Inappropriate use of IT systems puts your organization at risk. That’s why you should develop an acceptable use policy (AUP) that defines the ways in which IT resources may and may not be used.
Too often, AUPs are interminable documents filled with technical and legal language that most employees sign after scanning only the first few paragraphs.
This kind of policy apathy might explain why a Kaspersky study of more than 5,000 companies found that 46 percent of cyberattacks resulted from careless or uninformed employees.
To better secure their networks, all organizations must develop an AUP that both informs and engages.
Note: This article is NOT intended to be an acceptable use policy template-there are plenty of those. Instead, we’ll explore how developing a customized AUP that is coherent, clear, compelling, and current can improve policy engagement and reduce risk.
AUPs are used to administer guidance, manage risk, and increase liability protection. The policy must foster an environment that permits employees the freedom to do their jobs while at the same time reducing the risk of data breaches, cyberattacks, and compliance violations.
All employees play an important role in maintaining a secure business environment. The AUP specifies their responsibilities and guides their behaviors in doing so. Most employees want guidance and will follow policies they feel are practical, relevant, and allow a reasonable amount of flexibility.
The AUP serves as the broadest level of IT security policy for your business.
Its scope should include:
All employees (paid and unpaid, full-time and part-time, technical and non-technical)
Your AUP should apply to all IT systems:
Mobile and IoT devices
Internet and Wi-Fi
It should also concern all handling of sensitive company information:
Proprietary information and trade secrets
Personally identifiable information
Where appropriate, the AUP should reference more comprehensive policies intended for specific purposes or audiences. This allows you to reinforce and expand the AUP while speaking to a general audience.
Also, by keeping the AUP high-level and separating out more specific policies, the document remains concise and more likely to be read in full. Shorter individual policies are also more manageable, simpler to update, and easier to direct at specific audiences.
AUPs are often disjointed and written with the misguided intention of covering every conceivable threat to systems and data. However, to create an effective AUP that is more than just the sum of its parts, you should focus only on likely events, tailor the policy to your industry, and ensure that all points are enforceable.
Don’t waste words on hypothetical or unlikely events; it dilutes the policy and bores the reader. Policies that are needlessly complicated and overly tedious are far less effective than those that are succinct, relevant, and to the point. A formal risk assessment can help to discern threats deserving of inclusion in the AUP.
Every business is different and has unique concerns that should be included in its AUP. For example, companies that process student loan applications must comply with the Family Educational Rights and Privacy Act (FERPA). These businesses must specify their regulated data in the AUP and define how it should and should not be handled.
Members of every department should be consulted during the policy’s development. This can identify gaps and answer questions before they are asked. As an added bonus, employees will be more willing to follow policies on which they’ve had input.
Without enforcement, an AUP won’t be taken seriously. Management must determine the appropriate consequences for violations and apply them consistently. The policy must also be approved by legal and human resources to ensure it is lawful and does not violate workers’ rights.
Remember: Less is more when it comes to an AUP. The more specific the policy, the easier it is to find ways around it. For example, if explaining the parameters of accessing the network with personal equipment, use terms such as device rather than listing specific equipment such as laptop or iPhone.
This will prevent technical loopholes such as users of tablets or Android phones claiming that the policy doesn’t apply to them. Thus, by using broad language, you are covering more detail.
Keep in mind that the policy must be developed so that its enforcement does not interfere with business goals. For example, the public relations team might require access to certain social media websites that have been prohibited by the policy. Make exceptions explicit or couch them in terms such as “unless expressly authorized.”
Clarity is key when writing an AUP. More than any other security policy, the AUP should be written for a general audience. Be sure to minimize jargon and explain all acronyms.
As for content, some rules speak for themselves. For instance, you don’t need to explain why employees shouldn’t access illegal websites or harass other employees through instant messages. Simply telling them not to do those things is sufficient.
But other rules define grey areas, relate to seemingly minor yet impactful behaviors, or refer to specific industry or regulatory concerns. Without context, these types of guidelines might appear arbitrary or less important than they actually are.
For example, some industries are targeted more often for certain types of attacks. In recent years, schools, hospitals, and restaurants have experienced sharp increases in phishing attacks known as W-2 scams.
When addressing this type of situation, you should strive to explain why employees should act in a particular manner, rather than simply telling them to do so.
Telling: Employees must not divulge sensitive information to third parties through email communication.
Explaining: Employees must guard against targeted phishing schemes that request sensitive information (e.g., tax forms) or actions (e.g., wire transfers) through deceptive emails that appear to be sent from a supervisor or some other familiar person. Confirm any unexpected email requests via secondary means (e.g., phone, in-person) and report all targeted phishing emails to security.
Use strong words such as must rather than should when writing policy. Also, avoid passive voice to lend rules more authority.
Weak and passive: Computing devices should be locked when left unattended.
Strong and active: Employees must lock computing devices when leaving them unattended.
Wording and construction should be consistent and balanced to prevent some rules from seeming more important than others.
Inconsistent and uneven: Users must avoid accessing violent or pornographic material. Employees shall refrain from visiting file sharing websites or downloading copyrighted material. The company prohibits employee participation in illegal online activity.
Consistent and balanced: Users are prohibited from using company resources for the following activities:
Accessing violent or pornographic material
Unauthorized downloading of copyrighted material
Participating in illegal online activity
No matter how hard you try to engage your employees by writing a clear and succinct policy, the AUP is going to be a dry read. To make it more interesting and strengthen its impact, incorporate game-based learning into the policy training.
This can be done by splitting a group into small teams, quizzing their policy knowledge, and rewarding correct answers with prizes. It’s also possible to include interactive learning applications that use mobile devices; some examples include Kahoot! or Plickers. You can also find new ways to increase training engagement by browsing GetApp’s learning management system (LMS) software catalog.
Training course creation in LMS software Absorb (Source)
Another option is to develop a supplemental user guide that applies AUP policies to specific situations that might be experienced by your employees. This added context can help make rules feel more tangible. A user guide can be created as a live presentation, interactive learning guide, comic book, or whatever form you feel works best for your group.
As technology shifts and threats evolve, so too must your AUP. References to obsolete technology-or lack of references to new technology-can undermine the policy. IT security policies should be reviewed annually or as circumstances dictate. Situations that might require immediately amending your AUP include:
New regulations affect your business (e.g., GDPR)
New technology is adopted
Employees begin working remotely
Operations begin overseas
Policy requires clarification after repeated violations
Provide an email address for questions or comments related to the AUP. Employees might have concerns that were not addressed in the policy or questions that have crept up since its creation. Keep note of these issues and use them to inform future iterations of the policy.
After the AUP has been distributed, employees must acknowledge its receipt and their understanding of the policy by signing it. The policy needs to be signed each time it is updated. This way, if the policy is breached, the signed record can help protect your company from liability and justify disciplinary action.
Though protecting your business from liability is a valuable result of an AUP, the primary goal of the policy should be to inform employees how to properly use systems and data.
By keeping your AUP coherent, clear, compelling, and current, you can prompt employees to be more conscientious about their security practices and avoid exposing your company to risk in the first place.
Note: The information contained in this article has been obtained from sources believed to be reliable. The applications selected are examples to show a feature in context and are not intended as endorsements or recommendations.