SECURITY POLICY - DEVELOPING AN ACCEPTABLE USE POLICY
A good acceptable use policy protects an organisation from intentional or inadvertent breaches of information security.
For the acceptable use policy to be effective it should be drawn up jointly by IT, human resources, legal, and security staff, so that it mitigates the company's risks as fully as possible.
An acceptable use policy should deal with several key issues.
The acceptable use policy should attempt to limit the organisation's vicarious liability for illegal activity on the organisation's network. This could include a breach of confidentiality, libel, or illegal content. The policy should state that breaching any law or contract is strictly forbidden. To reduce exposure to claims of sexual or racial harassment, the policy must also address offensive material.
The acceptable use policy should also deal with the distribution of intellectual property and confidential information.
The following elements should be included in a good acceptable use policy:
- Prohibit pornography at any time,
- Advise employees to protect their privacy by deleting personal emails,
- Restrict the storage of emails and require the archiving of important messages,
- State that an employee's personal emails will not be opened unless the organisation is dealing with a specific complaint,
- Ideally, restrict the use of the organisation's facilities to business use only,
- Inform employees that the organisation reserves the right to monitor email and Internet communications,
- Give employees the chance to explain their conduct.
In the event of a security incident the organisation may need to rely on the acceptable use policy to dismiss an employee. For the policy to be relied upon in these circumstances it should meet the following requirements:
- It is in writing
- It is clearly communicated to all employees
- It sets out the permissible uses of both email and the Internet
- It specifies inappropriate uses of both email and the Internet
- It defines acceptable online behaviour
- It sets out privacy rules
- It states what monitoring will take place
- It stipulates the possible disciplinary consequences for breaching the policy
To be effective the acceptable use policy needs to be clearly communicated to staff. It should be included in the staff handbook and covered as part of the induction process. Ideally, staff should be asked to sign a statement that they have read and understood the acceptable use policy.