
Craft your own Internet usage policy with this sample

Mike Mullins provides a general guideline for Internet and intranet usage in your organization and encourages you to educate users by distributing a formal Internet usage policy.

Editor's Note: This article was originally published on TechRepublic January 3, 2007.

The Internet is an important resource for your customers and employees. It is imperative that you inform your users about the purpose and use of the company Intranet and Internet. By educating your users and setting out a clear policy, you'll gain a valuable ally in protecting company assets when users are on the network. The guidelines I present here are generic and should be modified to fit your business model.

Standard Internet guideline

These guidelines will help you find appropriate uses of the Internet for YOURCOMPANY business purposes.

Overview

This guideline does not contain all of the do's and don'ts of Internet usage. While this guideline will list examples of improper usage, your good judgment and common sense are essential to guiding you on the appropriate uses of the Internet and will help protect YOURCOMPANY resources.

Contractors can use the Internet for YOURCOMPANY business purposes in order to fulfill their contracted assignment. Their usage must adhere to the guidelines within this policy.

General principles

Your first obligation as a user is to protect YOURCOMPANY information assets. The assets that comprise the YOURCOMPANY network are business assets and should not be considered personal assets. Here are the general principles for Internet use for YOURCOMPANY business purposes:

  • Material that would be considered inappropriate, offensive or disrespectful to others will not be accessed or stored
  • Any software downloaded or installed on YOURCOMPANY assets must comply with applicable licensing agreements and copyrights
  • Use only network services you have authorization to access
  • Do not send material classified for internal use only via the Internet

Specifically, the Internet should not be used:

  • For personal gain or profit
  • To represent yourself as someone else
  • To provide information about employees to persons or businesses not authorized to possess that information
  • When it interferes with your job or the jobs of other employees
  • When it interferes with the operation of the Internet for other users

Consult with your manager if in doubt about any use of the Internet.

Data classification

Personnel records and financial information stored on the network are considered information for internal use only. This information, along with other proprietary information, will not be sent via the Internet. Managers can make exceptions for sending YOURCOMPANY internal-use-only material when appropriate encryption is used.

External communication

Electronic mail or e-mail is the most commonly used form of communication on the Internet. When communicating outside YOURCOMPANY, remember:

  • No form of chain letter will be sent using YOURCOMPANY assets
  • Do not send e-mail so that it appears to have come from someone else
  • Do not automatically forward your e-mail to a non-YOURCOMPANY e-mail address
  • Telnet, or trying to remotely access a system you are not authorized to use, is not permitted. Unless you have prior authorization, do not run port or vulnerability discovery programs or try to get into open ports.
  • When downloading software, you must comply with YOURCOMPANY procedures for the importation of software, even if it's "public domain." As a courtesy to others, try to do large file transfers during off hours.

If you have any questions regarding Internet usage, contact your manager.

Final thoughts

The guideline I've given you may not cover all the aspects of your network, yet it will give you a good starting point if you don't have a policy in place already. Enlist your user population in your security effort by putting out some simple do's and don'ts on Internet usage. Controlling Internet usage is not a difficult task. It involves putting together some guidelines and distributing those guidelines to the users, then educating your users. Once your users are informed on what they can and can't do on the network, enforce your guidelines. Don't forget to modify your guidelines as your business and network grow.

Do you have a guideline for Internet usage in place? How does your guideline differ from the one that is presented?

17 comments
zendrummer

The email use policy should be extended to what is appropriate for internal email vs. a client's email system. Often consultants are co-located at the client site, on the client's network, using the client's computers and email system. One, I would always recommend against such a situation as it creates a legal liability for your company. Two, the policy should strictly spell out what communications are not appropriate for authoring and transmission on or from a client's email system.

ken.meyerkorth

Toolbars. Explicitly demand users to not add toolbars from such entities as Yahoo, Google or even MSN to the desktop. For that matter ANYTHING that makes one desktop different from another should be prohibited. In my world I have users explaining to me how the Yahoo toolbar is not Adware or that by removing the Google toolbar they cannot do their job...Even though their job takes place in a Citrix window.

Selena Frye

This sample policy was first published about a year and a half ago. Have there been any major new developments that would cause you to add a point (or a whole section) to this policy now? Or is this all-purpose enough to do the job without specifics?

zael.e.lutz

As technologies or applications that were not foreseen by the policy writer come along, the policy would have to constantly be changed if it were too specific (e.g., IM, social networking, blogs). This can be avoided by keeping it rather general about technologies, but quite specific about what constitutes inappropriate use.

aaron.harris

Use of the word "Considered" is ambiguous; something I consider to be inappropriate could be different to many of my colleagues and vice versa.

Pete6677

Some users do legitimately need different desktop tools than others. In fact, I suspect that many of them do. Of course, an orderly process for installing these tools is definitely needed.

ke7bym

Definitely need to add more specifics and it should include potential risks for failing to follow policy. Should also specify the channels to add exception for research and other special needs. Simply creating a policy that says don't do this and don't do that might help with general network traffic. But other things need to be considered.

bfpower

You must work in my office.

callupchuck

Yes, I agree 100% about toolbars and their disruptive nature. I can't tell you how many poor performing machines I have gone to fix and find that that Y toolbar is there causing the whole issue.

bfpower

For managerial purposes, a generic policy is not enough, especially if discipline is necessary. It could be dangerous for a manager to discipline an employee when no specific tenets were broken. Our company policy lists quite a few (though not all) examples of what sort of offenses can be disciplined and this is helpful in educating users. For instance, a user might not think twice about bringing video clips in (and viruses) on a jump drive. So, you have to specify "no disks from home." And of course, it all depends on how tight a ship you want to run.

bjennings59

We had to specifically add these as examples to our Internet Usage Policy. Had to explain to our employees that watching their dog at doggie daycare wasn't exactly "work related". Also, had to remind everyone that MP3 on the File Servers and FTP were against policy and would be deleted without warning. We also recently had to block access to Facebook and MySpace because some people were hanging out, out there all day. THAT one went over real big!

RFink

Need to clarify to specify personal gain or profit not related to your employment. After all we all work for personal gain otherwise I wouldn't be here.

gladhatter

You said: Use of the word "Considered" is ambiguous. The man indicated he was not writing the policy but a simple guideline that was not all inclusive. Everyone can split hairs if they wish and try to make a negative out of a positive but in general all will know what this means and it can be further developed as it needs to be in each business. Thank the Author for this.

Roger99a

The word "Considered" is all inclusive. It doesn't matter what you as an individual think is appropriate or inappropriate, if ANYONE thinks it's inappropriate then it "can be considered" inappropriate and is banned... except in the case of Christians and southern men. Their opinions don't count.

Selena Frye

I wonder if companies are starting to crack down on Twitter users (or just want to!), and if it's only a "productivity" problem, or if security considerations are creeping in -- like people Twittering company dirt or other proprietary info...
