How to write an Acceptable Use Policy (AUP)

The World’s #1 Web & E-mail Filtering Company

Uploaded 11-Apr-2015


Contents

Misuse of the Internet - The Issues
Building an Acceptable Use Policy (AUP)
Example Acceptable Use Policy
Informing and Educating Users
Installing Appropriate Technology
Maintaining the Policy
Helpful Resources

Misuse of the Internet - The Issues

> 70% of Internet porn traffic occurs between the hours of 9am and 5pm. (Businessweek.com)

> 32.6% of workers surf the Internet with no specific objective; men are twice as likely to do this as women. (emarketer.com)

> 30% to 40% of employees’ Internet activity is not business related and costs employers millions of dollars in lost productivity. (IDC research)

> Men are 20 times more likely to download pornography; employees earning $75K to $100K annually are more than twice as likely to download pornography as those making less than $35K. (emarketer.com)

> 1 in 5 men and 1 in 8 women admitted to using their work computers as their primary lifeline to access sexually explicit materials online. (MSNBC)

> During work hours, 9% of employees earning under $35k surf the net for a new job, while 11% of employees earning $75k-$100k do the same. (Greenfield Online)

> Cyber-skiving accounts for 30% to 40% of lost worker productivity. (Businessweek.com)

Business has everything to gain from going onto the Web: new customers, more efficient administration, closer ties with business partners, access to infinite information sources, and keeping in touch with mobile employees. But the Web provides employees with the temptation to spend their time and use the resources for non-business ends. Controlling Internet usage is only one aspect of the e-business security issue, but it is one that is important to all businesses. The typical issues raised by casual surfing on the Internet are as follows:

Employee productivity
The information and resources available through the Internet can help employees to be more productive and effective. From vital online market information to last night's sports scores, games or chat rooms, you can get there with just a click. How many hours of lost productivity can your company afford?

Network resources
Combine recreational surfing with bandwidth-intensive activities such as streaming audio and video, MP3 downloads and image downloads, and you have a significant impact on your network performance that impedes business traffic.

Security
Unless you're careful, opening the door to the Internet also opens your company's door to the potential security breaches inherent in the cyber world. Network security issues become even more acute when the enterprise is linked to the global public network. Employees can use the Internet to send sensitive company information outside the organisation, or to download material that may carry viruses or other malicious code.

Legal liability
Letting employees surf anywhere on the Internet can lead them to stray to clearly inappropriate sites, sexually explicit sites and those promoting violence and hate speech. This kind of activity can lead to lawsuits, harassment charges and even criminal prosecution. Protect your employees and your company by promoting responsible Internet use.

Adverse publicity
Several major international companies have already been forced to dismiss employees who were found guilty of accessing illegal and offensive material through the Internet. Adverse publicity can clearly be very damaging.

“The Internet is remaking business… but it’s also the greatest way to waste time that the human race has ever invented.” (The Wall Street Journal)

Examples of adverse publicity:

“30 SACKED FOR INTERNET PORN” … fires staff who exchanged sex site images. (Evening Standard)

“SMUTTY COPS CRASH THEIR PCs” The top brass are extremely embarrassed about the computers crashing because it was obvious to the technicians what had been going on. (The Sun)

“NET PORN ALERT AT WORK” … sacking of three Downing Street workers for downloading hardcore images … (The Observer)

Every employee using Internet resources should have a clear understanding of the legal issues involved. These include:

Sexual harassment as a result of bringing objectionable or sexually explicit material into the workplace. If an employee downloads objectionable materials - pornography, for example - and another employee sees it, your company could be liable. Even worse, if a user downloads materials that are illegal, your company might face criminal charges.

Copyright infringement can happen unintentionally. An employee downloads and uses a software program, a photograph or a proprietary document in all innocence, thinking that, because it's available on the Web, it's "free". It's not!

Misrepresentation can also occur unintentionally, particularly through the use of e-mail. Employees should know, and should make it clear to the people with whom they communicate, that opinions expressed via e-mail and other electronic media are their own, not the company's.

ILLEGAL NET TRAFFIC PUTS USERS IN THE DOCK

IT managers could face prosecution if their corporate networks are used to carry illegal material from the Internet. “The law on online information is the same as offline,” said Philip Virgo from the Institute for the Management of Information Systems. “Therefore, IT managers, as well as local general managers with service providers, face jail if their networks are used to put illegal material over the Net. The Internet’s operation is subject to national law that can be very strict.” Virgo said it was important for IT managers to take reasonable precautions, so in the event of a problem they could say they had tried to prevent misuse of their systems. (Computer Weekly)

Business impact
In the 2000 Information Security Industry Survey sponsored by ICSNet and Global Integrity, 63% of respondents experienced examples of their employees using the company computing resources for illegal or illicit communications or activities, including porn surfing and e-mail harassment.

Although 41% of respondents experiencing misuse of company computing resources did not think that the business suffered any knock-on impact, a substantial percentage did relate the behaviour to damage to the business, as shown in the chart below. (Some respondents identified multiple types of consequences.) It should be noted that this survey does not include the important, but hard to measure, effect on productivity and staff motivation.

IMPACT OF ILLICIT EMPLOYEE ACTIVITY

18% Lost business to competitors
12% Temporary loss of website
8% Corruption of information
5% Disclosure of information
5% Temporary loss of Internet access
3% Theft of information or service
1% Public harassment or bad PR
48% Other

Solutions
Businesses should be alert to some of the pitfalls amid all the business potential of the Internet. The good news is that most, if not all, of these pitfalls can be avoided by developing and implementing an effective company Acceptable Use Policy, and through the use of proven access control technology.

Controlling access to the Internet is no different to managing other resources like the phone, fax and mobile phone: it is a management issue. There are four stages to ensuring that Internet access is business access:

1. Building an Acceptable Use Policy (AUP)
2. Informing and educating the users
3. Installing appropriate technology to filter and monitor usage
4. Maintaining the policy

Building an Acceptable Use Policy (AUP)

The goals of an AUP are:

To clarify the company's policy regarding use of the Internet
To shield the organisation against potential liability
To avoid security threats by promoting awareness and good practice
To encourage effective and positive use of the resources

The following are some things to consider when building an AUP:

1. Make it a team effort
Setting corporate limits on Internet use can be an emotionally charged subject, linked as it is to issues of personal privacy and individual responsibility. For that reason, it's prudent to avoid any hint of "top-down" policy making.

Rather, it will be better if both the articulation of the business needs for an AUP, and the policy itself, are developed by representatives from every part of the business: senior management, information technology, business unit managers, human resources, legal and interested user groups.

Keep in mind that Internet access need not be "all or nothing". You can restrict certain services, type of access, time of day, length of connection, etc. exactly as you can for internal network connections. It helps to think of Internet access as a privilege, rather than an inalienable right (although some users are sure to argue otherwise). Encouragement and leadership are more likely to succeed than a policy based on prohibition, but sometimes both are needed in unison.

2. Make it clear
The policy should start by specifying the general principles governing Internet use by employees, both in the course of their business and in other activities. This should be followed by clear conditions of use for individual services. Finally, employees need to understand what the consequences are for non-compliance.

Employees also need to know whether the organisation routinely monitors Internet or e-mail usage and what the consequences are for a breach of the code of conduct. A clear statement of policy is a strong defence against prosecution. You may also wish to seek legal advice to clarify what levels of monitoring are acceptable and legal in the workplace. Some information regarding the legal issues is provided later on in this guide.

"The separation of creation and implementation of the policy is a recipe for disaster." (Gartner Group, Strategic Analysis Report)

3. How much personal use of the Internet is acceptable?
Your policy should be quite explicit about the level of personal surfing that is acceptable. Some organisations, especially those whose business places a premium on creativity, might even encourage employees to roam cyberspace as part of their jobs. Some may choose to limit Internet activity to strictly work-related sites and activities. Others may look for the "happy medium".

4. What about out of hours activity?
Depending on the type and cost of your physical connection, you may decide to allow, and even encourage, appropriate personal use of Internet resources during non-work hours. And you may or may not choose to place restrictions on the content, types of sites visited and specific activities.

But remember, even during off-hours, the sites your employees visit reflect directly on your company's image. (Any well-equipped Webmaster can determine with a reasonably high degree of accuracy where traffic is coming from: the site's server logs record the source address of every request, and a reverse lookup on that address ties it to your company's network.) Nor does off-hours usage lessen the company's legal responsibility regarding sexual harassment, misrepresentation and other issues.

5. Some things are better not shared
Now that it's possible to send an e-mail to hundreds of people at the touch of an enter key, you'll want to remind employees at all levels about the importance of protecting valuable company information. Business plans, marketing strategies, sales results, economic projections - any and all of these can be sent literally anywhere with a keystroke. Obviously, some things simply shouldn't be shared. And without encryption, employees have to realise that nothing on the public network is private.

HOW DO COMPANIES LIMIT PERSONAL INTERNET USE?

36% All non-work use prohibited
28% Limited use after business hours
17% Unrestricted personal use any time
13% Limited personal use any time
4% No policy
2% Unrestricted use after work hours

6. Covering your assets
In general, employers can be held liable for employee actions. Because e-mail is a ‘written record’, it exists as evidence, even after it is believed to have been deleted! Every employee using Internet resources should have a clear understanding of the legal issues involved. These include sexual/racial harassment, libel, copyright infringement, breach of confidence, negligent misstatement, publication of obscene material, data protection, negligent virus transmission, inadvertent formation of contracts, and the Computer Misuse Act or similar legislation.

In all of these cases the key is to have a clear and effective policy that is communicated to all staff. You can never guarantee to prevent exposure to legal charges, but the onus is on the employer to demonstrate reasonable care in preventing such incidents.

7. Make security part of everybody's job description
Even the most secure firewall can be compromised by an employee's accidental disclosure of a password or, to a determined hacker, even of an internal IP address. The sad truth is that far more security problems are caused by carelessness and inattention than by malicious hacking.

Also keep in mind that even the best-intentioned employee can inadvertently bring a network down with a virus retrieved from "off the Net". If you plan to use any type of virus scanning software - and you should - your users should know that their e-mail and outside connections will be scanned as a normal part of network security. On the same subject, it's especially important to hammer home to all users that directly connecting a modem to an outside line is a breach of security far more serious than leaving all the doors unlocked at night: it creates a path into the network that bypasses the firewall and every control behind it.

8. Taking responsibility
Be sure to clearly spell out who is covered by this AUP, whether it is some or all of your employees. If you intend the policy to cover all employees, say so.

Whether the people responsible for enforcing your AUP are in Human Resources or in MIS, be sure that a responsible group or person is appointed and is fully aware of this responsibility. Extend your policy beyond initial guidelines. Develop a process for handling offences within your organisation; for example, what to do in the case of a 1st offence, 2nd offence, 3rd offence, etc. Clearly outline the consequences of non-conformance with your official AUP.

It goes without saying that full management support - all the way to the top of the organisation - is essential to implementing a successful AUP. Do whatever it takes to educate senior management on the finer points of your policy. Make sure they set a good example and that you advertise Senior Management’s endorsement of the policy.

27% of Fortune 500 companies have battled harassment claims stemming from employee misuse of email and Internet systems.

9. Enforce it
The AUP should become part of your organisation's overall policy manual. As with other company policies, you'll want to make sure it's readily available, widely disseminated and clearly understood by all. In fact, many organisations require that employees sign the AUP document as a condition of receiving Internet access privileges.

10. Public policy vs. technical details
As well as working on the principles of the policy, it is important to work out the technical details in line with your current network security for groups and users. Building a policy is like setting up a customs house: you decide what information types you want to allow into the company network and who can access those different types. Think about the file types you are going to allow through, the maximum size of files as well as where they are allowed to come from. Draw up a table to make this clear and apply your rules and exceptions to the users and groups on your network.

WHAT SHOULD CROSS YOUR BORDER?

Image files: bmp, dwg, dxf, fli, gif, pcx, psp, png, tif, etc.
Movie files: avi, mpg, qtm, rt, etc.
Compressed files: arj, cab, cmp, gzip, lzh, tar, rar, zip, etc.
Executable files: dll, exe, com, etc.
Document files: doc, etc.

This will need to be worked out in conjunction with managers and user representatives. It is not necessary to publish all of the details as long as you have the cooperation and agreement from all departments and you agree to review your policy regularly so that it falls in line with changing user requirements.

11. Example e-mail disclaimer
In light of numerous recent litigations you should also consider a disclaimer to be attached at the end of e-mails. An example disclaimer could be:

Example Acceptable Use Policy

This Acceptable Use Policy (AUP) applies to all staff of this company and to those others offered access to company resources.

General Principles

Use of the Internet by company employees is permitted and encouraged where such use is suitable for business purposes and supports the goals and objectives of the company and its business units. The Internet is to be used in a manner that is consistent with the company’s standards of business conduct and as part of the normal execution of an employee’s job responsibilities.

Corporate e-mail accounts, Internet IDs and web pages should not be used for anything other than corporate-sanctioned communications.

Use of Internet/intranet and e-mail may be subject to monitoring for security and/or network management reasons. Users may also be subject to limitations on their use of such resources.

The distribution of any information through the Internet, computer-based services, e-mail, and messaging systems is subject to the scrutiny of the company. The company reserves the right to determine the suitability of this information.

The use of computing resources is subject to UK law and any illegal use will be dealt with appropriately.

Users shall not:

Internet

Visit Internet sites that contain obscene, hateful or other objectionable materials.

Make or post indecent remarks, proposals, or materials on the Internet.

E-mail

Solicit e-mails that are unrelated to business activities or for personal gain.

Send or receive any material that is obscene or defamatory or which is intended to annoy, harass or intimidate another person.

Represent personal opinions as those of the company.

Confidentiality

Upload, download, or otherwise transmit commercial software or any copyrighted materials belonging to parties outside of the company, or the company itself.

Reveal or publicise confidential or proprietary information which includes, but is not limited to: financial information, new business and product ideas, marketing strategies and plans, databases and the information contained therein, customer lists, technical product information, computer software source codes, computer/network access codes, and business relationships.

Send confidential e-mails without suitable encryption.

Security

Download any software or electronic files without implementing virus protection measures that have been approved by the company.

Intentionally interfere with the normal operation of the network, including the propagation of computer viruses and sustained high volume network traffic that substantially hinders others in their use of the network.

Examine, change, or use another person's files, output, or user name for which they do not have explicit authorisation.

General

Perform any other inappropriate uses identified by the network administrator.

Waste time on non-company business.

Protect your reputation and career

Follow your organisation’s Internet AUP, or risk disciplinary action and termination of employment. The company also retains the right to report any illegal violations to the appropriate authorities.

Informing and Educating Users

Start as you mean to go on
Training should be considered a prerequisite for Internet access, not only in the mechanics of using e-mail and browsers, but in the ethical, legal and security aspects associated with participation in a global public network.

Bad habits die hard
Employees often come with bad Internet habits from college, previous employers or home Internet use. It is therefore vital that everyone understands how the company expects its employees to act over the Internet. This requires continuous training until the culture and expectations within the company change.

Regular updates
You may also want to consider regular company-wide e-mails to remind employees of particular aspects of the policy. Being aware of viruses and how to protect yourself is a key area, but don’t forsake other aspects of the policy that may seem less important but could nevertheless cost the company dearly if unheeded.

Inform
In a PC World Online survey, most respondents agree that their employer has the right to monitor how they use the Internet connection at work - provided they know if the boss is peering over their virtual shoulder. You get a better response from users if you inform them of what you are doing.

MY EMPLOYER HAS THE RIGHT TO MONITOR...

66% Agree
27% Disagree
7% Not sure

...BUT I SHOULD BE INFORMED FIRST.

94% Agree
4% Disagree
2% Not sure

(PC World Online Survey)

Installing Appropriate Technology

Don't let technology dictate your AUP - develop policy first and then find the right technology to meet your needs. Just about anything you need to do to implement a workable AUP can be accomplished with existing technology. In fact, you'll probably find that there are several ways to get the job done.

Flexible monitoring
Your filtering software should enable you to implement any AUP you choose. Don’t write your policy around the constraints of limited tools and what they enable you to do. Select one with the flexibility to help you enforce ‘your’ policy - whatever it is.

You should be able to implement varying levels of filtering restrictions depending on the day of the week or the time of day: for example, it could be more stringent between 8am and 6pm, and more lenient after 6pm and on weekends. You’ll want to look for software that also lets you configure access by user and group; for example, you may want to give top management more access than others, or you may want to set up different levels of filtering for one department compared to another, due to specific job needs.
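The rule table that item 10 of "Building an AUP" asks you to draw up (file types, size ceilings, permitted sources, per group) and the time-of-day and per-group levels described just above are the same mechanism: an ordered list of rules, evaluated until one matches. The following is an added example, not code from this guide or from any filtering product, showing how such a table is evaluated. The policy rows, the group names ("it", "sales"), the host patterns, and the business-hours window (Monday to Friday, 08:00 to 18:00) are assumptions made for the example; a request that matches no rule is blocked, following the guide's "customs house" principle that nothing crosses the border unless the policy admits it.

```python
"""Rule-table evaluator for an Internet AUP.

Added example, not code from the original guide. The policy table, the group
names and the business-hours window are assumptions. Rules are tried in order
and the first matching rule decides; a request matching no rule is blocked.
"""
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch
from typing import Optional, Sequence, Tuple
from urllib.parse import urlsplit

ANY = ("*",)
MB = 1024 * 1024


@dataclass(frozen=True)
class Request:
    user: str
    group: str          # directory group of the requester, e.g. "it" or "sales"
    url: str
    size_bytes: int     # size reported by the server (Content-Length)
    when: datetime      # local time the request was made


@dataclass(frozen=True)
class Rule:
    name: str
    groups: Tuple[str, ...]             # ANY, or the groups the rule covers
    extensions: Tuple[str, ...]         # ANY, or lower-case extensions without the dot
    action: str                         # "allow", "monitor" (allow but report) or "block"
    sources: Tuple[str, ...] = ANY      # fnmatch patterns on the host name
    max_bytes: Optional[int] = None     # size ceiling; larger files are blocked
    hours: str = "any"                  # "any", "business" or "off"


@dataclass(frozen=True)
class Decision:
    action: str
    rule: str           # name of the rule that decided, for the report


def host_and_extension(url: str) -> Tuple[str, str]:
    """Return (host, extension) for a URL; the extension is '' when absent."""
    parts = urlsplit(url)
    last_segment = parts.path.rsplit("/", 1)[-1]
    ext = last_segment.rsplit(".", 1)[1].lower() if "." in last_segment else ""
    return (parts.hostname or "").lower(), ext


def is_business_hours(when: datetime) -> bool:
    """Monday to Friday, from 08:00 up to but not including 18:00 (assumed window)."""
    return when.weekday() < 5 and 8 <= when.hour < 18


def evaluate(req: Request, rules: Sequence[Rule], default: str = "block") -> Decision:
    """Apply the first matching rule; fall back to `default` when none matches."""
    host, ext = host_and_extension(req.url)
    business = is_business_hours(req.when)
    for rule in rules:
        if rule.groups != ANY and req.group not in rule.groups:
            continue
        if rule.extensions != ANY and ext not in rule.extensions:
            continue
        if not any(fnmatch(host, pattern) for pattern in rule.sources):
            continue
        if rule.hours == "business" and not business:
            continue
        if rule.hours == "off" and business:
            continue
        # The rule applies. An oversized file is blocked even by an allow rule,
        # so a later, looser rule cannot be reached by exceeding the ceiling.
        if rule.max_bytes is not None and req.size_bytes > rule.max_bytes:
            return Decision("block", f"{rule.name} (over size limit)")
        return Decision(rule.action, rule.name)
    return Decision(default, "no matching rule")


# Constructed policy table, in evaluation order: specific rules first, then
# general ones. Anything not listed is blocked by the default.
POLICY = [
    Rule("it-vendor-installers", ("it",), ("exe", "dll", "com", "msi"), "allow",
         sources=("*.vendor.example",), max_bytes=200 * MB),
    Rule("executables-elsewhere", ANY, ("exe", "dll", "com", "msi"), "block"),
    Rule("office-documents", ANY, ("doc", "xls", "pdf", "txt"), "allow", max_bytes=10 * MB),
    Rule("archives", ANY, ("zip", "gzip", "tar", "rar"), "allow", max_bytes=10 * MB),
    Rule("images", ANY, ("gif", "png", "jpg", "bmp", "tif"), "allow", max_bytes=2 * MB),
    Rule("media-in-hours", ANY, ("avi", "mpg", "mp3"), "block", hours="business"),
    Rule("media-off-hours", ANY, ("avi", "mpg", "mp3"), "monitor", hours="off"),
]

# Constructed timestamps: 11 June 2024 is a Tuesday, 15 June 2024 a Saturday.
TUESDAY_10 = datetime(2024, 6, 11, 10, 0)
TUESDAY_19 = datetime(2024, 6, 11, 19, 0)
SATURDAY_14 = datetime(2024, 6, 15, 14, 0)

if __name__ == "__main__":
    samples = [
        Request("alice", "it", "http://updates.vendor.example/setup.exe", 50 * MB, TUESDAY_10),
        Request("bob", "sales", "http://updates.vendor.example/setup.exe", 50 * MB, TUESDAY_10),
        Request("bob", "sales", "http://video.example/clip.avi", 3 * MB, TUESDAY_10),
        Request("bob", "sales", "http://video.example/clip.avi", 3 * MB, SATURDAY_14),
    ]
    for r in samples:
        d = evaluate(r, POLICY)
        print(f"{r.user:6} {r.url:45} -> {d.action:8} [{d.rule}]")
```

Two design points worth carrying into whatever product you buy: rule order is part of the policy (the IT exception must sit above the general executable block, or it never fires), and the decision should name the rule that made it, because the report that follows a complaint of over-blocking is only useful if it can say which line of the table was responsible.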

Complete reporting
Graphs and reports will enable you to know when and how many sites not conforming to your AUP are requested, whether you choose to block them or simply monitor those requests. And once you’ve identified possible problems, you want to be able to track those users more closely and work with them to enforce the policy. So find out how many reports are available, whether you can customise them, and how the reports are distributed, such as by automatic e-mail or an internal website.
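The report described above is, underneath, an aggregation over the filter's request log: per user, how many requests fell into categories the AUP forbids, how many of those were blocked and how many merely logged, and who is worth a closer look. The following is an added example, not code or a report format from this guide or from any vendor's product. The log format (one CSV row per request, carrying the category the filter assigned and the action it took), the category names and the sample rows are all constructed for the example. It also serves the review item under "Maintaining the Policy" about analysing Web activity for new trends, and the "Intelligent filtering" advice to test the software: requests in a forbidden category that were allowed without even being logged are reported separately as gaps between the block list and the policy.

```python
"""Summarise a proxy log against the AUP.

Added example, not code from the original guide or from any filtering
product. The log format, category names and sample rows are constructed.
"""
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List

# Categories the example AUP forbids. A request in one of these is
# non-conforming whether the filter blocked it or only logged it ("monitor").
NON_CONFORMING = {"adult", "hate", "gambling"}

# Constructed sample log: time,user,url,category,action,bytes
SAMPLE_LOG = """\
time,user,url,category,action,bytes
2024-06-11T09:02:11,alice,http://news.example/markets,news,allow,18400
2024-06-11T09:15:40,alice,http://intranet.example/hr,business,allow,2200
2024-06-11T09:20:03,bob,http://sports.example/scores,sport,allow,35100
2024-06-11T09:41:27,bob,http://xxx.example/gallery,adult,block,0
2024-06-11T10:05:55,carol,http://vendor.example/docs,business,allow,51200
2024-06-11T10:12:09,bob,http://xxx.example/video,adult,block,0
2024-06-11T10:30:48,alice,http://vendor.example/support,business,allow,8700
2024-06-11T11:02:31,carol,http://bets.example/odds,gambling,block,0
2024-06-11T11:45:12,bob,http://bets.example/live,gambling,monitor,64000
2024-06-11T12:10:00,bob,http://news.example/front,news,allow,14000
2024-06-11T13:03:42,carol,http://news.example/tech,news,allow,9100
2024-06-11T13:30:19,alice,http://partner.example/order,business,allow,3300
2024-06-11T14:20:07,bob,http://hate.example/forum,hate,block,0
2024-06-11T15:00:45,carol,http://intranet.example/wiki,business,allow,1200
2024-06-11T16:10:22,carol,http://sports.example/results,sport,allow,27000
2024-06-11T16:40:58,alice,http://games.example/play,gambling,allow,12000
"""


def parse_log(text: str) -> List[dict]:
    """One dict per request; the byte count is converted to an int."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["bytes"] = int(row["bytes"])
    return rows


def per_user_report(rows: List[dict]) -> Dict[str, dict]:
    """Per-user totals; a non-conforming request counts whether or not it was blocked."""
    report: Dict[str, dict] = {}
    for row in rows:
        stats = report.setdefault(row["user"], {
            "requests": 0, "non_conforming": 0, "blocked": 0, "monitored": 0, "bytes": 0})
        stats["requests"] += 1
        stats["bytes"] += row["bytes"]
        if row["category"] in NON_CONFORMING:
            stats["non_conforming"] += 1
            if row["action"] == "block":
                stats["blocked"] += 1
            elif row["action"] == "monitor":
                stats["monitored"] += 1
    return report


def users_to_follow_up(report: Dict[str, dict], min_hits: int = 2,
                       min_share: float = 0.25) -> List[str]:
    """Users with at least `min_hits` non-conforming requests making up at least
    `min_share` of their traffic, worst first. Both thresholds are assumptions."""
    flagged = [u for u, s in report.items()
               if s["non_conforming"] >= min_hits
               and s["non_conforming"] / s["requests"] >= min_share]
    return sorted(flagged, key=lambda u: (-report[u]["non_conforming"], u))


def non_conforming_by_category(rows: List[dict]) -> Counter:
    return Counter(r["category"] for r in rows if r["category"] in NON_CONFORMING)


def non_conforming_by_hour(rows: List[dict]) -> Counter:
    """When during the day forbidden sites are requested (hour from the ISO timestamp)."""
    return Counter(int(r["time"][11:13]) for r in rows if r["category"] in NON_CONFORMING)


def policy_gaps(rows: List[dict]) -> List[dict]:
    """Forbidden-category requests the filter allowed without logging: the
    block list does not yet match the AUP for these."""
    return [r for r in rows if r["category"] in NON_CONFORMING and r["action"] == "allow"]


def format_report(rows: List[dict]) -> str:
    """Plain-text summary of the kind that would go out by automatic e-mail."""
    report = per_user_report(rows)
    lines = [f"{'user':8} {'reqs':>5} {'non-conf':>9} {'blocked':>8} {'monitored':>10} {'bytes':>8}"]
    for user in sorted(report):
        s = report[user]
        lines.append(f"{user:8} {s['requests']:5} {s['non_conforming']:9} "
                     f"{s['blocked']:8} {s['monitored']:10} {s['bytes']:8}")
    lines.append("follow up: " + (", ".join(users_to_follow_up(report)) or "none"))
    lines.append("non-conforming by category: " + ", ".join(
        f"{cat}={n}" for cat, n in non_conforming_by_category(rows).most_common()))
    lines.append(f"policy gaps (forbidden category allowed): {len(policy_gaps(rows))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(parse_log(SAMPLE_LOG)))
```

Counting monitored requests alongside blocked ones matters: a site the filter only logs is still a breach of the written policy, and a user with a high share of such requests is the one the guide says to track more closely. The policy-gap count is the cheap version of "put the software to the test": if it is ever non-zero, the category list in the filter and the wording of the AUP have drifted apart.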

Intelligent filtering
The software should include a clear statement of the criteria used to block sites so you can answer any questions that arise internally, and be able to explain what is and isn’t blocked and why. Put the software to the test to ensure that blocked sites are sites that should be blocked, while access is allowed to sites that should not be blocked. Too many filtering packages “throw out the baby with the bathwater”: it’s easier to over-block than to block carefully and accurately, and that may result in the inability to access useful sites. The filtering software should enhance employee productivity, not frustrate users trying to work.

Regular content updates
The Internet grows every hour. Some reports suggest that each day, 10,000 new Web pages come online. You should be able to update frequently - even daily if you choose - to ensure up-to-date protection against newly posted sites.

High scalability and strong performance
The software should be able to handle thousands of users, so you can run the monitoring easily from one location on your network, and it should do so without affecting network performance. Investigate supported network topologies, servers, and firewalls to make sure the software will be able to work with your network and handle the number of users.

Reliable support
An established vendor will be there to support you in the future as your company grows. Look for a technically strong, well-respected company with extensive knowledge of the Internet that gives it staying power.

Maintaining the Policy

Producing the policy and installing the software is not the end of the matter. Changes occur in staffing, business practice, Internet technology and management expectations, so your policy will need to keep up with these in order to be relevant. You should implement a regular review of the policy. Here are some things to consider in your reviews:

Are new staff being trained adequately, are they being given sufficient information and do they understand the policy?

Are you getting feedback from users and maintaining an open channel of communication?

Is your policy or the restrictions preventing anyone from doing company business more efficiently? You will need to consult line managers to find out.

Analyse Web and e-mail activity for new trends that may indicate time spent on non-business activities by large numbers of users.

New e-mail jokes, viruses and new websites come out every month, so make sure you are up to date in restricting these.

Review your e-mail disclaimer. Is it up to date and does it sufficiently protect the company and its employees?

Maintain your lists of users and groups and ensure they have appropriate security levels.

Have any temporary staff left and have you revoked their privileges?

Ensure you are getting regular updates from your anti-virus and filtering software vendor.

Check for file types or e-mail attachments that are causing bandwidth bottlenecks.

Have there been any incidents that require a change of policy, monitoring or security?

Review those areas of your business that require special attention to security.

Do employees require different types of access to websites or external e-mails so that you need to change your policy or rules?

Helpful Resources

Online Resources

Return on Investment Calculator. How much is casual surfing costing your company? www.surfcontrol.com/resources/roi_calculator.aspx

SurfControl – 5 case studies showing what other companies have done and the benefits obtained. www.surfcontrol.com/resources/business/case_studies/

Gartner - Internet Access Policy: Deterring Abuse (10 Apr 98), Resource ID: 297695. www.gartner.com

Gartner - Internet Appropriate Use Policy Guidelines (16 Nov 98), Resource ID: 298525. www.gartner.com

Guide to e-mail and Internet use in the workplace (March 99). www.info-law.com/guide.html

Information Week Online - Web Surfers Beware: Someone's Watching (7 Feb 2000). www.informationweek.com/bizint/biz772/72bzweb.htm

Nielsen//NetRatings - At-work Internet users do double-time online as compared to at-home web surfers (22 Feb 2000). www.nielsen-netratings.com/press_releases/pr_000222_work.htm

BusinessWeek Online – Workers, Surf at Your Own Risk (12 June 2000). www.businessweek.com/2000/00_24/b3685257.htm

Internet Watch Foundation – established October 1996 by UK Internet Service Providers to combat criminal content on the Internet and to advise Internet users on how best to restrict access to harmful or offensive content on the Internet generally. www.iwf.org.uk

Information Commissioner's website. www.dataprotection.gov.uk