Acceptable use policy / computer use policy / network use policy - why are they needed?

Question

I've always posted a(n) acceptable/computer/network use policy for employees using a network/computer or from users coming in from the outside to use public access points or public computers. Private businesses, colleges, and libraries all have them posted on a wall, on a section of their website, in their handbook, in a captive portal, or some combination thereof.

Everybody does this, and if you work in IT, you've probably worked on, with, or read one at some point.

However, one thing that I haven't been able to find an answer to is: why are these policies needed?

Did everyone just decide to start posting them to help avoid liabilty? Do these policies actually carry any legal weight? Are they merely for the end users to let them know what they can/can't do before access is revoked (That brings up the question that if the policies are for the end users, why are they written in legalese that an average end user would have trouble reading?)

Answer 1

dan_linder's comments above are a terse summary of the only reason I find that AUPs have any value: to clearly state the expectations that IT has of its legitimate users, and to clearly summarise what will happen if those expectations aren't met.

This argues strongly against the HR-style super-waffly AUP that reads like someone got a bulk order of WeaselWords and decided to use them all at once. Those policies are strictly in the cover-your-bum, liability-shifting class of AUPs, and I've never once, not in 21 years of network and systems admin, found those to be of any use at all. This also argues against any concept that you can use an AUP against outsiders; they have to obey the law, sure, but they have to do that whether you write it down or not; other than that, what you write down has no weight on them whatsoever.

So: a simple, short document that says what you shouldn't do with the work computers, and what happens when you transgress, is the only time I've found an AUP to be of value. In those cases, when I've detected transgression, I've been able to go quietly to someone in a non-confrontational manner, point at a two-page document they signed that said they wouldn't do X, point out (with specifics) that I know they're doing a lot of X, and ask them to stop it so I don't have to invoke the Forces Of Darkness and get them sanctioned just like it says down at the bottom of page 2, just above their signature.

So, how do you write one of these? Well, SAGE has a good publication, called A Guide To Developing Computing Policy Documents (Short Topics in System Administration, Dijker, 1996) if you know anyone who has access to the SAGE library.

Failing that, develop your own short list of the things that happen at your place of work that cause problems for the network and its users as a whole. The single thing I find to be of most value is an explicit prohibition against sharing a password, ever, for any reason. Many employees think that the best way to give Sam access to their mailbox while they're on holiday is to give Sam their login details, not knowing that - although it's good for the business that Sam can read their mail while they're away - that can be done just as easily and much more securely with the technology we have to hand. It's also a really easy policy to state in a single sentence.

Most of the major issues can be proscribed in a single sentence. Write down as many such sentences as seem good to you. Agree the content, and the sanctions page, with management. Get everyone to sign it, and give them a copy. Job done.

Answer 2

DISCLAIMER: I'm not an attorney. Gross oversimplifications follow.

You've pretty much answered your own question. Organizations use AUPs to shift liability of their users' actions onto the users directly. They have to go on the record denouncing certain types of Internet activity to protect themselves from legal action.

TO CLARIFY ON THE COMMMENTS: US Federal Law prohibits "unauthorized access" of computer systems. If you violate an AUP, you may be breaking cybercrime law!

If I pirate an episode of Game of Thrones at work, the "powers that be" can sue my company directly for copyright infringement. If they go on the record explicitly disallowing this type of usage through an AUP with clear consequences, the blame gets shifted to me.

From a personnel standpoint, the AUP gives organizations recourse against "undesirable behavior" taken by its users. I don't want you browsing "materials of a dubious nature" at work, but I can't just fire you for going on the Internet. If I clearly state the consequences of viewing "materials of a dubious nature" at work, and you sign indicating that you agree and understand, then I can bin you without blinking an eye.

Answer 3

Quite simply, it gives you the right to take some actions, including network monitoring, which otherwise would be illegal under wiretap laws. It also allows employees to be informed of what is, and isn't acceptable within the company, and should those rules be broken, provide a rationale and reasoning for administrative actions to be taken.

It also covers the company to some extent since,since an AUP can include clauses (where legal) to absolve the organisation of liability for specific circumstances.

In short, the main point of a AUP is to cover your rear end.

Answer 4

You'll need them if your company wants to comply with standards such as ISO27001.