Today organizations of all sizes have to worry about what
their employees are doing with company computer equipment and Internet
connections. It’s no longer just a matter of wasted time that should be spent
on job duties or the cost of network bandwidth. In the growing jungle of
government regulations, civil lawsuits, and criminal charges for inappropriate
online behavior, it’s essential that companies cover their assets by
establishing and enforcing clear rules governing computer and network usage.
Policies are also needed to protect the security of the network and prevent
users from introducing viruses or opening their systems and the entire network
to attacks.

That’s the reason you need an acceptable use policy (AUP)
from the very beginning. It’s not enough to just tell your employees not to use
their work machines for non-work-related activities. You need to create and
distribute a written policy and have users sign off that they’ve received and
read it. The trick is to design a policy that’s effective, fair, and won’t be
outdated as your organization grows.


Elements of a good acceptable use policy

An AUP sets out a formal set of rules that limit the ways in
which network and computer equipment can be used. It should contain explicit
statements defining procedural requirements and the responsibilities of users.

Some tips for creating your policy include the following:

  • Prohibited activities should be clearly spelled out. Phrases such as “Inappropriate
    use is prohibited” are vague and ambiguous. You must define what
    constitutes inappropriate use. Of course, you probably won’t be able to
    think of every single individual action that would be considered “inappropriate,”
    but the most common misuses should be specifically named. For example, you
    can prohibit sending e-mail containing sexually explicit or pornographic
    text or images, prohibit using the Web browser to visit online gambling
    sites, and so forth.
  • Blanket statements can address activities you don’t specifically name. For
    example, you can prohibit engaging in any Internet activity that violates any local, state, or federal law, or
    sending any e-mail, instant messages, documents, or other communications
    that disclose any confidential information about the company, its clients,
    or partners.
  • To be effective and enforceable, the policy must be supported by management, and
    there must be a designated person who has the responsibility for
    overseeing development and updating of the policy. This is often the Chief
    Information Officer (CIO).

The policies should be reviewed by the company attorney.
Although it may be necessary to include some legal jargon in the policy
document, each policy should also include a summary that “dumbs down”
any difficult language into layman’s terms that the average user can be
expected to understand.

Policy content

Some things normally included in AUPs include:

  • The company’s privacy policy regarding network users and a statement that all
    communications stored on or sent to or from company computers or the
    company network may be monitored by the company for security purposes.
  • Policy regarding proprietary company information.
  • Policy regarding sharing of passwords and account information: prohibiting users
    from logging onto any account other than their own, or allowing anyone
    else to log on with their credentials or use their systems when they are
    logged on.
  • Security policies such as requirements to lock down workstations when away from the
    desk; policies regarding e-mail attachments; prohibiting users from
    disabling or circumventing security features and mechanisms on the
    computers and network; prohibiting unauthorized installation of software; prohibiting
    unauthorized copying of company information to removable media, or sending
    it outside the network.
  • Policies regarding use of encryption.
  • Policies regarding posting to newsgroups and discussion boards, including requirements for
    disclaimers stating that personal opinions of the sender do not represent
    the company’s position.
  • Policies regarding attaching personally owned laptops, handheld computers, and
    smart phones to the company network, and prohibitions on attaching
    unauthorized modems, wireless access points, and other devices to the
    company network.
  • Definitions of inappropriate use and behavior, such as pornography, copyright
    violations, and illegal file sharing; sending harassing or threatening
    content; sending spam; engaging in phishing and other fraudulent
    activities; hacking into another system within or outside the network;
    distributing malicious code; accessing data on the network without
    permission; intercepting data on the network intended for others (using “sniffers”
    or otherwise); and using spoofing techniques to disguise e-mail addresses or
    other network activity.

These are examples of topics commonly addressed by AUPs. The
list is not complete, and the contents will differ from company to company.

Consequences and enforcement

The consequences for violation of the policies should be
defined in the policy itself. Since violations themselves vary in severity,
consequences should also vary depending on the specific violation and the
violator’s intent. For instance, consequences for sending a short personal e-mail
to a friend with innocuous content would not be the same as consequences for
using the company network to conduct a part-time (legal) business, which in
turn would not be the same as those for downloading child pornography to the
company’s computers.

In fact, the first instance might or might not be defined as
a violation of policy at all. Some companies permit limited personal use of
company e-mail accounts, just as they permit limited personal use of company
phones. That brings us to another issue: you should only set policies that you
intend to enforce.

If you create an overly restrictive policy “just in
case” you might need to use it against someone, and then proceed to ignore
it, users who are subsequently disciplined for violating that or other policies
could argue that you had established a conflicting unwritten policy by knowingly
permitting violation of policies in the past, and/or that you enforce policies
in an arbitrary or discriminatory manner. The disciplined employee might even
be able to successfully sue you on those grounds.

Thus, enforcement of policies should be applied equally.
That doesn’t mean some people can’t be exempted from certain policies, but if
that’s the case, the exemptions should be spelled out in the policy itself. For
instance, your policy might prohibit sending e-mail outside the company that
discusses the company’s financial information, with a clause stating that the
policy doesn’t apply to the company financial officer, CEO, and others who may
have a legitimate business need to do so.

Structuring policies for scalability

Your policies should be reviewed and updated on a regular
basis. As the company grows, management philosophies change and technology
evolves, some policies will need to be modified.

To make your policy document more scalable, consider
structuring it so that each policy prohibition is a separate sub-document, with
related sub-documents gathered into chapters. Each sub-document would be
identified by its chapter and section number. Policies can then be kept in ring
binders. When changes are necessary, only the section has to be removed and