Defining how your IT resources may and may not be used is an essential part of ensuring your IT systems aren’t placed at undue risk. An acceptable use policy (AUP) establishes rules for using the company network and devices, and so reduces the inappropriate usage that could end up compromising your business.
However, AUPs are too often impenetrable documents stuffed with technical and legal language, which employees glance at once before consigning them to a drawer. These overwrought documents leave many employees prone to careless practices.
So, how do organisations develop an AUP that covers the most important aspects of usage while still being engaging to read? Here, we’ll explain some of the best practices that businesses can follow when creating an acceptable use policy for their employees.
- The key elements of an AUP
- The purpose of an AUP
- The scope of an AUP
- Tailoring an AUP policy to your industry
- How to enforce an acceptable use policy
- Reviewing an AUP policy
The key elements of an AUP
It’s recommended that every policy includes the following sections:
- Overview – a high-level description of the document’s purpose and takeaways.
- Definitions – clarifying any terms that employees may find confusing, and explaining technical words or phrases that are unique to your business.
- Scope – what the policy does and does not cover, as well as the scenarios and people it applies to.
- Policies – the main part of the document, with sections that cover use and behaviour.
- Enforcement – the consequences for failing to adhere to standards and how employees will be held accountable.
- Revisions and tracking – a schedule that details when the document should be revisited, with notes that track any changes and amendments.
The purpose of an AUP
AUPs are used to provide guidance, manage risk and increase liability protection. The finished document must allow employees to carry out their jobs while also reducing the risk of data breaches, cyberattacks and compliance violations.
As employees have a degree of responsibility in maintaining a secure business environment, the AUP should specify what is required of them and provide guidance on the behaviour you expect. If the policies featured within are practical, relevant and have a certain amount of flexibility, then employees will be more likely to follow them.
The scope of an AUP
As the AUP is the broadest IT security policy for your business, its scope should be suitably far-reaching. Your AUP should apply to the following people:
- All employees (paid and unpaid, full-time and part-time, technical and non-technical)
In terms of IT systems, your AUP should apply to the following:
- Computer hardware
- Mobile devices
- Software applications
- Internet and Wi-Fi
Sensitive company information, such as the following, should also be covered:
- Proprietary information and trade secrets
- Personally identifiable information
- Regulated data
Keep specific policies in separate documents; that way the AUP itself stays concise, increasing the likelihood of your employees reading it. Shorter individual policies tailored to specific teams, created in addition to your AUP, are more manageable and easier to update.
Tailoring an AUP policy to your industry
A lot of AUPs falter when they try to cover every conceivable threat to systems and data. Not only does this increase the length, but your employees are unlikely ever to get through it all.
Instead, focus on likely events, tailor the policy to industry-specific scenarios and ensure that every point is enforceable as a result. Anything hypothetical or unlikely can be removed from your policy; the aim is a streamlined and succinct document. Stay relevant, stay on topic and forgo anything that might over-complicate things.
Every business will have concerns that are unique to them; these are the things that should be included in their AUPs. Any business that deals with financial data, for example, needs to define how it should and should not be handled. Consult members of every department during the policy’s development; here you’ll be able to identify gaps and answer questions that can then be included in the document. Additionally, if employees have their input included, they’re more willing to follow the policies.
How to enforce an acceptable use policy
Without the appropriate enforcement, your employees won’t take the AUP seriously. What consequences for violations will be put in place and how will they be applied? At the same time, the policy must get HR and legal sign-off to ensure it’s not in violation of any workers’ rights.
Additionally, the policy must be developed in a way that its enforcement does not interfere with business goals. If certain teams need access to social media sites that are otherwise blocked by the policy, this will need to be addressed. Any exceptions should be made explicit using clear terms such as “unless expressly authorised”.
Here are a few other tips on enforcing your AUP policy.
Use clear, unambiguous language.
You want to minimise confusion and be as clear with your wording as possible when writing an AUP. Remove jargon and explain all acronyms; don’t forget that you’re writing for a general audience.
That said, not everything needs explaining; some things will speak for themselves. Visiting not-safe-for-work websites or behaving inappropriately on your business’s instant messaging platform requires little explanation as to why employees shouldn’t be doing it. Telling them not to engage in these activities will suffice.
However, some industry-specific aspects will need outlining and placing in context. In recent years, schools, hospitals and restaurants have experienced an increase in phishing attacks. The problems that relate specifically to your business will need thorough explanation, including how employees should act when they encounter them.
Your choice of language should reflect this specificity. Be sure you’re explaining, rather than simply telling your employees what to do. Take, for instance, the difference between the following:
- Telling: “Employees should not divulge sensitive information through email communication to any third parties”.
- Explaining: “Employees must guard against any targeted phishing schemes that request sensitive information (e.g. tax forms) or actions (e.g. wire transfers) through deceptive emails. Confirm any expected email requests via secondary means (e.g. phone, in person) and report all targeted phishing emails to security”.
Note the use of stronger modal verbs such as “must” as opposed to “should”.
Additionally, avoiding the passive voice in favour of the active voice gives a more emphatic, authoritative tone:
- Weak and passive: “Computers should be locked when unattended”.
- Strong and active: “Employees must lock computers when leaving them unattended”.
Keep an eye on how things look on the page. A digestible, more readable layout makes for easier understanding without making some points seem more important than others. You want a consistent and balanced layout that breaks up dense chunks of text. Aim for something like the following, for instance:
Employees are prohibited from using company resources for any of the following:
- Accessing violent and/or pornographic material
- Unauthorised downloading of copyrighted material
- Participating in illegal online activity
Reviewing an AUP policy
Before you publish your policy and make it available to your employees, you should review it with HR and legal teams to make sure it’s not in violation of any employment laws and workers’ rights.
When you do hand it out, it’s good to get feedback from both managers and employees at every level. Encourage them to point out anything that’s been left out and to suggest how certain policies could be improved. While protecting your company’s assets is important, it’s also important to make sure your team’s productivity is the best it can be. The last thing you want is for your AUP to stand in the way of someone being able to do their job.
Lastly, once your AUP has been reviewed, approved and distributed, have every staff member sign a copy of the document. If a policy is broken, you can then hold the offender accountable.
For more of the latest news, guides and features from the CDL team, click here to visit our blog. If you’d like to find out more about our IT disposal solutions, visit our homepage or call our team now on 0333 060 5623.