
Network Usage Policy 1

Running head: NETWORK USAGE POLICY

Why Have a Network Acceptable Usage Policy?


Aaron C. Condel
Webster University

Abstract

Why have a network acceptable usage policy? There are four solid reasons for each organization

that employs computer technology to establish such a document. They include: Worker

Productivity, Network Resources, Legal and Associated Policies, and Security in Operations.

Why Have a Network Acceptable Usage Policy?

A young Air Force second lieutenant shows up in the maintenance squadron’s orderly

room one morning requesting to see the commander or First Sergeant. Most people in the room

recognize him from a recent wing-wide training session on computer security that the

communications squadron presented at the last commander’s call (besides the distinctive block

letters of “CS,” which stands for “Communications Squadron” on his uniform cap). The

commander is away with another early morning appointment so the First Sergeant, or “First

Shirt,” welcomes the young officer into his office. The lieutenant uncharacteristically closes the

door behind them.



The officer begins to open the familiar-looking blue pocketed folder and remove a short

stack of paperwork separated by various staples and paperclips. He starts the conversation by

informing the “Shirt” that one of the 200 airmen in his unit is suspected of violating Air Force

regulations through misuse of his shop’s computer system. The stack of paperwork contains

Internet activity on the suspected computer system and individual’s user account for the past

three weeks, including a listing of each site visited, with those offensive sites highlighted and

printed off as evidence of the sites’ unofficial nature (all of which is dated and time stamped,

correlating the suspected individual’s log-in times from the single computer system to the

questionable activity). Additionally, there is a log of all programs installed upon the computer to

include an unauthorized installation of a video game, multiple customized screensavers, and a

peer-to-peer file sharing program (all of which have no official use and were not approved for

installation by any office of authority, through unit leadership or base information assurance

specialists)—a later investigation of the computer’s hard drive finds over 500 randomly

downloaded music and video files. The lieutenant leaves the documentation with the First

Sergeant and offers any further technical assistance should the squadron request.

So why did this happen? Is misuse of computer systems done out of neglect or disregard

for policy on behalf of network users? Is it because of the need for tighter monitoring

mechanisms that should be proactive (which subscribe to a commercial list of unauthorized

websites and block them at the firewall before allowing a user to access it) instead of reactive (as

in the case above)? Or is it even more difficult to differentiate valid from frivolous usage on

behalf of a network user? That is, what is to say that the sports sites on the airman’s activity log

were not visited during his/her lunch break? Certainly a limited amount of personal use (with a

supervisor’s permission) is allowable providing it stays within the Air Force’s legal and cultural

bounds of acceptable behavior and it does not impede network bandwidth (like streaming large

amounts of data), pose a security risk, infringe upon copyright or trademark laws, or provide

personal or financial gain for the individual.

The answer, from an organization’s perspective, begins at the heart of allowing a user

onto a computer network. From the first day a user is given access to the system, education must

be given and a network acceptable usage policy must be agreed upon. This policy informs the

new user of the computer behavior, or “netiquette,” that is expected of them in this new

culture (Shea). It will set boundaries as to what is right and wrong, either specifically or broadly,

as to computer usage to include accessing the World Wide Web, email systems, local computer

programs and network resources. It will be patterned after the organization’s overall Internet and

network security plan as well as provide enough education and awareness to mitigate risks

associated with such a resource. The policy will also explain monitoring and compliance

specifics to include enforcement, consequences, and dispute resolution. Overall, it will be a

clearly defined and unambiguous policy that establishes boundaries of acceptable usage on an

organization’s network.

Why Have A Policy?

Stephen Purdham in his article “Ensuring Internet Access Means Business Access”

breaks down the concerns regarding Internet usage within a business environment as follows:

Productivity, Network Impact, Legal and Reputation, and Security (Purdham). I like to refer to

them as Worker Productivity, Network Resources, Legal and Associated Policies, and Security

in Operations.

Worker Productivity

The first issue that a network bandwidth purist and stern production manager would have

with non-work related usage of computer systems and the Internet is the loss of productivity

incurred. Simple Internet surfing (the ease with which an expert user can use the waves of

information flowing around the Internet to get where he wants [HyperDictionary]) by workers

can severely impact the mission of an organization. The lure of virtually never-ending

information and entertainment at a worker’s fingertips is a supervisor’s challenge: to focus the

worker on the task at hand. Simply put, casual surfing should be treated as coffee and lunch

breaks, moderate in length and frequency to the point where the job still gets done. This surfing

should also include Internet Relay Chatting (IRC) programs, online bulletin boards and gaming

sites as similar diversions. Additionally, the effect of impersonalized communications via email

can thwart the chain of command or authority within an organization. Simply put, the mail room

worker should not email the CEO of a corporation to complain about not getting a fifth smoke

break during his/her shift. All of these considerations should be addressed through a supervisory

decision coupled with corporate policy.



