Acceptable Use Policies

Employees should know how an organization's assets can be used. These policies should be documented in an acceptable use policy.


Learning Objectives

You should be able to:

  • Describe concerns that should be addressed in an acceptable use policy
  • Describe how training should reinforce the acceptable use policy

Acceptable Use Policies

Acceptable use policies are written documents that describe the appropriate use of an organization's computer systems. Many templates are available for free online and can serve as good starting points for developing an acceptable use policy. The SANS Institute has policies available here: https://www.sans.org/information-security-policy/. The following are key elements of acceptable use policies.

  • Description of the policy's purpose. This is a brief overview introducing the document.
  • Scope. Does the policy apply to employees, contractors, vendors, or others? What about guests?
  • Policies. Expected behaviors are listed in detail. Allowed and disallowed behaviors should be explicit.
    • What is allowed or required? Examples might include:
      • Labeling the sensitivity of information (such as proprietary or public use)
      • Using passwords that comply with company policy
      • Using caution when opening email attachments
    • What is forbidden? Examples might include:
      • Sharing passwords
      • Putting data on external storage
      • Intentionally causing service disruptions
      • Attempting to access unauthorized information
  • Compliance. Employees are expected to comply. The consequences of non-compliance should be clear.

Employees should be required to review the acceptable use policy as part of onboarding. Employees should be informed about any changes to the acceptable use policy. Regularly scheduled training should ensure that employees clearly understand what is expected of them.

Real Acceptable Use Policy

Review Northern Michigan University's Acceptable Use Policy.

  • What is the scope?
  • What is required of users?
  • What actions are forbidden?
  • What are the consequences of non-compliance?

Sample Case #1

Joe is an ACME employee. ACME's acceptable use policy says that employees should not download and run malicious email attachments. One day, Joe thought he got an email from an important client. The email said that Joe needed to adjust the client's project. Joe opened the attachment which contained malware. Joe's computer was infected and had to be destroyed. Later, Joe was visited by the information security chief and was told that he violated company policy by abusing email.

What should Joe's consequences be?

Sample Case #2

Beth works for ACME. ACME's acceptable use policy says that documents labeled "Proprietary" should not be shared outside of the company without express consent from the company president. Beth read a proprietary document that describes ACME's intention to buy land to build a warehouse. Beth thought the community would be happy about job creation in the region, so she emailed a copy of the document to the local newspaper. It turns out that the community was indeed pleased, and ACME was praised for its investment in the community. The information security chief confronted Beth about the leak, and Beth admitted that she gave the proprietary information to the newspaper.

Should Beth face consequences for leaking proprietary information?

Challenge: Create an Acceptable Use Policy

Use the SANS Institute's Acceptable Use Policy as a starting point.

Choose one of the following organizations and create an acceptable use policy for it.

  • A hospital
  • A K-12 school
  • A manufacturing company

Reflection

  • When is it okay to violate acceptable use policies?
  • What should penalties be for violating acceptable use policies?

Key Terms

  • Acceptable Use Policy (AUP): Organizational policy that describes the expected user behaviors and penalties for violations
  • Acceptable Use Policy Scope: The people to whom the acceptable use policy applies. The scope could include employees, vendors, guests, and others.
  • Acceptable Use Policy Policies: Expected behaviors are described. Policies could include password selection, use of social media, access reviews, and more.
  • Acceptable Use Policy Compliance: Expectations for compliance are explained. Consequences for violations of the policy are communicated.