One popular method for this sort of Management Assessment is called RISK, an acronym that stands for requirements, identify, select and know.
Employing RISK to build an effective AUP is important whether an organization is publicly or privately held.
Even family-owned businesses need an AUP if their employees have access to the Internet.
The requirement of their RISK policy includes understanding that the company’s reputation and assets could be endangered by employee abuse, misuse or threat roll of the company’s network or computers.
When a company understands that email, instant messaging, peer-to-peer and web surfing technology can leave them vulnerable to exploitation or network and system damage, they have identified the key elements around which they must design their AUP.
Once the basic requirements have been identified, the next step is to construct a policy that will protect both their network security and the company’s reputation.
Since breaches in computer network security can lead to substantial regulatory fines judicial settlements that can cost billions and negative media attention that can seriously damage a company’s reputation, the design of a comprehensive and relevant AUP is more important than ever.
Design & Educate
First of all, the AUP should be explicitly written and clearly presented to all employees. It should be comprehensive, covering all rules, polices and procedures appertaining to P2P, Internet, Instant Messaging and email activities.
The use of any vague language should be strictly avoided in an effective AUP. For example, stating that email is to be used for business purposes can leaves wiggle room for an employee to state he was using his email for business when he actually means “personal” business rather than correspondence pertaining to his job.
Employees should be notified that all communications whether of a personal or business nature are monitored and stored. The need for such monitoring should be explained as well as the penalty for employee abuse.
Employees should be made to understand that use of company computers and protocols such as email, IM and P2P are not rights, but rather privilege given to them by the company.
Penalties ranging from written warnings all the way up to termination should be clearly explained. The comprehensive nature of the policies and procedures should be updated regularly in order to govern developing concerns such as blogging.
New technologies and communication protocols are appearing daily – a company’s best acceptable usage policy should be flexible enough to accommodate these emerging threats.
Monitor & Enforce
Developing the AUP and educating employees is only the first step. The implementation system should also include how the company will monitor and enforce their internal AUP.
In an ideal world, simply telling an employee to not exercise bad judgment might be enough.
But employees can be mislead themselves and endanger a host network security system despite good intentions.
Although the education of employees will assist in the enforcement of the AUP because the judicial system could find that a corporation has made a reasonable effort to keep their corporation free of hostility, harassment and other abusive behaviors, it will not be enough to keep your networks safe from outside intrusion, whether intentional or not
The AUP will reduce the vicarious liability that a company may endure but the vicarious liability factor is further protected when the written AUP is enforced through disciplinary actions and filtering solutions.
A filtering solution can prevent employees from accessing sites, software and other connections that may violate the company’s AUP and endanger its networks and systems.
This will eliminate employee error on many levels.
Whatever the chosen filtering solution, it should also monitor behavior in order to provide for disciplinary action on the part of the company as needed.
As previously mentioned, disciplinary action can be applied in stages from written warnings to suspensions to termination of employment.
These rules should be detailed specifically in the AUP and presented clearly to the employees so that expectations and rulings are clearly defined prior to any action being taken.
The Solution is the Solution
Defining the AUP requires identifying the risk management issues, key software vulnerabilities and required employee behavior.
When an effective AUP is combined with disciplinary action that is clearly stated and effectively enforced, companies are protecting their employees, networks and finances.
However, an AUP’s ultimate success will hinge a great deal on the type of filtering solution a company chooses.
A filter that not only enforces the AUP, but also monitors the behavior of the employees provides a double layer of protection.
A powerful and effective filtering solution is the final piece of the puzzle to developing, maintaining and enforcing the company AUP.