Acceptable Use Policy (AUP)
An acceptable use policy (AUP) is a code of conduct that states permitted uses of IT resources.

  • Examples:
    • governing how employees use equipment and services
    • an ISP enforcing a fair use policy that governs usage of its Internet access services
    • implementing regulatory compliance requirements as logical controls or notices
  • lists prohibited actions
  • states the consequences for violating the acceptable use rules
    • including:
      • details regarding how compliance is monitored
      • a requirement that employees acknowledge their comprehension by signature
  • typically addresses
    • browsing behavior
    • appropriate content
    • software downloads
    • handling of sensitive information
  • goal of an AUP
    • to ensure users do not engage in activities that could harm the organization or its resources

AUP Terms

General AUP Terms

  • IT resources are provided for business use only
  • Employees must use IT resources and data on them for business purposes only
  • Employees must not tamper with IT resources or data on those resources
  • Employees should not access any data they do not have a business reason to see
  • No personal use of organizational IT resources is allowed
  • Do not use IT resources to circumvent security measures
  • IT resources may be monitored to ensure employee compliance
  • Use of IT resources is evidence of the employee’s consent to the terms of the AUP

Email and Internet Terms

  • Do not send email with sensitive organization information to external recipients
  • Do not send email with sensitive organization information to internal recipients unless they have a business need to have that information
  • Do not send email with offensive text, pictures, or links to offensive websites
    • Content is offensive if it is demeaning based on race, gender, national origin, disability, religion, or politics
  • Do not open email attachments from unknown senders
    • Do not open email messages with unexpected attachments
  • Do not click on embedded links in an email from unknown senders
  • Do not download files from the internet without permission from a business supervisor and the information security department
  • Do not use file-sharing applications or services without permission from a business supervisor and the information security department
  • Do not use IT resources to access the internet to view offensive material
  • Do not use IT resources to access the internet to visit social networking sites
  • Do not use IT resources for online shopping or any other personal activity
  • Do not use IT resources to engage in activity that violates the law

Mobile Device Terms

  • Mobile devices that are used to access organizational resources or data must be password protected
  • Mobile devices (whether provided by the organization or purchased by an employee and used for business purposes) must not store sensitive organizational information
  • Employees must immediately report the loss of a mobile device used to access organizational resources