ra for software development / access to sensitive subjects
Posted By LB
Hi,
I am new to the forum and have a rather unusual query.
I work in occ health for a large software development company. I have been asked to complete a RA on employees who are required to access offensive sites as a security measure for the company (i.e. to block these sites from accidental access by public). I am aware of most of the areas of concern like ensuring EAP services / good communication etc but does anyone have any advice as to what else needs to be included or where to start?
HR are now going to ensure potential employees are aware at interview stage.
The big concern is that an employee may cite stress as a result of this requirement.
Any help would be great.
LB
Posted By Dave Daniel
As far as I can see, if you warn new starts about the job, and take steps to limit any stress, there's little more you can do. Some employees may well find this particularly stressful and may not be able to continue in extreme cases, but they did know about this risk when they were recruited, so it would be difficult to prove any liability.
Like the lads in Afghanistan, if you've been employed to play with whizz-bangs and nasty people it is a condition of the job and one you accept has risks. No-one guarantees a risk-free life.
Focus on monitoring, accept that some may drop out early because they find it too hard, and make sure your employment contracts include a trial period where dismissal remains an option if it doesn't work out.
Posted By LB
Thanks Dave,
Good advice.
Yes I suppose once the company begin notifying employees at recruitment it reduces the risk. One other thing, it is an open plan office (large area). I am told it is not an option having the employees work in one particular area when accessing this info / sites. There is no definate list of employees who do this so it is difficult to track who is at risk. The RA will apply to all employees. Do you have any suggestion how to address the risk of an employee who is not working on this accidentally viewing it? I know the likelihood of anyone reporting a problem is low but it is a possibility. Finally the company also allows teleworking - this reduces the control even further.
LB
Posted By Peter MacDonald
I was informed the other day that it is illegal to hire anyone for a trial period where dismissal is possible at the end. You either are or are not employed and granted employment rights. Can anyone enlighten me?
Peter
Posted By steve e ashton
LB: You write: "...is an open plan office (large area). I am told it is not an option having the employees work in one particular area when accessing this info / sites. There is no definate (sic) list of employees who do this so it is difficult to track who is at risk. The RA will apply to all employees"
If I read this correctly, you appear to be suggesting that some / any / all of your employees are accessing web-sites which some / most people would find offensive (or do you have a different meaning for 'sensitive'?).
My take on this would be that your risk assessment must address the controls which will ensure that your employees do not get arrested for accessing and accumulating material which should not be accessed or accumulated.
This includes both 'terrorist' type material (jihadist literature, bomb making, images of beheadings etc) and pornography (child / bestial etc etc). If you are seen to be aiding and abetting the crimes then your company is at serious risk!!!
A 'red team' set up specifically to test security of any IT system (sometimes past the breaking point) must have extremely well developed internal checks and balances. Most commonly, it would be impossible for any team member to operate independently. If a 'red team' member discovers an entry protocol for a supposedly secure system, then it should be axiomatic that his green team colleagues/opponents know about it asap and begin preparing patches and additional defences. Otherwise, the information could (would!) be used in anger!
You need to speak with one of the IT security companies. They will sell you (and keep updating) a ready-made 'ban list' based on your required specifications. It avoids the potential risks discussed by other posters, but more importantly it avoids any suggestion that your firm has been aiding and abetting the commission of an offence.
Steve