Page 287 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
the way—you have a reasonable expectation of privacy. On the other hand, if you send your message on a postcard, you do so with the awareness that one or more people might read your note before it arrives at the other end—you do not have a reasonable expectation of privacy.

Recent court rulings have found that employees do not have a reasonable expectation of privacy while using employer-owned communications equipment in the workplace. If you send a message using an employer’s computer, internet connection, telephone, or other communications device, your employer can monitor it as a routine business procedure.

That said, if you’re planning to monitor the communications of your employees, you should take reasonable precautions to ensure that there is no implied expectation of privacy. Here are some common measures to consider:

    Clauses in employment contracts that state the employee has no expectation of privacy while using corporate equipment

    Similar written statements in corporate acceptable use and privacy policies

    Logon banners warning that all communications are subject to monitoring

    Warning labels on computers and telephones warning of monitoring

    As with many of the issues discussed in this chapter, it’s a good idea to consult with your legal counsel before undertaking any communications-monitoring efforts.

European Union Privacy Law

On October 24, 1995, the European Union (EU) Parliament passed a sweeping directive outlining privacy measures that must be in place for protecting personal data processed by information systems. The directive went into effect three years later in October 1998. The directive requires that all processing of personal data meet one of the