Monitoring Practices and Policies of Selected Companies




GAO-02-717 September 27, 2002



Letter
Results in Brief
Background
Private Sector Companies Gathered Information on Employees’ Computer Use and Some Read and Reviewed Contents
Companies Developed Comprehensive Computer-Use Policies and Informed Their Employees
Companies Have Not Changed Their Computer-Use Policies or Monitoring Practices as a Result of the September 11 Terrorist Attacks

Appendix I: GAO Contacts and Staff Acknowledgments
GAO Contacts
Staff Acknowledgments

Table 1: Key Elements of a Computer-Use Policy
Table 2: Company Notification Practices


Results in Brief


All 14 companies we reviewed store their employees’ electronic transactions: e-mail messages, information on Internet sites visited, and computer file activity. These companies reported they collect this information to create duplicate or back-up files in case of system disruptions; to manage computer resources such as system capacity to handle routine e-mail and Internet traffic; and to hold employees accountable for company policies. Eight of these companies reported that they would read and review these electronic transactions if they receive other information that an individual may have violated company policies. When such circumstances arise, these employers can review employees’ electronic transactions to determine whether violations of company computer-use policies, such as visits to sites containing offensive or disruptive material and improper protection of proprietary information, have occurred. On the other hand, 6 companies we contacted routinely analyzed their employees’ transactions to find possible inappropriate uses of company computer resources. While all the companies we contacted have investigated employees for misuse of computer resources, company officials told us that such investigations are rare and, if violations of company policies are found, result in a range of disciplinary actions.


Representatives from all of the companies we contacted had policies that contained most of the elements experts agreed should be included in company computer-use policies. For example, all company policies affirmed their rights to review employee use of company computer assets, described appropriate employee uses of these assets, and detailed penalties for misuse. We also found that all companies disseminated information about these policies, although in a variety of ways. For example, 8 companies require new employees to attend training that includes the review of companies’ computer-use policies. Some companies required employees to complete on-line training while others used videotapes. Another company we reviewed conducted biannual sessions on appropriate business conduct, which included appropriate e-mail and Internet behavior.


We found that none of the companies we studied had changed any of their employee computer-use policies or monitoring practices after the September 11 terrorist attacks. Most companies did, however, report a growing concern about electronic intrusion into their computer systems from outside trespassers or viruses and had increased their vigilance by strengthening their surveillance of incoming electronic transmissions. Most companies had, for instance, begun to delete certain attachments from incoming e-mail, and some block incoming e-mails based on certain words or phrases in the subject line or text. This apprehensiveness concerning possible threats did not lead company officials to increase either their suspicion of employees or the information they collected from them. But new vigilance against demonstrated dangers and nuisance is leading companies to tighten control over their computer systems.