Having an Acceptable Use Policy (AUP) in your organisation can help strengthen its information security. In addition to promoting a strong information security culture, it ensures that the entire organisation is on the same page and knows how to handle its digital activities. The goal is for everybody in the organisation to know with confidence what they can and cannot do.
With this blog, we will guide you through an Acceptable Use Policy example using our template, which you can find further down this page. We will also discuss what to consider when you create these guidelines for your organisation.
There is also a template to create an Information Security Policy, which you can find here. Both documents are vital tools to achieve a good information security culture in your organisation.
When working with cybersecurity in your organisation, it can be very useful to have both an IT security policy and an Acceptable Use Policy. Both documents provide a clear set of expectations, which strengthens your security.
The aim of an Information Security Policy is to provide a general set of objectives for the organisation to aim for. Additionally, it emphasises that all staff are responsible for the information security in the organisation. The policy is a small document of only a few pages and is viewed as a management memo stating the ambitions for the organisation’s information security measures.
The Acceptable Use Policy is more extensive and includes rules and guidelines, which the entire organisation must follow. Where the Information Security Policy is general and strategic, the Acceptable Use Policy is concrete and actionable. (If you would rather see the tutorial for making an Information Security Policy, then click here)
While the Information Security Policy provides a strategic objective, the Acceptable Use Policy (AUP) defines specific rules to follow. Basically, it includes what should be incorporated into one’s daily routine while working. For example, it can include guidelines about the length of passwords, clean desks, or private use of company equipment, like laptops and smartphones.
The purpose of the AUP is to create the field for the organisation to play on. It is to provide clarity for all members of staff, so the guidelines should be easy to understand and follow.
For the AUP to be successful, nobody in the organisation should be left debating whether they are breaking the rules. They should be able to navigate their daily work life in a secure way with ease. Additionally, the document should be concise, as too many rules can lead to worse information security, because staff can be overwhelmed by the sheer number of them.
The template we provide should only serve as inspiration for your AUP. Your organisation has its own needs and context, which may make only some of the rules relevant. We recommend taking what is relevant to you, adding your own guidelines, and removing the rest.
The template contains guidelines on the following aspects:
The template contains two overall parts: a purpose statement, and guidelines and principles. The guidelines and principles cover 10 focus areas for the rules in the organisation. We will go over each part below.
First, we provide a purpose statement to set the tone and communicate the objectives of the Acceptable Use Policy. Generally, this should state that the document is a set of guidelines that are expected to be followed by all staff of the organisation. We give an example here:
“X (name of organisation) focuses on ensuring the availability, the confidentiality, and integrity of its systems and data. All staff must act in a responsible, ethical, and legal manner. All X staff, consultants, and temporary staff are required to manage knowledge with care and discretion, whether written, electronic, or verbal.
Therefore, the handling of information must be in accordance with X’s information security policy and the listed guidelines and principles. To ensure this, the staff of X are continuously trained and made aware of topics within cybersecurity and the GDPR.”
In short, the purpose statement lays down the basic rules for use of IT in your organisation. It should explicitly state the expectation of the staff’s continuous training and awareness.
The guidelines and principles point out specific rules to follow when using IT systems in the organisation. Here, we have added 10 points you can include with some guiding text.
Confidentiality is normally included in employment or project contracts, but it is still useful to state it in the guidelines to emphasise its importance. It states that the organisation expects confidentiality from its employees when it comes to confidential information, e.g., customer information. We give an example here:
“You must handle all of X’s information with discretion and care. Under no circumstances should you access or use information, systems, or networks that are not necessary for your job. Do not share confidential information with colleagues, consultants, or temporary staff who do not have a job-specific need for this information. You may not share confidential information with third parties unless it has a clear business purpose. When working with external parties, they must have signed a declaration of confidentiality.”
In this section, the organisation can set requirements for the users’ access codes. For example, you can state requirements for the length, use of digits, or characters. You can also use this section to discourage staff from reusing passwords. We give an example here:
“All passwords and PIN codes are personal. To create a strong password, we recommend a long password of at least 12 characters, using both uppercase and lowercase letters, numbers, and special characters. When leaving your workstation, you must log off or lock the machine. Never leave passwords written on bulletin boards or paper, or stored on hard disk/email.”
The physical security section deals with how to handle information stored on physical equipment. It also provides some good practices and pointers on what to be aware of in physical settings. We provide an example here:
“Please ensure that your desk is organised and that there are no important documents in plain sight when you are not using them. Confidential information must be placed in locked drawers, cupboards, or the like to avoid unauthorised access. Additionally, be aware of the visibility of your PC screen – you should not have confidential and sensitive data open when unauthorised persons are behind you so that they can watch your activities over your shoulder.”
