Good Policy Guide: Acceptable Use Policy

We’ve given general guidance on writing policies in our Akimbo Good Policy Guide, and we’re continuing the series with some deep dives on the policies we most often see written poorly.

A policy I commonly find weaknesses in is the Acceptable Use Policy. This policy is key to ensuring that staff members know how company resources can and cannot be used. However, I often see organisations falling back on vague requirements such as systems “must not be used in a way that may negatively impact productivity”. A clause like that cannot be assessed by the user reading it, enforced consistently by a manager, or tested by an auditor. Organisations would be better served by stating explicitly which activities are prohibited.

Personal Use

The first big decision to make is whether employees may use company IT assets for any personal use at all. Whatever you decide, enforce the policy as written. It’s very common for me to find a policy stating that employees may not use company devices for any personal use, and then to see staff members browsing their personal social media on their lunch break. An unenforced policy is useless, and it undermines the credibility of every other policy you publish. If you don’t want staff using devices for personal activities, enforce that; if you don’t mind in some circumstances, write the policy to reflect that.

If you do allow personal use, consider putting up some guardrails, such as restricting personal use to breaks and lunchtime.

Policy Scope

Another issue I often find is that the Acceptable Use Policy butts up awkwardly against the Mobile Device Policy, with ambiguity in the overlap between the two. This is generally because the scope of each policy is poorly defined, or because terms such as “mobile device” are never defined at all. Is an Apple iPad a mobile device? What about a Microsoft Surface tablet? You’ll likely have a clear opinion on which policy should apply to these devices, so make sure the policy scope states it clearly.

You should also be clear about the relationship between the two documents: either the Acceptable Use Policy applies to all devices and the Mobile Device Policy adds requirements that apply only to mobile devices, or the Acceptable Use Policy applies only to non-mobile devices and mobile devices are covered separately.

Monitoring Rights

The organisation will no doubt need some degree of monitoring on end-user devices, so you should make that clear within your policies. Consider every reason the organisation may have to log, monitor, review, and disclose the contents of an employee-issued device, and ensure that the policy covers each of them. This could be for incident response, security testing, or checking compliance with policies; whatever the reasons, you should tell users in advance.

You should also make it clear that any attempt to interfere with this monitoring, or with any other security control for that matter, is prohibited.

Prohibited Uses

Your idea of what constitutes acceptable use and your employees’ idea may not be well aligned. I see a lot of organisations falling back on terms like ‘unlawful’ in ways that are unlikely to be useful. “You must not use company assets for unlawful purposes” is a good statement to have in your Acceptable Use Policy, but it’s not complete. There are plenty of things you can do on a device that are not unlawful but are still unwelcome.

For example:

  • Are they allowed to run their Etsy shop where they sell artisanal baked goods on their company device?
  • Are staff allowed to visit gambling websites on their company device?
  • Are they allowed to mine cryptocurrencies on their company device?
  • Are they allowed to watch pornography on their company device?

None of these activities is necessarily illegal, but you probably don’t want staff doing them on company equipment, so your policy should say so explicitly.

There are other activities that you will likely want to prohibit, and they may sit within the Acceptable Use Policy or in another document. We’re not picky, as long as they’re covered somewhere. For example, you should make it clear that users must not share passwords with anyone. You will also want to make it clear that staff must not share content that is abusive, obscene, discriminatory, harassing, or threatening, but that’s a broader problem than device use, as you would not want them sharing such content via email, in written communications, or in person either.

Getting Started

The following statements are designed as a starting point for writing your Acceptable Use Policy. They allow some personal use, with limitations; companies that prefer to prohibit all personal use can strip out the relevant clauses.

You’ll want to review these statements in line with your standard policy template and ensure the finished document includes all of the elements covered in the Akimbo Good Policy Guide, such as a version control table and a review process, but hopefully this is enough to get you started:

Purpose

The purpose of this policy is to provide clear guidelines on the permissible use of company assets, ensuring that company data and intellectual property are protected. This policy aims to ensure that business objectives are met whilst regulatory requirements are followed.

Violation of this policy may result in disciplinary action, up to and including termination.

Scope

This policy applies to all individuals who have access to the organisation’s IT systems, assets, or data. This includes employees (permanent, temporary, and part-time), as well as contractors, agency workers, interns, and volunteers.

This policy applies to all company-owned devices, including servers, laptops, desktops, tablets, and mobile phones. It also applies to any device connected to a company-provided internet connection and to all company social media accounts.

Personal Usage of Company Devices

Employees may use their company devices for personal purposes only during breaks and lunchtime, and such use must not contravene any other statement within this policy.

General Restrictions

  • You must not use a company device for any activity that interferes with legitimate company business.
  • You must not use a company device to access any computer, program, or data that you do not have permission to access.
  • You must not use a company device to support any business activity other than that of the company, including but not limited to buying and selling products online.
  • You must not use a company device for any activity that is illegal or in violation of any compliance requirements the company has agreed to.
  • You must not share any copyrighted material without written permission from the copyright holder.
  • You must not use a company device or internet connection for peer-to-peer file sharing.
  • You must not use a company device or network for any activity that is likely to consume excessive resources, including but not limited to the mining of cryptocurrencies.
  • You must not use a company device or network to create, share, or view content that is pornographic or sexual in nature.
  • You must not use a personal email address for any company business.

Security Restrictions

  • You must not intentionally circumvent or disable any security measure in place on the device or the network, including but not limited to internet filtering, anti-virus scanning, encryption, logging, or monitoring software.
  • You must not, without explicit permission, impair the operation of any computer system, impair access to any program or data, or impair the reliability of any data.
  • You must report lost or stolen devices to the Security Team immediately.
  • You must not share your password under any circumstances.
  • You must not access, or attempt to access, the accounts of other staff or of third parties.
  • You must report any known or suspected compromise of passwords or other access credentials, including keys, to the Security Team immediately.

Software Restrictions

  • You must not install any software on a company system without written permission.
  • You must ensure that all software used is supported by its vendor and is appropriately licensed.

Communications Restrictions

You must not create or share any content that is fraudulent, defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, insulting, threatening, obscene, harassing, or indecent.

Privileged Accounts

You must not use a highly privileged or administrative account for any activity that could be completed from a lower-privilege user account. Administrative accounts must be used for the shortest period necessary to perform the administrative task. Using administrative accounts for accessing email or browsing the web is prohibited.

Monitoring

The company may monitor any and all use of company systems, accounts, or devices, both to ensure compliance with company policies and to ensure their security. This monitoring supports security testing, incident response, and the correct operation of company assets and networks. Attempting to circumvent monitoring is prohibited.

No doubt there will be extra things you want to include under Prohibited Uses depending on your sector and business context, but hopefully this guide gets you started. Looking to review your policies, or need help writing them? We’re here to help.
