28 January 2020
An acceptable use policy (AUP) is a document stipulating constraints and practices that a user must agree to for access to a corporate network or the Internet. Many businesses and educational facilities require that employees or students sign an acceptable use policy before being granted a network ID.
An Acceptable Use Policy is an important document that can demonstrate due diligence with regard to the security of your IT network and the protection of sensitive data in the event of a breach or regulatory audit. Importantly, this also helps protect the organisation from legal action.
Sometimes referred to as an Internet Usage and E-mail Policy or an Acceptable IT Use Policy, an AUP provides statements as to what behaviour is acceptable from users who work in, or are connected to, a network.
Surveys across the IT and IT security sector, such as those from the SANS Institute and from vendors reporting on the threat landscape, help provide additional perspective on why an Acceptable Use Policy is critical for your organisation. Many of these studies reveal an increase in the loss of business data records over the past 3 years. The most common entry point for threats into a network? End user actions.
The tension between productivity, protection and privacy can make mobile device security a difficult topic to address. Users are now more comfortable blurring the lines between personal and work use of their personal mobile devices, without always thinking about the implications. Most employees do not want to be the cause of a network breach or data loss, yet one in five will do so, either through malware or a malicious WiFi network. All it takes is one infection on one device to impact both corporate and personal data and networks.
We find that many organisations in the life-science / biotech sector have either a basic AUP or none at all. Depending on the type of data that passes through or is stored on your network, and on who or what has access to that network, being lax on this is a recipe for disaster. An Acceptable Use Policy that is not enforced with appropriate systems, and that relies on the end user alone to "do the right thing", affords little protection.
Creating an effective AUP begins by collaborating with relevant stakeholders from human resources, finance, legal, IT, and security. The questions below can provide a good starting point when creating your policy:
As you create your AUP be sure to:
A signed copy of the policy should be included in each employee file, backed up with your vital records and included in your business continuity plan.
If you need more info or would like your existing Acceptable Use Policies reviewed, please contact Exigence on 03-9568-5437 or services@exigence.com.au
Sources: SANS Institute, ASD, Exigence, Pivotal, Australian Cyber Security Centre, Techtarget