How to write an Acceptable Use Policy (AUP)

The World’s #1 Web & E-mail Filtering Company

Contents

Misuse of the Internet - The Issues
Building an Acceptable Use Policy (AUP)
Example Acceptable Use Policy
Informing and Educating Users
Installing Appropriate Technology
Maintaining the Policy
Helpful Resources


Misuse of the Internet - The Issues

- 70% of Internet porn traffic occurs between the hours of 9am and 5pm.

- 32.6% of workers surf the Internet with no specific objective; men are twice as likely to do this as women.

- 30% to 40% of employees’ Internet activity is not business related and costs employers millions of dollars in lost productivity. (IDC research)

- Men are 20 times more likely to download pornography; employees earning $75K to $100K annually are more than twice as likely to download pornography as those making less than $35K.

- 1 in 5 men and 1 in 8 women admitted to using their work computers as their primary lifeline to access sexually explicit materials online. (MSNBC)

- During work hours, 9% of employees earning under $35k surf the net for a new job, while 11% of employees earning $75k-$100k do the same. (Greenfield Online)

- Cyber-skiving accounts for 30% to 40% of lost worker productivity.



Business has everything to gain from going onto the Web: new customers, more efficient
administration, closer ties with business partners, access to infinite information sources,
and keeping in touch with mobile employees. But the Web provides employees with the
temptation to spend their time and use the resources for non-business ends. Controlling
Internet usage is only one aspect of the e-business security issue, but it is one that is
important to all businesses. The typical issues raised by casual surfing on the Internet are
as follows:

Employee productivity

The information and resources available through the Internet can help employees to be more productive and effective. From vital online market information to last night's sports scores, games or chat rooms, you can get there with just a click. How many hours of lost productivity can your company afford?

“The Internet is remaking business… but it’s also the greatest way to waste time that the human race has ever invented.” (The Wall Street Journal)

Network resources
Combine recreational surfing with bandwidth-intensive activities such as streaming audio
and video, MP3 downloads and image downloads, and you have a significant impact on
your network performance that impedes business traffic.

Unless you're careful, opening the door to the Internet also opens your company's door to
the potential security breaches inherent in the cyber world. Network security issues
become even more acute when the enterprise is linked to the global public network.
Employees can use the Internet to send sensitive company information or to download
material that could be infected with viruses, etc.

Legal liability
Letting employees surf anywhere on the Internet can lead them to stray to clearly
inappropriate sites, sexually explicit sites and those promoting violence and hate speech.
This kind of activity can lead to lawsuits, harassment charges and even criminal prosecution.
Protect your employees and your company by promoting responsible Internet use.

Adverse publicity
Several major international companies have already been forced to dismiss employees that
were found guilty of accessing illegal and offensive material through the Internet. Adverse
publicity can clearly be very damaging.



Examples of adverse publicity:

… fires staff who exchanged sex site images. (Evening Standard)

The top brass are extremely embarrassed about the computers crashing because it was obvious to the technicians what had been going on. (The Sun)

… sacking of three Downing Street workers for downloading hardcore images… (The Observer)

Every employee using Internet resources should have a clear understanding of the legal
issues involved. These include:

- Sexual harassment as a result of bringing objectionable or sexually explicit material into the workplace. If an employee downloads objectionable materials - pornography, for example - and another employee sees it, your company could be liable. Even worse, if a user downloads materials that are illegal, your company might face criminal charges.

- Copyright infringement can happen unintentionally. An employee downloads and uses a software program, a photograph or a proprietary document in all innocence, thinking that, because it's available on the Web, it's "free". It's not!

- Misrepresentation can also occur unintentionally, particularly through the use of e-mail. Employees should know, and should make it clear to the people with whom they communicate, that opinions expressed via e-mail and other electronic media are their own, not the company's.


