
Why Do I Need an Acceptable Use Policy?


Organizations of all sizes have to worry about what their employees are doing with company computer equipment and Internet connections. It's no longer just a matter of wasted time that should be spent on job duties or the cost of network bandwidth. In the growing jungle of government regulations, civil lawsuits, and criminal charges for inappropriate online behavior, it's essential that companies cover their assets by establishing and enforcing clear rules governing computer and network usage. Policies are also needed to protect the security of the network and prevent users from introducing viruses or opening their systems and the entire network to attacks.

That's the reason you need an Acceptable Use Policy (AUP). It's not enough to just tell your employees not to use their work machines for non-work-related activities. You need to create and distribute a written policy and have users sign off that they've received and read it. The trick is to design a policy that's effective, fair, and won't be outdated as your organization grows.

Elements of a good acceptable use policy

An AUP sets out a formal set of rules that limit the ways in which network and computer equipment can be used. It should contain explicit statements defining procedural requirements and the responsibilities of users.

Some tips for creating your policy include the following:

  • Prohibited activities should be clearly spelled out. Phrases such as “Inappropriate use is prohibited” are vague and ambiguous. You must define what constitutes inappropriate use. Of course, you probably won't be able to think of every single individual action that would be considered “inappropriate,” but the most common misuses should be specifically named. For example, you can prohibit sending e-mail containing sexually explicit text or images, prohibit using the Web browser to visit online gambling sites, and so forth.
  • Blanket statements can address activities you don't specifically name. For example, you can prohibit engaging in any Internet activity that violates any local, state or federal law, or sending any e-mail, instant messages, documents, or other communications that disclose any confidential information about the company, its clients, or partners.
  • To be effective and enforceable, the policy must be supported by management and there must be a designated person who has the responsibility for overseeing development and updating of the policy. This is often the Information Technology Director, CIO or other member of management.
  • The policies should be reviewed by the company attorney. Although it may be necessary to include some legal jargon in the policy document, each policy should also include a summary that explains it in layman's terms that the average user can be expected to understand.

Consequences and enforcement

The consequences for violation of the policies should be defined in the policy itself. Since violations themselves vary in severity, consequences should also vary depending on the specific violation and the violator's intent. For instance, consequences for sending a short personal e-mail to a friend with innocuous content would not be the same as consequences for using the company network to conduct a part-time (legal) business, which in turn would not be the same as those for downloading child pornography to the company's computers.

Which brings us to another issue: you should only set policies that you intend to enforce. If you create an overly restrictive policy “just in case” you might need to use it against someone, and then proceed to ignore it, users who are subsequently disciplined for violating that or other policies could argue that you had established a conflicting unwritten policy by knowingly permitting violation of policies in the past, and/or that you enforce policies in an arbitrary or discriminatory manner. The disciplined employee might even be able to successfully sue you on those grounds.

Developing Your Policy Content: Need Help?

While there is some content which is normally considered a standard part of an AUP, each organization should customize their policy to fit their unique corporate operations, values and culture. If you would like assistance developing and implementing your acceptable use policy, please contact your Advanced Network Systems account executive for more information.
