What Is an Acceptable Use Policy?
By Haley Vicknair, Information Security Analyst, TraceSecurity
The human element is a significant source of risk to an organization's sensitive information. While data breaches can result from an accidental click on a phishing email or from sophisticated network exploitation, a frequently overlooked attack vector is employee misuse of company-owned network resources. One important way your organization can reduce the risk of improper technology use, and hold employees accountable when it occurs, is to document an acceptable use policy (AUP) and require all employees to sign it. An AUP defines the permitted and non-permitted uses of an organization's network equipment and resources. Below, we discuss why having an AUP is important and what you should include in your policy.
The Importance of an AUP
Clear Expectations and User Awareness
Defining the permitted and non-permitted uses of company devices and network resources reduces misunderstandings about what an end user can and cannot do on a company-owned device, on a personal device, or when connected to a company-owned network. This raises user awareness of secure practices in support of your information security program and makes clear which non-permitted uses could lead to disciplinary action. Setting these expectations educates personnel on safe use of network resources and safe handling of sensitive company information, deters potentially malicious or unlawful activity, and can even improve productivity in your environment.
Reduced Security Threats
By setting secure boundaries on your technology resources, you reduce the chance of both accidental and intentional security incidents. Activities such as password sharing, unauthorized use of sensitive information, unsafe internet browsing, or connecting company laptops to public Wi-Fi without a VPN significantly increase the likelihood of a security breach. Human error can never be eliminated entirely, but the AUP ensures that users understand their role in protecting the organization's systems and data, making them a proactive part of the overall security posture.
Legal and Regulatory Compliance
Regulatory bodies may require that an AUP be in place for an organization's operations. By implementing a clearly defined policy, the organization demonstrates due diligence to applicable regulators and adherence to regulations, standards, and frameworks such as HIPAA, PCI DSS, FFIEC guidance, NIST standards, and others. Additionally, requiring employees to sign an acknowledgement binds them to the terms of use and provides documented evidence in any disciplinary or legal dispute arising from a violation of the policy.
What to Include Within Your AUP
Organizations should collaborate with the appropriate internal personnel to create their AUP, typically HR, legal/compliance, and IT. While the following list is not comprehensive, these elements are a key part of any AUP:
Purpose Statement
Define why the AUP exists and the overall goal of the policies and standards it sets out for your organization's personnel.
Scope
State who the policy applies to and which systems, devices, networks, and data are covered by the agreement.
Acceptable Use of Systems and Resources
Specify the permitted use of equipment, network resources, data handling, communication methods, remote work arrangements, and BYOD standards. This ensures that end users clearly understand how to be active participants in your organization's information security program and contribute to a positive company culture overall.
Prohibited Activities
Specify the activities that are not allowed, which might include bypassing security controls, downloading unapproved software, inappropriate use of the internet, sharing credentials, or using company resources for personal gain.
Disciplinary Action
Defining acceptable and non-acceptable use sets the expectation that personnel will not intentionally misuse systems and resources in ways that could cause reputational or regulatory damage to your company. Failure to abide by the policy should result in remedial or disciplinary action, which may include additional training, removal of specific access, or even termination.
Employee Acknowledgement and Signature
Whether you create a separate document or include the AUP in your employee handbook, all employees should be required to review and acknowledge the policy. By having employees sign the document, the organization binds each employee to the expectations set within it, and the signed acknowledgement should be retained as a record.
An acceptable use policy plays a vital role in an organization's overall information security program. Setting clear expectations for your personnel promotes user awareness and helps maintain the confidentiality and integrity of your systems and information. By ensuring employees sign the agreement, your organization fosters a culture of accountability and gains assurance that users are actively engaged in your security program.
Connect with TraceSecurity to learn more.