
Internet Acceptable Use Policy

From Ryan Groom,
Your Guide to Business Security.

Things to Consider When Creating an Acceptable Use Policy for Internet Usage

An Acceptable Use Policy (AUP) is very important because it sets the parameters for your employees' web surfing, email usage, and any other Internet usage.

It is a good idea to have the acceptable use policy signed at the time the employment contract is signed, so that what is acceptable is known on day one.

Every organization is different, but the following are sample policy items you can ponder and include when creating or modifying your organization’s AUP.

The following policy examples are constructed with the title of the policy, the formal policy, and then the commentary and reasoning why the policy was written.

Many policies just state the policy and give no explanation of why the policy was created or why it is important. When putting the formal policies on an intranet, it is suggested that the formal policy have a link to informal language to help the employee understand the policy item.

Personal Use of Internet Facilities Only on Personal Time

Policy: Management encourages workers to explore the Internet, but if this exploration is for personal purposes, it must be done on personal, not company time. Likewise, news feeds, discussion groups, games, and other activities which cannot definitively be linked to an individual's job duties must be performed on personal, not company time.

Commentary: The purpose of this policy is to make sure employees know that they should not be "surfing the 'net" during work hours. With good reason, some managers are concerned that the availability of Internet access will distract workers from their regular duties. This permissive policy allows users to take advantage of facilities for personal purposes, but makes it clear when such use must take place. This policy recognizes that, at many organizations, personal Internet use is already recognized as a fringe benefit. The policy assumes that personal use will help workers become more proficient with the Internet, and that this in turn will indirectly assist with business uses of the Internet.

Approved Virus Checking Programs Required On PCs And LAN Servers

Policy: Virus checking programs approved by the Information Security Department must be continuously enabled on all local area network (LAN) servers and networked personal computers (PCs).

Commentary: This policy does not make distinctions between integrity checkers, virus screening packages, virus behavior detection packages, and the like. Instead, it relies on the internal Information Security Department to identify one or more standard virus detection software packages. The emphasis is on networked machines because a virus or similar program can propagate much faster in a networked environment than it can in a stand-alone computing environment.

Default Copyright Protection For Information Posted To Internet

Policy: Much of the material on the Internet is copyrighted or otherwise protected by intellectual property law (for instance by license agreement). Workers must investigate intellectual property rights for all material they discover on the Internet before using it for any other purpose. One exception to this rule involves internal memos which cite this information.

Commentary: The intention of this policy is to prevent workers from violating the intellectual property rights of other parties. One good example of this involves graphics; unauthorized copying and reuse of computer graphics found on the Internet is an epidemic.

Tools Used To Break Systems Security Prohibited

Policy: Unless specifically authorized by the Information Security Department, workers must not acquire, possess, trade, or use hardware or software tools that could be employed to evaluate or compromise information systems security.

Commentary: Because these tools can be and often are used to circumvent controls, their possession and use should be severely restricted. Possession and use should be allowed only for those who have a need for such powerful tools, such as auditors and tiger-team staff (penetration attack team members). Separately, some users may claim that they never intended to use such tools, that they only acquired them to learn about computers. This policy removes the whole question of the user's intent from the discussion; if users have the tools, they may be disciplined or terminated.

Participation In Pirated Software Bulletin Boards & Related Internet Sites

Policy: Worker participation in any manner with pirated software bulletin boards or related Internet sites is strictly prohibited, even if this participation occurs during non-working hours. This prohibition extends to any other facility or system which exchanges illegal copies of music, books, or other copyrighted material over the Internet or through other communications channels.

Commentary: The intention of this policy is to let workers know that any illegal activity involving unauthorized duplication of copyrighted material is not tolerated.

©2008 About, Inc., A part of The New York Times Company. All rights reserved.