Technology Use Monitoring Policy
Introduction: How to Use This Tool
It is common practice in many enterprises to monitor technology usage. In some instances, this monitoring is
carried out by IT as part of standard network and system diagnostic and maintenance work. In other instances,
monitoring is done to track user behavior and detect technology use policy violations.
In either circumstance, it’s essential that employees be notified of any monitoring that is taking place on the
systems they use. In the event of a policy violation or even a criminal act, full disclosure of potential monitoring on
the part of the enterprise is essential in advance of the event if you hope to take decisive remedial action against an
individual. Failure to do so could not only leave you unable to act, but also give cause for an employee to launch a
privacy violation suit against the enterprise.
The following policy template outlines key elements to include in a Technology Use Monitoring Policy. In many
instances, you may instead opt to include brief statements in specific policies that are enforced through monitoring
activities. Best practice is to have both a comprehensive monitoring policy in place and embedded monitoring
scope statements in relevant policies.
To use this template, simply fill in the spaces provided. Be sure to delete any remaining introductory or explanatory
text in dark grey and convert all remaining text to black prior to distribution. In addition, it is a best practice to submit
the completed policy to your legal department for review prior to implementation.
Purpose
It is the goal of [company name] to maintain the integrity and security of all data traversing its IT systems. As a
result, data is collected in order to aid in the design, development, and troubleshooting of [company name]’s IT
systems. This data collection may mandate the monitoring and active scanning of applications, network traffic, Web
traffic, systems logs, and user activity.
The purpose of this policy is to define under what circumstances technologies are monitored at [company name]
and under what condition the users of [company name]’s IT systems and services may be monitored as well.
Scope
This policy applies to all users and administrators of [company name] services and systems and all data traversing
those services and systems.
Definitions
Approval authority – An individual tasked by the enterprise, according to the job description, to grant
approval for the performance of specific actions.
Authorized monitoring personnel – Individuals tasked by the enterprise, according to their job descriptions
and access level granted, to monitor specific applications, infrastructure, services, or overall network
activity.
[Insert definition]
[Insert definition]
[Insert definition]
Governing Laws and Regulations
This policy is in accordance with the laws of [list applicable states/provinces, countries] and is in keeping with the
existing policies of [company name]. [List specific laws, regulations, and policies if required.] Authorized monitoring
personnel will comply with all legal obligations.
Policy
1. All data traversing any [company name] data communications service, infrastructure, system, or application
may be monitored by authorized monitoring personnel.
2. All data transported over [company name] networks is considered private and confidential. Individuals
granted authority to monitor data transported over [company name] networks must treat that data as such.
[Describe any special agreements that must be signed (such as a trust or code of conduct agreement) or
other measures (such as a background check) that must be completed for those authorized to carry out
monitoring.]
3. A range of devices are used by authorized monitoring personnel to conduct routine operations, diagnostics,
and maintenance of IT applications and systems. These devices are approved and configured by [describe
authority]. The following devices are used by authorized monitoring personnel to carry out monitoring:
a. [List monitoring device and purpose.]
b. [List monitoring device and purpose.]
c. [List monitoring device and purpose.]
4. Use of above-named monitoring devices by unauthorized personnel or any other form of unauthorized
monitoring is strictly prohibited.
5. The following types of data and information are monitored:
a. Packet header information to detect viruses, intrusion, spam, other known patterns of attack or
compromise, and inappropriate release of confidential [company name] information.
b. Activity logs generated by systems and services for problem resolution and traffic optimization.
c. Software licenses on [company name] devices.
d. Overall network performance to troubleshoot and analyze problems.
e. Physical spaces in which computing equipment is housed and/or stored.
6. Monitoring information, such as logs, is kept until the administrative need for it ends or as required by
law. The following lists data that is monitored, what is logged, and relevant retention periods for those logs.
Data Monitored            Logged (Yes/No)    Retention Period
[Describe data type]
[Describe data type]
[Describe data type]
[Describe data type]
[Describe data type]
[Describe data type]
[Describe data type]
[Describe data type]
[Describe data type]
This information must be held in a secure location at all times and cannot be accessible from the Internet.
7. Authorized monitoring personnel can only disclose information discovered during the monitoring process
under the following circumstances:
a. Specific information is requested in writing with signed approval from [name approval authority].
b. [Describe other circumstances.]
c. [Describe other circumstances.]
8. Monitoring is generally not used to collect information for the following circumstances:
a. Individual job performance evaluation.
b. Unofficial investigations.
c. [Describe other circumstances.]
However, collection of information for the above can be carried out with signed approval from [name
approval authority and under what conditions].
9. In the event that an anomaly or suspicious activity is detected, the following individual(s) will be contacted
by authorized monitoring personnel:
Anomaly/Activity Contact
[Name/describe anomaly or activity type] [Name escalation/disciplinary authority]
[Name/describe anomaly or activity type] [Name escalation/disciplinary authority]
[Name/describe anomaly or activity type] [Name escalation/disciplinary authority]
[Name/describe anomaly or activity type] [Name escalation/disciplinary authority]
[Name/describe anomaly or activity type] [Name escalation/disciplinary authority]
[Name/describe anomaly or activity type] [Name escalation/disciplinary authority]
[Name/describe anomaly or activity type] [Name escalation/disciplinary authority]
[Name/describe anomaly or activity type] [Name escalation/disciplinary authority]
[Name/describe anomaly or activity type] [Name escalation/disciplinary authority]
10. Authorized personnel have the right to discontinue any service to any device that is in violation of usage
policies or demonstrates a negative impact on network performance.
11. Individuals performing monitoring activities will not carry out disciplinary duties resulting from policy
violations. Disciplinary duties will be carried out by [describe members of management or HR that are
responsible].
Non-Compliance
Violations of this policy will be treated like other allegations of wrongdoing at [company name]. Allegations of
misconduct will be adjudicated according to established procedures. Sanctions for violation of this policy may
include, but are not limited to, one or more of the following:
1. Temporary or permanent revocation of system access;
2. Disciplinary action according to applicable [company name] policies;
3. Termination of employment; and/or
4. Legal action according to applicable laws and contractual agreements.
Agreement
I have read and understand the Technology Use Monitoring Policy. I understand that if I violate the rules explained
herein, I may face legal or disciplinary action according to applicable laws or company policy.
___________________________________________
Employee Name
___________________________________________ _______________________________________
Employee Signature Date
_____________________________________________________
Info-Tech Research Group tools and template documents are provided for the free and unrestricted use of
subscribers to Info-Tech Research Group services. These documents are intended to supply general information
only, not specific professional or personal advice, and are not intended to be used as a substitute for any kind of
professional advice. Use this document either in whole or in part as a basis and guide for document creation. To
customize this document with corporate marks and titles, simply replace the Info-Tech Information in the Header
and Footer fields of this document.