15 November 2019
Defining the way your IT resources may and may not be used is an essential part of ensuring your IT systems aren’t placed at any undue risk. Developing an acceptable use policy (AUP) establishes rules for using the company network and devices, and can reduce the inappropriate usage that could end up compromising your business.
However, AUPs are so often impenetrable documents stuffed with technical and legal language that employees take only a cursory look at them before consigning them to a drawer. Unfortunately, these overwrought documents mean that many employees are prone to careless practices as a result.
So, how do organisations develop an AUP that touches on the most important aspects of usage while still being engaging to read? Here, we’ll explain some of the best practices that businesses can use when creating an acceptable use policy for their employees.
It’s recommended that every policy includes the following sections:
AUPs are used to administer guidance, manage risk and increase liability protection. The finished document must allow employees to carry out their jobs while also reducing the risk of data breaches, cyberattacks and compliance violations in the process.
As employees have a degree of responsibility in maintaining a secure business environment, the AUP should specify what is required of them and provide guidance on the behaviour you expect. If the policies featured within are practical, relevant and have a certain amount of flexibility, then employees will be more likely to follow them.
As the AUP is the broadest level of IT security for your business, its scope should be suitably far-reaching. Your AUP should be relevant for the following:
In terms of IT systems, your AUP should apply to the following:
Sensitive company information, such as the following, should also be covered:
Separate specific policies into other documents; that way the document will be comparatively more concise, increasing the likelihood of your employees reading it. Shorter individual policies tailored to specific teams created in addition to your AUP are more manageable and easier to update.
Instead, you should focus on likely events, tailoring the policy to industry-specific scenarios and ensuring that all points are enforceable as a result. Anything hypothetical or unlikely can be removed from your policy; we want things to be streamlined and succinct. Stay relevant and on topic, and forgo anything that might over-complicate things.
Every business will have concerns that are unique to them; these are the things that should be included in their AUPs. Any business that deals with financial data, for example, needs to define how it should and should not be handled. Consult members of every department during the policy’s development; here you’ll be able to identify gaps and answer questions that can then be included in the document. Additionally, if employees have their input included, they’re more willing to follow the policies.
Without the appropriate enforcement, your employees won’t take the AUP seriously. What consequences for violations will be put in place and how will they be applied? At the same time, the policy must get HR and legal sign-off to ensure it’s not in violation of any workers’ rights.
Additionally, the policy must be developed in a way that its enforcement does not interfere with business goals. If certain teams need access to social media sites that are otherwise blocked by the policy, this will need to be addressed. Any exceptions should be made explicit using clear terms such as “unless expressly authorised”.
Here are a few other tips on enforcing your AUP.
Use clear, unambiguous language.
You want to minimise confusion and be as clear with your wording as possible when writing an AUP. Remove jargon and explain all acronyms; don’t forget that you’re writing for a general audience.
That said, not everything needs explaining; some things will speak for themselves. Any not-safe-for-work websites or inappropriate behaviour through your business’ instant messaging platform requires little explanation as to why employees shouldn’t be doing these things. Telling them not to engage in these activities will suffice.
However, some aspects that are industry-specific will need outlining and placing in context. In recent years, schools, hospitals and restaurants have experienced an increase in phishing attacks. The problems that relate specifically to your business will need thoroughly explaining, touching on how employees should act in a particular manner.
Your choice of language should reflect this specificity. Be sure you’re explaining, rather than telling your employees what to do. Take for instance the difference in the below:
Note the use of stronger modal verbs such as “must” as opposed to “should”.
Additionally, avoiding the passive voice in favour of an active one provides a more emphatic, authoritative tone:
Keep an eye out for how things look on the page. A digestible, more readable layout will make for easier understanding without making some things seem more important than others. You want to achieve a consistent and balanced layout that breaks up dense chunks of text. Aim for something like the following, for instance:
Employees are prohibited from using company resources for any of the following:
Before you publish your policy and make it available to your employees, you should review it with HR and legal teams to make sure it’s not in violation of any employment laws and workers’ rights.
When you do hand it out, it’s good to get feedback from both managers and employees at every level. Encourage them to point out anything that’s been left out and provide suggestions on how to improve certain policies. While protecting your company’s assets is important, it’s also important to make sure your team’s productivity is the best it can be. The last thing you want is for your AUP to stand in the way of someone being able to do their job.
Lastly, when your AUP has been reviewed, approved and distributed, have every staff member sign a copy of the document. In the event a policy gets broken, you can hold the offender accountable.