Corporate officials told the GAO they took the step:
- so they could provide duplicate copies in case of a system disruption
- to better manage system sources to handle e-mail and Internet access
- to make sure employees weren’t breaching company computer policies.
Eight of the 14 companies contacted by the GAO also said they would review an employee’s email if they had a separate indication of a company policy violation. If they got such an indication, they would check to see if the employee accessed a forbidden Internet site or improperly transmitted proprietary material, they said.
Company officials told the GAO that such an investigation isn’t frequent and that a computer use violation could result in a variety of consequences, GAO researchers said in their study report.
The GAO researchers were generally pleased with the content of the computer use policies they reviewed, which they said contained the appropriate elements:
- an affirmation of the company’s right to review electronic transmissions
- a description of appropriate uses of company computers
- a list of penalties for computer misuse.
Companies publicized the policies in different ways; eight of the companies in the GAO study required employees to attend special training. One company in the study conducted biannual sessions on appropriate business behavior, which the GAO said included a section on appropriate Internet use.
None of the companies changed their computer policies post 9/11, but the GAO said most reported they were more concerned than before about computer system intrusion, including by viruses.