Archive for the 'Acceptable Use Policy' Category

Is an AUP the best approach?

There’s an interesting section in the Wikipedia entry for Acceptable Use Policies called “Is an AUP the best approach?” here.

Here’s an excerpt:

In a well-respected essay on the topic of AUP documents, Dave Kinnaman raises the issue as to whether writing and enforcing AUP documents is the right way to approach the governance of how Internet connections are to be used at school, at work or in people's own free time.

In this essay he raises the question from the perspective that the Internet is no different from anywhere else we use third-party property. Do we write a "user's guide" for going to school, or a user's guide for shopping in the shopping mall? No, and the reason we do not is that we are educating young adults to behave in certain ways when at the shopping mall, or at school, or in the library.

Businesses should have a good AUP document that, according to visionGateway, a business implementing secure networks for businesses, should cover the business legally in any situation that the business might need to take to protect its interests. Also privacy and individual rights need to be addressed.

So the question is, do we teach our students at school and encourage our employees at work to maintain self-control, or do we explicitly outline acceptable use policies? Possibly both AUPs and self-control can be encouraged and when used together it could bring the best outcome for both organisations and individuals.

I think it’s an interesting question, but in the end your auditors are going to ask for your AUP. If you don’t have one they’ll probably tell you to get one.

What do you think?

Email Acceptable Use Policy

A good example of an Email Acceptable Usage Policy can be found on page 6 of a document at the TechTarget website here.

Here’s an excerpt:

Introduction
This policy covers acceptable email usage when utilizing company information systems.
NOTE: You might want to include more information here such as the purpose and reasoning behind this policy.

Scope
All users of company information systems.

Policy Statement
Email is intended for business purposes only. All use is subject to monitoring, and there is no right to privacy when using company equipment. No user shall at any time send or store email that contains malware, a warning about malware, unsolicited commercial email, or that is considered pornographic or adult content in nature or would otherwise offend any other user of the system.

This policy is part of a larger document called The Definitive Guide to Email Management and Security by Kevin Beaver.

Other sections in the document include:

  • Email Policy Development and Management
    • User Awareness Training
  • Storage Considerations
    • Backups
    • Fault Tolerance
  • Email Retention
    • The Problem with Retrieval
    • Creating an Email Retention Policy
    • Enforcing Your Policy

Here’s an archived copy of the document: Email Acceptable Use Policy

Great info! Check it out!

Acceptable Use Policy Example

The Ruskwig site has a great example of an Acceptable Use Policy here.

Here’s an excerpt:

DO NOT
9. Do not download text or images which contain material of a pornographic, racist or extreme political nature, or which incites violence, hatred or any illegal activity.
10. Do not download content from Internet sites unless it is work related.
11. Do not download software from the Internet and install it upon the Organisation’s computer equipment.
12. Do not use the Organisation’s computers to make unauthorised entry into any other computer or network.
13. Do not disrupt or interfere with other computers or network users, services, or equipment. Intentional disruption of the operation of computer systems and networks is a crime under the Computer Misuse Act 1990.
14. Do not represent yourself as another person.
15. Do not use Internet access to transmit confidential, political, obscene, threatening, or harassing materials.

Definitely worth checking out if you’re developing your own Acceptable Use Policy.

Acceptable Use Policy Sample

The SANS Security Policy Project site has a good acceptable use policy sample here.

2.0 Purpose

The purpose of this policy is to outline the acceptable use of computer equipment at <Company Name>. These rules are in place to protect the employee and <Company Name>. Inappropriate use exposes <Company Name> to risks including virus attacks, compromise of network systems and services, and legal issues.

4.3. Unacceptable Use

The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services). Under no circumstances is an employee of <Company Name> authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing <Company Name>-owned resources.

This is a great resource for anyone developing their own Acceptable Use Policy. Check it out!

Acceptable Use Policy Template

The Forum of Incident Response and Security Teams (first.org) has a great Acceptable Use Policy template available for download in their Best Practices Guide Library. You can download it here.

Here’s an excerpt from the Overview:

The purpose of this policy is to establish acceptable and unacceptable use of electronic devices and network resources at [Company Name] in conjunction with its established culture of ethical and lawful behavior, openness, trust, and integrity.

[Company Name] provides computer devices, networks, and other electronic information systems to meet missions, goals, and initiatives and must manage them responsibly to maintain the confidentiality, integrity, and availability of its information assets. This policy requires the users of information assets to comply with company policies and protects the company against damaging legal issues.

Other sections of the policy include:

  • General Requirements
  • System Accounts
  • Computing Assets
  • Network Use
  • Electronic Communications
  • Enforcement

An archived copy of the policy is here.

Acceptable Use Policy

I found a good example of an Acceptable Use Policy at the Asian School of Cyber Laws site here.

I like the section on Unacceptable Use. Here’s an excerpt:

The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).

Under no circumstances is an employee of ASCL authorized to engage in any activity that is illegal under local, state, central or international law while utilizing ASCL-owned resources.

The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.

Check it out!