Developing and implementing an Acceptable Use Policy is one of the first steps in creating a company-wide culture of technology risk management.

Sometimes referred to as an Internet Policy, an Acceptable Use Policy (AUP) is a formal set of rules governing computer, network and data usage that can help limit your exposure to data breaches, minimize cyber risks and protect your business’ reputation. We’ve talked about the Importance of an Acceptable Use Policy in our earlier blog posts, but recent technology developments, laws and regulations have made creating an effective AUP more challenging than it was just a few years ago, so we want to provide you with more detailed suggestions for creating an Acceptable Use Policy.

While there is some content considered a standard part of an AUP, it is important to arm yourself with as much information as possible to customize your policy to fit your unique processes and operations. An effective policy not only outlines the rules (and the potential consequences for breaking them), but also explains why the rules exist. Including these details in your Acceptable Use Policy can help your staff better understand the vital role they play in the security of your network.

Below are important elements to consider including when creating and customizing an effective Acceptable Use Policy:


Your AUP should clearly define the systems, devices, communications and information that fall within the policy’s scope. Don’t forget to include often overlooked items such as password requirements, corporate text messaging, voice-mail, storage media, company software and cloud computing accounts.


One of the most important parts of your Acceptable Use Policy is the Code of Conduct, which outlines the expectations and behavior for end users while connected to your network. Prohibited activities should be clearly defined, such as activities that violate any local, state or federal laws and disclosing or sharing confidential information about your company, its clients or partners, alongside expectations such as using appropriate language online and ensuring activities do not disturb or disrupt other users on the network.


As an employer, you are providing technology resources to help advance your business interests. Your policy should include a clear definition of business use, inform employees of expected ethical conduct while using these resources, and their accountability for all use of corporate accounts.   


Cybersecurity training can help to ensure end users adhere to your AUP. When the reasoning behind your policy is understood, employees are more likely to recognize its value and to adhere to it. By educating your employees about how quickly your entire network can be infected by irresponsible browsing, stealthy malware downloaded onto a single computer or connecting an unauthorized personal device, you are also helping them understand your policies are not meant to “micro-manage” or deny them all access rights to the internet.


Specific regulations, requirements and accrediting organizations vary from field to field, such as HIPAA for the healthcare industry, the GLB Act for financial and insurance industries and the General Data Protection Regulation (GDPR) for any industry that collects or processes information from clients in the European Union. Some fields must adhere to more than one compliance standard. For example, a healthcare provider that accepts credit card payments and processes them internally would fall under both HIPAA and PCI compliance. In any case, your Acceptable Use Policy should address both, recommend best practices, and clearly outline all compliance requirements.


Small businesses make up more than 90% of businesses in the United States and play a central role in the supply chain. Even the smallest networks can provide a hacker access to credit card data, bank accounts, employee financial and personal data, intellectual property, supplier networks and connected organizations.

Defining what data your company collects and how that data is processed, stored, accessed and disposed of is an important part of your Acceptable Use Policy. Why is the data valuable? What data should be backed up? What data should be encrypted in transit and at rest? Examining your internal data processes can help you identify and address any weaknesses that may exist in how sensitive data is currently being handled and accessed. By defining what data is important and why, you can create an expectation that your staff can apply generally if they forget a specific rule defined in your Acceptable Use Policy.


If you allow personal devices of any kind, they need to be included as part of your Acceptable Use Policy. Rules for what organizational data is allowed on personal devices and expectations for how that data is accessed, transmitted and stored should be clearly outlined. You should also address any required mobile device management software, antivirus software, security controls, identity management measures and remote wipe tools.


Social media platforms can offer tremendous benefits for marketing and communication, but they can also pose serious security risks. Some of the greatest risks are the accidental disclosure of sensitive information, and accounts being compromised by phishing/malware attacks, either directly or through password reuse and single sign-on. Your Acceptable Use Policy can provide you the ability to actively put restrictions in place to help you mitigate security risks and limit the amount of sensitive information shared on social sites.


While it may seem like cyber criminals send malicious emails to businesses on a whim, research illustrates that is not the case. There are many factors that can make a small business a lucrative target, from the data and information a company processes and stores to an organization’s place in the industry supply chain. The most targeted industries can change drastically from year to year. Arming yourself with industry-specific security information can help you craft an Acceptable Use Policy that addresses your specific risk factors. Knowing that your industry may be a target can also help you advise and educate your employees accordingly, which can help to lessen the chances of a successful attack.


There are many options to help you discreetly enforce your Acceptable Use Policy, such as restricting access to sensitive information, configuring laptops and desktops to prevent installation of applications, and using content filters and/or firewall rules to block prohibited activities.

Having employees sign your Acceptable Use Policy does not guarantee all employees will fully comply and use your network resources only for business purposes, which is why you should only create policies that you intend to enforce and include the consequences for violating the policy in the policy itself. Since violations can vary in extent, consequences should as well, depending on the severity of the violation and the end user’s intent.


Your Acceptable Use Policy should be reviewed by an attorney before being distributed to your staff. Once complete, a signed copy of the policy should be included in each employee file, backed up with your vital records and included in your business continuity plan.

If you would like a copy of an Acceptable Use template or more information on how Pivotal IT can help you enforce your security policies and keep your data secure, contact us.