In this paper I will describe the purpose of an Acceptable Use Policy (AUP) I have selected and explain how the AUP helps provide confidentiality, integrity, and availability within the organization. I will critique the AUP I selected and provide recommendations for improving it. I will explain methods that organizations can implement to help ensure compliance with the AUP, mitigate their risk exposure, and minimize liability. Additionally, I will describe how my selected AUP accomplishes these goals. Finally, I will describe methods for increasing awareness of the AUP, and of other policies, within the organization.
An acceptable use policy (AUP) is the policy document that sets out the stipulations, constraints, and practices that users must agree to in order to access their organization's network or the Internet. It defines the rules and serves as the agreement between the employee and the organization. Most organizations require their employees to sign an acceptable use policy; once it is signed, the employee is issued a network ID and granted access to the network.
The acceptable use policy I selected is the Joint Services Support policy. I chose this policy because it is comprehensive and well constructed. Up front it informs the employee of the type of information system they are accessing and the detailed conditions of use. It clearly explains the distinction between private and personal information. Furthermore, it informs the employee that their content is subject to screening at any time to verify acceptable use. Essentially, it lets the employee know that use of the systems is a privilege, not a right, that information is subject to review and scrutiny, and it asserts the organization's authority to protect the integrity of its systems.
Immediately following this, the policy moves into its security rules. Again, they are clear, concise, and detailed. The rules are the direct, black-and-white acknowledgements or promises by the employee to the employer that they will use the systems in a professional manner. Signing the policy creates a binding agreement between the employee and the organization, under which the employee will be held accountable for unacceptable use.
Although the AUP I selected was robust, it did not go into much detail regarding personal web browsing. One way I would improve the AUP would be to distinguish acceptable from unacceptable sites that employees may visit for personal use. Another recommendation would be to add language on taking devices home, so that employees understand that even when a device is not connected to the organization's network, the same rules still apply on their home network.
One method that organizations can implement is an annual review of the policy. This helps the organization identify flaws in the policy so that it can be updated. Reviewing network usage records (for example, web proxy or firewall logs) will show how much time employees spend during a workday on work-related use versus personal use, and will reveal excessive use. This information can then be analyzed, and changes to the current policy as well as to the network can be proposed.
All suggestions can then be reviewed and incorporated into a new draft of the policy. From there the organization can draft the rollout plan for the new policy. Sending communications to employees before the rollout, informing them of the updates, is a useful tool.
Once the rollout has begun, the organization can ensure that employees are aware of and comply with the policy by requiring each employee to accept the new policy before network access is granted, for example by presenting it at logon. At the same time, any changes to the network security controls can be implemented as needed to enforce the new policy. From there the organization will need to monitor employee use so that it can enforce compliance. Rather than hiring a new employee to perform the monitoring, monitoring software (such as web filtering or proxy logging) can be deployed on the network. This software also makes it easier for management to pull reports as needed. To further mitigate risk, the organization needs to control downloads, for example by blocking file types that it does not permit employees to download or execute.
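The usage review described above (time spent on work-related versus personal sites, excessive use, and controlled downloads) can be produced from proxy logs without buying a dedicated product. The following Python script is an added example written for this page; it is not part of the Joint Services Support policy or of any monitoring product. The log format (`<ISO time> <user> <URL> <bytes>`), the site category map, the idle cap, the daily personal-use allowance, and the sample log lines are all constructed assumptions for the demonstration. Time is estimated per request as the gap until the user's next request, capped so that a long pause is not counted as browsing.

```python
"""Summarize proxy-log activity per user into work vs. personal time and
flag policy exceptions (excessive personal use, blocked download types).
Added example; log format, categories and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed site category map maintained by the organization (constructed).
CATEGORIES = {
    "intranet.example.com": "work",
    "mail.example.com": "work",
    "docs.example.com": "work",
    "social.example.net": "personal",
    "video.example.net": "personal",
    "news.example.org": "personal",
}
# Assumed list of file types the policy does not allow employees to download.
BLOCKED_EXTENSIONS = (".exe", ".msi", ".scr")
# A gap longer than this between two requests is not counted as browsing.
IDLE_CAP = timedelta(minutes=5)
# Assumed daily personal-use allowance for the demonstration.
PERSONAL_LIMIT = timedelta(minutes=20)

# Constructed sample log: "<ISO time> <user> <URL> <bytes>" per line.
LOG = """\
2024-03-04T09:00:00 alice http://intranet.example.com/home 1200
2024-03-04T09:10:00 alice http://mail.example.com/inbox 3400
2024-03-04T09:12:00 alice http://video.example.net/watch?v=1 900000
2024-03-04T09:40:00 alice http://docs.example.com/spec.pdf 50000
2024-03-04T12:00:00 alice http://intranet.example.com/home 1200
2024-03-04T09:05:00 bob http://social.example.net/feed 20000
2024-03-04T09:07:00 bob http://social.example.net/feed 20000
2024-03-04T10:30:00 bob http://video.example.net/watch?v=2 500000
2024-03-04T11:50:00 bob http://files.example.net/tool.exe 4000000
2024-03-04T11:52:00 bob http://mail.example.com/inbox 3400
2024-03-04T13:00:00 bob http://video.example.net/watch?v=3 500000
2024-03-04T13:04:00 bob http://video.example.net/watch?v=3 500000
2024-03-04T13:08:00 bob http://video.example.net/watch?v=3 500000
2024-03-04T13:12:00 bob http://video.example.net/watch?v=3 500000
2024-03-04T13:16:00 bob http://video.example.net/watch?v=3 500000
"""


def parse_line(line):
    """Parse one log line into (timestamp, user, url, bytes)."""
    ts, user, url, size = line.split()
    return datetime.fromisoformat(ts), user, url, int(size)


def categorize(url):
    """Map a URL's host to a policy category; unknown hosts are 'uncategorized'."""
    host = urlparse(url).hostname or ""
    return CATEGORIES.get(host, "uncategorized")


def summarize(lines):
    """Return per-user minutes by category plus policy flags.

    Each request is credited with the time until the same user's next
    request, capped at IDLE_CAP; the user's last request is credited 0.
    """
    by_user = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            by_user[ev[1]].append(ev)

    report = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        minutes = defaultdict(timedelta)
        blocked = []
        for i, (ts, _, url, _) in enumerate(events):
            nxt = events[i + 1][0] if i + 1 < len(events) else ts
            minutes[categorize(url)] += min(nxt - ts, IDLE_CAP)
            # Download control: record any request for a blocked file type.
            if urlparse(url).path.lower().endswith(BLOCKED_EXTENSIONS):
                blocked.append(url)
        personal = minutes["personal"]
        report[user] = {
            "work_minutes": minutes["work"] / timedelta(minutes=1),
            "personal_minutes": personal / timedelta(minutes=1),
            "excessive_personal": personal > PERSONAL_LIMIT,
            "blocked_downloads": blocked,
        }
    return report


if __name__ == "__main__":
    for user, row in summarize(LOG.splitlines()).items():
        print(user, row)
```

The output is the kind of report management would pull during the annual review: for each user, work and personal minutes, whether the personal allowance was exceeded, and any blocked download attempts. Real proxy logs (Squid, Zscaler, Bluecoat) have different field layouts, so only `parse_line` would need to change to use this on production data.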
To increase awareness, the organization should host training sessions for its employees, either in person or online. During these sessions the policy can be reviewed and questions can be asked and answered. Agency notices can also be sent to employees in an all-hands email message. Finally, short policy-related challenge questions can be presented when employees access systems, to keep the policy fresh in their minds.
In conclusion, the Joint Services Support policy I chose to review was very robust. It did, however, have some room for improvement, such as addressing home use. There are several methods that can be used to implement the policy and to ensure compliance with it. Finally, I noted the means by which awareness can be increased throughout the organization.