General discussion
April 21, 2005 at 10:35 am #2187226
Creating a Acceptable Use Policy
by netgeek84 · about 19 years ago
Hi,
I am currently working for a company as Systems Administrator Assistant. We have created this really nice Acceptable Use Policy that we want to get out and have everyone sign and have on record. Our overall manager thinks that this Acceptable Use Policy is not important enough to go to our lawyer to read it over. Is there any way to convince him otherwise? Thanks
All Comments
April 21, 2005 at 10:45 am #3246314
Quantify
by j.lupo · about 19 years ago
In reply to Creating a Acceptable Use Policy
Well, I am no expert in this area, but the one thing I have learned is to quantify why it should be done. Show how it will benefit the organization. That is the most likely way to convince your manager.
As I see it, intangible benefits do not easily translate to the bottom line. However, when making policy or changes you have to show how the bottom line is influenced (+/-). It is not easy, but necessary.
I am sure there are others that can provide examples. Since I don’t know what your “Acceptable Use Policy” covers it is hard to come up with an example for you. In my case, I had to quantify why a certain internal coding standard should be changed and the cost of the change both with and without it to the existing applications. The long term cost was worth the change, but the short term costs were not as far as management was concerned. The issue is still being debated, but is going to be implemented “soon”. Good luck.
-
April 22, 2005 at 6:31 am #3244536
More info
by netgeek84 · about 19 years ago
In reply to Quantify
Thanks for your post, that definitely will help. To elaborate a little more on the AUP, it basically just gives employees the do’s, don’ts and repercussions for general computer use.
I will try to get a proposal together about how this can affect the bottom line.
Another item I was thinking about was how critical is it for a lawyer to look over this policy. I mean the equipment is ours and employees are on company time so should anything we say (within reason of course) regarding our equipment pretty much go. I believe it is a good idea but I have no clue about the law in this sort of scenario.
Thanks for your help
Mike
-
April 22, 2005 at 10:30 am #3243329
Legal issues
by j.lupo · about 19 years ago
In reply to More info
Well you answered your own question to a degree. If you don’t know the law that is why you want a legal opinion. In today’s society people are sue happy. You need to make sure that whatever policy you put in place is worded correctly so people can’t take it wrong and sue or file a grievance.
This may be another reason management is concerned about putting a policy in place. They may have been “burned” before.
You know, you might want to ask people in the company about ideas for the policy. Getting other people involved in its creation could create some buy-in from those that have to follow the policy. Which makes me think management doesn’t want to follow it either and is resisting for that reason. Just a thought.
Good Luck.
-
April 25, 2005 at 7:10 pm #3245283
Acceptable?
by bjorgensen · about 18 years, 12 months ago
In reply to Legal issues
It seems that the key word is “Acceptable”. Acceptable to who – obviously the owners and the management. We began with a very simple policy: “Acceptable use is that which directly maintains and furthers the mission and goals of the corporation”. As time has gone on, we have added the specific “Thou Shalt Nots” but only after submitting them to the employees. The “Thou Shalt Not” list serves as orientation describing specific examples that we consider to be inappropriate. We refuse to have the network jocks become policemen and have found that this simple statement makes things obvious to anyone. We only have to ask (in writing) a violator to write a brief memo describing how their misuse furthers our mission and goals.
Come on folks, there are certain responsibilities that go with a job – any job. If you want to codify everything, go to work for the IRS.
-
April 22, 2005 at 12:28 pm #3243234
Just computers?
by ni70 · about 19 years ago
In reply to More info
Why not telephones, fax machines, and copiers too? These are company assets as well and sometimes can be abused like computers. Does your policy mention the Internet? Since you are talking about corporate computers have you thought about creating a logon warning banner? Create a Group Policy for your logon banner or a registry hack.
Here’s the reg hack I’ve used. This will work with Windows 2000 Professional & XP.
Windows Registry Editor Version 5.00

; Title and body of the notice shown before the logon prompt
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"=" !!!WARNING!!! !!!Warning!!! !!!WARNING!!!"
"LegalNoticeText"="This is a Company X computer system, which may be accessed and used only for official Company X business by authorized personnel. Unauthorized access or use of this computer system may subject violators to criminal, civil, and or administrative action under 18 United States Code 1030 et al. Use of this system constitutes consent to monitoring, retrieval, and disclosure by authorized personnel. USERS HAVE NO REASONABLE EXPECTATION OF PRIVACY IN THE USE OF THIS SYSTEM."
"Welcome"=":WARNING! Company X System!"

Cut n paste the above into a text file and then save as a dot reg file – .reg. Also send this link to your manager: http://www.usdoj.gov/criminal/cybercrime/cclaws.html – this may change his/her mind about having a lawyer review your AUP.
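Added example, not part of ni70's post or of the original thread: a Python check that parses a .reg export and confirms the logon banner values from the post are actually set and carry the monitoring and privacy wording. It also looks at the Policies\System key, where the Group Policy form of the banner is stored; the required phrases and the three sample .reg texts are constructed assumptions.

```python
import re

# Registry keys that can hold the interactive logon banner. Winlogon is the key
# used in the post; Policies\System is where the Group Policy setting
# "Interactive logon: Message text/title" is stored. Compared case-insensitively.
BANNER_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system",
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon",
)

# Wording the banner is expected to contain. Assumed requirement, taken from
# the banner text in the post; replace with the wording your counsel approved.
REQUIRED_PHRASES = ("consent to monitoring", "no reasonable expectation of privacy")

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="value" with .reg escaping (\\ and \") inside either side.
_STR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping: a backslash protects the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: string_value}} for REG_SZ lines."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = _KEY_RE.match(line)
        if m:
            current = values.setdefault(m.group(1).lower(), {})
            continue
        m = _STR_RE.match(line)
        if m and current is not None:
            current[_unescape(m.group(1)).lower()] = _unescape(m.group(2))
    return values


def audit_banner(reg_text):
    """Return a list of findings; an empty list means the banner passes."""
    parsed = parse_reg(reg_text)
    caption = body = ""
    for key in BANNER_KEYS:
        vals = parsed.get(key, {})
        caption = caption or vals.get("legalnoticecaption", "").strip()
        body = body or vals.get("legalnoticetext", "").strip()
    findings = []
    if not caption:
        findings.append("LegalNoticeCaption missing or empty")
    if not body:
        findings.append("LegalNoticeText missing or empty")
    else:
        normalized = " ".join(body.lower().split())
        for phrase in REQUIRED_PHRASES:
            if phrase not in normalized:
                findings.append(f"banner text lacks phrase: {phrase!r}")
    return findings


# Constructed sample: a well-formed export with the wording from the post.
GOOD_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"="WARNING"
"LegalNoticeText"="This is a Company X computer system. Use of this system constitutes consent to monitoring. USERS HAVE NO REASONABLE EXPECTATION OF PRIVACY IN THE USE OF THIS SYSTEM."
"""

# Constructed sample: the same file after a word processor or web page turned
# the straight quotes into curly ones, so no value line is valid any more.
SMART_QUOTE_REG = re.sub(r'"([^"]*)"', "\u201c\\1\u201d", GOOD_REG)

# Constructed sample: banner present but without the privacy statement.
WEAK_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"LegalNoticeCaption"="Notice"
"LegalNoticeText"="Authorized use only. Use of this system constitutes consent to monitoring."
"""

if __name__ == "__main__":
    for name, sample in (("good", GOOD_REG), ("smart quotes", SMART_QUOTE_REG), ("weak", WEAK_REG)):
        print(name, "->", audit_banner(sample) or "OK")
```

The smart-quote sample is worth noting when copying a .reg file from a web page: with curly quotes none of the value lines are valid, so the check reports the banner as missing.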
-
April 25, 2005 at 8:09 am #3243538
Why are we doing this?
by oregonnative · about 18 years, 12 months ago
In reply to More info
Sounds to me like we are working on an AUP with no clue as to why!!!
I don’t have much time or interest for those individuals who think they own the network and want to control it. IT is a service organization and is only successful to the degree that we facilitate the business of business.
If the AUP is being written to prohibit people from taking their laptops into the shower or pouring coffee into their keyboards, no attorneys are needed. These rules are about the logistics of keeping the company in a state of operational readiness. That is clearly part of our mission.
On the other hand, if those do’s and don’ts are intended to reduce the risk of exposure from people using their computers inappropriately (e.g. porn, instant messaging) or illegally (pirated software), then those are LEGAL ISSUES. IT managers tend to think they know it all (I’m one of them, I KNOW!!!), but they are not as well trained as the lawyers in regards to the law.
-
April 25, 2005 at 2:24 pm #3245364
-
-
-
April 22, 2005 at 7:30 pm #3243125
Review policy with attorney
by craig herberg · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
If your policy states that improper usage of company computer and information resources can result in any sort of punishment, of course you need to have an attorney to review it. Certainly you want a policy that is both fair, enforceable, and legally sound. It will cost your employer far less in attorney fees now to have the policy reviewed than it will to defend itself against law suits, if the policy is not legally sound.
Good luck.
Craig Herberg
-
April 25, 2005 at 2:04 am #3243660
It is a legal document – isn’t it?
by traceyt509 · about 18 years, 12 months ago
In reply to Review policy with attorney
As I understand it, the AUP is effectively a legal document as it lays down policies and procedures that must be followed by an employee and includes punishments for breaking them. If it isn’t reviewed by a lawyer then it could contain ‘get out’ clauses or worse still, be totally worthless in a court of law. In addition, how do you propose to get an employee to sign it unless you legally make it part of a contract of employment which, in itself, must be a legal document?
-
April 25, 2005 at 4:26 am #3243645
Worse yet
by craig herberg · about 18 years, 12 months ago
In reply to It is a legal document – isn’t it?
If it is used to arbitrarily violate employees’ rights, it could be an illegal document. That is probably not anyone’s intent, but it exemplifies why this needs to be reviewed and blessed.
-
-
April 25, 2005 at 5:16 am #3243627
It’s an agreement
by diego.santos · about 18 years, 12 months ago
In reply to Review policy with attorney
I would say this: this policy is an agreement, therefore any party involved can have it reviewed by an attorney. So, if you have to sign it, you should have it reviewed anyway.
my .02
-
-
April 25, 2005 at 1:58 am #3243662
Reply To: Creating a Acceptable Use Policy
by briancatt · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
I struggled to find a clear top down management trail for this project. Initiatives can come from anywhere. No such project should start w/o a plan or directive to justify the resource and cross organisational impact. If this is bottom up it will struggle forever.
If there isn’t one you need to obtain commitment and clear objectives before writing a spec so you know what to deliver. A pretty cool policy pushed upwards will always get the response Why? and How much?
It seems to me the two key reasons for this are
1. Things that can get you sued directly / Compliance issues (from SOX to porn on the servers, etc.).
2. Use that would result in disciplinary action.
3. Use that risks the IT systems availability for the business (see 2)
So the support for this activity needs to be obtained from the compliance manager, HR and Legal before you start on any detail, so you know the objectives and constraints they have and you get their advice on what makes sense and how to get it across. Unless HR are basic hire and fire per the bosses direction then they should be able to help.
If you wish to control harmless but system intensive or potentially resource intensive or risky use then that should be part of HR policy, you explain why, what the risk to the business is and make it clear that it’s “anti-social” in business terms. The infringements can then become a disciplinary matter. You could also just make this unavailable to all except named individuals through a policy or course.
Finally don’t put in policies that are relatively harmless because it’s good for you. Credibility will vanish. Focus on meeting the needs of the management and enabling the users. Manage the rest.
Hope this helps. Good luck.
Brian Catt
-
April 25, 2005 at 2:30 am #3243658
Set Up Policy
by chaz15 · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
I don’t think you need worry about being sued if criminality is involved. If issues arise from ‘grey area’ use / misuse, do you really need to include these in your policy?
However, it IS essential that certain areas are fully covered in your policy, relating to email use, any monitoring of employee IT actions, and what constitutes serious misuse of IT facilities and IT systems.
The reason for setting up this policy is that employees have then been informed, and the COMPANY can take internal disciplinary action, having informed the employee of proper use and improper use.
As far as serious breaches are concerned, if employees act outside of the law, the company AND legal agencies can act with impunity.
Provided policy is clear, stated, and not in breach of human rights or equal opportunity laws, I see little legal grounds for employee redress.
Go ahead, bearing these points in mind, it need not be a legal minefield.
The dangers in not doing so are far far greater and yes it does need to be signed by employees.
You can find policies other companies use or especially those used by government agencies on the Internet.
YOU MUST SET UP AN AUP POLICY AND HAVE THIS SIGNED BY EMPLOYEES.
Your own job will be severely at risk until you do this.
-
April 25, 2005 at 3:19 am #3243655
It really depends on
by gerald · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
Hi,
it really depends on what you say in there and where it will be valid. In some countries for example the employees would have to pay extra tax if they are allowed to use company equipment for their personal use (as the law sees it as extra income) so it may hurt them – even if they don’t use it.
It may also happen that if one paragraph is against the law your complete AUP is not valid – this also depends on the country it should be valid for, …
-
April 25, 2005 at 4:26 am #3243644
Good Policy Practices
by bigaldepr · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
You have prepared a policy that I assume meets your needs. Having a legal review will greatly reduce any adverse consequences associated with enforcement. Prevention always costs less than the consequential damage.
Another important aspect is training. An employee may retaliate claiming that your interpretation was different than his or hers. Give training on the policy. Give examples of both acceptable and unacceptable use. Finally give a short test that demonstrates that each element of the policy is understood. This documents the fact the employee has read and understands the policy.
Training demonstrates that you are serious about this matter. It also demonstrates the company’s interest in the employee. Otherwise the policy will be seen as just another management tool to legally fire anyone they do not like.
-
April 25, 2005 at 4:30 am #3243643
Yes
by tuomo1 · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
Just my experience over 30+ years – yes. (IMHO all policies and contracts should be checked by one (or more) lawyers.) Now – signing it is another thing: if your employees have signed a contract to follow the corporate rules, to sign another one isn’t important, BUT if you have temporary users, etc., yes, they should sign any and all. This has saved me (and corporations I have been working at that time) a lot of negotiations, work and time later on. And lost time and work when we didn’t do that – some very costly!
-
April 25, 2005 at 4:42 am #3243640
He’s Correct
by afhavemann9 · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
The boss is right; an acceptable use policy doesn’t need to be a legal document, only a statement of what someone can and cannot do with company owned equipment.
You don’t need a lawyer for this.
-
April 27, 2005 at 10:48 am #3245979
I agree
by jplace · about 18 years, 12 months ago
In reply to He’s Correct
There is absolutely no need to take this to a lawyer. Quite the reverse. Anyone in the legal profession will tend to take a nice clear AUP and turn it into a legal minefield. The purpose of the AUP is to have a document that the person who is signing understands. It has to be in good old plain English – not legal speak.
-
-
April 25, 2005 at 4:49 am #3243636
Legal Advice is Good Advice
by james.august · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
The need for our School District’s Attorney to review the AUP becomes important when children are involved. So in a business environment, this should be treated no different. There are always going to be those bad apples that will make the company look bad by surfing websites they are not supposed to, or sending email that may be deemed untactful. However the poison people pick when it comes to trying to bend the rules of an AUP, they are still rules and they should be followed.
Say for instance, one of your employees secretly creates a rumor, via an email, that the company stock will crash and panic then happens. Everyone sells their stock in mass hysteria and the company starts to take a downfall. If you have the legal backing of this AUP you then can warn people that this AUP will be enforced and legal consequences can happen if they are broken.
I’ve seen a few things happen concerning an AUP. People are getting fired over bad things that are clearly outlined in our AUP. There is no tolerance for these kinds of behaviors.
Good luck in your quest to have your legal department look at it. I had to make the same case when we developed ours. And I’m glad I did.
-
April 25, 2005 at 4:50 am #3243635
The Truth about AUP
by techrepublic · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
If you provide somebody the equipment and opportunity to commit a crime such as child porn or software piracy, and don’t forbid it, your company may be held liable. That’s not a joke, it’s happened. I didn’t say it makes sense.
To protect your company from liability for crimes committed with company computers and equipment, including fines for unlicensed software or child porn possession, it is NOT necessary to have people sign an agreement. In fact, if they dispute signing it, you have no recourse because you are effectively trying to change their employment contract mid-stream.
Even if they agree to it, if it comes to a court case, you must prove that they *understand* it, not that they agreed to it.
So what you must do is create it, get it blessed, train it, test on it, and prove that everyone has understood it. Bad scores that don’t get fixed in a re-test go against their performance records at review time. Good scores (easily achieved) prove they understand the policy. Then, if they go afoul, they are legally responsible, not the company.
Many lawyers won’t know what to make of it anyway, and will have to engage an expert to help them understand it. You don’t need a lawyer necessarily, if you do a good job of crafting it. But, once your employer realises how serious this can potentially get, and that the policy can in fact be brought into a litigation proceeding as a key piece of evidence, they would be crazy not to pass it by a lawyer for the sake of saving a few hundred dollars. Cases such as this go into the thousands easily in legal fees.
-Russ.
-
April 25, 2005 at 6:09 am #3243600
$$ now or $$$$$$$$$$ later
by my mac is faster than your pc · about 18 years, 12 months ago
In reply to The Truth about AUP
Simply put you can do it cheap or you can do it right.
If your employer has a lawyer on retainer then this will have a very minimal cost since the time has been paid for. If they pay per use for their lawyer then explain how an hour of time now to make the document airtight will be cheaper than having to pay for your lawyer to defend against a suit and ultimately have to review the document anyway. It may be too late to find out a comma was misplaced or the circumstances under which an employee was made to sign the document make it null and void.
How big is your organization anyway? You may be able to use the amortization of cost per employee to show how inexpensive this process really is.
-
April 25, 2005 at 6:17 am #3243597
AUP: Use and Purpose
by resotko · about 18 years, 12 months ago
In reply to The Truth about AUP
Since I work surrounded by lawyers, but I am not one myself, everything here is In My Humble Opinion, nothing more.
I’m most familiar with AUPs at academic institutions, since that’s where I work. However, in researching college and university AUP documents, I’ve also read some Law Review articles about AUPs for business. Almost all of them say how you intend to use the AUP, and what its purpose is, govern how useful it is as a legal document. Most go on to say that in a business, the most useful AUP is one that protects the business first, period.
That being said, I can see two uses for such a document:
1) if the AUP is a social contract (ie best behavior, acting like a responsible net citizen, not spamming others, etc.) then it is more a set of guidelines than policy. Nice to have, but would be difficult to enforce as a legal document. In many cases, I’ve seen this kind of document refer back to a legally enforceable document to have some power over users and management (ie, an AUP that refers to the parts of the union or employment contract stating that people can be fired for breaking the law on the job, and reminding folks that illegally sharing copyrighted material is breaking the law to discourage file sharing, etc.) In this case, the AUP points to the legal documents that would be used to enforce that policy, so you don’t “reinvent the wheel.” This kind of AUP is really pointing to behaviors and actions that are disallowed as an interpretation of those pre-existing policies and agreements (ie, the existing HR policies, in the context of information technology in use in your office.)
2) if the AUP is meant to be a legally enforceable part of company policy, then legal review is needed for many reasons. First and foremost, you need to make sure the AUP doesn’t contradict any other legal policy or contract already in place. If the AUP allows something that the employment contract disallows, and you discipline an employee for it, you may have quite a fight making it stick. All the other reasons for a legal review mentioned in the preceding posts should be enough reason to have a lawyer review it IF you plan on educating users AND enforcing the policy strictly. A legal review of such an agreement protects management and employees alike.
That’s just my two cents. My view is somewhat skewed, as I’ve done a little research in the field. If you’d like to read a critical examination of academic AUPs, check out my paper at:
http://www.giac.org/certified_professionals/listing/gsec_100_4118.php
The first of my footnoted references is a Law Journal article I found with some good practical advice about AUPs for businesses. I hope this helps.
-
April 25, 2005 at 6:30 am #3243586
Not a Lawyer?!?
by ex-military nut · about 18 years, 12 months ago
In reply to AUP: Use and Purpose
You sound like one 🙂
As long as HR is involved doing as they should, the AUP would get the legal review as a matter of due course. Because this company has an IT department, there is obviously an HR department. It’s that or they are taking a tremendous risk.
-
-
April 25, 2005 at 6:17 am #3243596
AUP – legal AND personnel concerns
by breathe · about 18 years, 12 months ago
In reply to The Truth about AUP
In all of the discussions, I noticed that there is no mention of the HR / personnel side of the equation related to AUP. Given the potential issues mentioned by Russ and others related to training and personnel actions if someone is suspected of “going afoul” of the AUP, it is also essential that HR review and approve of the policy and given the potential litigation issues, they may also support the need to have the policy reviewed and “blessed” by legal counsel.
Good luck.
-
-
April 25, 2005 at 6:20 am #3243595
Does it matter if it holds up in court?
by ponderworks · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
Interesting question. The only point in having a legal review is if the company intends to enforce it. Enforcement assumes that you have a “legal leg to stand on” meaning that the agreement will likely hold up in court. In my view, that would only be possible if one or more lawyers who are experienced with that type of agreement review it carefully and confirm it will hold up. Otherwise, the agreement may not be worth the paper it is written on.
So the question really is, what does the company intend to use the agreement for? To scare people or to truly protect their rights? With the first one, you’ll need to hope no one calls your bluff.
-
April 25, 2005 at 6:22 am #3243592
How bad do they want to use the computers?
by ex-military nut · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
Mr. Catt managed to hit the nail head: Enforcement of an AUP is the job of HR (Human Resource Department). HR handles all procedures and routine legal issues dealing with employees (which is ALL people, top to bottom, working for a company).
For the government, the end user – anyone using a government computer – is required to have a profile (granted access) on the installation’s domain. This covers email and all resources. As part of the application process, the prospective users must read and sign an AUP. Just as ‘NetGeek84’ described, the AUP I signed to accept my profile spells out what and where a user can go and do as well as how and when. You want to work using a government computer? You must sign the AUP. These stay on file with the first-line Information Management Officer (IMO) and is a legal document because it is signed and dated. When I log on to the computer I use, I must accept a warning before proceeding. When you stop and think about it, by using the computer, I am accepting an implied contract because it was my choice to use the computer or not.
So, if the use of a computer is a condition of employment, then an AUP falls under the HR department’s control. However, ‘NetGeek84’, you and your IT department are still responsible for its content because you are the subject matter experts.
-
April 25, 2005 at 6:23 am #3243591
Absolutely!
by br-549 · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
Anytime you threaten termination or the capture of information for forensic analysis (privacy issue?) you should have both HR and Legal “buy-in” on the policy as they are the ones that are going to have to stand behind it and enforce it. IT only thinks it’s the enforcer. If you do catch a violator, but HR and Legal won’t take action, you have been made irrelevant.
-
April 25, 2005 at 6:33 am #3243584
Show him the Various Laws
by robert_m_knight · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
There are varying laws such as reporting pornography and such that it is vitally important to have a policy in place. The policy protects your organization from employees that will use the “well I did not know defense.” With the policy everyone knows the rules up front, and if the FBI comes knocking at the company door, the company has a leg to stand on and the employee, not the company, will have to do most of the question answering.
-
April 25, 2005 at 6:48 am #3243574
Accountability
by jboyd · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
Let your manager know that without an Acceptable Use Policy, the company can not hold a user accountable for any malfeasance (accidental or intentional). Let them know what is expected, what’s prohibited and what the consequences could be if the policy is violated. General counsel at my company was uncomfortable with the part about having the users sign something so we simply posted the policy on our intranet and alerted everyone to it. From time to time, we send security reminders and also reference the policy.
-
April 25, 2005 at 7:06 am #3243561
Yes!!!
by angry_white_male · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
There are a myriad of local, state and federal laws that touch upon computers, networks and the information stored within. Penal law covering computer crime, SOX, HIPAA, etc… Violation of these laws can have very serious consequences.
Should a rogue employee leak, compromise or otherwise destroy information, download inappropriate material, etc – what do you as an IT manager have in your toolbelt to start the ball rolling to terminate or prosecute this individual?? An AUP is one step towards protecting the company’s most valuable, yet most intangible asset – data and information. All it takes is a ten cent blank CD-ROM and an employee with an axe to grind and all your dirt will be in the hands of the local paper. If you have nothing – then the employee’s defense will only be that much stronger.
Not only should a lawyer review the document to ensure it passes legal muster, but you should have absolute buy-in from management. Otherwise, it’s worth less than the paper it’s printed on.
-
April 25, 2005 at 11:42 am #3243445
Reviewing policies
by j.lupo · about 18 years, 12 months ago
In reply to Yes!!!
Yes, having legal look to make sure it complies with law is important. I forgot in an earlier post – mainly because I was focused on the question of getting the poster’s manager to buy-in on the idea – that HR is very important.
After reading the responses and doing a little more thinking, it is important to have a consensus from a lot of company parties – Management, HR, Legal, Operations (especially those that will have to enforce the policy), and Training if a training group exists.
Any policy should be easy to read and understand. A Training department representative can assist with that.
-
-
April 25, 2005 at 7:20 am #3243557
Reply To: Creating a Acceptable Use Policy
by mskala · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
Violations of an Acceptable Use Policy can result in disciplinary action up to and including termination of employment. Should that happen at your company and the terminated employee sues for wrongful termination, and the corporate lawyers come looking for your manager, he’d better have a damn good reason why that policy didn’t go through the appropriate review. If the policy was established for all employees across your enterprise, then senior executive review and approval is imperative. Establishing security policy without appropriate review is not intelligent and could be interpreted as arrogant.
-
April 25, 2005 at 7:24 am #3243555
HR
by jagershot · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
Bottom line…Leave the decision to the HR director, that is what they get paid to do.
-
April 25, 2005 at 3:29 pm #3245340
get hr involved.
by 32bitswide · about 18 years, 12 months ago
In reply to HR
I agree. When I worked an AUP at a previous company I worked with our HR department, especially since there is “if you do this then this will happen”.
Punt to HR, they have easier access to atty and are better able to handle the employment law maze.
-
April 26, 2005 at 2:03 am #3245218
i agree
by hmx · about 18 years, 12 months ago
In reply to get hr involved.
they will, at some level, have to enforce the most onerous of sanctions that are called for in your policy, so get them involved and let them show it to the lawyers. they’ll be more pro-active about it than your manager, imho.
-
-
-
April 25, 2005 at 7:57 am #3243543
Some states
by rockymtnman · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
It’s always a good idea to have things reviewed by lawyers but then some things are not as vital as others. An acceptable use policy is just taking care of some of your company’s owned resources. Some small and most medium to large companies already have employee handbooks or something to that effect that covers most foreseeable violations. An acceptable use policy is essentially taking care of one area of the work place and applying very specific rules. It’s probably not a big deal if you get it reviewed or not.
If it deals with termination issues, that may be more prudent to have it reviewed. I’d have HR look at it in the case of a termination statement since that’s their realm of expertise. It may be more important in some states than others. In Nebraska, for instance, you don’t have to give or even have a reason to fire someone. Obviously the normal race, religion, etc. rules always apply but those won’t be applicable in an acceptable use policy anyway.
-
April 25, 2005 at 8:24 am #3243532
Simple matter of cost
by lwebb · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
Our Acceptable Use Policy was FORCED to go to the Attorney by our HR dept.
It’s pretty easy to find out some nice (and true) round numbers of what it costs to be sued, as opposed to the meagre (in comparison) cost of sending it to an attorney for review.
-
April 25, 2005 at 9:09 am #3243511
No AUP = Head in the sand!
by jtlatmcl · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
If you want the AUP signed and put in employee files it should be reviewed by management and by legal counsel. It should not be that big of a deal if you are using standard language. This site has some boilerplate.
For most things, there are laws in place that protect the company. Maybe having a “reminder” AUP that doesn’t get signed will suffice.
If the AUP talks about punishment, I would say it should go through HR/legal with complete management backing.
The fact that your company doesn’t see this as an important issue is a little scary! This is a definite “ounce of prevention” type of scenario.
-
April 25, 2005 at 9:22 am #3243507
How else would you enforce
by hibbard_p · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
Yes, being a past IT director, lawyers’ eyes will ensure enforceability. Also usage clients must be reminded of the policy they are bound to, otherwise not enforceable. My team put a pop up after clients logged in. They were asked to accept the policy by clicking yes and if they did not they were not able to use the company’s IT tools (PCs). Also the copy of the IT policy must be available to everyone to read at all times. I also emailed it to everyone with a read receipt, if they did read it I sent it again and saved all the read receipts as proof that they had received the policy and had the opportunity of reading it.
-
April 25, 2005 at 9:45 am #3243498
depends on the teeth
by jeffersnet · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
I’ve read a lot of the replies but not all of them and I didn’t see this anywhere.
I’ve written or helped to write a lot of rules for my last organization and I’ve learned that rules or policies that do not have teeth or a punishment usually don’t need involvement from legal. If someone isn’t going to get into trouble they don’t really challenge the rule. Why would someone make a rule without punishment? Usually it is really meant as a guideline or as a reference for other rules, this happens all the time and I didn’t see anything about punishment so I was thinking this may be one of them. Any rule that can get people fired, suspended or something else that affects their paycheck really needs a legal review.
I hope this helps a little.
-
April 26, 2005 at 3:37 am #3245178
Reviews from all sides ….
by gadgetgirl · about 18 years, 12 months ago
In reply to depends on the teeth
Agree totally that all policies need teeth, preferably sharp ones. Unless the level of punishment is discussed in accordance with both legal and HR, the employment laws could be contravened.
In my experience, this usually means holding both the legal and HR departments’ hands, and “walking and talking” them through the AUP in the first place. They need to realise the “knock on” effects of allowing or disallowing certain programs, levels of access etc. My skills as a semi tech translator normally come in quite useful …. If the other departments don’t understand (specifically) the consequences, you’ll have hard work getting the buy in you need.
-
-
April 25, 2005 at 10:08 am #3243484
“achieving expectations for regulatory compliance” ™ (c) 2005
by howard_nyc · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
“achieving expectations for regulatory compliance” ™(c)2005 Howard Wertenteil …to coin a phrase, must be formalized, and it sounds like your IT team has managed to avoid what everyone else has been obliged to do: get formal about “achieving expectations for regulatory compliance”
at the very least, HR must see it… even if they are not granted edit/change rights…
you can justify lawyer reviewing in response to regulatory compliance expectations… what industry is your company in? does your firm already have a CMO (compliance management office, akin to a PMO)? if so they should be “in the loop”…
if nothing else, establish measurable, objective criteria — “metrics” — by which compliance can be tracked… example of that sort of stuff can be found in the following government documentation (which makes it public domain, and therefore exploitable without royalties nor plagiarism headaches)… http://www.osec.doc.gov/cio/oipr/ITSec/DOC%20Compliance%20Review%20Metrics%20MSWord.pdf#search=’compliance%20metrics’
-
April 25, 2005 at 11:49 am #3243439
permission by omission!
by bhunsinger · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
LAWYER ALERT (in a prior incarnation in this life, I was an attorney)
Requiring someone to sign a policy like this in order to keep their job (that is what you are talking about) is called a contract of adhesion; in layman’s terms something you are forced to do without any chance to negotiate. The rule in interpreting such contracts is the underdog always gets the benefit of the doubt. Anything you have not expressly prohibited is permitted. Did you forget something permitted? Do you have a progressive disciplinary procedure in effect? How does this fit into that procedure, what level of misconduct gets a warning, what level is mandatory dismissal? Is there a charge for mistreating the equipment?
I’ll bet that one of the rules you are including is that no one should install unvetted software on corporate servers without at least consultation with the IT department. Don’t inject programs into the legal/HR department’s area without the same.
-
April 25, 2005 at 1:08 pm #3245417
Reply To: Creating a Acceptable Use Policy
by the admiral · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
Absolutely.
The simple fact that an acceptable use policy forbidding programs like Limewire on a system, protecting the corporation from a potential lawsuit from the RIAA is a good enough justification.
Since they are attacking the ISPs, corporations are next.
-
April 25, 2005 at 4:30 pm #3245324
It’s all down to money … in the end
by brian.walters2@btinternet · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
This problem is not unlike that of convincing management to invest in a safety policy.
For “this Acceptable Use Policy is not important enough to go to our lawyer” read we are not going to spend money on policies that might not be needed.
If he can’t budget for checking out the policy, ask him to try budgeting for when something goes wrong with it and somebody sues!
Regards, Brian
-
April 25, 2005 at 7:37 pm #3245278
One word — UNION
by kaceyr · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
If the company you work for has *ANY* union employees in *ANY* capacity, you can be assured that the Union will review the policy and have changes to be made to it.
I’ve seen several (not enough to say many) mid-level managers terminated for ticking off a (not so) strong union.
In every case, the manager could have side stepped the problems by simply requesting that the Union itself have a degree of input to the policy, and would therefore require you to use legal counsel for your own review.
Personally, I recommend you have a legal-eagle review it no matter what. If you don’t, you can rest assured that the employee who gets terminated or otherwise disciplined over a violation of the policy will have legal counsel to blow you out of the water, and pay for their court costs.
Just my 2¢
-
April 25, 2005 at 11:55 pm #3245228
AUP Approval
by nrdickens · about 18 years, 12 months ago
In reply to Creating a Acceptable Use Policy
The simple answer is to produce a gap assessment of the cost of your lawyer’s time against the potential cost of a lost employment court case. I suspect that this will be a convincing argument.
-
April 26, 2005 at 11:29 am #3244093
Some other thoughts
by royaeinarson · about 18 years, 12 months ago
In reply to AUP Approval
Not knowing the particular industry for which the AUP is being created, I would suggest that the developer could check other sources in the same industry for examples that are used in other people’s AUP’s. This could be done with 1 or 2 others from the shop or business. A second thing would be to do some searches to find out what legal or financial punishments have been meted on similar organizations which did not have an AUP. I know of one or two which have been in the public eye after employees were caught “in the act”. The third consideration is whether after going to all this effort to protect the company whether there is a “will to follow through” with the penalties written into the AUP. If there is no follow through then there is no point in developing an AUP until a penalty arrives and then whose neck is on the chopping block?
-
-
April 28, 2005 at 8:34 am #3262413
I would like to see this.
by tonythetiger · about 18 years, 11 months ago
In reply to Creating a Acceptable Use Policy
Don’t do anything illegal, or which would potentially embarrass the company.
Get the work done in the manner and within the time assigned to you by your supervisor.
That should just about cover it shouldn’t it?
-
April 28, 2005 at 12:37 pm #3262737
Why didn’t
by craig herberg · about 18 years, 11 months ago
In reply to I would like to see this.
anyone else think of that? The part about potentially embarrassing the company couldn’t possibly leave any differences of opinion 🙂
-
May 3, 2005 at 1:45 pm #3260826
Reply To: Creating a Acceptable Use Policy
by tonythetiger · about 18 years, 11 months ago
In reply to Why didn’t
What I meant was that managers get so bogged down trying to cover every possible contingency with a policy, they forget why they needed one in the first place.
Management here is currently in the midst of handing out dozens of reprimands, days off, firings, etc, for “internet abuse”. And even then the way they go about it is stupid. They use Surf Control, and scrutinize the top ten browsers every month. Well, number 10 could be 10 hours work related and a half hour goofing off and get written up, while number 11 could be 8 hours goofing off and never be on the list!
Of course this also keeps them from having to notice the other (bigger) time wasters, personal phone calls, visits to others’ offices, sick leave abuse, etc.
And why is IT even involved? Shouldn’t it be the person’s supervisor who decides when an employee isn’t performing as expected, and if the employee isn’t, and the supervisor does nothing, shouldn’t the supervisor’s butt be in the sling?
-
-
-
May 18, 2005 at 11:44 am #3237362
No need to reinvent the wheel
by trevora · about 18 years, 11 months ago
In reply to Creating a Acceptable Use Policy
I disagree with your “overall manager’s” comment that the AUP “is not important enough”. A written, distributed, and SIGNED info sec AUP is **very** important for ANY organization.
However, I work AT a law firm. When I started as IT Manager, we had no formal, written IS AUP document. So I began drafting a document, based on the cream of the crop concepts from SANS, NASA, and other freely available docs, templates, white papers available via the web. If you read enough docs, you will come across common concepts that you can fine tune and apply to your specific organization.
Once I felt I had an acceptable draft ready, I had a committee of attorneys in my own law firm review my draft Info Sec AUP doc for end-users: there were little to no major edits / adds / etc. So you can definitely prepare and distribute a good AUP doc to your organization’s users now, although you may want your attorney(s) to review it in the future as well.
Since that time, I’ve actually had our attorneys and other law firms want to use my AUP doc to draft templates for clients or formalize their own.
– ensure there is both buy-in and input from critical decision makers / departments that also influence your information systems: e.g. senior management / executive; HR, etc.
– make it clear for the end user. It shouldn’t be a bunch of techno-gobbly-gook or legalese that will just overwhelm the user (read as: they won’t read your AUP doc).
– make sure EVERY new computer user joining your organization receives a copy BEFORE they are allowed to logon to your private network.
– the AUP doc MUST include an acknowledgement / signature page with wording showing there will be repercussions for willfully ignoring the security policies of your organization. Follow up to ensure you get the signed page back for your and/or HR’s personnel records.