Why You Need an (Updated) Acceptable Use Policy


As we’ve been speaking with clients and prospects about their cybersecurity posture we’ve learned that many don’t have an updated Acceptable Use Policy at their organization.

In our 33 years of experience we’ve seen first-hand how something as simple as one policy document can do wonders to unify an organization around shared goals, provide comfort to employees who have good intentions but incomplete knowledge, bolster confidence in clients or members who value their privacy, and maybe even give scammers some well-deserved grief.

Below we’ll walk you through what this policy consists of, why it matters, and how you can create your own.

What is an Acceptable Use Policy (AUP)?

An Acceptable Use Policy is a formal written document that sets clear guidelines on how employees may use company equipment, systems, and data. It sets a wide range of boundaries such as:

  • If and how employees can use personal devices for corporate purposes
  • If and how employees can use corporate devices for personal purposes
  • What level of monitoring and inspection the company may perform
  • The types of corporate data handled and how to handle each type
  • What baseline security protocol to enable on services and applications
  • What to consider a security incident and how to report it

In most cases the policy is presented to each employee as part of their onboarding, and the employee is asked to sign an acknowledgment as a condition of their employment.

An AUP is one of a set of recommended baseline IT policies, but we believe it to be the cornerstone.

Why should you care?

The purpose of an AUP is to mitigate the risks of (1) a cybersecurity incident, and (2) legal liability on the part of the organization.

To the first point, the policy serves to educate and instruct employees on how to safely engage with the company’s information systems. Of all the successful data breaches analyzed in Verizon’s 2023 investigation, 74% involved human error. And of all the successful data breaches analyzed in IBM’s 2023 report, the average cost settled at an all-time high of $4.45MM. The better you can educate your team, the more insulated you are from that ever-growing price tag.

From a liability perspective, a written, signed AUP protects the company if an employee crosses those boundaries—whether the transgression is accidental or intentional.

If your organization places value on mitigating these risks, this policy is worth putting together.

What should an AUP include?

Acceptable Use Policies can (and should) vary widely from one organization to another. Since the purpose of this policy is to mitigate risk, it needs to be responsive to your unique tolerance for risk.

It should also take into account your corporate culture given the impact on employee behavior. If your organization promotes an overtly casual go-with-the-flow environment while also publishing a highly restrictive AUP, the dissonance may cause your team to doubt the sincerity of both.

With both risk tolerance and corporate culture to consider, we can’t offer a one-size-fits-all template here. We can, however, offer a sample outline that you can pare down as appropriate for your needs. A comprehensive AUP would include:

  • Acceptable Use of Resources: Authorized users; proper use of computers and network; reporting of security incidents; security awareness training and compliance; information systems awareness; personal use of company resources; non-company-owned equipment; security of external storage media.
  • Prohibited Activities
  • Email And Communications Guidelines: Email use; confidentiality; email etiquette; ownership, privacy, and monitoring.
  • Data and Information Handling: Data classification; appropriate treatment of information; intellectual property rights; storing and archiving information; network access; clean desk and clear screen.
  • Social Media and Online Presence: Blogging and social networking; instant messaging and chat; web browsing; peer-to-peer file sharing; streaming media; monitoring and privacy; bandwidth usage.
  • Remote Access: Public Wi-Fi; software installation.
  • Communication with the Media
  • Enforcement and Disciplinary Actions

It’s important to note that while this policy does deal heavily with the components of your information technology systems, writing and codifying it does not fall within the scope of a network engineer or system administrator’s responsibilities.

Rather, as the AUP will dictate the behavior of all employees and the liability of the organization as a whole, your executive team needs to be involved and bought in. If you have a CIO (internal or outsourced), this would be a perfect initiative for them to see through.

How often should you update your AUP?

We recommend making a habit of reviewing all of your company policies annually.

Since an AUP deals specifically with network access and the like, you’ll also want to factor a review into any large-scale change to your technology systems.

Need help?

Our team of CIO consultants has helped law firms, associations, and consulting firms create and update their Acceptable Use Policies. It is not a large investment of time or money, especially within the context of the return. If you’re interested in discussing an engagement, let’s chat!