Organizations today face a higher probability of a cyberattack, and an attack can do a great deal of damage to an organization’s reputation and operations. This is why organizations of every size must write and implement acceptable use policies. Companies need to establish policies that spell out what employees can and cannot do when using company IT assets, both on and off the corporate network.
A corporate acceptable use policy (AUP) should include everything from the basics – creating strong passwords and defining what software apps can be installed on company devices – to knowing what types of devices employees are allowed to connect to the network.
Keep reading to learn what a corporate acceptable use policy is, the key areas that should be included and some pro tips to enhance your security awareness training.
What Is a Corporate Acceptable Use Policy (AUP)?
A corporate acceptable use policy is a formal document that sets out the rules and guidelines employees and other stakeholders must follow when using the company’s IT resources. These resources commonly include computers, laptops, mobile devices, networks, software, email accounts and internet access.
The purpose of a corporate acceptable use policy is not only to set the rules for IT security policies, such as passwords, system access and device usage, but also to define acceptable use of corporate assets and communications.
These key stakeholders should develop your policy:
- Executive management
- Legal
- Human resources
- IT
These stakeholders should clearly define who the policy applies to, what is acceptable, what’s not acceptable and the consequences of violation. At the end of the day, it’s about protecting not only the company’s digital assets and reputation, but also the people who work there.
How an AUP Protects IT Assets
Protection of IT assets is a vital element in maintaining the integrity and security of any organization’s IT infrastructure. AUPs play a pivotal role in this protection by clearly defining what is and isn’t permissible in terms of:
- Hardware: For example, which USB drives may be used
- Software: Don’t install unapproved software
- Networks: Which devices are allowed to use the network, and how devices are to be used off the network
- Data access: Which devices can and cannot access company data, and how that data is to be used
By explicitly stating the types of hardware that can be used, who is authorized to use them and under what circumstances, you are minimizing the risks associated with physical devices.
4 Key Areas to Include in Your AUP
When creating or revising an AUP, there are four key areas your stakeholders will need to consider. These areas can set the security posture and internal security culture for your organization and your employees.
1. USB Drives
USB drives are often used in cyberattacks. If an employee wants to access files from a USB drive, have them work with the IT department to test it on a segmented machine. If the drive is infected, the malware is contained and business can continue as usual.
Encourage employees to always throw out any free USB drives they may receive – especially those received at conferences or industry-related trade shows. It’s not worth the risk. And don’t forget to remind them to never plug an unapproved USB drive into a company computer.
If employees need to use USB drives on corporate devices, provide them with safe, company-supplied drives only. Keeping a supply from a reputable source is a good idea: the drives are inexpensive, and the peace of mind alone is worth it. This can also be part of your overall security awareness training.
2. Approved Software
When it comes to software, an AUP is essential for ensuring that only approved programs are installed on corporate devices. The policy should outline the process for software approval and the ramifications of deploying unapproved software. Unverified software can pose significant security risks, creating vulnerabilities that could lead to cyberattacks and other security breaches.
The goal of an AUP is to reduce these risks by controlling what software can be installed based on user access needs. Your AUP can also tie in security procedures that define valid use cases for software approval based on each employee’s role within the company. This ensures that all software goes through a thorough security review and verification prior to approval, safeguarding the organization’s IT infrastructure while maintaining compliance with legal and regulatory standards.
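The role-based approval process described above can be enforced as a simple compliance check. The following is an added example, not code from the article or from any vendor: it compares each host’s installed-software inventory against an approval list that combines software approved for everyone with role-specific approvals, and flags anything that is unapproved for the user’s role or explicitly denied. All package names, roles and hosts are constructed for illustration.

```python
"""
Added example (not from the article): evaluate a host's installed-software
inventory against a role-based approval list, as an AUP would define it.
All package names, roles, users and hosts below are constructed.
"""
from dataclasses import dataclass

# Constructed approval list: software approved for everyone, plus
# role-specific approvals that follow from each role's valid use cases.
APPROVED_FOR_ALL = {"office-suite", "pdf-reader", "endpoint-agent", "vpn-client"}
APPROVED_BY_ROLE = {
    "developer": {"git", "docker", "ide"},
    "analyst": {"wireshark", "siem-console"},
    "finance": {"accounting-app"},
}
# Software denied regardless of role (constructed names for illustration).
DENIED = {"unapproved-remote-desktop", "torrent-client"}


@dataclass
class Finding:
    host: str
    user: str
    package: str
    reason: str


def approved_set(role: str) -> set:
    """Everything a given role may install: the common set plus role-specific items."""
    return APPROVED_FOR_ALL | APPROVED_BY_ROLE.get(role, set())


def check_host(host: str, user: str, role: str, installed) -> list:
    """Return one Finding per package that violates the AUP on this host."""
    findings = []
    allowed = approved_set(role)
    for pkg in sorted(installed):  # sorted so reports are stable
        if pkg in DENIED:
            findings.append(Finding(host, user, pkg, "explicitly denied by AUP"))
        elif pkg not in allowed:
            findings.append(Finding(host, user, pkg, f"not approved for role '{role}'"))
    return findings


def check_inventory(inventory) -> list:
    """Run check_host over a list of inventory records (dicts)."""
    findings = []
    for rec in inventory:
        findings.extend(check_host(rec["host"], rec["user"], rec["role"], rec["installed"]))
    return findings


# Constructed inventory, as an asset-management export might provide it.
SAMPLE_INVENTORY = [
    {"host": "ws-001", "user": "alice", "role": "developer",
     "installed": {"office-suite", "endpoint-agent", "git", "docker", "ide"}},
    {"host": "ws-002", "user": "bob", "role": "finance",
     "installed": {"office-suite", "endpoint-agent", "accounting-app", "git"}},
    {"host": "ws-003", "user": "carol", "role": "analyst",
     "installed": {"office-suite", "wireshark", "unapproved-remote-desktop"}},
]

if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY):
        print(f"{f.host} {f.user}: {f.package} -> {f.reason}")
```

Run against the constructed inventory, the check reports git on the finance workstation (approved only for developers) and the denied remote-desktop tool on the analyst workstation; the developer host is clean. In practice the inventory would come from your endpoint management tooling and the findings would feed a ticket to the employee and the IT approval process the policy defines.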
3. Bring Your Own Device (BYOD)
When an employee brings their personal phone, tablet or laptop to work for use, what is the process for them to access the network with it? If you don’t have a BYOD policy, you need to start thinking about how your organization can better protect your assets.
A few questions to explore when implementing a BYOD policy include:
- What types of devices can employees use on the corporate network?
- Can employees connect their personal devices to the corporate network or Wi-Fi?
- Can guests use the network or Wi-Fi?
- If employees and guests can connect their own devices to the corporate network, are there any restrictions about what they can do on the network?
- Is there a designated guest network for devices not issued by the company?
The idea of a BYOD policy is that IT should have the ability to quarantine any device regardless of who purchased it. Make sure your employees know that their personal devices can be quarantined and confiscated in case of an incident. HR should ensure employees who use their own devices have signed off on this policy, as it may have an effect on their devices.
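The BYOD questions above, together with the quarantine requirement, can be expressed as one network-placement decision. The following is an added example, not code from the article: it places a device on the corporate segment, a restricted BYOD segment, the guest segment or a quarantine segment, with an IT quarantine hold taking precedence over everything else and a personal device leaving the guest segment only once the employee has signed the policy and IT can quarantine the device. Device identifiers, names and segment labels are constructed for illustration.

```python
"""
Added example (not from the article): turn the BYOD policy questions into a
network-placement decision. Device identifiers, owners and segment labels are
constructed; a real deployment would identify devices with 802.1X certificates
or MDM enrollment rather than a bare hardware address, which is easily spoofed.
"""
from dataclasses import dataclass

# Network segments the policy can place a device in (constructed labels).
CORP_LAN = "corp-lan"                # company-issued, managed devices
BYOD_RESTRICTED = "byod-restricted"  # registered personal devices, limited access
GUEST = "guest"                      # visitors and anything not registered
QUARANTINE = "quarantine"            # devices placed on hold by IT during an incident


@dataclass(frozen=True)
class Registration:
    owner: str
    aup_signed: bool    # HR has the employee's sign-off on the BYOD terms
    mdm_enrolled: bool  # IT has the ability to quarantine or wipe the device


# Constructed inventories keyed by device identifier.
CORPORATE_ASSETS = {"AA:BB:CC:00:00:01", "AA:BB:CC:00:00:04"}
BYOD_REGISTRY = {
    "AA:BB:CC:00:00:02": Registration("alice", aup_signed=True, mdm_enrolled=True),
    "AA:BB:CC:00:00:03": Registration("bob", aup_signed=False, mdm_enrolled=True),
}
# Incident holds placed by IT; they apply to corporate and personal devices alike.
QUARANTINE_HOLDS = {"AA:BB:CC:00:00:04"}


def place_device(device_id: str) -> str:
    """Return the segment a device belongs in. Quarantine wins over everything else."""
    if device_id in QUARANTINE_HOLDS:
        return QUARANTINE
    if device_id in CORPORATE_ASSETS:
        return CORP_LAN
    reg = BYOD_REGISTRY.get(device_id)
    # A personal device only leaves the guest segment once the employee has
    # signed the policy and IT can quarantine the device.
    if reg is not None and reg.aup_signed and reg.mdm_enrolled:
        return BYOD_RESTRICTED
    return GUEST


if __name__ == "__main__":
    known = CORPORATE_ASSETS | set(BYOD_REGISTRY) | {"DE:AD:BE:EF:00:00"}
    for dev in sorted(known):
        print(f"{dev} -> {place_device(dev)}")
```

Two design points worth noting: the quarantine check comes first so that an incident hold cannot be bypassed by a device that is otherwise trusted, and an unregistered or partially registered personal device defaults to the guest segment rather than to any internal network.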
4. External Networks
Similar to the BYOD policy, you’ll also want to provide guidelines around how employees use company-issued devices on other networks.
Questions these guidelines should answer include:
- Can employees connect company-owned devices to other networks at all?
- What types of networks can company-owned devices be connected to? For example, a private home network, a private network operated by another company or a public coffee shop network.
- Are there legal safeguards and protection in place in the event an employee misuses company resources for nefarious reasons? It’s important to remember employees are often your company’s spokespeople and damaging behavior from an employee can negatively impact the organization.
- Is the BYOD or IT policy promoting a digitally safe and productive environment for all employees? By taking the time to review user activity on the network with regard to personal usage, non-business web activity or the viewing of offensive content, you can ensure a collaborative and secure work environment.
- Will there be any compliance issues between your AUP and the regulatory requirements of your company’s industry? Many companies must ensure that implementing their AUP adheres to multiple regulatory and industry requirements, including HIPAA, PCI DSS and GDPR. These must be considered when building out your AUP.
Pro Tips for Security Awareness Training
To start, create acceptable use policies, or refresh the ones you already have to reflect the suggestions in this article. Then, share the policies with employees and train them on how to put them into action.
Here are some tips to reinforce that training:
Acceptable Use Policies
- Make it interactive
- Use real-world examples that mirror your business
- Make it relevant by adapting training to your company’s roles and responsibilities
- Regularly update and reinforce the training
Check out our entire series on security awareness training:
- Passwords Are a Pain: But They are Critical to IT Security
- How to Detect Phishing Attacks
- What Does a Phishing Email Look Like?
- What is an Incident Response Plan and How to Create One
- What Is Network Segmentation and Why Does It Matter?
Get career advice and tech tips sent straight to your inbox with CompTIA’s IT Career News. Sign up today.