Internet Acceptable Use Policy Guidelines

Creating an Internet Acceptable Use Policy is an important step towards getting and maintaining control of your company’s Internet resources. If you have never been through this process, you may find the following guide helpful. Even if you have already prepared an Internet Acceptable Use Policy, we are sure that you will find reading the guidelines a useful exercise.

Purpose of an Internet Acceptable Use Policy

The purpose of an Internet Acceptable Use Policy is threefold:

• Draw a clear line between what is and is not acceptable use of the Internet during organization time and/or over the organization’s network.
• Protect the organization against potential liabilities.
• Promote awareness of the benefits and dangers of Internet use.

A few points to remember when establishing an Internet Acceptable Use Policy

Involve as many people as possible.

The subject of limiting personal freedoms can be a volatile one. Personal privacy and ‘civil liberties’ can be drawn to the center of the discussion rather than the more pragmatic issues of ensuring everyone gets their job done and the company does not receive a court summons.

The perception that a small number of senior managers have developed a policy without consultation can breed resentment. Consulting a cross-section of the population concerned will avoid these feelings. Ensure that all parties understand the core issues of productivity, potential liability, security and mutual respect.

Ensure the policy is unambiguous.

The policy should start by specifying the general principles governing Internet use by employees, both in the course of their business and in other activities. This should be further clarified by well-defined and concise rules for the use of individual services. Finally, staff need to know the consequences of non-compliance will be.

If you decide to monitor Internet activity, be sure to let everyone know. If you don’t, once they find out, confidence will be shaken and difficult to recover.

Clearly define how much personal use of the Internet is acceptable.

Be explicit. Define the number of minutes, and the type of resources that are permitted. Some companies may wish to establish very loose rules, while others may wish to prohibit all personal use of the Internet.

Don't forget about out-of-hours Internet use.

You must decide if employees may use company resources out of work hours for non-business related activities. Remember, even out-of-hours, the use of the company network reflects the company’s image. Potential liabilities will remain the same in case of serious infringement. If the restrictions placed on type of content are different during work hours than during off hours, be sure this is defined clearly.

Address the issue of data privacy.

The Internet is a public network. Employees must be made to realize that anything transmitted across the Internet unencrypted is like a postcard that can be read by anyone. Sensitive data should not be sent by email.

Refer to pertinent legislation

Every employee should be made aware that the company could be held liable for employee actions. They must be made aware of issues such as sexual or racial harassment, libel, copyright infringement, breach of confidence, negligent misstatement, publication of obscene material, data protection, negligent virus transmission, inadvertent formation of contracts and any other legislation that may apply where your business is established.

Emails and Internet access logs are written records that can be used as evidence. Ensure that employees understand that this is a plain fact of network and data management, and not a deliberate act of snooping.

Educate staff about security

A leading automobile manufacturer reputed for the safety features of its cars, states that “the main safety feature in any car is the driver”. This is true of computer security as well. Computer users are the weakest link in the security chain. All users need to be educated about security. 70% of security breaches are from within.

Ensure all employees understand that they must treat their passwords like their credit cards.

Delegate responsibility

Ensure that one person or group of persons is responsible for enforcing the policy and that everyone knows they have authority to act within its bounds.

Enforcement

Incorporate the Internet Acceptable Use Policy into your company’s overall policy manual. Make sure it is readily available, read by all new recruits and clearly understood by all.

Personnel guidelines and technical detail

The main points of your policy must be clearly written and understood by all. The policy will also contain a lot of detail that primarily concerns technicians responsible for maintaining gateways and mail servers. What types of attachments will you allow in emails, for example? Place these details in an appendix to the policy to be consulted by those concerned. Otherwise, users may suffer from information overload, or miss the point and become overly concerned with detail and lose sight of the goal of the policy.

Email disclaimer

All outbound emails should have a disclaimer appended to them. This will make it clear to recipients that you run a professional organization, that they assume responsibility for anything in the email and how they should respond if they receive it by mistake. Below are two sample disclaimers.

*********************************************************************
The information in this email is confidential and may be legally
privileged. It is intended solely for the addressee. Access to this
email by anyone else is unauthorized. If you are not the intended
recipient, any disclosure, copying, distribution or any action taken
or omitted to be taken in reliance on it, is prohibited and may be
unlawful. If you believe that you have received this email in error,
please contact the sender.
*********************************************************************
-------------------------------------------------------------------------------------------------------
This e-mail is intended solely for the addressees named above and any other
use is prohibited. Access to this email by anyone else is unauthorized. It
may contain confidential information. If you have received this e-mail in
error, please contact the sender by return e-mail. We do not accept legal
responsibility for the contents of this message if it has reached you via
the Internet. Any opinions expressed are those of the author and are not
necessarily endorsed by the company. Recipients are advised to apply their
own virus check to this message and all incoming e-mail on delivery.

--------------------------------------------------------------------------------------------------------

Install appropriate technology

Web content filtering, email content and virus scanning software may all provide important elements of control in implementing and enforcing an Internet Acceptable Use Policy. However, ensure you define your policy first, and then choose your technology to fit your policy. Failure to do so may result in needless expenditure on inappropriate tools.