Information System Acceptable Use Policy (AUP)

January 21, 2018

An Acceptable Use Policy (AUP) is an agreement between two or more parties, usually a business or service and the users of an information system. The AUP expresses in writing a policy of certain standards of behavior relating to the proper usage of specific hardware and software services. In other words, it is a set of rules, usually created and enforced by an organization or service provider, that governs acceptable use of an organization's IT resources. An AUP provides instructions on what behavior and use of technology is approved by the organization. Ideally, an AUP should cover the following:

  • Clearly define ownership of a system
  • Define exact components of a system
  • Make clear that these components are for business use only
  • Use specific cases and situational analysis of “what if” scenarios illustrating how the policy works
  • Clearly describe what non-acceptable use is, for example, prohibiting harassment, illegal activity, pornography, and offensive comments or behavior
  • Specify repercussions for non-compliance

Why is an AUP important?

According to a survey by International Data Corp (IDC), 30 to 40% of Internet access is spent on non-work related browsing, and 60% of all online purchases are made during working hours. Other findings include the following:

  • 70% of all web traffic to Internet pornography sites occurs during the work hours of 9am-5pm.
  • 58% of industrial espionage is perpetrated by current or former employees.
  • 80% of computer crime is committed by “insiders”. They manage to steal $100 million by some estimates; $1 billion by others.
  • 48% of large companies blame their worst security breaches on employees.
  • 64% of employees say they use the Internet for personal interest during working hours.
  • 70% of all Internet porn traffic occurs during the nine-to-five work day.
  • 37% of workers say they surf the web constantly at work.
  • 90% of employees feel the Internet can be addictive, and 41 percent admit to personal surfing at work for more than three hours per week.
  • 25% of corporate Internet traffic is considered to be “unrelated to work”.
  • 30-40% of lost productivity is accounted for by cyber-slacking.
  • 32.6% of workers surf the net with no specific objective; men are twice as likely as women.
  • 27% of Fortune 500 organizations have defended themselves against claims of sexual harassment stemming from inappropriate email.
  • 90% of respondents (primarily large corporations and government agencies) detected computer security breaches within the previous 12 months, and 80% acknowledged financial losses due to computer breaches.
  • 44% were willing and/or able to quantify their losses, at more than $455 million.

