Problem solve Get help with specific problems with your technologies, process and projects.

Acceptable use policy for Internet usage helps data protection efforts

Acceptable use policies are an inexpensive, yet effective, control in limiting exposure to data breaches.

Midmarket companies are not immune to data breaches, nor are they exempt from the 40-plus state data breach notification laws. Many times, smaller IT organizations do not have the employee bandwidth, money or security know-how to monitor systems and networks in order to prevent breaches.

One inexpensive, yet effective way, to counter the lack of resources is with an acceptable use policy (AUP). While placing restrictions that might inconvenience your employees, it is essential to have procedures and policies in place to protect your organization.

Security Policy Resources

Consider a policy-driven security framework: Midmarket companies bound to regulations such as PCI DSS, HIPAA and Sarbanes-Oxley should consider using these requirements as the basis for their security programs.

How should a company's security program define roles and responsibilities? How can a CISO bring physical security, legal, and IT security departments together.

An acceptable use policy for Internet usage describes what employees may do on a company's network. The policy usually includes items such as the kinds of websites employees may visit and which are off limits, as well as what constitutes acceptable personal Web surfing.

Having an AUP ensures employees are following directives that serve to safeguard their work environment and the IT network infrastructure. All employees should sign an AUP and if they disregard the terms of the policy, it can be grounds for discipline or dismissal.

How to implement an acceptable use policy

An AUP is usually created in collaboration between human resources and IT. This helps to ensure a comprehensive AUP is formulated according to the needs of the company and then enforced.

AUPs typically cover all employees who have Internet access. However, while most policies cover the same grounds, each company will have its own terms and conditions according to the company infrastructure. Certain employees may be exempt from certain clauses in the policy depending on factors such as their specific role or hierarchical position. Should there be no extraordinary circumstances, then it's advisable for the AUP to apply across the board.

The scope of an AUP is not to snoop on employees or deny them all access rights to the Internet while at work, but rather it aims to educate users about Web-borne threats and how irresponsible browsing can result in malware being unknowingly downloaded onto a computer, which in turn could infect the whole network. The implementation of rules needs to be explained so the user understands why visiting certain sites or downloading software onto their workstation could be detrimental to the company's network. A training session about Internet security is essential to ensuring users abide by the policy. Once they understand the reasoning behind it, they are more likely to understand the value of it and to follow it.

Employees must be made aware that their Internet access at work is a privilege and not a right and that they are expected to abide by the AUP put in place by management. Action must be taken against an employee if they continuously ignore the policy. This underscores to employees that Internet security is not something that can be ignored or will be taken lightly. Penalties for improper Internet usage could start with a verbal warning, increase to a written reprimand, demotion and eventual termination.

How to enforce an acceptable use policy

Once the Internet usage policy is drawn up and employees are made aware of its existence, it is important to ensure monitoring employee use is automated through Web monitoring software. It would be a waste of human resources to assign a person or team to monitor the Internet activities of all company employees. Further, Web monitoring software provides efficient and comprehensive reports and data can be accessed within minutes. Automation allows management to set boundaries for site browsing, prevent downloading and installing of software and has multiple scanning engines to ensure that allowed downloads are free of viruses and other malware. By controlling downloads and browsing in real-time, the network is protected from malware. There is also the prevention of data leakage through socially-engineered websites and it also helps reduce cyberslacking, thus boosting employee and business productivity.

AUPs protect a company's data assets and confidential information while also safeguarding employees and maintaining standards concerning the use of the Internet during working hours. Implementing Web monitoring software is an investment in security and could prevent employees from cyberslacking or abusing the company's trust with work-related information. By implementing and enforcing a solid AUP and providing ongoing, end-user education, companies can minimize risk, allowing them to focus on growing their business rather than repairing it.

Brad Dinerman is the president of Fieldbrook Solutions LLC, an IT, MIS and security consulting firm in Massachusetts. He is a Microsoft MVP in enterprise security as well as a Microsoft Certified Systems Engineer (MCSE), a Certified SonicWall Security Administrator and a Certified 3Com IP Telephony Expert.

Send comments on this technical tip [email protected].

Join our IT Knowledge Exchange discussion forum; please use the midmarket security tag.

This was last published in July 2009

Dig Deeper on Information security policies, procedures and guidelines