Creating an acceptable use policy that will be followed and enforced

You can’t police everything users do on company machines, nor should you try to.

But in the absence of a Big Brother policy where IT is always watching, you can help users understand what inappropriate use looks like.

Four points that should be addressed

Make sure you’re not creating a policy “just in case.” A policy only works if it is enforced fairly and consistently, so it must apply to everyone, executives included. Before drafting anything, check with legal and management for job-specific or regulatory requirements that the acceptable use policy has to cover.

Any policy you create should clearly define what behavior is inappropriate. It’s not enough to say “inappropriate use is prohibited.” That’s too vague, and it leaves the definition of “inappropriate” up to each user. Get specific: no gambling, porn or dating sites, etc.

If you don’t want to enumerate sites, you can cover whole categories with broad statements, such as: company computers can’t be used for illegal activities, or to send sensitive data without authorization. Be aware that the broader the statement, the more judgment calls enforcement will require, so pair broad statements with a few concrete examples where you can.

The policy should name who oversees user activity and has the authority to enforce it; this is usually the CIO. Then lay out the consequences of a violation so no one’s surprised if they’re approached for breaking policy.

Here are some suggestions for what to include in any policy. If you already have an acceptable use policy in place, revisit it to see if these points are included:

  • users should lock their workstations whenever they walk away or otherwise leave equipment unattended
  • define which data users may encrypt (and which data they are required to encrypt)
  • explain how, and to whom, to report inappropriate behavior, and
  • state which password and account sharing practices, if any, are accepted.