What’s Considered “Acceptable Use” For Your Small Business?
Creating an acceptable use policy establishes rules for everyone using the company network
All small companies need an acceptable use policy (AUP). An integral part of any company’s network security program, an AUP is a set of rules that describes how everyone may use the company’s network and network resources, including the Internet. An AUP also spells out the consequences for not following these rules. With an AUP in place, you can protect your company from dangerous behavior online and hold those responsible for their actions. It’s relatively easy to create an acceptable use policy. To be truly useful, though, it must be tailored to your company’s specific needs and business operations.
The simplest way to get started is with a template. You can find free AUP templates online from a variety of sources, including security forums and state technology agencies. Most AUP templates include details about computer and network security as well as use of network resources. You can cover everything from how often employees need to change their passwords to the applications allowed on company computers.
Once you’ve chosen a template, you need to decide what rules to keep, what rules to customize, and what rules to add. For instance, the template may be vague when it comes to network usage, and the language may be overly legal for your small business. You should customize the template and language to reflect your company’s needs and culture, such as: “No employee may consume more than 25 percent of available bandwidth for an extended period of time.”
When customizing the AUP template, you may also want to consider specifying the types of websites employees are not allowed to access from the company network. Some of these are obvious, such as pornography sites or real-time online gaming sites, but other sites might seem fine to allow at first glance. For example, think carefully about social media sites, especially potentially bandwidth-intensive ones like YouTube.com.
The important thing is to make sure you’re not writing the AUP to be so specific that rule-breakers can wiggle through a loophole or so vague than the policy isn’t meaningful. When determining what to include in your AUP, for example, consider rules for preventing employees from using network resources for personal use, such as setting up their own websites.
Your AUP should also include information about how you plan to enforce the policy. Employees should know that you’re monitoring the network to ensure the rules are being followed. You can set up network monitoring fairly easily with tools you may already have at your disposal. For example, you can monitor usage with the admin console included with some small business networking devices, such as managed switches, some routers, and security appliances. If you don’t have any network devices with built-in monitoring capabilities, you can install security software such as Cisco ProtectLink Security Solutions to help enforce your network for any violations of your AUP.
Once you’ve written a draft of your AUP, share it with different employees in your company and get their input. This is a great way to get employee buy-in. Also, your employees are more likely to abide by the rules if they’ve had a chance to influence them. Finally, make sure the AUP is reviewed by your company’s legal counsel and human resources to ensure it aligns with company policies and labor laws.
The last step in developing an AUP is educating employees. Make sure everyone, including contractors, in your company has read the document, had their questions answered, and fully understands it. Then, and this is critical, require each person to sign their copy of the AUP. A signature proves that the person understands the rules, which will help protect your company in case you need to take disciplinary action.
Your AUP should change as your business grows. Review your policy at least once a year and follow these same steps for making revisions, reviewing the rules, and educating staff.
What details have you included in an acceptable use policy?