As we explore the challenges organizations face in achieving and maintaining compliance, we find that an acceptable use policy is a critical step in risk mitigation. An acceptable use policy (AUP) is not a legislated compliance regulation, but it is a necessity for most organizations. More often now than ever before, insurance companies are requiring that organizations have an AUP in place to obtain business coverage.
What Is an Acceptable Use Policy?
An acceptable use policy, as defined by TechTarget, is a document stipulating constraints and practices that a user must agree to for access to a corporate network, the internet, or other IT resources. Many businesses and educational institutions require employees or students to sign an AUP before being granted a network ID. AUPs are a subsection of information governance and are an essential component of overall data security.
Why Does Your Organization Need an AUP?
In addition to being a requirement from most insurance companies, an AUP establishes network access standards and gives organizations leverage for holding employees, third-party vendors, and other incidental users accountable for responsible use of the network. In turn, the AUP gives organizations the power to suspend access should users violate the terms of use. It becomes a legal agreement between your organization and the person being granted access to your network. An AUP is one of the ways in which an organization can demonstrate due diligence when faced with a regulatory audit or in the event of a breach.
How to Create an AUP
Creating an acceptable use policy begins by identifying the information within your organization that is considered sensitive, private, or proprietary, and then determining how that information is to be protected. An effective AUP requires input from the organizational leadership team and should address specific actions, such as:
- The types of information allowed to be shared outside of the network or with third parties
- Information that is not allowed to be sent via email, SMS, or on social media, including personally identifiable information (PII), payment information, customer or patient data, and proprietary information
- Consequences for violations of the AUP, including who will enforce the policy
- How employee personal devices are used to access the network
Acceptable use policies specify rules that govern the sharing of private information, but they should also address security requirements, such as password management, device security, and Wi-Fi access in public spaces (requiring the use of a company-approved VPN). The AUP can also address phishing risks by establishing rules about clicking on URLs or opening attachments from unfamiliar sources, reporting potential phishing attacks, and mitigating these risks. Finally, the AUP should clearly state that employee activity on the network may be monitored.
Implementing the AUP
Employees should be required to sign the AUP as part of their onboarding process, and a copy should be kept with their employment files. In addition, regular reminders about acceptable use should be included with ongoing employee awareness training to ensure continued compliance. While it is easy to consider an AUP an inconsequential document or an exercise to obtain insurance coverage, a properly constructed AUP can, in some instances, help protect the organization from facing legal action.
From better compliance to creating an acceptable use policy to enhancing your cybersecurity, thinkCSC is here to help.
Get in touch to learn more about how we can help you protect your data from risk.