
Developing An Acceptable Use Policy Employees Will Actually Read

Mar 2, 2021

Inappropriate use of IT systems brings risk to your organization. You must develop an acceptable use policy (AUP) that informs and engages. Here's how to do it.

Zach Capers and Rupal Bhandari

Last year, data security concerns increased for 86% of businesses. This increase particularly puts small and midsize businesses at risk because they are an easy target for cybercriminals. Also, the impact of a cyberattack can be devastating for a small business if its operations are disrupted; and the business could take a long time to recover—or worse, never recover at all.

One of the leading causes of cyberattacks? Employee negligence. A single negligent employee can be the weak link in a business’s IT infrastructure, network resources, and information systems. This can lead to various types of security breaches and cybersecurity issues such as data and network access breaches, malware and phishing attacks, denial-of-service attacks, and eavesdropping attacks.

That’s why you should develop an acceptable use policy (AUP) that defines the ways your business's computer resources may and may not be used by your employees. In this article, we’ll discuss how developing a coherent, clear, compelling, and current AUP can improve policy engagement and reduce risk.

This article is NOT intended to be an acceptable use policy template. Such resources can be found here and here.

Purpose and scope of AUP

An AUP serves as the broadest level of IT security policy for your business. It is used to administer guidance, manage risks, and increase liability protection for your information resource. The policy fosters an environment that gives employees the freedom to do their jobs while reducing the risk of a data breach or unauthorized access due to end-user negligence.

All employees play an important role in maintaining a secure business environment. The AUP specifies their responsibilities and guides their behaviors in doing so. Most employees want guidance and will follow policies they feel are practical, relevant, and allow a reasonable amount of flexibility.

The AUP defines the security measures for all your IT systems, including computer hardware, mobile and IoT devices, software applications, and internet and Wi-Fi usage. The AUP’s scope should include:

  • All authorized users (paid and unpaid employees, full-time and part-time employees, technical and non-technical employees)

  • Vendors

  • Contractors

The AUP should also cover all handling of sensitive company information, such as:

  • Proprietary information, intellectual property, and trade secrets

  • Personally identifiable information

  • Regulated data

Where appropriate, the AUP should only reference more comprehensive policies intended for specific purposes or audiences; the AUP itself should not try to be a comprehensive guide on a specific topic or target a certain section/department. This allows you to reinforce and expand the AUP while speaking to a general audience.

Also, by keeping the AUP high-level and separating more specific policies, the document remains concise and more likely to be read in full. Shorter AUP documents are also more manageable and simpler to update.

Making sure AUP is readable

AUPs are usually lengthy documents full of heavy language and technical terminology. This means they make for very dry reading, and employees usually don’t fully understand or retain them, increasing the chances of an unknowing violation. But AUPs can be made a lot more understandable with these four Cs.

[Figure: The 4 Cs of an employee-friendly AUP]

1. Keep the policy coherent

AUPs are often disjointed and written with the misguided intention of covering every conceivable threat to systems and data. However, to create an effective AUP that is more than just the sum of its parts, you should focus only on likely events, tailor the policy to your industry, and ensure all points are enforceable.

Don’t waste words on hypothetical or unlikely events. Instead, focus on everyday occurrences such as what employees are allowed to browse on the internet, what social media usage is permitted, or how employees can use personal phones for work. Gartner also recommends keeping the policy to six pages at max (full research available to Gartner clients only).

Don’t make the policy too specific, because that creates scope for loopholes. For instance, when explaining the parameters of accessing the network with personal equipment, use the term device rather than listing specific equipment such as laptop or iPhone. This prevents technical loopholes such as tablet or Android phone users claiming the policy doesn’t apply to them. Thus, broad language actually covers more ground than a list of specifics.

Also, don’t forget to tailor the policy to your industry. For example, companies that process student loan applications must comply with the Family Educational Rights and Privacy Act (FERPA). Hence, these companies must specify their regulated data in the AUP and define how it should and should not be handled.

2. Keep the policy clear

Clarity is key when writing an AUP. More than any other security policy, the AUP should be written for a general audience. Be sure to minimize jargon and explain all abbreviations/acronyms.

Not every rule needs a justification. For instance, you don’t need to explain why employees shouldn’t access illegal websites, electronic resources, or pornography. You also don't need to explain why they shouldn't be doing any illegal activity with the business's computer resources, or why they shouldn't harass other employees through instant messages.

