project (Garba, Armarego & Murray, 2015).

Garba, Armarego, and Murray (2015) appreciate the fact that the bring your own device trend is picking up steam, even with all the threats pointed out. Organizations, therefore, need to proactively look at the environment and come up with a well-defined policy regarding the devices, rather than hurriedly formulating one after a project such as the one discussed in this paper is eventually approved. This will give all the relevant parties sufficient time to consider any loopholes and fix them.
Risks for Data security

Protecting your business means protecting your data. Organisations of all sizes, whether small or big, worry about the constant barrage of data security threats. To prioritize these data, a company must identify the information assets by considering the types of information the company handles on a daily basis. It must then locate these information assets, listing where each resides and classifying it, and conduct a threat modeling exercise by rating the threats that each type of information faces. Finally, it should start planning in line with the set security thresholds.

To mitigate the risks which may emanate from using personal devices, the type of information processed should be strictly limited to what is needed. Email use can be allowed, but access to systems which are used to pass transactions should be limited to a specific number of people. The information on email should also not be open to all employees. This would create a management nightmare, due to the inability of the company to guarantee the adherence of every employee granted access to the use of personal devices at work (Garba, Armarego & Murray, 2015).

It is imperative that employees who are given access be cleared first. This clearance will be done on the basis of their grasp of the security risks that the organization faces as a result of granting this access, as well as the steps they need to undertake to better mitigate or avoid these risks. They should be at a minimum level in the hierarchy of the system, so that they actually need the function, and can be personally held liable for any misuse or other misconduct (Olalere, Abdullah & Mahmod, 2015).

The data should be handled in such a way that it is not possible to complete a transaction while using devices over another network. For instance, making or verifying transactions can only be done at the organization's premises, at particular times of the day. There should be no exceptions to the policy.
Attempts to use other networks should be reported by the system, for future investigation either of violation of policy or of suspicious activity by malicious parties. For those employees who normally have the rights to make and verify transactions or other entries in the banking system, the rights should be withdrawn in instances where the employee is using mobile devices such as phones, tablets or others using easily compromised systems.

In connection with the risks identified above, it is important to identify some of the risks associated with the proposed structure, and how they can be mitigated. The management of employees to ensure responsible use of information and interaction with the network was covered before as being a huge managerial challenge, due to the nature of devices being used, as well as existing laws on infringement of privacy. For instance, it would be impossible to obtain a log of all the websites that an individual has visited, which would be easy in the case of a company-owned device (Yelby, 2013).

The inability of the organisation to conclusively guarantee the security of information emanates from the acts of omission or commission by the employees, normal threats that would still have needed to be dealt with, as well as the fluidity of threats facing the organisation. From the viewpoint of a hacker, there will be more numerous channels to attack the organization to gain information than would have been the case before. With this in mind, it is critical that the organization first builds capacity by upgrading its network capacity, as well as its security infrastructure. Only then will it finally be able to set the project rolling (Keyes, 2013). Even then, the organization and its employees must always be vigilant to address any vulnerability and mitigate any risks. This includes having the professional conduct expected of the employees, as well as an understanding of what the risk is, and what is at stake (Keyes, 2013).
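The transaction rules set out above (transactions only from the premises network, at set times of day, never from mobile devices, only for cleared staff, with off-network attempts reported) can be expressed as a single access decision. The following is an added example, not part of the original essay; the network range, hours, user names and the `Request`/`Decision` types are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Every value below is constructed for illustration.
PREMISES_NETWORKS = (ip_network("10.20.0.0/16"),)   # assumed office LAN
TRANSACTION_HOURS = (time(8, 0), time(18, 0))       # assumed permitted window
MOBILE_CLASSES = {"phone", "tablet"}
EMAIL_CLEARED = {"a.ng", "r.patel", "j.silva"}      # cleared for BYOD email
TRANSACTION_CLEARED = {"a.ng", "r.patel"}           # may make/verify entries


@dataclass(frozen=True)
class Request:
    user: str
    resource: str       # "email" or "transactions"
    source_ip: str
    device_class: str   # "phone", "tablet", "laptop", ...
    when: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: tuple      # empty when allowed
    report: bool        # True: raise an event for later investigation


def on_premises(source_ip: str) -> bool:
    """True only if the address parses and lies inside an office network."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False    # an unparseable source is treated as off-premises
    return any(addr in net for net in PREMISES_NETWORKS)


def decide(req: Request) -> Decision:
    """Evaluate every rule so the audit trail lists all reasons for a denial."""
    reasons = []
    report = False
    if req.resource == "email":
        if req.user not in EMAIL_CLEARED:
            reasons.append("user not cleared for email on a personal device")
    elif req.resource == "transactions":
        if req.user not in TRANSACTION_CLEARED:
            reasons.append("user not cleared for transactions")
        if not on_premises(req.source_ip):
            reasons.append("transaction attempted from another network")
            report = True   # the policy asks for these attempts to be reported
        if req.device_class in MOBILE_CLASSES:
            reasons.append("transaction rights withdrawn on mobile devices")
        start, end = TRANSACTION_HOURS
        if not start <= req.when.time() < end:
            reasons.append("outside permitted transaction hours")
    else:
        reasons.append("resource not offered to personal devices")
    return Decision(not reasons, tuple(reasons), report)


def reportable(requests):
    """Return (user, source_ip, timestamp) for every attempt to be reported."""
    return [(r.user, r.source_ip, r.when.isoformat())
            for r in requests if decide(r).report]


# Constructed sample requests.
SAMPLE = [
    Request("a.ng", "transactions", "10.20.4.17", "laptop", datetime(2019, 12, 5, 10, 30)),
    Request("a.ng", "transactions", "203.0.113.9", "laptop", datetime(2019, 12, 5, 10, 45)),
    Request("r.patel", "transactions", "10.20.7.2", "phone", datetime(2019, 12, 5, 11, 0)),
    Request("r.patel", "transactions", "10.20.7.2", "laptop", datetime(2019, 12, 5, 22, 15)),
    Request("j.silva", "email", "198.51.100.23", "phone", datetime(2019, 12, 5, 21, 0)),
    Request("j.silva", "transactions", "not-an-ip", "tablet", datetime(2019, 12, 5, 9, 0)),
]

if __name__ == "__main__":
    for r in SAMPLE:
        d = decide(r)
        print(r.user, r.resource, "ALLOW" if d.allowed else "DENY", "; ".join(d.reasons))
    print("to investigate:", reportable(SAMPLE))
```

The decision is made without exceptions, as the policy requires, and an unparseable source address fails closed rather than being treated as on-premises.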
While these are essentially personal devices, over which the organization has no legal right, it can still require that employees take some steps to secure their devices. Besides the tracking tools and lock mechanisms, it is important for the organization to facilitate insurance cover for the machines, so that their possible loss does not injure the organization's interests. Additionally, there should be a clear policy on the conduct required from employees when they are in possession of devices linked to the organization, such as personal recreation.

Finally, the risks associated with employees using their devices at work are explored, with a view to establishing a practical way of treating the issue, while ensuring that the organization's system security is maintained. Where the organisation is reasonably unable to guarantee the security of these devices, it should not allow their use for work activities, regardless of the accompanying efficiency and cost savings considerations.

References

Arregui, D., Maynard, S., & Ahmad, A. (2016). Mitigating BYOD Information Security Risks. Australasian Conference on Information Systems, 1-11.

Assing, D., & Cale, S. (2013). Mobile Access Safety: Beyond BYOD. London: John Wiley & Sons.

Brodin, M., Rose, J., & Åhlfeldt, R. (2015). Management issues for Bring Your Own Device. In: Proceedings of 12th European, Mediterranean & Middle Eastern Conference on Information Systems 2015 (EMCIS2015).

Carvalho, M., & Rabechini, R. (2015). Impact of risk management on project performance: the importance of soft skills. International Journal of Production Research, 53(2), 321-340.

Cotenescu, V. (2016). People, process, and technology; a blend to increase an organization security posture. Naval Academy Scientific Bulletin, 19(2), 394-396.

Derks, D., & Bakker, A. (2010). The impact of email communication on organizational life. Journal of Psychosocial Research on Cyber Space, 4(1), 4.

Dhingra, M. (2016). Legal Issues in Secure Implementation of Bring Your Own Device (BYOD). Procedia Computer Science, 78, 1790184.

Gajar, P., Ghosh, A., & Rai, S. (2013). Bring your own device (BYOD): Security risks and mitigating strategies. Journal of Global Research in Computer Science, 4(4), 62-70.

Garba, A., Armarego, J., & Murray, D. (2015). Bring your own device organisational information security and privacy. ARPN Journal of Engineering and Applied Sciences, 10(3), 1279-1287.

Kaplan, R., & Mikes, A. (2016). Risk Management - the Revealing Hand. Journal of Applied Corporate Finance, 28(1), 8-18.

Keyes, J. (2013). Bring Your Own Devices (BYOD) Survival Guide. Boca Raton: Taylor & Francis Group.

Olalere, M., Abdullah, M., & Mahmod, R. (2015). A Review of Bring Your Own Device on Security Issues. Sage Open, 5(2). DOI: 10.1177/2158244015580372

Pimchangthong, D., & Boonjing, V. (2017). Effects of Risk Management Practice on the Success of IT Project. Procedia Engineering, 182, 579-586.

Priyadarshi, G. (2013). Leveraging and Securing the Bring Your Own Device and Technology Approach. ISACA Journal, 4, 1-5.

Teymouri, M., & Ashoori, M. (2011). The impact of information technology on risk management. Procedia Computer Science, 3, 1602-1608.

Vorakulpipat, C., et al. (2017). A Policy-Based Framework for Preserving Confidentiality in BYOD Environments: A Review of Information Security Perspectives. Security and Communication Networks. DOI: 10.1155/2017/2057260

Yeboah-Boateng, E., & Boaten, F. (2016). Bring-Your-Own-Device (BYOD): An Evaluation of Associated Risks to Corporate Information Security. International Journal in IT and Engineering, Impact Factor, 4(8), 12-30.

Yelby, J. (2013). Legal and ethical issues of employee monitoring. Online Journal of Applied Knowledge Management, 1(2), 44-55.
