Virtually every organisation enables staff to access the internet in order to carry out their day-to-day work. As with going online at home, the convenience and efficiency is balanced by a degree of risk, which must be minimised. The same goes for accessing the organisation's information systems.
- Inadvertently or intentionally downloading malware.
- Falling victim to social engineering.
- Committing or aiding fraud.
- Creating legal liabilities via illicit activity or non-compliance with regulations or copyright.
- Gaining unauthorised access to critical information.
- Leaking unauthorised access to critical information.
- Inappropriate use of social media.
- Accessing inappropriate content.
- Downloading content for personal use (cost and bandwidth issues).
The importance of having a staff policy
Good technical security and staff training can reduce the incidence of issues, but effective staff policies are also essential because they make it very clear what is acceptable … and what is not.
This page presents an overview of the key issues. You should consider seeking professional advice in drafting staff policies and changes to employee contracts. It is also worth obtaining advice about how to introduce new policies to staff and combine them with a training programme.
What to Include in an Acceptable Usage Policy
- If and / or when private internet use is acceptable.
- What kind of content is off limits.
- How confidential information should be treated.
- Safe and responsible use of email.
- Use and care of company property such as laptops and other mobile devices.
- Rules about safe and appropriate remote access to the company network.
- Guidelines about procurement and installation of software, including piracy.
- Security guidelines such as the use and safeguarding of strong passwords.
- A ban on sharing and downloading copyrighted material.
- Details of any monitoring activity you will undertake, if any.
- The consequences of breaching the policy.
What to include in an email policy
- Disclaimers on emails (for example “The contents of this email are intended for the recipient only. If you have received it in error, please delete…”).
- Whether a manager’s sign off is required for access to and content of external email.
- Additional guidelines, if appropriate, relating to the Data Protection Act; email and distance selling legislation and libel laws.
- How to handle confidential information when sent by email, including whether or not email is the appropriate communication channel and whether it should be encrypted.
Preparing and implementing a policy
- Establish the risks.
- Undergo any necessary consultation on the proposed policies to ensure practicality and legality.
- As much as possible, align the policy with your business rather than the other way around.
- Strike a balance between practicality, trust and control.
- If you use an off-the-shelf policy, make sure that it applies to your circumstances and that it is easy to understand. Make changes and simplify or elaborate where necessary.
- Include new policies in staff handbooks, the new employee induction programme and, where appropriate, on the company intranet.
- Ensure parity with disciplinary procedures, employee contracts and other policies such as non-discrimination.
- Circulate the policy once it is finalised and ensure that it is readily available.
- Someone in the company should be responsible for implementing and monitoring the policy.
- Review the policy regularly to ensure it is always current and relevant.
View and download a sample Acceptable Usage Policy