But other rules in the AUP define grey areas, relate to seemingly minor yet impactful behaviors, or refer to specific industry or regulatory concerns. Without context, these types of guidelines might appear arbitrary or less important than they actually are. When addressing this type of situation, you should strive to explain why employees should act in a particular manner, rather than simply telling them to do so.

Here are some examples of the kinds of sentences that can be considered unclear in an AUP, and what to use instead:

| Unclear AUP sentences | Clear AUP sentences | Lesson |
| --- | --- | --- |
| Employees must not divulge sensitive information to third parties through email communication. | Employees must guard against targeted phishing schemes that request sensitive information (e.g., tax forms) or actions (e.g., wire transfers) through deceptive emails that appear to be sent from a supervisor or some other familiar person. | Don’t just tell. Explain. |
| Computing devices should be locked when left unattended. | Employees must lock computing resources and devices when leaving them unattended. | Don’t use weak and passive language. Make it strong and active. |
| Users must avoid accessing violent or pornographic material. Employees shall refrain from visiting file-sharing websites or downloading copyrighted material. | Users are prohibited from using company resources for activities such as accessing pornography and violent material, or unauthorized downloading of copyrighted material. | Don’t use inconsistent language. Use consistent wording and balanced language. |

3. Keep the policy compelling

To make the AUP interesting and strengthen its impact, incorporate game-based learning into the policy training.

This can be done by splitting a group into small teams, quizzing their policy knowledge, and rewarding correct answers with prizes. It’s also possible to include interactive learning applications such as Kahoot! that use mobile devices.

Another way to get the AUP across to your employees is to use a learning management system to create bite-size modules. This will help you track which modules your employees have covered and what their engagement rate has been. You can also create mini assignments at the end of each module to check retention.

You can also consider making a succinct video of the AUP as IBM did.

Via a video, you can clearly convey the importance of following the AUP as well as all the essential steps required of employees. This video can be used as an add-on to the policy document. 

4. Keep the policy current

As technology shifts and threats evolve, so too must your AUP. References to obsolete technology or lack of references to new technology will undermine the policy.

IT security policies should be reviewed annually or as circumstances dictate. Situations that might require immediate amendments to your AUP include:

  • New regulations affecting your business (e.g., GDPR)

  • New technology being adopted

  • Employees beginning to work remotely

  • Operations beginning overseas

  • The policy requiring clarification after repeated violations

Provide an email address for questions or comments related to the AUP. Employees might have concerns that were not addressed in the policy or questions that have crept up since its creation. Keep note of these issues and use them to inform future iterations of the policy.

After the AUP has been distributed, employees must acknowledge its receipt and their understanding of the policy by signing it. The policy needs to be signed each time it is updated. This way, if the policy is breached, the signed record can help protect your company from liability and justify disciplinary action.

Next steps

The AUP represents a critical component of a business’s information security and risk management program. Though protecting your business from liability is a valuable result of an AUP, the primary goal of the policy should be to inform employees how to properly use systems and data.

Once you have started creating the AUP for your business, Gartner recommends the following best practices (full report available to Gartner clients only):

  • Design a phased policy-publishing schedule that will allow users to adapt slowly over time—especially when policies result in significant changes to business activities.

  • Isolate policy statements, standards, and processes into separate documents.

  • Be clear about who is accountable for following a policy element and verifying compliance.

Ready to take the next step in developing an effective AUP? Visit our policy management software catalog.

Note:

The applications selected in this article are examples to show a feature in context and are not intended as endorsements or recommendations. They have been obtained from sources believed to be reliable at the time of publication.

About the author

Zach Capers

Sr Specialist Analyst
Zach Capers is a senior analyst at GetApp, covering IT security, data privacy, and emerging technology trends. A former internal investigator for a Fortune 50 company and researcher for the Association of Certified Fraud Examiners (ACFE), his work has been featured in publications such as Forbes, Business Insider, and Journal of Accountancy.
About the author

Rupal Bhandari

Content Writer
I’m Rupal, a Content Writer at GetApp. I bring you insights about digital marketing, sales, and customer engagement. I have an MA in English Literature from the University of Delhi, India and have been creating thought-leadership content for leading technology products and companies for over five years. I live in Gurgaon, India, and I love dogs and trying my hand at new recipes. The tech trends I think you should keep an eye on: use of AI in marketing, personalization, and chat bots.