What Should Be Included in an Acceptable Use Policy?
Every business should have an acceptable use policy so that employees know what the permitted uses of company computers and networks are. Without a clear policy, they don't know what's allowed or not. The results can include overuse of resources, bad security practices, and friction between managers and employees. Everyone should understand where the boundaries are.
Certain activities should always be prohibited. They include:
Illegal activities, including fraud, threats, and harassment.
Spamming by email or any other channel.
Making unauthorized representations on behalf of the employer.
Circumventing device and network security.
Introducing malicious software, such as spyware, worms, and ransomware.
Disclosing confidential information, except as permitted in one's job.
Revealing account passwords to anyone else.
- Actions prohibited by company policies.
A company should carefully consider whether and to what extent employees will be allowed to install software. Giving them blanket permission to install software on their assigned machines opens up security risks. A common approach is to allow only authorized IT people to install software on employees' machines.
BYOD and telecommuting policies
The policy should specify whether employees may use their own devices on the company network. This includes telecommuting as well as smartphones and tablets.
If employees can use personal mobile devices on the network, the AUP needs to specify what security measures are required. This may include installing company-mandated software to separate business and personal use. The policy needs to make it clear that any monitoring applies only to the business side of employee-owned devices and personal use is private.
If the policy allows telecommuting, it should require the use of a VPN and protection of the account associated with it.
Social media and time sinks
The company's policy on using social media, watching videos, and other potentially time-wasting activities will depend on the business culture and the network's ability to absorb the bandwidth. Some companies need to be very strict, prohibiting nearly all non-business use. Others will trust their employees not to abuse their privileges.
A policy shouldn't be so strict that it interferes with necessary work activities. A blanket prohibition on watching video could interfere with work-related education and research. A strict policy should allow usage for purposes that are part of doing one's job. A few companies have such stringent security requirements that they have to prohibit all nonessential activity; they're a special case which is beyond the scope of this article.
At the other end, there should always be rules to limit clearly excessive usage. Even a lenient policy should state that social media use is acceptable only if it doesn't interfere with the employee's work duties, isn't detrimental to the employer, and doesn't involve unauthorized claims to speak for the employer. The company's policies on trademarks, harassment, discrimination, and so on should be incorporated by reference.
The policy needs to explain how it will be enforced. There are several points it needs to cover.
If user activity is monitored, even just occasionally, the AUP needs to say so. If some areas, such as the content of email, are protected from monitoring, it should say that also. Making this point clear protects the employer from ill will and possibly from legal action.
The consequences should be made clear with a phrase such as "up to and including termination."
The policy should explain the procedures in case of a suspected violation. The employee should have an opportunity to answer charges of misuse.
The SANS Institute has published an acceptable use policy template, which businesses may freely adapt for their own use. Each business has to consider its own needs and make whatever changes are necessary to fit them.
Please contact us if you need more information or help.