Are you constantly worried about what your users are doing on the network and how they are using/abusing your computers? If the answer is yes, then it's time to start looking at an AUP (Acceptable Usage Policy), a framework that defines computer usage in an organization. As technology usage increases in an organization, one needs to look at ways of controlling it for maximum benefit. An AUP is quite often a part of the employee handbook, and very clearly defines what the IT infrastructure in the organization can be used for.
An AUP is very specific to an organization and its overall philosophy, meaning one shoe does not fit all. So, a working AUP can only be developed by the organization itself. The AUP needs endorsement of the management and complete support of the employees. If either doesn't agree it just won't work.
Why an AUP?
There are several reasons for this, and the most important ones are:
- Clearly define to employees what is "out of bounds"
- Reduce wasted bandwidth and optimize network resources
- Protect against the risk of legal liability
- Create a safer work environment
- Reduce misuse of company resources
Having stated that, we'll build an AUP for Internet and e-mail usage for a fictitious company called ACME India Pvt Ltd, hereafter referred to as AIPL.
E-mail usage and security policy
The first and most important component of an AUP is the statement of purpose or objective. Everything else just follows this objective. So, the policy statement for e-mail would look something like this:
Purpose
This policy statement provides specific instructions on the usage of e-mail and the best methods of securing it for AIPL.
Scope
The policy applies to all e-mail related to AIPL, on the servers, workstations, personal laptops and any other method of access that AIPL permits. It covers e-mail of employees, contractors and any other associates on equipment that is owned by and under the jurisdiction of AIPL.
Specific policy
As a productivity enhancer, AIPL encourages the use of e-mail for all company communications. E-mail generated using AIPL's resources is considered to be the property of AIPL. This includes all incoming, outgoing, and backup copies of e-mail.
Authorized usage
Use of AIPL's mail systems and e-mail is restricted to employees, contractors and associates of AIPL. Although usage is primarily for business purposes, incidental personal usage is also permitted. Personal usage is restricted to trivial use of resources; sending large attachments, jokes, etc. is not permitted and may be blocked. Personal usage must also not interfere with productivity and must definitely not preempt any business activity.
User accountability
AIPL prohibits sharing of passwords, no matter what the reason. If employees need to share data, this needs to be done using the company LAN or through mail forwarding. At all times, the accountability and responsibility for all e-mail rests with the user.
Message monitoring and privacy
AIPL respects the privacy of its employees. However, to protect its business interests, AIPL needs to monitor all electronic communications. In the normal course of business, messages will not normally be read or shared, but in the event of an audit or any other investigation, the messages would be shared with the appropriate authorities. (On the issue of privacy, sometimes an organization may monitor e-mail without informing the employees. This is a complete breach of privacy and must not be encouraged or supported. It is fair for a business to want to monitor what goes on, but it must clearly state this to its employees, and they must be aware that this monitoring is being done.)
Mail forwarding
AIPL recognizes the fact that not all electronic communication is appropriate for general distribution. With this in mind, users are advised to exercise control when forwarding messages. Any critical or sensitive data being forwarded will require the permission of a supervisor. Since AIPL provides remote access to its e-mail servers, it prohibits the use of "free" e-mail accounts by its employees for business purposes, and employees are not permitted to forward messages to such accounts.
Purging
Messages no longer required for business purposes must be regularly purged by users from their storage area. For archival purposes, messages will be transferred to backup media such as CD-ROMs and tapes by the IT department, and then deleted from the users' storage.
So, as you can see, developing an AUP is not a difficult task, and if we were to continue with this we would probably fill up several issues of the magazine.
Rather than that, we will now shift to a few elements of the AUP for Internet access. Here also the basic purpose and scope of the policy need to be mentioned before concentrating on the specifics.
Internet usage policy
The use of the Internet by company employees is both permitted and encouraged where this usage is for business purposes, research and market intelligence.
Authorized users
All desktops at AIPL are authorized for accessing the Internet as are all employees. Employees will require a password to access the Internet. Sharing of passwords is prohibited and any misuse will be the responsibility of the employee.
Proxy and cache
AIPL uses a proxy server for Internet access. The proxy also caches content, and all access is via the proxy. No override or bypass of the proxy is permitted.
Content filtering
To block access to obscene, hateful and other objectionable material, AIPL uses various content-filtering technologies and products. Content filtering is essential both for limiting legal liability and for creating a productive work environment.
AIPL reserves the right to control access to websites being accessed using company resources and time. Accordingly, any non-business-related websites shall be blocked.
Monitoring
All Internet traffic will be subject to monitoring. Users will be sent warnings if they try to access "banned" websites, and from time to time AIPL will publish not only a list of all non-productive sites being accessed but also a list of the users accessing them. These reports are available to management and supervisory staff and will be published on the company Intranet and notice board.
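As an added illustration (not part of the article, and not AIPL's or any vendor's tool), the following Python script turns the monitoring section above into something an IT department could actually run against its proxy logs: it parses access-log lines, flags each attempt to reach a banned site so the user can be warned, and builds the summary of non-productive sites and the users who accessed them. The log layout, the site categories and the sample log lines are all constructed assumptions for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed site categories for illustration; a real deployment would use
# the categories its content filter already maintains.
BANNED = {"adult.example", "hate.example"}           # blocked outright, user is warned
NON_PRODUCTIVE = {"chat.example", "games.example"}   # allowed, but reported

# Constructed proxy log lines in a "timestamp user url" layout (not a real log).
SAMPLE_LOG = """\
2024-01-15T09:01:12 asha http://intranet.example/policy.html
2024-01-15T09:03:40 ravi http://games.example/play
2024-01-15T09:05:02 ravi http://adult.example/index
2024-01-15T09:07:55 asha http://chat.example/room/1
2024-01-15T09:09:10 meena http://games.example/play
2024-01-15T09:11:31 ravi http://vendor.example/quote
"""

def parse_line(line):
    """Return (user, host) for one log line, or None if it is malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    host = urlsplit(parts[2]).hostname
    return (parts[1], host) if host else None

def classify(host):
    """Map a host name to the policy category the article describes."""
    if host in BANNED:
        return "banned"
    if host in NON_PRODUCTIVE:
        return "non-productive"
    return "business"

def build_report(log_text):
    """Return (warnings, summary): warnings lists (user, host) for each banned
    attempt; summary maps each non-productive host to the users who reached it."""
    warnings = []
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:          # skip truncated or garbled lines rather than crash
            continue
        user, host = rec
        category = classify(host)
        if category == "banned":
            warnings.append((user, host))
        elif category == "non-productive":
            summary[host].add(user)
    return warnings, dict(summary)
```

Calling `build_report(SAMPLE_LOG)` on the constructed log yields one warning (ravi, adult.example) and a summary showing games.example reached by ravi and meena and chat.example by asha; the business-site lines are left out of both.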
Instant messengers
Considered an essential communications tool, Instant Messengers are also one of the biggest productivity killers. Several organizations have banned their usage since employees were found to be chatting all the time rather than doing any work. AIPL prohibits the use of Instant Messengers, except for the messaging system provided by AIPL. Access to the messaging system is currently restricted.
Cyber café
Recognizing the need for employees to have access to the Internet for personal work as well, AIPL has installed Internet Kiosks in the staff cafeteria. All employees have access to these kiosks.
Though access from the kiosks is not controlled, the basic guidelines for usage will still be applicable. Webmail, instant messengers, hobby sites, etc. can all be accessed from the kiosks. Access to objectionable and pornographic material is prohibited even from the kiosks.
Apart from this, do ensure that your policy is aligned with the laws of the land. Most ISPs in India also provide you with an AUP for usage of their network. Make sure that your AUP includes the guidelines of the ISP as well. An example of this would be "voice over IP". For several years India's largest ISP, VSNL, did not permit the use of VoIP on its networks. Any company found using VoIP would risk paying a huge penalty apart from being disconnected. Make sure that your AUP prohibits the use of VoIP.
Kishore Bhargava is a technology consultant with Linkaxis Technologies.