An Acceptable Use Policy or AUP is an integral part of your information security policy.

An Acceptable Use Policy is also one of the few documents that can physically show “due diligence” with regards to the security of your network and the protection of sensitive information and client data in the event of a breach or regulatory audit.

Sometimes referred to as an Internet and E-mail Policy or Acceptable IT Use policy.  An AUP serves many of the same functions as the long winded Terms of Service that you see when signing up for a new service.  Despite the difference in terms, these policies provide statements as to what behavior is acceptable from users that work in or are connected to a network.

The findings of the recently released SANS Institute 2016 Threat Landscape Study and fourth annual Checkpoint Security Report may help to provide some additional perspective on why an Acceptable Use Policy is imperative for your organization.  The study reveals a 400 percent increase in the loss of business data records over the past 3 years.  The most common entry point for threats into a network?  End user actions.

The arguments between productivity, protection and privacy can make mobile device security a difficult topic to address.  Users are now more comfortable blurring the lines between personal and work when it comes to personal mobile devices, not always thinking about the implications.  Most employees do not want to be the cause of a network breach or data loss, yet one in five will do so either through malware or malicious WiFi¹.  All it takes is one infection on one device to impact both corporate and personal data and networks.

We have spoken to clients and prospective clients that respond to our question about having an Acceptable Use Policy with a quizzical look and even indifference.  Depending on the type of data that passes or is stored on your network, and who/what has access to your network – apathy is a recipe for disaster.  Counting on an end user alone to “do the right thing” is not a viable security strategy.

Creating an effective AUP begins by collaborating with personnel from human resources, finance, legal, IT,  and security.  The questions below can provide a good starting point when creating your policy:

When is it OK to send information outside the enterprise via e-mail, blogs and message boards, media sharing and instant messages - When is it not?

What types of information is prohibited in the e-mail system? Personally Identifiable Information? Payment data?  Internal memos? Customer data? 

What procedures will be necessary to discourage risky behavior and enforce established policies? Who will be in charge of enforcing them?

As you create your AUP be sure to:

Have an understanding of what records and data are vital to the survival of your organization and the internal and external forces that can affect them.

Create policies that consider business assets, processes and employee access to files and data.

Address employee-generated content, communication channels and connected devices.

Evaluate security measures (physical and network-related) and potential solutions.

Monitor and enforce policy via security technology and human oversight.

Train employees to recognize risks and refrain from insecure behaviors.

A signed copy of the policy should be included in each employee file, backed up with your vital records and included in your business continuity plan.

If you would like a copy of an Acceptable Use template, help creating your AUP or more information on how Pivotal IT can help keep your network and data secure, don't hesitate to contact us.

  1. Source:  Checkpoint Security Report 2016