Why You Need an Acceptable Use Policy
February 07, 2018 in Managed IT
Organizations of all sizes have to worry about what their employees are doing with company computer equipment and Internet connections. It's no longer just a matter of wasted time that should be spent on job duties or the cost of network bandwidth. In the growing jungle of government regulations, civil lawsuits, and criminal charges for inappropriate online behavior, it's essential that companies cover their assets by establishing and enforcing clear rules governing computer and network usage. Policies are also needed to protect the security of the network and prevent users from introducing viruses or opening their systems and the entire network to attacks.
That's the reason you need an Acceptable Use Policy (AUP). It's not enough to just tell your employees not to use their work machines for non-work-related activities. You need to create and distribute a written policy and have users sign off that they've received and read it. The trick is to design a policy that's effective, fair, and won't be outdated as your organization grows.
Elements of a Good Acceptable Use Policy
An AUP sets out a formal set of rules that limit the ways in which network and computer equipment can be used. It should contain explicit statements defining procedural requirements and the responsibilities of users.
Some tips for creating your policy include the following:
- Prohibited activities should be clearly spelled out. Phrases such as “Inappropriate use is prohibited” are vague and ambiguous. You must define what constitutes inappropriate use. Of course, you probably won't be able to think of every single individual action that would be considered “inappropriate,” but the most common misuses should be specifically named. For example, you can prohibit sending e-mail containing sexually explicit text or images, prohibit using the Web browser to visit online gambling sites, and so forth.
- Blanket statements can address activities you don't specifically name. For example, you can prohibit engaging in any Internet activity that violates any local, state or federal law, or from sending any e-mail, instant messages, documents, or other communications that disclose any confidential information about the company, its clients, or partners.
- To be effective and enforceable, the policy must be supported by management and there must be a designated person who has the responsibility for overseeing development and updating of the policy. This is often the Information Technology Director, CIO or other member of management.
- The policies should be reviewed by the company attorney. Although it may be necessary to include some legal language in the policy document, each policy should also include a plain-language summary that the average user can reasonably be expected to understand.
Consequences and Enforcement
It would be nice to think that, once your AUP is put in place, all employees will fully comply and use their network resources solely for business purposes; but they won't. This means that a monitoring/enforcement mechanism, and consequences for infringement, have to be built into the policy implementation process. Implementing a policy without these two elements leaves you exposed both to the security and legal risks the policy was meant to reduce and to serious liability issues, because a policy that is written but never enforced is hard to defend.
The consequences for violation of the policies should be defined in the policy itself. Since violations themselves vary in severity, consequences should also vary depending on the specific violation and the violator's intent. For instance, consequences for sending a short personal e-mail to a friend with innocuous content would not be the same as consequences for using the company network to conduct a part-time (legal) business, which in turn would not be the same as those for downloading child pornography to the company's computers.
Which brings us to another issue: you should only set policies that you intend to enforce. If you create an overly restrictive policy “just in case” you might need to use it against someone, and then proceed to ignore it, users who are subsequently disciplined for violating that or other policies could argue that you had established a conflicting unwritten policy by knowingly permitting violation of policies in the past, and/or that you enforce policies in an arbitrary or discriminatory manner. The disciplined employee might even be able to successfully sue you on those grounds.
Enforcement should have teeth, but doesn't necessarily have to be confrontational. Organizations have a number of options for discreetly enforcing acceptable use policies. For example, your IT department or vendor can use firewall rule sets, blacklists, and content filters to block prohibited activity. The implementation of sound network security practices, to prevent theft and unauthorized use of sensitive or confidential information, is also important. This should include things like restricting access to sensitive resources, locking down file directories and configuring desktops and laptops to prevent the installation of unauthorized applications.
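One way the "block prohibited activity" part of this is actually carried out is a category blocklist applied to web proxy or firewall logs. The following is an added example, not code from the original article or from Advanced Network Systems: it flags requests to domains in a constructed gambling/adult blocklist, using a label-boundary match so that a blocked `bet.example` catches `www.bet.example` but not the unrelated `alphabet.example`. The log format (timestamp, user, source IP, method, URL, status) and every domain, user and address are assumptions invented for illustration.

```python
"""Hypothetical AUP enforcement check: flag proxy log lines whose destination
host falls under a blocked domain category.

All domains, users, addresses and log lines below are constructed for
illustration; the log format is assumed, not taken from any real product.
"""
from urllib.parse import urlsplit

# Constructed category blocklist (placeholder domains, not real sites).
BLOCKLIST = {
    "gambling": {"casino-example.test", "bet.example"},
    "adult": {"adult-example.test"},
}

# Constructed sample log. Assumed format:
#   <timestamp> <user> <src_ip> <method> <url-or-host:port> <status>
SAMPLE_LOG = """\
2018-02-07T09:14:02Z alice 10.0.0.12 GET http://intranet.example/wiki/home 200
2018-02-07T09:15:40Z bob 10.0.0.19 CONNECT www.bet.example:443 200
2018-02-07T09:16:05Z carol 10.0.0.23 GET http://alphabet.example/news 200
2018-02-07T09:17:33Z dave 10.0.0.31 GET https://CASINO-EXAMPLE.test/play?x=1 403
""".splitlines()


def normalize_host(raw: str) -> str:
    """Lower-case, drop a trailing dot and any :port so comparisons are exact."""
    host = raw.strip().lower().rstrip(".")
    return host.split(":", 1)[0]


def host_matches(host: str, blocked: str) -> bool:
    """True if host equals the blocked domain or is a subdomain of it.

    The leading '.' in the suffix check enforces a label boundary, so
    'alphabet.example' does NOT match a blocked 'bet.example'.
    """
    return host == blocked or host.endswith("." + blocked)


def naive_match(host: str) -> bool:
    """The common bug: plain substring matching over-blocks unrelated sites."""
    host = normalize_host(host)
    return any(blocked in host for domains in BLOCKLIST.values() for blocked in domains)


def categorize(host: str):
    """Return the blocklist category for host, or None if it is not blocked."""
    host = normalize_host(host)
    for category, domains in BLOCKLIST.items():
        if any(host_matches(host, blocked) for blocked in domains):
            return category
    return None


def parse_line(line: str) -> dict:
    """Split one log line in the assumed six-field format."""
    ts, user, src, method, url, status = line.split()
    return {"ts": ts, "user": user, "src": src, "method": method,
            "url": url, "status": status}


def extract_host(url: str) -> str:
    """Handle both full URLs (GET) and bare host:port targets (CONNECT)."""
    if "://" in url:
        return urlsplit(url).hostname or ""
    return url


def violations(lines):
    """Return (user, host, category) for each request to a blocked domain."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        host = normalize_host(extract_host(rec["url"]))
        category = categorize(host)
        if category is not None:
            hits.append((rec["user"], host, category))
    return hits


if __name__ == "__main__":
    for user, host, category in violations(SAMPLE_LOG):
        print(f"AUP violation: user={user} host={host} category={category}")
```

The label-boundary check matters in practice: a substring blocklist silently over-blocks legitimate sites (and generates complaints that erode support for the policy), while an exact-only match misses every subdomain. Because the page's own point is that enforcement must be fair and consistent, whatever filter you use should be tested against both false-positive and false-negative cases like the `alphabet.example` and `www.bet.example` lines above.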
Despite all the preventive measures a company can take, some users will still find ways to violate security policies. As more organizations adopt stronger policies and enforcement, employees should know and understand their organization's security policies and should expect the consequences that come with violations, up to and including termination of employment.
Developing your policy content
While there is some content which is normally considered a standard part of an AUP, each organization should customize their policy to fit their unique corporate operations, values and culture. If you would like assistance developing and implementing your acceptable use policy, please contact your Advanced Network Systems account executive for more information.
The Case for Building a Cyber Incident Response Plan
January 26, 2018 in Cybersecurity
A strong defense is critical to fighting the battle against cybercrime. But having a plan to deal with a cyber incident, should one occur, is equally important. Why? Because when it comes to preventing a cyber-attack, there is no such thing as guaranteed protection. That's right, there is no "silver bullet." We live and do business in a world marked by increasing cyber-attacks and by rules of engagement that keep changing. Beyond the increase in the frequency of attacks, we also face an increase in the types of organizations that have become targets. As the daily news reports show, no organization, even one with the best-defended network, is immune.
A quick and effective response to a cybersecurity event can go a long way when it comes to minimizing the financial damage and most importantly, protecting your organization and its reputation. In short, how you plan and respond to security incidents can make the difference between a “crisis” and an “event.”
Having a cybersecurity incident response plan builds on your overall information security program by establishing a set of response tactics and tools to ensure that when an attack does happen, you have the people, processes, and technologies in place to respond effectively.
In the event of an attack, time is of the essence, and being able to respond to both the attack itself and the people impacted is key to limiting the cost and reputational damage to your organization.
While each organization should always have a cybersecurity incident response plan tailored to their specific business operations and industry requirements, a response plan should include these general components:
- Management support and buy-in.
- A designated incident response team made up of staff from all functional departments.
- Identification of all critical IT resources (systems, applications, data, IT services), who needs access, and where they reside.
- A plan that defines how critical systems and data files will be backed up or made redundant.
- A plan describing how critical systems and services will be restored.
- A plan that defines how data files and applications will be restored.
- A relationship with qualified cybersecurity vendors who may be required to assist in remediation and restoration.
- A communications plan that helps you talk to your staff.
- A communications plan that addresses how external communications (customers, vendors, media, etc.) will be handled.
- A clear definition of what constitutes a cyber incident.
- Processes and procedures that are in-line with, and support, your organization’s overall business continuity plan.
- A clearly defined protocol for how a response will be handled (action steps) and who is responsible for each required task.
- A cyber-liability insurance policy in place for your own organization.
- The incorporation of cyber-risk/cyber-liability insurance and liability language in contracts with outsourced service providers.
- A method and schedule to practice your incident response plan.
When it comes to cyberthreats, the only things that are really certain are the increased probability of becoming a victim of cybercrime and the steady rise in bad actors capable of successfully attacking even the most reputable, well-defended organizations. That makes developing your own incident response plan, alongside a solid defense strategy, more important than ever. Start yours today.
Why Being Compliant Is Not the Same as Being Secure
January 12, 2018 in Cybersecurity
There is a dangerous misperception that often comes up, regardless of which regulatory standard we talk about (PCI, HIPAA, etc.). The misperception is that compliance equals security. Sometimes organizations think they’re the same thing; sometimes they get so consumed by complicated regulations that they stop focusing on security altogether.
To be clear, compliance does not equal security — it’s basically just a snapshot of how your security program meets a specific set of security requirements at a given moment in time.
What’s critical to understand is that in order to truly protect sensitive data, having both the proper security program in place, AND being compliant are critical. Without a complete and active security program, paired with a solid compliance plan, any organization is at significant risk of being breached. To keep your entire network environment protected from the criminals targeting your data every day, you have to build and manage an advanced security program that goes far beyond specific sets of compliance requirements.
Security and Compliance Are NOT the Same
Security and compliance play different roles, both in your internal and external environments. The right cybersecurity measures protect your information from threats by controlling how that information is used, consumed and provided. Compliance, on the other hand, is a demonstration — a reporting function — of how your security program meets specific security standards as laid out by regulatory organizations.
Beware of the "Checkbox Mentality"
Meeting compliance regulations will never cover all of your security needs. This “checkbox” mentality results in inadequate protection. Why? Because compliance only ensures that a specific set of requirements that change slowly (typically only once a year) are in place. As a result, it can’t possibly keep pace with the changes that are occurring daily in the world of cybersecurity.
To truly safeguard against the growing number of sophisticated threats, organizations have to elevate security and develop an overall approach that integrates all the necessary controls with each other to create a cohesive, multilayered web of security. This isn’t something that satisfying a regulatory standard can ever provide.
Don’t Use Compliance as Your Security Blueprint
Using compliance requirements as a plan for building a security program is another common mistake. An effective cyber security program should be built from the ground up and be based on an organization’s needs. Focusing on compliance first is putting the virtual cart before the horse. Compliance should be a byproduct of a solid security program, not the source of it.
Remember, investing in a proper, thorough and ongoing cybersecurity strategy now will make future compliance audits easier, save money in the long term, and protect your data, business and brand.