Eze Castle Integration

Hedge IT Blog

Acceptable Use Policy: A Recipe for Success

By Mary Beth Hamilton,
Tuesday, July 9th, 2013

Here at Eze Castle Integration we have a pantry full of thoughtful policies that help ensure we keep everything in tip-top shape.  In past Hedge IT articles, we’ve shared our recipes for creating security incident policies, BYOD policies and social media policies.
 
Today, we are going to share our recipe for creating an Acceptable Use Policy, which governs how a company and its employees use computing resources.  The SANS Institute, which has policy templates galore, also has an Acceptable Use Policy template that you can find HERE and that is the foundation for our award-winning recipe.
 
First, define the purpose and scope of your policy by answering questions including:

  • Why are the rules in place (e.g. to protect the firm from virus attacks, compromise of the computing network, etc.)?

  • Who does the policy apply to (e.g. employees, consultants, contractors, etc.)?

Next, select the meat for the actual policy.  While every firm’s palate is different, this gives you a taste for the types of ingredients typically included:

General Use and Ownership

  • Users should understand that the data created on the corporate systems is the property of the company, and that the company cannot guarantee the confidentiality of the information stored.

  • Employees must exercise good judgment when it comes to personal use and know that for security purposes, in some cases, authorized company individuals may monitor equipment, data or systems.

  • The company has the right to audit networks and systems on a periodic basis to ensure policy compliance.

Security & Proprietary Information

  • All computers and mobile devices should have password-protected screensavers with an automatic activation feature set to five minutes or less (ideally).  Also, users should be trained to lock their computers and mobile devices when leaving them unattended.

  • Passwords should be kept secure, and employees should not share accounts.  Additionally, system-level passwords should be changed at least quarterly, and user-level passwords should be changed every 90 – 120 days (ideally).

  • Employees should take all necessary steps to prevent unauthorized access to confidential information that resides on the company’s Internet/Intranet/Extranet-related systems.

  • Employees must use caution when opening email attachments from unknown senders as they may contain viruses.

Unacceptable Use

Define what activities are generally prohibited unless necessary for the job function and what activities are 100% prohibited (e.g. illegal activities).  The following is a sample list provided by the SANS Institute:
 
System and Network Activities

The following activities are strictly prohibited, with no exceptions:

  • Introduction of malicious programs into the network or server

  • Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws

  • Unauthorized copying of copyrighted material

  • Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations

  • Revealing your account password to others or allowing use of your account by others

  • Making fraudulent offers of products, items, or services originating from any company account

  • Effecting security breaches or disruptions of network communication

  • Circumventing user authentication or security of any host, network or account

Email and Communications Activities

  • Sending unsolicited email messages, including the sending of "junk mail"

  • Any form of harassment via email, telephone or texting

  • Unauthorized use, or forging, of email header information

  • Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type

Blogging & Social Media

Define your company’s policy on employees’ participation on social media sites while at work.  Be sure to reaffirm that confidential information should never be shared via these outlets.

Enforcement

What disciplinary action will an employee be subject to if they violate this policy?

Definitions

Be sure to define any terms included in the policy that you think employees may be unclear on – better to cater to the lowest common denominator to help ensure there is no confusion.
 
There you have it, a wonderful Acceptable Use Policy recipe.  If we’ve piqued your appetite, be sure to give our other policies a try:

Bon Appetit!
