What is Acceptable?

Every organization needs an Acceptable Use Policy (AUP) to define how their employees are expected to use IT facilities and handle information, and the consequences of not following the rules. In 2010 research claimed that the majority of traffic to NSFW sites occurred during working hours, productivity for more than a third of employees suffered as they constantly surfed the web and a quarter of corporate Internet traffic was considered to be “unrelated to work”. From personal experience I know it wasn’t uncommon for some people to routinely set up their work computer to download gigabytes of non work related files overnight. This was several years ago when high-capacity internet connections were not available. There was one occasion when someone needed to remotely access the network at 10pm to investigate an urgent issue. The response time was very slow, what should have been a ten minute job took nearly 2 hours. If we had an AUP, and people actually followed it, that wouldn’t have happened.

In the past creating an AUP wasn’t too complex. A risk assessment would identify threats to information security, based of course on the confidentiality, integrity and availability of assets. Include necessary references for actually doing work and not spending time searching for bargains on auction sites, and the policy was created. Some final checks with HR that it didn’t contradict anything in the employment contracts and you were ready to issue it and do some road shows to make sure everyone knew what it meant.

Now that (almost) everyone has a smartphone and varying degrees of addiction for checking emails and keeping people informed of what they are doing throughout the day, it is more complex. Banning people from spending any time on personal emails, twitter updates etc. isn’t practical. It is a question of deciding what is acceptable, and finding a way to measure it. Traffic related to personal activities could be kept off the corporate network as most people seem to have an almost endless data allowance. But access times could be faster using the high-speed work WiFi, so having them on that is going to reduce time away from their work. Consider having separate WiFi networks for general/guest use and for internal work-related use. There has to be strict rules on what cannot be viewed, downloaded or sent, how to protect information outside of the office, and to let people know what is being monitored. But you never know what the next big thing/time waster will be, so avoid having definitive lists of what is, and isn’t allowed. Keep them as generic as possible. Always bear in mind that your AUP has to be effective, fair, cope with business growth and complement other policies.

Two final points. The first is to review your AUP at least once a year to check it covers current risks to information security and what the business sees as being acceptable. The second is to remind everyone about the AUP. Ideally get them to sign a document each year, or send an email, to acknowledge their responsibilities.