Providing access to information systems and the Internet is a necessity for any organization in today’s world. As a business owner, your networks, computers, hosted services, and data are your assets and need to be cared for just as much as any other asset.
Your digital assets become more exposed when you open access to others, whether in-house employees, third-party contractors, or guests. A determined malicious actor will attempt to compromise your digital assets regardless of any policy. But as a business owner, you can set out the conditions under which others may use your technology and the consequences of misuse. This establishes your authority over your assets, gives you a documented basis for acting on misuse, and may deter opportunistic actors who are not fully committed.
A well-written Acceptable Use Policy (AUP) should meet the following criteria:
- State that it is an Acceptable Use Policy in the heading.
- Be short and to the point. Since an AUP is usually presented with a one-click confirmation, get your point across in a paragraph or so; a banner nobody reads is no deterrent.
- Clearly state that all information technology beyond this point is the property of your organization.
- Establish that all traffic beyond this point is subject to your organization's governance.
- Lay down the expected use of your networks and systems and state which behaviors are prohibited.
  - Examples:
    - Use of business-approved applications is expected.
    - Web browsing for work research, or casual browsing within a reasonable limit, is permitted.
    - Using company information systems to sign in to personal accounts is prohibited.
    - Using company information systems to access pornography or illicit websites is prohibited and is a punishable offense.
    - Intentional damage to any digital asset, whether physical or virtual, is a punishable offense.
- Clearly state that all usage of company-owned systems is regularly monitored, logged, and retained.
- Clearly state potential punishments for abuse or damage of company assets, up to and including law enforcement involvement.
- Remind end users that by confirming this message, they are agreeing to the above terms and conditions.
- Make sure to include some sort of confirmation barrier that end users must agree to before proceeding. This could be an Agree/Disagree option, a checkbox, or a simple clickable button.
If you meet the above criteria and present them plainly, you have a decent acceptable use policy for your business.
The AUP should be presented before access is granted to any piece of digital infrastructure that will be used by anyone other than yourself. There are several options for implementing this:
- Windows Group Policy can display a message title and text before every interactive logon (the "Interactive logon: Message title/text for users attempting to log on" security options), so the user must dismiss it before entering credentials.
- Linux systems can show text before login on the local console (/etc/issue), before SSH authentication (/etc/issue.net via the sshd Banner directive), and after login (/etc/motd). Only the pre-login banners act as a barrier; the message of the day is a reminder the user sees once already signed in.
- Your wireless router or access point may offer a Captive Portal, which redirects users to a web page the first time they connect and withholds network access until they accept the terms.
I would recommend implementing the AUP on all of the above platforms, plus any other technology platforms your business uses. Always keep dated copies of each version of your AUP, so you can show which wording a user accepted, and update it to include any other provisions you may have or decide on later.
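The Linux option above, as an added example that is not part of the original article: a POSIX shell script that installs the AUP as a pre-login banner on the local console (/etc/issue), as the SSH pre-authentication banner (/etc/issue.net, wired in through sshd's Banner directive), and as a post-login reminder (/etc/motd). The policy wording and the organization name "Example Corp" are constructed placeholders, and the root-directory parameter is there so the same function can be exercised against a scratch directory instead of a live host.

```shell
#!/bin/sh
# Added example: install an AUP banner on a Linux host so it is shown before
# local console login, before SSH authentication, and again after login.
# Not part of the original article; the AUP wording is constructed sample text
# and "Example Corp" is an assumed organization name.
set -eu

# Sample policy text (constructed). Avoid backslashes: agetty expands
# sequences such as \n and \l when it prints /etc/issue.
AUP_TEXT='ACCEPTABLE USE POLICY
All systems and network traffic beyond this point are the property of
Example Corp and subject to its governance. Only business-approved
applications may be used; intentional damage to any asset and access to
illicit content are prohibited. All activity is monitored, logged, and
retained. Misuse may lead to disciplinary action, up to and including
law enforcement involvement. By continuing you agree to these terms.'

# install_aup_banner ROOT
#   ROOT is the filesystem root to write under: "/" on a real host, or a
#   scratch directory when testing. Writes the policy to
#     ROOT/etc/issue      shown by getty on the console before the login prompt
#     ROOT/etc/issue.net  sent by sshd before authentication (Banner directive)
#     ROOT/etc/motd       shown after a successful login (a reminder only)
#   and sets "Banner /etc/issue.net" in ROOT/etc/ssh/sshd_config, removing any
#   existing Banner line (active or commented) so repeated runs stay clean.
install_aup_banner() {
    root="${1%/}"
    mkdir -p "$root/etc/ssh"
    for f in issue issue.net motd; do
        printf '%s\n\n' "$AUP_TEXT" > "$root/etc/$f"
        chmod 0644 "$root/etc/$f"
    done
    cfg="$root/etc/ssh/sshd_config"
    [ -f "$cfg" ] || : > "$cfg"
    # Strip any Banner directive already present, then append ours once.
    grep -v -E '^[[:space:]]*#?[[:space:]]*Banner[[:space:]]' "$cfg" > "$cfg.tmp" || true
    printf 'Banner /etc/issue.net\n' >> "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# banner_line_count ROOT: number of active Banner directives in sshd_config,
# which should be exactly 1 after install_aup_banner.
banner_line_count() {
    grep -c -E '^[[:space:]]*Banner[[:space:]]' "${1%/}/etc/ssh/sshd_config"
}

# Usage: sh aup_banner.sh /      (as root; then run `sshd -t` and reload sshd)
[ $# -eq 0 ] || install_aup_banner "$1"
```

On a Linux host the "confirmation barrier" is the act of proceeding to enter credentials after the banner, so the text that matters is the one in /etc/issue and /etc/issue.net; /etc/motd appears only after authentication and cannot carry the agreement. Validate the sshd configuration with `sshd -t` before reloading the service, and keep the banner free of backslash sequences, since agetty interprets them in /etc/issue while sshd sends /etc/issue.net verbatim. The Windows counterpart is the Group Policy logon message described above.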