This section recommends how to handle equipment and files when outside of company/organisation premises, e.g., when working remotely. An increasing number of companies recently have had to concretely define this, as working from home has become a necessity.
Here, you can describe how expectations differ compared to being on premises. This section mainly focuses on securing the organisation’s IT equipment. We provide an example here:
“If you bring IT equipment outside of X’s premises, it must be secured with a PIN or password that ensures a sufficient level of security against access by unauthorised persons. When flying, mobile equipment (i.e., laptops and mobile devices) and documents must always be carried as hand luggage.”
Nowadays, we use cloud services and software which can be quickly accessed and downloaded from the internet. Therefore, it is essential to make some general rules on what types of services may be used and downloaded, as it can be incredibly difficult to control and keep track of your team’s activity. We give an example here:
“All IT systems, equipment, or memory storage devices must be approved by X and follow company standards as issued. Never connect unauthorised equipment to workstations or networks. This also applies to USB keys and smartphones. Additionally, you may only install or download programs if you have been permitted to do so.
Software and equipment are the property of X and must be treated accordingly. Therefore, they must not be lent to others, including family. For data handling, you must use X’s internal file server. Use of cloud-based services such as Google Drive, Dropbox, and web-based file sharing is only allowed when receiving data from external parties. It is not permitted to upload X’s data to unauthorised services. Software must always be used according to the license terms entered into by X.”
One way to keep track of your team’s activity is through Asset management – here’s how to get started
User credentials are the usernames and passwords used for logging in to the organisation’s IT systems. Without a rule, staff might share user information and make use of each other’s logins. We recommend requiring that everybody only uses their own user credentials, so that nobody gets into trouble because of the actions of others. We give an example of the guideline here:
“User rights must be respected, therefore only use your own user credentials to log in. Never share your user information with others, including your employer. Misuse of credentials and digital activity can leave digital traces that have a negative impact on X.”
Here, you can discuss best practices and limitations for digital activity on company-owned equipment. It is important to set realistic expectations, and some of these can include what we normally consider common sense. For example, it would be outrageous to ban visiting specific public websites or checking one’s private emails, but you can limit the level of private consumption during work hours. Needless to say, illegal websites and activity should be banned. It is up to your organisation to specify these rules so that your team still has some freedom, but a line is drawn somewhere. We provide an example here:
“Please minimise the private use of the Internet and email on X’s equipment. Save personal documents locally in a folder on your computer labelled ‘Private’. Personal data must not be sent by email. Under no circumstances may work-related online correspondence take place through anonymised communication channels. It is strictly forbidden to use X’s email accounts, computers, tablets, and mobile phones to view pornographic, racist, extremist, or criminal content. When receiving an email, the sender’s email address must be checked before unknown links and documents are opened.”
This section communicates that you, as the organisation, can log and monitor your team’s digital activities for security purposes. It does not necessarily mean that this is routinely done, and, more importantly, you still respect your team’s privacy. But by bringing it to their attention, you encourage them to conduct their digital activities within reason. We provide an example here:
“X respects the individual employee’s privacy and complies with local laws and regulations. However, we reserve the right to log IT use and, in special circumstances, to require access to an employee’s email and files.”
The handling of personal data is one part of organisations being GDPR compliant. Normally, compliance with the GDPR requires more elaborate processes than a set of rules in a document for IT use. However, the guidelines are still a place where employees can be made aware of the handling of personal data with some general requirements. These requirements do not say much about the processes that make you comply with the requirements but can create awareness of the importance of handling personal data. We give an example here:
“At X, we are very careful to take good care of and protect the personal information that our customers, members, employees, and partners have entrusted us with. We work continuously to develop and implement secure processes, which must ensure the legal and secure processing of personal data.
We have established the following basic principles for the processing of personal data:
The last point illustrates the importance of reporting security incidents. As clear communication is the only way to warn everybody else about an incident and protect them, staff should be required to report security incidents that they observe or are exposed to. In this section, you can provide examples of what a security incident might involve and to whom it should be reported. The important thing is that your team knows when to act and whom to address. We give an example here:
“If you suspect any security incident, you must immediately report it to your immediate manager and the IT department.”
Examples of security incidents:
The guidelines make it possible for your team to easily check what they can or cannot do. However, it is important to point out that this effort cannot stand alone; you cannot just write down the rules and expect everyone to abide by them. Your team must be trained on a continuous basis to ensure that awareness is always there.
The Acceptable Use Policy provides a strong foundation for creating a strong information security culture in your organisation. If you are now prepared and would like to get started with the Information Security Policy, you can find a similar guide here.
It is important that the documents do not just lie around and collect dust once you have filled them out, but that you continuously review and update them. We recommend that you do this annually. Additionally, you must work actively with the objectives and guidelines from the two documents, so that the information security culture in your organisation is reinforced.
We hope you found the template and guide useful!