Abstract
Why have a network acceptable usage policy? There are four solid reasons for each organization
that employs computer technology to establish such a document. They include: Worker
Productivity, Network Resources, Legal and Associated Policies, and Security in Operations.
Network Usage Policy 3
A young Air Force second lieutenant shows up in the maintenance squadron’s orderly
room one morning requesting to see the commander or First Sergeant. Most people in the room
recognize him from a recent wing-wide training session on computer security that the
communications squadron presented at the last commander’s call (besides the distinctive block
letters of “CS,” which stands for “Communications Squadron” on his uniform cap). The
commander is away with another early morning appointment so the First Sergeant, or “First
Shirt,” welcomes the young officer into his office. The lieutenant uncharacteristically closes the
The officer begins to open the familiar-looking blue pocketed folder and remove a short
stack of paperwork separated by various staples and paperclips. He starts the conversation by
informing the “Shirt” that one of the 200 airmen in his unit is suspected of violating Air Force
regulations through misuse of his shop’s computer system. The stack of paperwork contains
Internet activity on the suspected computer system and individual’s user account for the past
three weeks, including a listing of each site visited, with those offensive sites highlighted and
printed off as evidence of the sites’ unofficial nature (all of which is dated and time stamped,
correlating the suspected individual’s log-in times from the single computer system to the
questionable activity). Additionally, there is a log of all programs installed upon the computer to
peer-to-peer file sharing program (all of which have no official use and were not approved for
installation by any office of authority, through unit leadership or base information assurance
specialists)—a later investigation of the computer’s hard drive finds over 500 randomly
downloaded music and video files. The lieutenant leaves the documentation with the First
Sergeant and offers any further technical assistance should the squadron request.
So why did this happen? Is misuse of computer systems done out of neglect or disregard
for policy on behalf of network users? Is it because of the need for tighter monitoring
websites and block them at the firewall before allowing a user to access them) instead of reactive (as
in the case above)? Or is it even more difficult to differentiate valid from frivolous usage on
behalf of a network user? That is, what is to say that the sports sites on the airman’s activity log
were not visited during his/her lunch break? Certainly a limited amount of personal use (with a
supervisor’s permission) is allowable providing it stays within the Air Force’s legal and cultural
bounds of acceptable behavior and it does not impede network bandwidth (like streaming large
amounts of data), pose a security risk, infringe upon copyright or trademark laws, or provide
The answer, from an organization’s perspective, begins at the heart of allowing a user
onto a computer network. From the first day a user is given access to the system, education must
be given and a network acceptable usage policy must be agreed upon. This policy informs the
new user as to what computer behavior, or “netiquette,” is expected of them in this new culture
(Shea). It will set boundaries as to what is right and wrong, either specifically or broadly,
as to computer usage to include accessing the World Wide Web, email systems, local computer
programs and network resources. It will be patterned after the organization’s overall Internet and
network security plan as well as provide enough education and awareness to mitigate risks
associated with such a resource. The policy will also explain monitoring and compliance
clearly defined and unambiguous policy that establishes boundaries of acceptable usage on an
organization’s network.
Stephen Purdham in his article “Ensuring Internet Access Means Business Access”
breaks down the concerns regarding Internet usage within a business environment as follows:
Productivity, Network Impact, Legal and Reputation, and Security (Purdham). I like to refer to
them as Worker Productivity, Network Resources, Legal and Associated Policies, and Security
in Operations.
