Guide to Acceptable Use Policies
Keith Palmgren
02/04/2005
Only a handful of years ago, companies with an Internet
connection were a rarity. Today, the reverse is true –
virtually every company has access. In addition to all of
the perfectly valid business benefits Internet connectivity
brings, there are significant drawbacks. Many of these
drawbacks come in the form of Internet Misuse – leading some
managers to dub it, the “World Wide Waste.” Employees don’t
gather around the proverbial water cooler to exchange
gossip, news, and jokes as they once did. Today, they use
e-mail. They have stock market tickers, updated news
reports, and their favorite radio show running continuously.
The amount of time employees spend in non-work related
Internet use adds up quickly. (And those examples don’t
even begin to look at the non-business uses possible with
the shadier side of the Internet including pornography and
other less-than-appropriate content.) These problems
squander employee time as well as expensive bandwidth, which
add up to significant financial impact.
Controlling issues such as these has thrust the typical IT
department into unfamiliar territory. IT departments are
perfectly comfortable with technology issues, not with more
social issues such as inappropriate web surfing. While it
is true that technology such as content filters and mail
scanners can help with control, the real issue is mostly one
of policy. Specifically, most companies employ Acceptable
Use Policies to address the issue.
Simply stated, corporate policies are formal statements
senior management use to inform the rest of the company of
their desires. More specifically, the acceptable use policy
addresses exactly what is and is not appropriate use of
company IT resources.
While there are many categories of security policy and each
is important, some are conceivably more critical as they
provide the foundation for many other sections of the
policy. Perhaps no category does more to provide that
foundation than acceptable use. Policies dealing with
software download, access requirements, and many others find
their roots, rationale, and support in the acceptable use
policy. If another company policy conflicts (or even just
seems to conflict) with the acceptable use policy, employees
can potentially play one policy against the other.
One of the key purposes of a solid security policy (and
company policy in general) is to provide litigation
protection and defense. The acceptable use policy is,
arguably, the most important single element of that defense,
particularly in light of its close ties to Human Resource
and sexual harassment policies.
Providing a definition of acceptable use policy is fine, but
what exactly do they cover? Take the following examples:
- The use of company computers to do college level
homework is an excellent example of an acceptable use policy
missing in many companies. It is also an example of a
policy every company needs. In some companies, doing
college homework on company time is perfectly acceptable
even if the course is totally unrelated to the employee’s
job. In other companies, it is permissible only if the college
course directly relates to the job (e.g., an IT professional
taking a course in computer programming). In
still other companies, it is never acceptable and may even
be a fire-able offense. What we are really discussing is
corporate culture, which varies widely from one company to
the next. Further, the typical propagation mechanism of
corporate culture is word-of-mouth, leading to each employee
having a slightly different version. Acceptable use
policies provide a mechanism to formally advise company
personnel of exactly what the culture is. They also provide
supervisors with standardized guidance in controlling
activity. Many acceptable use policies fall into this
category of formalizing de facto corporate culture.
- The discussion of college homework leads us to examine
other non-work related activities. For example, is it
acceptable to use company computer systems for activities
involving employee union or similar employee activist
groups? Many senior managers who have no problem with the
college homework issue have a significant problem with this
one. However, there is legal precedent that once company
systems are allowed for any non-work related activity, they
must be allowed for all such activity – including creating,
printing, copying, and distributing labor union or similar
materials. This serves to illustrate the point that no
policy exists in a vacuum – we must weigh each against the
others, as well as view them all as a whole.
- For some time, many companies attempted to issue lists
of sites to users containing inappropriate material such as
pornography. This quickly becomes unwieldy as the lists can
easily fill entire books and change with incredible
frequency. Partly to avoid the work force black hole of
maintaining such lists, many companies turn to acceptable
use policies. Such policies typically state that sites
containing certain types of material are not appropriate and
will not be visited using company time or resources. Many
times, the policy may provide a list of example sites.
While this is a perfect application of the acceptable use
policy (and perhaps the most common), there are things to
consider. For example, it is important that the Human
Resources Department review the policy to ensure it is in
line with the company’s sexual harassment policy. Having
these two policies in contradiction could have a negative
impact. In addition, the policy should clearly state that
intent is required for violation. It is far too easy to
mistype a URL and land on a site that is anything but
appropriate. A single such incident is probably not an
intentional violation. Several dozen such “typographical
errors” in an eight-hour period may well be another story
entirely.
The litigious society we live in demands that we take two
more steps once the policies are in place. First, all
policies should undergo legal review by the company’s legal
advisor. Second, training every employee on the content and
meaning of the policy is necessary. Be sure to document the
training, preferably with the employee’s signature included
in the documentation. The corporation simply cannot afford
a poorly worded phrase or lack of training documentation
with these policies. Violation of acceptable use policy
frequently leads to disciplinary action and can be grounds
for dismissal. Wrongful discharge lawsuits and similar
litigation are on the rise. As the well-known saying goes,
“If it isn’t documented, it didn’t happen.” Providing proof
of a well-written policy, and of the training given on it, is
critical in litigation situations.
Finally, to illustrate the potential for problems with
acceptable use policy, take the following real-world
example: A company has both an acceptable use policy
stating that employees can do any college homework and a
Sexual Harassment Policy prohibiting activity that causes an
“uncomfortable” environment. Both policies underwent legal
review and documented training for all employees. Employee
A receives permission from his supervisor to attend a
college Art Appreciation class. One assignment involves
going to the web site of a well-respected art museum and
preparing a report on several paintings – many of which are
of nudes. Employee B sees some of these paintings on
employee A’s screen and files a sexual harassment claim.
Employee A suddenly finds himself facing serious
disciplinary action, which could include dismissal. He
feels he was doing nothing wrong since the acceptable use
policy sanctioned homework. Which policy wins?
Luckily, in the above case, common sense prevailed.
Employee A agreed to do his homework after hours when other
employees were not around and employee B chose to drop the
charge since the activity was not intended to cause distress
to anyone. While this particular case worked out well,
there is an obvious potential for problems. Always ensure
all policies support one another and apply common sense when
an unforeseen situation arises.
Copyright
http://www.netip.com/
NetIP, Inc. is a small company totally devoted to Knowledge
Transfer. The President of the company, Keith Palmgren,
divides his time between writing articles and teaching
classes on Information Protection, Network Security, and
Computer Security.