IT managers could face prosecution if their corporate networks are used to carry illegal material from the Internet. “The law on online information is the same as offline” [said Philip Virgo from the Institute for the Management of Information Systems]. “Therefore, IT managers, as well as local general managers with service providers, face jail if their networks are used to put illegal material over the Net. The Internet’s operation is subject to national law that can be very strict.” Virgo said it was important for IT managers to take reasonable precautions, so in the event of a problem they could say they had tried to prevent misuse of their systems. (Computer Weekly)



Business impact
In the 2000 Information Security Industry Survey sponsored by ICSNet and Global Integrity,
63% of respondents experienced examples of their employees using the company computing
resources for illegal or illicit communications or activities, including porn surfing and e-mail

Although 41% of respondents experiencing misuse of company computing resources did not
think that the business suffered any knock-on impact, a substantial percentage did relate
the behaviour to damage to the business, as shown in the chart below. (Some respondents
identified multiple types of consequences.) It should be noted that this survey does not
include the important, but hard to measure, effect on productivity and staff motivation.


18% Lost business to competitors

12% Temporary loss of website
08% Corruption of information
05% Disclosure of information
05% Temporary loss of Internet access
03% Theft of information or service
01% Public harassment or bad PR
48% Other

Businesses should be alert to some of the pitfalls amid all the business potential of the
Internet. The good news is that most, if not all of these pitfalls can be avoided by developing
and implementing an effective company Acceptable Use Policy, and through the use of
proven access control technology.

Controlling access to the Internet is no different to managing other resources like the
phone, fax and mobile phone: it is a management issue. There are four stages to ensuring
that Internet access is business access:

1. Building an Acceptable Use Policy (AUP)
2. Informing and educating the users
3. Installing appropriate technology to filter and monitor usage
4. Maintaining the policy


Building an Acceptable Use Policy (AUP)

The goals of an AUP are:

- To clarify the company's policy regarding use of the Internet
- To shield the organisation against potential liability
- To avoid security threats by promoting awareness and good practice
- To encourage effective and positive use of the resources

The following are some things to consider when building an AUP:

1. Make it a team effort

Setting corporate limits on Internet use can be an emotionally charged subject, linked as it
is to issues of personal privacy and individual responsibility. For that reason, it's prudent to
avoid any hint of "top-down" policy making.

Rather, it will be better if both the articulation of the business needs for an AUP, and the policy itself, are developed by representatives from every part of the business: senior management, information technology, business unit managers, human resources, legal and interested user groups.

"The separation of creation and implementation of the policy is a recipe for disaster." (Gartner Group, Strategic Analysis Report)

Keep in mind that Internet access need not be "all or nothing". You can restrict certain
services, type of access, time of day, length of connection, etc. exactly as you can for
internal network connections. It helps to think of Internet access as a privilege, rather than
an inalienable right (although some users are sure to argue otherwise). Encouragement and
leadership are more likely to succeed than a policy based on prohibition, but sometimes
both are needed in unison.

2. Make it clear
The policy should start by specifying the general principles governing Internet use by
employees, both in the course of their business and in other activities. This should be
followed by clear conditions of use for individual services. Finally, employees need to
understand what the consequences are for non-compliance.

Employees also need to know whether the organisation routinely monitors Internet or e-mail
usage and what the consequences are for a breach of the code of conduct. A clear
statement of policy is a strong defence against prosecution. You may also wish to seek legal
advice to clarify what levels of monitoring are acceptable and legal in the workplace. Some
information regarding the legal issues is provided later on in this guide.



3. How much personal use of the Internet is acceptable?

Your policy should be quite explicit about the level of personal surfing that is acceptable.
Some organisations, especially those whose business places a premium on creativity, might
even encourage employees to roam cyberspace as part of their jobs. Some may choose to
limit Internet activity to strictly work-related sites and activities. Others may look for the
"happy medium".

4. What about out of hours activity?

Depending on the type and cost of your physical connection, you may decide to allow, and
even encourage, appropriate personal use of Internet resources during non-work hours. And
you may or may not choose to place restrictions on the content, types of sites visited and
specific activities.

But remember, even during off-hours, the sites your employees visit reflect directly on your
company's image. (And any well-equipped Webmaster can determine with a reasonably high
degree of accuracy where traffic is coming from.) Nor does off-hours usage lessen the
company's legal responsibility regarding sexual harassment, misrepresentation and other issues.


