Organizations of all sizes need to worry about what their employees are doing with company computer equipment and internet connections. It's no longer just a matter of the cost of extra network bandwidth or tracking wasted time that should be spent on job duties. Organizations are now facing a growing jungle of cyber threats, government regulations, civil lawsuits, and criminal charges associated with inappropriate online behavior.
An effective way to reduce these risks is by gaining better control over the use of network assets. This involves establishing and enforcing clear policies that govern computer and network usage along with controlling the use of network resources. These policies play a key role in protecting network security by preventing users from engaging in inappropriate behavior, introducing malware, and opening other avenues to attack.
Is an Acceptable Use Policy (AUP) Really Necessary?
Yes! It's not enough to just tell employees to refrain from using their company-issued devices for non-work-related activities or from downloading and using software unsanctioned by IT. First, you need to create and distribute a fair, effective policy and have users read and sign it. Next, adopt a way to enforce the policy so it has a real impact on day-to-day behavior. This means writing a formal set of rules that contains explicit statements defining procedural requirements and user responsibilities. And lastly, update the policy annually to ensure you're covered as your organization changes and grows.
5 Considerations for Developing an AUP
- Prohibited activities should be clearly spelled out. Avoid vague phrases such as “Inappropriate use is prohibited.” You must clearly define what constitutes inappropriate use. For example, prohibit sending emails containing sexually explicit or other offensive messages, downloading and using unsanctioned applications, and using personal devices for business.
- Blanket statements can address activities you don't specifically name. For example, prohibit engaging in any internet activity that violates any local, state, or federal law. Also, unless specifically authorized to do so, employees should refrain from sending emails, instant messages, documents, or other communications that disclose any confidential information about the company, its clients, or partners.
- Choose user-friendly language. Although it may be necessary to include some legal jargon, the AUP should also include a summary that the average user can understand.
- The policy should be reviewed by the company attorney. Having your organizational policies reviewed by your attorney is highly recommended. Using an attorney can help you achieve that all-important balance between employee instruction and organizational protection.
- The policy must be supported by management to be effective and enforceable. There must also be a designated person who is responsible for developing, updating, and enforcing the policy, such as an IT Director, HR Manager, or another member of management.
It’s nice to think that once your AUP is put in place, all employees will fully comply and use their network resources solely for intended business purposes. But they won’t. You must build a monitoring/enforcement mechanism and consequences for infringement into the policy implementation process.
Implementing an AUP without back-end enforcement is worse than not implementing a policy at all. Not only does it leave you open to continued risk and liability, but it also sends a message to users that they don't have to take organizational policies seriously.
The consequences of violating your AUP should be clearly defined in the policy. Since violations will vary in severity, the consequences should be proportionate to the specific violation and the intent behind it. For example, the consequences for sending a short personal email to a friend with innocuous content would not be on the same level as using the company network to conduct a side business or downloading pornography onto a company device.
Only Include Policy Restrictions That You’ll Enforce
Creating a "just in case" restriction that you may or may not enforce can cause big problems. If a restriction has been ignored for some time and a user is then disciplined for violating it, the result is confusion. Your organization can be accused of knowingly permitting violations of certain policies and/or enforcing policies in an arbitrary or discriminatory manner. The disciplined employee may be able to take legal action on those grounds and potentially win in court.
Enforcement should have teeth, but it doesn’t need to be confrontational. Organizations have options for discreetly enforcing acceptable use policies. For example, your IT department or service provider can implement rule sets within your firewall, create blacklists, and set content filters to block prohibited activities. The implementation of sound network security practices and technologies can also help to prevent data theft and unauthorized use of sensitive or confidential information.
Restricting access to sensitive resources, monitoring the movement of sensitive data, and configuring devices to prevent the unauthorized installation of software applications should also be part of your enforcement measures.
Despite all the preventive measures a company can take, an AUP is not a panacea for all issues. Users will invariably find ways to violate security policies, no matter how well they're crafted. The biggest takeaway is that an AUP is an important, fundamental element of a best-practices approach to network security. With that said, employees should know and understand the policy, and they should also expect punishment, including termination for severe violations.
Developing Your Own Policy Content
While some content is usually considered "standard," each organization should customize its policy to fit its unique operations, values, and culture.
If you need help developing an Acceptable Use Policy for your organization, contact us today.