How to Create an Acceptable Use Policy at Your Business
An acceptable use policy (AUP) establishes rules for using the company network and devices. It protects your business from risky behavior and lets you hold offenders accountable.
"While an AUP helps educate employees on issues such as password protection and online security, it also serves an important legal function for the company. In the event that an employee uses a company's network for unsanctioned personal activities, having an AUP in place can help prevent (or reduce) any legal issues that may arise..." (cnbwaco.com)
Follow along with our guide to create a robust acceptable use policy for business.
What are the six key elements of an AUP? We recommend every policy include these sections:
- Overview - a high-level description of the document's purpose and key takeaways
- Definitions - define any terms that may be confused, and explain words or phrases unique to your business
- Scope - what the policy does and does not cover and what situations it applies to
- Policies - the "meat" of the document, in sections that cover use and behavior for each category
- Enforcement - consequences for failing to adhere to standards, and how employees will be held accountable
- Revisions and tracking - create a schedule to revisit the document and be sure to track any changes
Make things easier with an acceptable use policy template
Writing an acceptable use policy from scratch is very time-consuming and, frankly, unnecessary nowadays. Why not get a head start with a template? You can find plenty for free online.
Here are some acceptable use policy examples and templates to explore:
- Sample Internet Acceptable Use Policy by PearlSoftware
- Sample Internet Usage Policy by GFI Software
- Sample Acceptable Use Policy via SpiceWorks (includes verbiage for HIPAA-compliant businesses)
- Sample Acceptable Use Policy for Schools from TeacherVision
- Computer Use Policy Template from Association of Corporate Counsel
- Acceptable Use Policy Template for Business by Get Safe Online
CUSTOMIZE TO YOUR COMPANY NEEDS
If you're using a template, decide what applies to your company and what should change. Even if starting from scratch, consider these integral points:
Which websites should be prohibited during work hours? Many are obvious, such as pornography or gambling, but what about Spotify or news websites? Do certain people, such as your marketing team, need access to social media? Don't forget to outline acceptable behavior for sites like these that have potential for abuse.
Some common restricted websites are:
- Social media (Facebook, Twitter, Pinterest, Instagram, Tumblr, Reddit, Flickr)
- Streaming video/music websites (YouTube, Vimeo, Vevo, Twitch, Pandora, Spotify)
- Job-hunting sites (Indeed, Monster, Craigslist, ZipRecruiter, Snagajob)
- Shopping (eBay, Amazon, Alibaba, Etsy, Overstock)
- News (MSN, Yahoo, TIME, USA Today, New York Times, Washington Post, Huffington Post, CNN, Fox, NBC, BuzzFeed, Upworthy, Distractify)
- Personal email (Gmail, Yahoo, Hotmail, AOL)
- All porn, gambling, and illegal activity websites
Every company varies in its views on blocked websites. Most will use a mix of these and other sites. Decide what works for your business, and update it as needed.
Another important consideration is security. Outline best practices that employees should follow when using company devices.
Here are a few of our security policy recommendations:
- Never allow use of public WiFi on company devices
- Employees should never share passwords, and should change theirs often (at least once a month). Be sure to define standards for acceptable, secure passwords too.
- Create a schedule for antivirus, anti-malware, and company software updates
- Employees should never open email attachments or links they aren't expecting. If a suspicious email is received, who should employees send it to for review?
- Consider requiring two-factor authentication for programs and apps that support it
- Unless used for business purposes, we recommend disallowing use of social media on company devices. Many instances of malware and phishing happen through social media.
Each company has different security needs - make sure yours are thoroughly defined and cover all networks and devices.
Don't forget to include physical security policies. How should company devices be secured, stored, and transported?
Your business likely holds a large amount of both confidential and proprietary data. Client, employee, product, service, and other business details are important to handle correctly.
You need to start by figuring out what this confidential data is in your business. From there, explain proper standards for accessing, sharing, storing, and handling this information.
Don't forget this important section on incident response! No company is 100% airtight. Should something happen, what is your response plan? Who needs to be notified, and which departments are involved in recovery?
We highly recommend stating that employees will not be retaliated against for notifying management of a potential security incident. If something has happened, it will be a problem whether the employee tries to hide it or not. Everyone makes mistakes, and you will have a better chance of quick recovery if you know about the incident sooner rather than later. Note that a mistake is far different from malicious intent. Intentional violations should, of course, not be protected (but then again, we doubt bad actors would notify you anyway!)
Does your company offer guest WiFi/internet access? If so, you'll want to define standards and secure policies for guest access. This may cover customers, vendors, or partners visiting your place of business.
We recommend creating a guest network for this purpose. This will ensure guests only have access to what they need, and not your company's internal network and files.
Email is an essential tool for every modern business. Its proper use for your company needs to be clear. Are your employees allowed to use their work email for personal needs? What are proper business communication standards, both internally and externally?
We recommend including a general best-practices section as well. Some employees may not be aware of the many threats that come through email: phishing, scams, spoofing, and malware/viruses. Take the time to educate your team on how to spot, avoid, and handle potential threats.
DECIDE ON AUP ENFORCEMENT AND VIOLATION STANDARDS
This section is important to review in your template. What works for one company may not be appropriate for yours. Some companies revoke internet access for repeat offenders. But this may be impossible in your business.
We recommend working with your managerial or executive team to define acceptable consequences. Take into consideration the varying severity of different violations. And ensure that you have the ability to act on these policies. Without standardized enforcement, your AUP won't be taken seriously.
REVIEW YOUR ACCEPTABLE USE POLICY WITH HR, LEGAL, AND INTERNAL TEAMS
Before introducing your AUP to staff, you'll want to review it with human resources and your lawyer. This will ensure you're not overstepping any boundaries, or breaking employment or state/federal laws.
It's also a good idea to get feedback from both managers and employees at every level. They may point out items that were forgotten, or provide better ideas for certain policies. While it's important to protect your company's assets, it's equally important to keep your team productive. If a person can't do their job well because of something in your AUP, that's a problem.
Also be sure that policies are well explained. No one likes following rules that they don't see a point to. Explaining the reasoning behind certain standards can help employees understand policies they may have initially disagreed with.
We also recommend having a few members of your team review the policy to ensure you didn't forget to cover any parts of your business technology.
When your acceptable use policy has been reviewed, approved, and distributed, have every staff member sign a copy of the document. In the event a policy is broken, you can then hold the offender accountable.
CREATE AND MAINTAIN AN UPDATE SCHEDULE
Your AUP is a living, changing document. Revisit it on at least a yearly basis to determine if policies are still relevant and accurate.
Be sure to include revision tracking to follow any changes made. And don't forget to have staff sign the new acceptable use policy as it's updated.