An Acceptable Use Policy (hereinafter "AUP") is an agreement between two or more parties to a computer network community, expressing in writing their intent to adhere to certain standards of behaviour with respect to the proper usage of specific hardware and software services. More specifically, it is a set of rules, usually created and enforced by the owner or manager of a website, network, online service, or larger computer infrastructure, that aims to restrict the unseemly ways their information assets may be used. To minimize the risk of legal action, entities such as corporations, ISPs, website owners, schools and universities choose to implement an AUP. Hence, an AUP gives directions on what behaviour and use of technology is approved by the owner or the community as a whole.
AUP documents often fulfill the same function as the ubiquitous Terms of Service or End-user License Agreement texts that can be found on virtually all software applications. However, there are slight differences between those documents. First, AUPs cover larger computing resources, e.g., websites or LANs; second, they emphasize etiquette and respect for fellow users (presumably not applicable to single-user programs or other computer services).
An AUP contains a great deal of detail relating to computer security: managing passwords, online intellectual property and software licenses. Other chapters can give an account of basic international etiquette (e.g., a short description of the firm's email policy), or deal with excessive use of system resources, for instance, the superfluous traffic generated by playing computer games.
AUPs are handy in situations where new members sign on to join an information system or network. For this reason, an AUP must, inter alia, remain clear and concise and cover the points of vital importance regarding what behaviour is permissible and what is not when it comes to usage of the company's IT system. Where relevant, users should be referred to a more comprehensive policy.
In public organizations such as libraries or universities, AUPs may be used to protect young people from profanity, pornography and bad influence. At the corporate level, on the other hand, the policies in question extend to cover business interests.
To this end, a useful aspect of AUPs is that, as an integral part of the entire monitoring procedure, they can be an effective tool for identifying cyber-slackers and abusers among employees within an organization. Human Resources experts and the courts are certain that this measure may provide the necessary evidence of a "duty of care" that will reduce unacceptable employee activity. As a generally accepted rule, monitoring Internet and email services is considered legal provided that the employer has communicated an AUP to its employees. Getting prior consent may allow employers to avoid being held liable for acts committed by their employees in contravention of the policy.
Source: Student Internet/Software Acceptable Use Policy by MSD Decatur Township
Source: How to Create an AUP - Acceptable Use Policy by Mitchell Bradley
Moreover, policies like those against racial or religious discrimination and compulsory email archiving are stipulated by law or regulation, and others, such as those on sexual harassment or the prohibition against smoking outside designated areas, may be seen as necessary from a common business ethics point of view. What is important is that all of them can be expressed in an AUP (an employee handbook of a kind), simplifying their applicability on the ground and at the same time making them translatable to every worker regardless of rank and status.
Source: How to Create an AUP - Acceptable Use Policy by Mitchell Bradley
This is an introductory part that clarifies the application of the policy text that follows. Basically, it explains why the document is needed, its aims, and perhaps makes an indirect reference to the motives behind its coming into existence.
Source: Acceptable Use Policy by Brown University
The range and coverage of AUPs vary more or less. A policy could apply to specific users, departments, regions, systems, components, software or data that are employed or connected to the owner's network/computer systems.
Source: INTERNET Acceptable Use Policy by U.S. Department of the Interior
That's the policy's pulp (usually the most delicious or essential part of a fruit), in which the requirements users must observe are accentuated. Frequently, there will be a list of prohibited activities. It is important to remember that at the heart of the AUP as a regulatory document is the concept of respect and ethical use. Thus, AUPs rely on the good behaviour demonstrated by everyone under their influence, trying to instill what is appropriate "by persuasion". If the power of persuasion proves insufficient, then one should face the consequences.
Presumably, the section that outlines the unacceptable uses of a given online service has a central part in almost all AUP documents. Unacceptable behaviour may include:
Source: Student Use of Technology/Acceptable Use Policy by Fountain Valley School District
Source: Acceptable Use Policy by Rogers Communications Inc.
Source: Acceptable Use Policy by Brown University
Source: Acceptable Use Policy by Rogers Communications Inc.
Source: ICT Acceptable Use Policy by Training Strategies Ltd.
Source: Acceptable Use Policy by Rogers Communications Inc.
Source: Acceptable Use Policy by Rogers Communications Inc.
Disclaimers are found mostly in AUPs that govern the use of websites. They exonerate an organization from responsibilities under specific circumstances. After all, connection to the Internet or use of a website is a privilege, not a right, as stated by the AUP of the Loughborough University.
In many AUP statements there is a text that sets forth the consequences of violating the policy – sanctions applicable to everyone that breaks the AUP. For instance, subscribers to broadband Internet service may be subject to either bandwidth limitation, suspension, or termination of contract on a variety of grounds. If the activities are illegal, the company may call on law enforcement authorities. When the violator is an employee, then the company may terminate the employment. It is important to note that the policy has pretty much direct effect and could be enforced without legal proceedings.
Source: Acceptable Use Policy by Rogers Communications Inc.
Ideally, an AUP should do the following:
Clearly specify the owner(s);
Define the exact components covered by the policy: Internet, email, voice mail, computer systems and files;
Underline that these components are for business purposes only;
Incorporate "use cases," "situational analyses," or "what if" scenarios illustrating how the policy works in reality;
Ban content that is harassing, offensive, defamatory, insulting, discriminatory, pornographic or obscene;
Prohibit distributing confidential or proprietary information, including copyrighted software, or unauthorized access by electronic means performed by employees;
Underline the repercussions non-compliance would entail. Warn the policy's recipients that they may be subject to disciplinary measures in case of violation of the policy.
Dimitar Kostadinov applied for a 6-year Master's program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master's degree in 2009. From 2008 to 2012, Dimitar held a data entry & research job with the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted to Law and Politics of International Security at Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.
Management, compliance & auditing
November 18, 2023