What Should Be Included in an Acceptable Use Policy?

Every business should have an acceptable use policy so that employees know what the permitted uses of company computers and networks are. Without a clear policy, they don’t know what’s allowed or not. The results can include overuse of resources, bad security practices, and friction between managers and employees. Everyone should understand where the boundaries are.

General restrictions

Certain activities should always be prohibited. They include:

  • Illegal activities, including fraud, threats, and harassment.

  • Spamming by email or any other channel.

  • Making unauthorized representations on behalf of the employer.

  • Circumventing device and network security.

  • Introducing malicious software, such as spyware, worms, and ransomware.

  • Disclosing confidential information, except as permitted in one’s job.

  • Revealing account passwords to anyone else.

  • Actions prohibited by company policies.

Software policies

A company should carefully consider whether and to what extent employees will be allowed to install software. Giving them blanket permission to install software on their assigned machines opens up security risks. A common approach is to allow only authorized IT people to install software on employees’ machines.

BYOD and telecommuting policies

The policy should specify whether employees may use their own devices on the company network. This includes telecommuting as well as smartphones and tablets.

If employees can use personal mobile devices on the network, the AUP needs to specify what security measures are required. This may include installing company-mandated software to separate business and personal use. The policy needs to make it clear that any monitoring applies only to the business side of employee-owned devices and personal use is private.

If the policy allows telecommuting, it should require the use of a VPN and protection of the account associated with it.

Social media and time sinks

The company’s policy on using social media, watching videos, and other potentially time-wasting activities will depend on the business culture and the network’s ability to absorb the bandwidth. Some companies need to be very strict, prohibiting nearly all non-business use. Others will trust their employees not to abuse their privileges.

A policy shouldn’t be so strict that it interferes with necessary work activities. A blanket prohibition on watching video could interfere with work-related education and research. A strict policy should allow usage for purposes that are part of doing one’s job. A few companies have such stringent security requirements that they have to prohibit all nonessential activity; they’re a special case which is beyond the scope of this article.

At the other end, there should always be rules to limit clearly excessive usage. Even a lenient policy should state that social media use is acceptable only if it doesn’t interfere with the employee’s work duties, isn’t detrimental to the employer, and doesn’t involve unauthorized claims to speak for the employer. The company’s policies on trademarks, harassment, discrimination, and so on should be incorporated by reference.


The policy needs to explain how it will be enforced. There are several points it needs to cover.

  • If user activity is monitored, even just occasionally, the AUP needs to say so. If some areas, such as the content of email, are protected from monitoring, it should say that also. Making this point clear protects the employer from ill will and possibly from legal action.

  • The consequences should be made clear with a phrase such as “up to and including termination.”

  • The policy should explain the procedures in case of a suspected violation. The employee should have an opportunity to answer charges of misuse.

The SANS Institute has published an acceptable use policy template, which businesses may freely adapt for their own use. Each business has to consider its own needs and make whatever changes are necessary to fit them.

Please contact us if you need more information or help.

Related Posts

Implement Zero Trust Policies to Combat Ransomware

Yes, Ransomware is Common Enough to Warrant This Measure Ransomware infections, according to recent surveys, have affected three out of four professional organizations in some capacity over the past year. That?s a huge portion of businesses, and it?s no laughing matter. You need to protect yourself in any way you can. Ransomware can have various negative effects on your business, such as the foll...

How to Prepare Your Business for Any Form of Disaster

Assessing Your Data Backup Needs To kickstart your disaster recovery strategy, it is crucial to assess your data backup needs. This involves identifying the types of data you possess, their importance to your operations, and the frequency at which they change. Conducting a thorough data audit will enable you to prioritize your backup efforts and allocate resources effectively. Implementing a Rob...

The Advantages and Disadvantages of a Password Manager

Advantages Enhanced Security - Password managers excel in generating robust, unique passwords for each account, diminishing the threat of security breaches stemming from weak or reused passwords. Convenience - They offer a hassle-free means to store and automatically input login credentials, saving precious time and effort, with just one master password to remember. Organization - Password...

Tip of the Week: Making Your Network VoIP-Friendly

We could go on and on about the benefits of using Voice over Internet Protocol (also known as VoIP) for your business telephone needs. However, it is important that you do everything you can to prepare your network for this kind of utilization. Let’s review a few tips to help make sure your network is properly optimized for VoIP. How to Prepare Your Network for a VoIP Implementation Ensure You...