An acceptable use policy (AUP) might logically be included
as part of the final security policy. Because of the convergence of
technologies, it’s common for AUPs to include telephone, copier, personal
digital assistant (PDA), and pager, as well as fax activities. The AUP should
spell out specifically what users can and cannot do on the various components
that make up the network, including the type of activities and traffic allowed
on the networks. The AUP should be as explicit as possible to avoid ambiguity or
misunderstanding, particularly if sanctions are imposed for failure to comply.
For example, an AUP might list prohibited activities like “browsing and engaging
in transactions on web auction sites.” The AUP should be explained at every
employee orientation session and signed by each user. This agreement and the
accompanying training should be updated periodically as a refresher, and
certainly any time a significant change is made to the policy.
Unfortunately, it is not uncommon for new employees to be told at orientation
about new limitations on access to resources, such as restrictions on personal
use of Internet access, only to find that the same information has never been
distributed to existing employees. It is particularly dysfunctional when the
sanctions attached to a policy are enforced against employees who had no way of
knowing they were violating it. Handled poorly, this leads to mistrust, lack of
support for the security program, and even outright refusal to use certain
resources.