Network Resources

The next category to substantiate the need for a network usage policy is the effect a

user, or abuser, can have on the network resources of the overall system. Excessive traffic, which

includes both frequency (number of sites visited) and volume (amount of bytes transferred

through uploads/sending or downloads/receiving), is the bottom line with this issue. Bandwidth

is not free. That is, it either has a tangible cost through a monthly bill from an Internet Service

Provider (ISP), or it is intangible in the form of network congestion that can slow down other

productivity throughout the organization.

In many instances workers use their company email address to register products or gain

access to certain websites. This, in turn, can solicit unwanted spam. Spam, or unwanted junk

mail sent out in bulk, can hinder a network’s bandwidth performance with the sheer volume of

up to 40 or 50 unnecessary messages a day per email account. Furthermore, unbridled network

and Internet browsing and messaging (to include email and IRC) can open up the network to a

host of vulnerabilities such as hacking attacks, denial-of-service efforts and menacing Trojan

horse, worm, or time-activated viruses.

Finally, a decision should be made as to the amount of personal usage a worker may

spend on the organization’s computer systems. If a worker is researching or compiling a report

for educational purposes, is this allowed? Moreover, is it acceptable to allow a worker to check

banking and financial websites in order to reduce the amount of time away from work during the

lunch break? Should the organization allow this in the workplace or should they create a

dedicated computer lab with resources to conduct limited personal business? The usage of

corporate network resources by workers should be addressed at the highest levels of the

corporation and coincide with the organization’s climate and business strategy or mission.

Legal and Associated Policies

“What’s worse than Sex, Drugs, and Violence? Sex, Drugs, and Violence on COMPANY

TIME.” (Purdham)

An organization must be wary of the tool that workers have to partake in illegal activities

through a computer network and the Internet. In particular, Internet surfing shows the host of a

destination site the Internet address of the offending organization as the user who visits the site,

not the actual person sitting at a desk and computer. Now a worker can steal and/or misrepresent

the organization through simple Internet access. That is, now copyrighted material (whether it be

online books, music, or images) can be downloaded by a worker to a company computer system.

Illegally obtained and unlicensed software can reside on corporate assets, leaving the

organization wide open for legal actions. In addition, inaccurate advertising and/or solicitations

can be made by an individual on behalf of a corporation without authorization or managerial

knowledge. Countless other hazards may arise from such a tool.

This tool also provides users with a means to harass other individuals. Just last year a worker

in my old organization sent one of his co-workers a harassing message via the “net send”

command (available on most simple networks—sends a virtually anonymous pop-up message

from one computer to another—can even be used to send to all users on one physical/logical

domain). It stated that “network officials” were informed of his misuse of the network/Internet

and their commander would be notified immediately. The message was, of course, bogus, and

the offending individual was reported (only because the receiving individual printed a screen

capture of the message and reported the incident to actual network officials) and reprimanded by

his unit’s commander. This is just one instance where a little bit of knowledge and the proper

tools can become a nuisance to productivity and, perhaps, spill over and have legal ramifications.

“While current statutory frameworks do not precisely fit our new ways of doing business and

conducting the workplace, they still offer guidance on how to create a productive workplace with

motivated employees.” (Casser)

Specifically, there are four sources of law organizations must take into consideration: federal,

state, common law, and constitutional law. On the federal level, there are four laws: the

Omnibus Crime Control and Safe Streets Act of 1968 (regulates the interception of telephone

calls); the Electronic Communications Privacy Act of 1986 (regulates interception of and access

to e-mail and other forms of electronic communication); the Computer Fraud and Abuse Act of

1986; and the Children’s Internet Protection Act (CIPA) of 2000 (places restrictions on the use

of funding that is available through the Library Services and Technology Act, Title III of the

Elementary and Secondary Education Act, and on the Universal discount program known as

E-rate—simply put, they take the form of requirements for Internet safety policies and technology

which blocks or filters certain materials from being accessed through the Internet at schools and

libraries) (American Library Association). Individual states as a whole are well behind the

technology on legislation that defines Internet usage. Common law deals with legal

relationships, powers and liabilities, and types of actions rather than theoretical definitions of

abstract legal concepts as civil law does (an Internet “can of worms”). Constitutional law deals

with those rights given to Americans by the Constitution to include freedom of speech,

expression, and religion (many of which can be pitfalls when organizations have legal battles

with workers over computer network related issues).

Additionally, there may be other organizational policies that can be violated through

computer network and Internet usage. These include local operating procedures, military

regulations and instructions, and policies on individual use of corporate resources and/or

standards of behavior and reporting structures. Many of these “supplemental” policies are rooted

in the organization’s climate and strategy, often derived from law.

