Friday, July 6, 2007

Information Security Policy 101 – Acceptable Use Policy

Finally, our first policy! If we have done this right, we have already done much legwork. So far we have defined what a policy is, and obtained management’s endorsement. We have also identified what information our organization uses, how our organization uses the information it possesses, and identified the laws that pertain to the security of information. We should be in a good position to write policy according to what our organization needs.

As stated in the first Information Security Policy 101 post, I will cover some of the more common policies found in organizations. I will cover them in alphabetical order, NOT in order of importance. The first policy is Acceptable Use.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

This policy is established to achieve the following:

  • To ensure compliance with applicable statutes, regulations, and mandates regarding the management of Information Resources.
  • To establish prudent and acceptable practices regarding the use of %Organization% Information Resources.
  • To educate individuals who may use %Organization% Information Resources with respect to their responsibilities associated with such use.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically an Acceptable Use Policy applies to all persons.

The %Organization% Acceptable Use Policy applies equally to all individuals granted access privileges to any %Organization% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Acceptable Use Policy
An Acceptable Use Policy is written to communicate which practices management considers prudent and acceptable regarding the use of the organization’s information resources. An Acceptable Use Policy should address:

General Information Resource Use

SAMPLE “General Information Resource Use” POLICY STATEMENTS:

  • Users must not attempt to access any data or programs contained on %Organization% systems for which they do not have authorization or explicit consent
  • Users must not intentionally access, create, store or transmit material which %Organization% may deem to be offensive, indecent or obscene

Email Access and Use

SAMPLE “Email Access and Use” POLICY STATEMENTS:

  • Auto-forwarding electronic messages to e-mail addresses other than those within the %Organization% internal e-mail system is prohibited
  • An employee’s personal e-mail account may not be used to send or receive %Organization% Confidential Information

Internet Access and Use

SAMPLE “Internet Access and Use” POLICY STATEMENTS:

  • Use of the Internet with %Organization% networking or computing resources for recreational games, or for obtaining or distributing pornographic or sexually oriented materials, is prohibited
  • Using %Organization% networking and computing resources to make or attempt unauthorized entry to any network or computer accessible via the Internet is prohibited

Voicemail Access and Use

SAMPLE “Voicemail Access and Use” POLICY STATEMENTS:

  • Use of the %Organization% voice mail system to defame, harass, intimidate or threaten any other person(s), or to send unnecessarily repetitive messages (i.e. chain mail) is prohibited
  • Users must refrain from disclosing any Confidential data in voice mail greetings

Incidental Use

SAMPLE “Incidental Use” POLICY STATEMENTS:

  • Incidental personal use of electronic mail, Internet access, fax machines, printers, copiers, and so on, is restricted to %Organization% approved users; it does not extend to family members or other acquaintances
  • Incidental use must not interfere with the normal performance of an employee’s work duties

Statements in an Acceptable Use Policy often overlap with statements in other policies.

An Acceptable Use Policy is a necessary policy in many organizations. Keep its wording as clear as possible and encourage users to refer to it regularly.

TIP: When all policies are written, combine them together as a global %Organization% Information Security Policy.

Next in the series – “Information Security Policy 101 – Account Management Policy”

Previous: “Information Security Policy 101 – Assess the Business”
