A good acceptable use policy protects an organisation from intentional or inadvertent breaches of information security.
For the acceptable use policy to be effective, it should be drawn up jointly by IT, human resources, legal, and security staff to ensure that it mitigates a company's risks as much as possible.
An acceptable use policy should deal with several key issues.
The acceptable use policy should attempt to limit the organisation's vicarious liability for something illegal on the organisation's network. This could be a breach of confidentiality, libel or illegal content. The acceptable use policy should state that breaching any law or contract is strictly forbidden. In order to prevent actions based on sexual or racial harassment, the policy needs to address the issue of offensive material.
The acceptable use policy should also deal with the issue of the distribution of intellectual property and confidential information.
The following elements should be included in a good acceptable use policy:
In the event of a security incident the organisation may need to rely on the acceptable use policy to dismiss an employee. To ensure that the policy can be relied upon in these circumstances the policy should comply with the following requirements:
To be effective, the acceptable use policy needs to be clearly communicated to staff. It should be included in the staff handbook and dealt with as part of the induction process. Ideally, staff should be asked to sign that they have read and understood the acceptable use policy.
Security Policies © C.Stone 1996 - 2011