The essentials of an acceptable use policy

September 23, 2014 by Dimitar Kostadinov

What is an acceptable use policy?

An Acceptable Use Policy (henceforward "AUP") is an agreement between two or more parties in a computer network community, expressing in writing their intent to adhere to certain standards of behaviour with respect to the proper use of specific hardware and software services. More specifically, it is a set of rules, usually created and enforced by the owner or manager of a website, network, online service, or larger computer infrastructure, that aims to restrict the unseemly ways in which their information assets may be used. In order to minimize the risk of legal action, business entities such as corporations, ISPs, website owners, schools and universities choose to implement an AUP. Hence, an AUP gives directions on what behaviour and what use of technology is approved by the owner or by the community as a whole.

Similar to the terms of service

AUP documents often fulfil the same function as the ubiquitous Terms of Service or End-User License Agreement texts found with virtually all software applications. However, there are slight differences between those documents. First, AUPs cover larger computing resources, e.g., websites or a LAN; second, they emphasize etiquette and respect for fellow users (something presumably not applicable to single-user programs or other single-user computer services).

Connection to IT security

A great many details in an AUP relate to computer security: managing passwords, online intellectual property and software licenses. Other chapters may give an account of basic Internet etiquette (e.g., a short description of the firm's email policy), or deal with excessive use of system resources, for instance the superfluous traffic generated by playing computer games.

Intended subjects

AUPs come in handy when new members sign on to join an information system or network. For this reason, an AUP must, among other things, remain clear and concise and cover the points of vital importance regarding what behaviour is and is not permissible when using the company's IT system. Where relevant, users should be referred to a more comprehensive policy.

In public organizations such as libraries or universities, AUPs may be used to protect young people from profanity, pornography and bad influences. At the corporate level, on the other hand, the policies in question extend to cover business interests.

To this end, a useful aspect of AUPs is that, as an integral part of the entire monitoring procedure, they can be an effective tool for identifying cyber-slackers and abusers among an organization's employees. Human Resources experts and the courts are certain that this measure may provide the necessary evidence of a "duty of care" that will reduce unacceptable employee activity. As a generally accepted rule, monitoring Internet and email services is considered legal provided that the employer has communicated an AUP to its employees. Obtaining prior consent may allow employers to come off clear and avoid being held liable for mischief committed by their employees in contravention of the policy.

Source: Student Internet/Software Acceptable Use Policy by MSD Decatur Township

Source: How to Create an AUP - Acceptable Use Policy by Mitchell Bradley

Moreover, some policies, like those against racial or religious discrimination and those mandating email archiving, are stipulated by law or regulation, and others, such as those on sexual harassment or the prohibition against smoking outside designated areas, may be seen as necessary from a common business ethics point of view. What is important is that all of them can be expressed in an AUP – an employee handbook of a kind – simplifying their application on the ground and at the same time making them understandable to every worker regardless of rank and status.

Source: How to Create an AUP - Acceptable Use Policy by Mitchell Bradley

Structure

Preamble or Purpose

This is an introductory part that clarifies how the policy text that follows is to be applied. Basically, it explains why this document is needed and what its aims are, and perhaps makes an indirect reference to the motives behind its creation.

Source: Acceptable Use Policy by Brown University

Scope

The range and coverage of AUPs vary. A policy could apply to specific users, departments, regions, systems, components, software or data that are employed on or connected to the owner's network or computer systems.

Source: INTERNET Acceptable Use Policy by U.S. Department of the Interior

Policy

This is the policy's pulp (usually the most delicious or essential part of a fruit), in which the requirements users must observe are set out. Frequently, there will be a list of prohibited activities. It is important to remember that at the heart of the AUP as a regulatory document lies the concept of respect and ethical use. Thus, AUPs rely on the good behaviour of everyone under their influence, trying to instill what is appropriate "by persuasion". If the power of persuasion proves insufficient, then one must face the consequences.

  1. Enforceability. The AUP statement should make clear which jurisdiction determines what laws the AUP must conform to. Naming the exact jurisdiction can spare a negative experience when it comes to interpreting the right legal action necessary to enforce the provisos embedded in the policy. Seen from another point of view, this kind of policy is usually enforceable at all times.
  2. Standards. There is a certain collection of standards through which the policy is administered, in order to make it a complete product that provides timely and consistent rules of use. These standards should be made known to the users, who are expected to familiarize themselves with them and comply with them.
  3. The code of conduct — Violations of Policy — Sanctions. Any deviation from the right course of behaviour means there will be a sanction seeking to redress the wrong.
  4. Presumably, the section that outlines the unacceptable uses of a given online service has a central place in almost all AUP documents. Unacceptable behaviour may include:

    • creation and distribution of material that is indecent, obscene, offensive, or causes inconvenience, annoyance, or anxiety to other users or service providers (i.e., technical staff). Several examples:

    Source: Student Use of Technology/Acceptable Use Policy by Fountain Valley School District

    • unsolicited messages, whether of a commercial/advertising character or not, sent deliberately to other users

    Source: Acceptable Use Policy by Rogers Communications Inc.

    • violating the privacy of others online

    Source: Acceptable Use Policy by Brown University

    • misusing the network in such a way as to deny service to all other users (i.e., DDoS attacks).

    Source: Acceptable Use Policy by Rogers Communications Inc.

    • "waste of time" activities performed by a malevolent or negligent user that require technical staff to troubleshoot the problem.

    Source: ICT Acceptable Use Policy by Training Strategies Ltd.

    • any other kind of technical misuse, such as releasing viruses into the network.

    Source: Acceptable Use Policy by Rogers Communications Inc.

    • creation and distribution of any kind of illegal content (e.g., defamatory material, copyright-infringing material, or content that is otherwise unauthorized by nature).

    Source: Acceptable Use Policy by Rogers Communications Inc.

Disclaimers are found most of all in AUPs referring to the use of websites. They exonerate an organization from responsibility under specific circumstances. After all, connection to the Internet or use of a website is a privilege, not a right, as stated in the AUP of Loughborough University.

Sanctions

Many AUP statements contain text that sets forth the consequences of violating the policy – sanctions applicable to everyone who breaks the AUP. For instance, subscribers to a broadband Internet service may be subject to bandwidth limitation, suspension, or termination of contract on a variety of grounds. If the activities are illegal, the company may call on law enforcement authorities. When the violator is an employee, the company may terminate the employment. It is important to note that the policy has more or less direct effect and can be enforced without legal proceedings.

Source: Acceptable Use Policy by Rogers Communications Inc.

Conclusion

Ideally, an AUP should do the following:

  • Clearly specify the owner(s);
  • Define the exact components covered by the policy: Internet, email, voice mail, computer systems and files;
  • Underline that these components are for business purposes only;
  • Incorporate "use cases," "situational analyses," or "what if" scenarios illustrating how the policy works in reality;
  • Ban content that is harassing, offensive, defamatory, insulting, discriminatory, pornographic or obscene;
  • Prohibit distributing confidential or proprietary information, including copyrighted software, or unauthorized access by electronic means performed by employees;
  • Underline the repercussions non-compliance would entail. Warn the policy's recipients that they may be subject to disciplinary measures in case of violation of the policy.


Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master's program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master's degree in 2009. From 2008 to 2012, Dimitar held a data entry and research job for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted to the Law and Politics of International Security programme at Vrije Universiteit Amsterdam, the Netherlands, graduating in August 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in the Internet of Things, Big Data, privacy and data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European Summit organized by Forum Europe in Brussels.