Acceptable Use Policy: Best Practices and Template
Posted by Superadmin on September 16 2022 06:45:03

Published date: January 15, 2019
Acceptable Use Policy Best Practices

An acceptable use policy or access agreement should be adopted to ensure uniform and appropriate use of an organization’s network, computers, information assets, and other electronic resources. The rules, obligations, and standards described in this policy and in related policies and procedures should apply to all employees, temporary workers, independent contractors, vendors, and other electronic users, wherever they are located. The guidance and best practices in this article may be incorporated into your own template to create a version of the acceptable use policy suited to your organization.

What is the purpose of the acceptable use policy?

The purpose of this policy should be to define the acceptable-use criteria that end users must follow when using organizational systems. Information systems provide access to both the data and the processes required to support most business functions. They have contributed to substantial improvements in productivity and customer service; however, using information systems to access customer or financial data, electronic mail (e-mail), the Internet, and remote business systems introduces risk.

Why is acceptable use policy important?

Computers and networks provide access to information resources on both internal and external networks. To ensure this data is handled responsibly, users are to respect the rights of other users, protect the confidentiality and integrity of the systems and related physical resources, and observe all relevant laws, requirements, and regulations. It is the responsibility of every user, independent contractor, vendor, and other electronic user to use information systems and information assets, including protected health information, in a professional, ethical, and lawful manner. In addition, users are to help ensure the security of information systems and information assets. All employees (and others) agree to assist in investigating any potential or actual violations of policies and procedures.

How are acceptable use policies implemented?

Acceptable usage should be clearly defined, and all usage should be explicitly authorized. Rules should describe user responsibilities and acceptable behavior regarding information system usage, including, at a minimum, rules for e-mail, Internet, mobile devices, social media, and facility usage. Management approves the use of information assets and takes appropriate action when unauthorized activity occurs. All employees, temporary staff, independent contractors, vendors, and other electronic users should sign an acceptable use agreement before being granted access to information and system assets. All employees and contractors should be informed in writing, through the acceptable use agreement, that violations of the security policies will result in sanctions or disciplinary action.

How access is granted

Access to systems and data should depend on the job requirements or on the third party’s “need to know”. Management should review job requirements and approve access on a need-to-know basis. Users should be granted only the minimum access required to perform their assigned duties.

Only those employees, contractors, vendors, and other third-party users (collectively referred to as users) who have been authorized by management may access systems, and they may do so only after first obtaining permission from designated supervisors or managers. Authorized access may occur only after the user understands the information security policies, signs and submits an Access Request Form and a Statement of Understanding form to the appropriate manager, and is granted access to the systems by management.

By default, users should be assigned the following privileges when granted access to systems:

Remote Access

Since remote access to systems introduces a higher level of risk, only management should grant remote access to users, partners, vendors or other third parties according to the following standards:

Systems Acceptable Use

All devices should require authentication with a username and password or another authentication factor (e.g., a token). The IT Department should maintain a list of devices and of the personnel authorized to use them. All devices should be labeled with owner, contact information, and purpose.

Remote Control Software Acceptable Use

Use of remote control software should be limited to technical support or training requested by the end user. All PC commands issued during a remote control session are considered to be issued by the logged-in user, even if they are actually issued by a member of the IT Department or an authorized vendor (the administrator). Remote control sessions should not take place unless the end user has explicitly granted access to the administrator initiating the session. All remote control sessions should take place while the logged-in user is present at the hosting PC and the administrator is present at the managing PC.

While a remote control session is in progress, the hosting software on the end user’s PC should notify the hosted user both visually and audibly. The end user who is allowing a hosted session should always be able to type on the keyboard, use the mouse, and see on the monitor what is happening during the session. Either the administrator or the end user may terminate an active remote control session. It should be the responsibility of the IT administrator to inform the end user when a session is being terminated.

Who owns the data in a company?

All messages or data created, stored, transmitted, or retrieved over the organization’s systems or through its Internet access should be the property of the organization and should not be regarded as private to the individual user. The organization reserves the right to access the contents of any messages or data sent over its computer network and to use that information to enforce its policies. If the content violates regulations or laws, the organization reserves the right to submit the information to law enforcement for potential prosecution.

Do workforce members have privacy rights?

Users should have no expectation of privacy or confidentiality in any of their system usage, including Internet access and e-mail. Inspection of systems, data, and voicemail by management should not require the consent of individual users. Any personal information placed on information system resources becomes the property of the organization; nevertheless, system users should protect the privacy of co-workers and clients.

Unacceptable Use

Although the following is not an all-inclusive list, users should be prohibited from these unacceptable uses of systems:

What are the consequences of non-compliance?

Violations of policies and procedures may result in disciplinary action, including termination, and in potential civil and criminal liability. The use of the company’s information systems and information assets is a privilege that may be limited or revoked at any time, with or without cause and without notice, at the sole discretion of management. If an employee (or other user) does not accept the terms of the policies and procedures, including the provisions regarding the collection and use of personal information, the employee (or other user) may be denied use of information systems and information assets, may be denied employment, or may be terminated, to the full extent permitted by applicable law.