Worker Productivity
The first issue that a network bandwidth purist and stern production manager would have
with non-work related usage of computer systems and the Internet is the loss of productivity
incurred. Simple Internet surfing (the ease with which an expert user can use the waves of
information flowing around the Internet to get where he wants [HyperDictionary]) by workers
can severely impact the mission of an organization. The lure of virtually never-ending
worker on the task at hand. Simply put, casual surfing should be treated as coffee and lunch
breaks, moderate in length and frequency to the point where the job still gets done. This surfing
should also include Internet Relay Chatting (IRC) programs, online bulletin boards and gaming
sites as similar diversions. Additionally, the effect of impersonalized communications via email
can thwart the chain of command or authority within an organization. Simply put, the mail room
worker should not email the CEO of a corporation to complain about not getting a fifth smoke
break during his/her shift. All of these considerations should be addressed through a supervisory
Network Resources
The next category to substantiate the need for a network usage policy is the effect a
user, or abuser, can have on network resources and the overall system. Excessive traffic, which
includes both frequency (number of sites visited) and volume (amount of bytes transferred
through uploads/sending or downloads/receiving), is the bottom line with this issue. Bandwidth
is not free. That is, it either has a tangible cost through a monthly bill from an Internet Service
Provider (ISP), or it is intangible in the form of network congestion that can slow down other
In many instances workers use their company email address to register products or gain
access to certain websites. This, in turn, can solicit unwanted spam. Spam, or unwanted junk
mail sent out in bulk, can hinder a network’s bandwidth performance with the sheer volume of
and Internet browsing and messaging (to include email and IRC) can open up the network to a
host of vulnerabilities such as hacking attacks, denial-of-service efforts and menacing Trojan
Finally, a decision should be made as to the amount of personal usage a worker may
for educational purposes is this allowed? Moreover, is it acceptable to allow a worker to check
banking and financial websites in order to reduce the amount of time away from work during the
lunch break? Should the organization allow this in the workplace or should they create a
dedicated computer lab with resources to conduct limited personal business? The usage of
corporate network resources by workers should be addressed at the highest levels of the
corporation and coincide with the organization’s climate and business strategy or mission.
“What’s worse than Sex, Drugs, and Violence? Sex, Drugs, and Violence on COMPANY
TIME.” (Purdham)
An organization must be wary of the tool that workers have to partake in illegal activities
through a computer network and the Internet. In particular, Internet surfing shows the host of a
destination site the Internet address of the offending organization as the user who visits the site,
not the actual person sitting at a desk and computer. Now a worker can steal and/or misrepresent
the organization through simple Internet access. That is, now copyrighted material (whether it be
online books, music, or images) can be downloaded by a worker to a company computer system.
Illegally obtained and unlicensed software can reside on corporate assets, leaving the
organization wide open for legal actions. In addition, inaccurate advertising and/or solicitations
This tool also provides users with a means to harass other individuals. Just last year a worker
in my old organization sent one of his co-workers a harassing message via the “netsend”
from one computer to another—can even be used to send to all users on one physical/logical
domain). It stated that “network officials” were informed of his misuse of the network/Internet
and their commander would be notified immediately. The message was, of course, bogus, and
the offending individual was reported (only because the receiving individual printed a screen
capture of the message and reported the incident to actual network officials) and reprimanded by
his unit’s commander. This is just one instance where a little bit of knowledge and the proper
tools can become a nuisance to productivity and, perhaps, spill over and have legal ramifications.
“While current statutory frameworks do not precisely fit our new ways of doing business and
conducting the workplace, they still offer guidance on how to create a productive workplace with
Specifically, there are four sources of law organizations must take into consideration: federal,
state, common law, and constitutional law. On the federal level, there are four laws: the
Omnibus Crime Control and Safe Streets Act of 1968 (regulates the interception of telephone
calls); the Electronic Communications Privacy Act of 1986 (regulates interception of and access
to e-mail and other forms of electronic communication); the Computer Fraud and Abuse Act of
1986; and the Children’s Internet Protection Act (CIPA) of 2000 (places restrictions on the use
of funding that is available through the Library Services and Technology Act, Title III of the
Elementary and Secondary Education Act, and on the Universal discount program known as
E-rate—simply put, they take the form of requirements for Internet safety policies and technology
which blocks or filters certain materials from being accessed through the Internet at schools and
libraries) (American Library Association). Individual states as a whole are well behind the
technology on legislation that defines Internet usage. Common law deals with legal
relationships, powers and liabilities, and types of actions rather than theoretical definitions of
abstract legal concepts as civil law does (an Internet “can of worms”). Constitutional law deals
with those rights given to Americans by the Constitution to include freedom of speech,
expression, and religion (many of which can be pitfalls when organizations have legal battles
Additionally, there may be other organizational policies that can be violated through
computer network and Internet usage. These include local operating procedures, military
regulations and instructions, and policies on individual use of corporate resources and/or
standards of behavior and reporting structures. Many of these “supplemental” policies are rooted
“The key legal rule to keep in mind is this: employees have no automatic or absolute
right to privacy in the workplace. Only government employees enjoy Constitutional protections
against unlawful search and seizure, and even in those cases, the protection is not absolute: the
courts apply a balancing or weighing test, comparing the employee's expectation of privacy and
right to be free from unreasonable search with the government's legitimate rights to know and the
public interest. The safest assumption that employees can make, and their best "working
hypothesis" is that they do not have a right to privacy in their e-mail, especially if the company
has advised the workforce in a written policy that e-mail (and other forms of office
Security in Operations
Network security should not just be concerned with protecting digital boundaries and
“locking down” computer systems from users. It should be an iterative process that takes into
account the sum of an organizational operating structure. Years ago, a wise flight commander of
mine would only place his personnel in a network security position after they had achieved
sufficient technical skills—working throughout the rest of the network support organization.