36% All non-work use prohibited
28% Limited use after business hours
17% Unrestricted personal use any time
13% Limited personal use any time
04% No policy
02% Unrestricted use after work hours

5. Some things are better not shared

Now that it's possible to send an e-mail to hundreds of people at the touch of an enter key,
you'll want to remind employees at all levels about the importance of protecting valuable
company information. Business plans, marketing strategies, sales results, economic
projections - any and all of these can be sent literally anywhere with a keystroke. Obviously,
some things simply shouldn't be shared. And without encryption, employees have to realise
that nothing on the public network is private.



6. Covering your assets

In general, employers can be held liable for employee actions, and because e-mail is a ‘written
record’ it exists as evidence, even after it is believed to have been deleted! Every
employee using Internet resources should have a clear understanding of the legal issues
involved. These include sexual/racial harassment, libel, copyright infringement, breach of
confidence, negligent misstatement, publication of obscene material, data protection,
negligent virus transmission, inadvertent formation of contracts, and The Computer Misuse
Act or similar legislation.

In all of these cases the key is to have a clear and effective policy that is communicated to all staff. You can never guarantee to prevent exposure to legal charges, but the onus is on the employer to demonstrate reasonable care in preventing such incidences.

27% of Fortune 500 companies have battled harassment claims stemming from employee misuse of email and Internet systems.

7. Make security part of everybody's job description

Even the most secure firewall can be compromised by an employee's accidental disclosure of
a password, or - to a determined hacker - even an IP address. The sad truth is that far more
security problems are caused by carelessness and inattention than by malicious hacking.

Also keep in mind that even the best-intentioned employee can inadvertently bring a network
down with a virus retrieved from "off the Net". If you plan to use any type of virus scanning
software - and you should - your users should know that their e-mail and outside connections
will be scanned as a normal part of network security. On the same subject, it's especially
important to hammer home to all users that directly connecting a modem to an outside line is
a breach of security far more serious than leaving all the doors unlocked at night.

8. Taking responsibility
Be sure to clearly spell out who is covered by this AUP, whether it is some or all of your
employees. If you intend the policy to cover all employees, say so.

Whether the people responsible for enforcing your AUP are in Human Resources or in MIS, be
sure that a responsible group or person is appointed and is fully aware of this responsibility.
Extend your policy beyond initial guidelines. Develop a process for handling offences within
your organisation; for example, what to do in the case of a 1st offence, 2nd offence, 3rd
offence, etc. Clearly outline the consequences of non-conformance with your official AUP.

It goes without saying that full management support - all the way to the top of the
organisation - is essential to implementing a successful AUP. Do whatever it takes to
educate senior management on the finer points of your policy. Make sure they set a good
example and that you advertise Senior Management’s endorsement of the policy.



9. Enforce it
The AUP should become part of your organisation's overall policy manual. As with other company policies, you'll want to make sure it's readily available, widely disseminated and clearly understood by all. In fact, many organisations require that employees sign the AUP document as a condition of receiving Internet access privileges.

10. Public policy vs. technical details

As well as working on the principles of the policy, it is important to work out the technical details in line with your current network security for groups and users. Building a policy is like setting up a customs house: you decide what information types you want to allow into the company network and who can access those different types. Think about the file types you are going to allow through, the maximum size of files as well as where they are allowed to come from. Draw up a table to make this clear and apply your rules and exceptions to the users and groups on your network.

File types to consider:
Image files: bmp, dwg, dxf, fli, gif, pcx, psp, png, tif, etc.
Movie files: avi, mpg, qtm, rt, etc.
Compressed files: arj, cab, cmp, gzip, lzh, tar, rar, zip, etc.
Executable files: dll, exe, com, etc.
Document files: doc, etc.

This will need to be worked out in conjunction with managers and user representatives. It is
not necessary to publish all of the details as long as you have the cooperation and
agreement from all departments and you agree to review your policy regularly so that it falls
in line with changing user requirements.

11. Example e-mail disclaimer

In light of numerous recent litigations you should also consider a disclaimer to be attached
at the end of e-mails. An example disclaimer could be:


Example Acceptable Use Policy

This Acceptable Use Policy (AUP) applies to all staff of this company and to those
others offered access to company resources.

General Principles
Use of the Internet by company employees is permitted and encouraged where such use is
suitable for business purposes and supports the goals and objectives of the company and its
business units. The Internet is to be used in a manner that is consistent with the company’s
standards of business conduct and as part of the normal execution of an employee’s job.