“The key legal rule to keep in mind is this: employees have no automatic or absolute

right to privacy in the workplace. Only government employees enjoy Constitutional protections

against unlawful search and seizure, and even in those cases, the protection is not absolute: the

courts apply a balancing or weighing test, comparing the employee's expectation of privacy and

right to be free from unreasonable search with the government's legitimate rights to know and the

public interest. The safest assumption that employees can make, and their best "working

hypothesis" is that they do not have a right to privacy in their e-mail, especially if the company

has advised the workforce in a written policy that e-mail (and other forms of office

communication) is subject to monitoring.” (Panaro)

Security in Operations

Network security should not just be concerned with protecting digital boundaries and

“locking down” computer systems from users. It should be an iterative process that takes into

account the sum of an organizational operating structure. Years ago, a wise flight commander of

mine would only place his personnel in a network security position after they had achieved

sufficient technical skills—working throughout the rest of the network support organization.

Many see network security duties as mired in policy, tracking and reporting procedures.

Conversely, the sort of technician he employed understood the “lay of the land” as to how

network devices were configured and what computer network guidelines were being enforced in

order to support those organizational paper policies. Maintaining this knowledge of the network

and its security idiosyncrasies is just as important as keeping up with the methods workers have

to communicate and cause havoc on a network. Here are a few other technical and policy

challenges organizations face: IRC, corrupted or erroneous software, point-to-point file sharing

programs, internal and external hacking by either competitors or disgruntled workers.

The second part of security in operations is that of Operations Security (OPSEC).

“OPSEC is an analytic process used to deny an adversary information, which is generally

unclassified, concerning U.S. government (or any organization’s) intentions and capabilities by

identifying, controlling, and protecting indicators associated with official planning processes or

operations. OPSEC does not replace other security disciplines—it supplements them.” (IOSS)

Educating workers on the acceptable use of computer systems to communicate with

external partners and sources should be considered. Whether it be an accidental or deliberate

disclosure or an erroneous business transaction, workers are susceptible to “messing up” without

prior knowledge (especially new workers who have not read the “Do’s and Don’ts” of the

organization’s business practices). OPSEC is not just a “loose lips sink ships” policy for the

government; competitive advantage, market share, and first-to-market rules apply in both the

public and private sectors. It applies to every form of communication, from the casual

conversation in a golf clubhouse to the bulletin boards lining office hallways, to the information

we send through our computer networks—OPSEC is important.

Furthermore, the Internet can be used as a source of low quality data. Many sites can

have misleading or ambiguous content. Internet and email hoaxes can run rampant throughout

organizations. What is needed is a clearly approved listing of trusted sources—acceptable and

credible sources of information. For example, every computer technician in the Air Force

downloads operating system patches and virus definition updates from a trusted internal source

(at the Major Command or Air Force level)—that is, the “Windows Update” service is disabled

or disallowed—which has tested and approved the software for installation. This minimizes

confusion and ensures that trustworthy software is used to update every critical Air Force

computer system.

It is clear that each organization that allows workers to gain access to computer systems

and the Internet should have a well-written, clearly defined network acceptable usage policy. It

should define its purpose, encompassing all those services which are available and how they are

intended to be used, specifying who can do what, where, when and how. It should reflect the

organization’s corporate strategy in both legal and operations security terms, all the while

keeping in mind human relationships and reporting and communicating practices.

A great policy will encompass the prohibitions and privileges given to network users, as

well as provide a legal protection mechanism should a problem arise. It will balance the needs of

the organization (to achieve the mission) with the resources that are available (hardware,

software and bandwidth) with a user’s desires (happy workers stay at their desks longer). It can

be as restrictive or open as needed according to corporate and management desires. It is not an

issue for technologists to tackle; rather, it is for the managers and leaders of organizations to

establish and develop as the workplace, technology, and missions change.



References

American Library Association (2003). CIPA & NCIPA Legislation. Retrieved November 25,
2003 from the World Wide Web: http://www.ala.org/Content/NavigationMenu/Our_Association/Offices/ALA_Washington/Issues2/Civil_Liberties,_Intellectual_Freedom,_Privacy/CIPA1/Legislation/Legislation.htm

Casser, Karen L. (1996). Employers, Employees, E-mail and the Internet. The Internet and
Business: A Lawyer’s Guide to the Emerging Legal Issues. Computer Law Association,
Inc.

HyperDictionary (2003). Retrieved December 7, 2003 from the World Wide Web:
http://www.hyperdictionary.com/search.aspx?Dict=&define=surfing

Inter-Agency OPSEC Support Staff (IOSS) (2003). Retrieved December 7, 2003 from the
World Wide Web: http://www.ioss.gov/bulletin.html

Panaro, Gerrard (1999). Elements of a Successful E-Mail Policy, Part I. Retrieved 25
November, 2003 from the World Wide Web: http://www.mrsc.org/Subjects/InfoServ/panaroI.aspx

Purdham, Stephen. (2000). Ensuring Internet Access Means Business Access. Internet
Management. CRC Press/Auerbach Publications.

Shea, Virginia. (1994, May). Netiquette. Albion Books.
