How To Develop an Acceptable Use Policy
Your employees are simultaneously your organization’s greatest asset and its greatest weakness. Personnel actions represent the greatest cybersecurity threat facing an organization—whether it’s a user clicking on a phishing email, intentional theft of computing resources or intellectual property, or general poor cyber-hygiene of “bring your own device” (BYOD). Developing an Acceptable Use Policy (AUP) will help prevent attacks.
Employees and other personnel cyber-related actions can have dire consequences for the entire organization. Whether you like it or not, the “insider threat”—whether intentional or not—needs to be addressed by your organization.
Since my business is small, should I develop an Acceptable Use Policy?
Developing an IT Acceptable Use Policy is the first and easiest method to address the insider threat in any organization. You’d be surprised at how many organizations don’t maintain an Acceptable Use Policy. Most small businesses don’t. Others rely on a boilerplate Acceptable Use Policy full of legalese that no one reads or pays attention to. This is understandable: we want to trust our employees to do the right thing. But what if they don’t know what the right thing is? A quick, easy-to-read Acceptable Use Policy is low-hanging fruit for any organization to realize quick gains in their cybersecurity program. Develop an Acceptable Use Policy and have employees read and acknowledge the Acceptable Use Policy will foster an awareness of the threats they face and the organizational policies in place to defend against those threats. It also makes them cognizant that they are responsible for securing their little piece of the organization.
Here are some features to keep in mind when developing an Acceptable Use Policy:
• short: 3-4 pages
• easy-to-read: think bulleted lists, no “walls of text”, no legalese
• coherent: organized into sections
• outlines the organizational IT use policies
• references the threats these policies are designed to address, where appropriate
• gives examples of acceptable behavior: e.g. “you will forward suspected phishing emails to the IT department with *PHISH SUSPECT* in the subject line”
• gives example of unacceptable behavior: e.g. “you will not leave your corporate laptop on the front seat of your car”
• informs users of corporate oversight strategy: e.g. “you and the information you process are subject to monitoring at all times”
• informs users of consequences of their actions: e.g. “failure to follow this Acceptable Use Policy may result in suspension or termination”.
Totem's Cybersecurity Experts can help develop an Acceptable Use Policy and create culture change with our employee cyber awareness training.
Acceptable Use Policy and Employee Cyber Awareness Training
An easy way of generating an Acceptable Use Policy is to go through your organization’s System Security Plan (SSP), and earmark for inclusion in the Acceptable Use Policy any policies or processes that require some help from the end users. (Don’t have an SSP? We can help with that!) Also: don’t forget to include your IT administrators in the Acceptable Use Policy distribution; they need to understand policies as well as the consequences of their actions.
To really make the Acceptable Use Policy effective, we recommend aligning your organization cybersecurity training to the Acceptable Use Policy. This helps reinforce the threat-consciousness, user responsibilities, and give the users a chance to ask questions about the Acceptable Use Policy. These trainings, if executed properly, can turn your biggest threat into an effective first line of defense—a human Intrusion Detection System (IDS). Your users are now conscious of the threat and on the lookout for indicators of compromise, because they understand the consequences of their actions for both them and the organization.
Totem Technologies specializes in developing Acceptable Use Policies that are efficient and effective We also follow up by conducting Acceptable Use Policy-specific training. We offer a free Acceptable Use Policy template you can adapt to your organization. Let us help you develop an Acceptable Use Policy, and then institute a cybersecurity training program with the Acceptable Use Policy as the foundation.
