An Acceptable Use Policy (AUP) that defines acceptable conditions for access and use of digital infrastructure and assets, as well as methods for network monitoring and repercussions for non-compliance, SHALL be implemented.

Control Type: Administrative

Control Function: Directive

Description: Business assets become more vulnerable to damage when they are opened to access by multiple parties, whether in-house employees, third-party contractors, or guests. An Acceptable Use Policy (AUP) specifies the conditions and expectations that apply to all parties accessing company networks and systems, and it states the repercussions that may follow from unauthorized use of those resources. If the business has solutions in place to monitor network activity, the AUP normally discloses this. Once an AUP has been finalized, it should be published to all stakeholders and posted where users will encounter it: splash screens on logins to company systems and platforms, captive portals on wireless networks, and policy packets distributed to employees during onboarding. An AUP should address the following:

  • The purpose of the Acceptable Use Policy and its role in addressing business goals and objectives.
  • The scope of the policy: networks, systems, and people who are required to comply.
  • A statement of ownership for the assets being accessed.
  • Activities that qualify as acceptable use, as well as activities that are prohibited.
    • Examples:
      • Usage of business-approved applications is expected.
      • Web browsing for work research, or casual browsing within reasonable limits, is permitted.
      • Using company information systems to sign into personal accounts is prohibited.
      • Using company information systems to access pornography or illicit websites is prohibited and is a punishable offense.
      • Intentional damage done to any digital assets, whether physically or virtually, is a punishable offense.
      • Clearly state that all usage of company-owned systems is regularly monitored, logged, and retained.
      • Clearly state the potential punishments for abuse or damage of company assets, up to and including law enforcement involvement.
      • Remind end users that by confirming the message, they are agreeing to the stated terms and conditions.
      • Include a confirmation barrier that end users must accept before proceeding, such as an Agree/Disagree option, a checkbox, or a clickable button.
  • The controls and methods the organization has in place to monitor for compliance.
  • The repercussions that may result from violations of the policy: revoked access, fines, law enforcement involvement, etc.