Many see network security duties as mired in policy, tracking and reporting procedures.
Conversely, the sort of technician he employed understood the “lay of the land” as to how
network devices were configured and what computer network guidelines were being enforced in
order to support those organizational paper policies. Maintaining this knowledge of the network
and its security idiosyncrasies is just as important as keeping up with the methods workers have
to communicate and cause havoc on a network. Here are a few other technical and policy
challenges organizations face: IRC, corrupted or erroneous software, point-to-point file sharing
unclassified, concerning U.S. government (or any organization’s) intentions and capabilities by
identifying, controlling, and protecting indicators associated with official planning processes or
operations. OPSEC does not replace other security disciplines—it supplements them.” (IOSS)
disclosure or an erroneous business transaction, workers are susceptible to “messing up” without
prior knowledge (especially new workers who have not read the “Do’s and Don’ts” of the
organization’s business practices). OPSEC is not just a “loose lips sink ships” policy for the
government; competitive advantage, market share, and first-to-market rules apply in both the
public and private sectors. It applies to every form of communication, from the casual
conversation in a golf clubhouse to the bulletin boards lining office hallways, to the information
Furthermore, the Internet can be used as a source of low quality data. Many sites can
have misleading or ambiguous content. Internet and email hoaxes can run rampant throughout
credible sources of information. For example, every computer technician in the Air Force
downloads operating system patches and virus definition updates from a trusted internal source
(at the Major Command or Air Force level)—that is, the “Windows Update” service is disabled
or disallowed—which has tested and approved the software for installation. This minimizes
confusion and ensures that trustworthy software is used to update every critical Air Force
computer system.
It is clear that each organization that allows workers to gain access to computer systems
and the Internet should have a well-written, clearly defined network acceptable usage policy. It
should define its purpose, encompassing all those services which are available and how they are
intended to be used, specifying who can do what, where, when and how. It should reflect the
organization’s corporate strategy in both legal and operations security terms, all the while
A great policy will encompass the prohibitions and privileges given to network users, as
well as provide a legal protection mechanism should a problem arise. It will balance the needs of
the organization (to achieve the mission) with the resources that are available (hardware,
software and bandwidth) with a user’s desires (happy workers stay at their desks longer). It can
issue for technologists to tackle; rather, it is for the managers and leaders of organizations to
References
American Library Association (2003). CIPA & NCIPA Legislation. Retrieved November 25,
2003 from the World Wide Web: http://www.ala.org/Content/NavigationMenu/Our_Association/Offices/ALA_Washington/Issues2/Civil_Liberties,_Intellectual_Freedom,_Privacy/CIPA1/Legislation/Legislation.htm
Casser, Karen L. (1996). Employers, Employees, E-mail and the Internet. The Internet and
Business: A Lawyer’s Guide to the Emerging Legal Issues. Computer Law Association,
Inc.
HyperDictionary (2003). Retrieved December 7, 2003 from the World Wide Web:
http://www.hyperdictionary.com/search.aspx?Dict=&define=surfing
Inter-Agency OPSEC Support Staff (IOSS) (2003). Retrieved December 7, 2003 from the
World Wide Web: http://www.ioss.gov/bulletin.html
Purdham, Stephen. (2000). Ensuring Internet Access Means Business Access. Internet
Management. CRC Press/Auerbach Publications.