Administrative Security: The Acceptable Use Policy

Information Security Professional
Though they are not as exciting as the high-tech infosec toys, like firewalls and IPS, policies are an important component of your information security program.

One common policy that you might have butted heads with over the years has a name along the lines of “acceptable use,” and states, in brief, that the computer on your desk and all other resources are to be used for furthering the company’s mission, and nothing else. To some extent, that is a fair request. Time spent surfing the Web for personal reasons is time spent not doing your job. Also, in many cases a corporation pays for its Internet use, perhaps not literally by the bit, but based on the volume of traffic that flows over the circuit.

Mind you, this policy can easily be taken too literally. Imagine an analogy with your work phone. Your wife calls, but since it’s a personal call you immediately quote your company’s policy on acceptable use of your business phone and ask her to call you back on your personal phone during your lunch hour. All she wanted was to ask you to pick up the kid after work, which would have taken 30 seconds. Now imagine the situation in reverse, with your boss busting into your house one night and demanding that you stop logging in from the comfort of your home to get caught up on some time-critical work because it’s not “acceptable use” of your home. It’s just not going to happen. Businesses are frequently delighted to have employees use their own time, money, and other resources for the benefit of the company.

Strictly speaking, a corporation has every right to mandate that the company’s resources are to be used for the company’s mission. Having said that, companies that enforce “acceptable use” to an extreme run the risk of alienating dedicated workers, especially the so-called “Millennials,” who see only a hazy distinction between work and personal life. A business that operates in the real world must realize that its employees are going to surf a little and send some personal emails, just as they will stand around the coffee pot not working, but chatting about the game last night. (In fact, water-cooler conversations build relationships that can further team effectiveness, so much so that some companies bring in snacks every day as a ploy to get people out of their offices and talking with each other!) Any corporation that does not allow for some personal use is either delusional or truly draconian.

In addition to what’s cool and what’s not when using company assets, your organization’s policy manual, I would wager, also addresses a blizzard of other fascinating administrative security topics. Those which I will cover in future posts are:


  • Passwords
  • Email & Spam
  • Malware
  • Phishing, And All Of Its Cousins
  • Safe Surfing
  • Wireless
  • Laptop Security
  • Social Engineering
  • Business Contingency Planning