Corporate e-mail accounts, Internet IDs and web pages should not be used for
anything other than corporate-sanctioned communications.

Use of Internet/intranet and e-mail may be subject to monitoring for security and/or
network management reasons. Users may also be subject to limitations on their use
of such resources.

The distribution of any information through the Internet, computer-based services,

e-mail, and messaging systems is subject to the scrutiny of the company. The
company reserves the right to determine the suitability of this information.

The use of computing resources is subject to UK law and any illegal use will be
dealt with appropriately.

Users shall not:

- Visit Internet sites that contain obscene, hateful or other objectionable materials.
- Make or post indecent remarks, proposals, or materials on the Internet.
- Solicit e-mails that are unrelated to business activities or for personal gain.
- Send or receive any material that is obscene or defamatory or which is intended to annoy, harass or intimidate another person.
- Represent personal opinions as those of the company.

- Upload, download, or otherwise transmit commercial software or any copyrighted materials belonging to parties outside of the company, or the company itself.
- Reveal or publicise confidential or proprietary information which includes, but is not limited to: financial information, new business and product ideas, marketing strategies and plans, databases and the information contained therein, customer lists, technical product information, computer software source codes, computer/network access codes, and business relationships.
- Send confidential e-mails without suitable encryption.
- Download any software or electronic files without implementing virus protection measures that have been approved by the company.
- Intentionally interfere with the normal operation of the network, including the propagation of computer viruses and sustained high volume network traffic that substantially hinders others in their use of the network.
- Examine, change, or use another person's files, output, or user name for which they do not have explicit authorisation.
- Perform any other inappropriate uses identified by the network administrator.
- Waste time on non-company business.

Protect your reputation and career

Follow your organisation’s Internet AUP, or risk disciplinary action and termination of
employment. The company also retains the right to report any illegal violations to the
appropriate authorities.


Informing and Educating Users

Start as you mean to go on

Training should be considered a prerequisite for Internet access, not only in the mechanics
of using e-mail and browsers, but in the ethical, legal and security aspects associated with
participation in a global public network.

Bad habits die hard

Employees often come with bad Internet habits from college, previous employers or home
Internet use. It is therefore vital that everyone understands how the company expects its
employees to act over the Internet. This requires continuous training until the culture and
expectations within the company change.

Regular updates
You may also want to consider regular company-wide e-mails to remind employees of
particular aspects of the policy. Being aware of viruses and how to protect yourself is a key
area, but don’t forsake other aspects of the policy that may seem less important but could
nevertheless cost the company dearly if unheeded.

In a PC World Online survey, most respondents agree that their employer has the right to
monitor how they use the Internet connection at work - provided they know if the boss is
peering over their virtual shoulder. You get better response from users if you inform them of
what you are doing.


66% Agree, 27% Disagree, 07% Not Sure (PC World Online Survey)
94% Agree, 04% Disagree, 02% Not Sure (PC World Online Survey)


Installing Appropriate Technology

Don't let technology dictate your AUP - develop policy first and then find
the right technology to meet your needs. Just about anything you need
to do to implement a workable AUP can be accomplished with existing
technology. In fact, you'll probably find that there are several ways to get
the job done.

Flexible monitoring
Your filtering software should enable you to implement any AUP you choose. Don’t write
your policy around constraints of limited tools and what they enable you to do. Select one
with the flexibility to help you enforce ‘your’ policy - whatever it is.

You should be able to implement varying levels of filtering restrictions depending on the day
of the week or the time of day: for example, it could be more stringent between 8am and
6pm, and more lenient after 6pm and on weekends. You’ll want to look for software that
also lets you configure access by user and group; for example, you may want to give top
management more access than others, or you may want to set up different levels of filtering
for one department compared to another, due to specific job needs.

Complete reporting
Graphs and reports will enable you to know when and how many sites not conforming to
your AUP are requested, whether you choose to block them or simply monitor those
requests. And once you’ve identified possible problems, you want to be able to track those
users more closely and work with them to enforce the policy. So find out how many reports
are available, whether you can customise them, and how the reports are distributed, such
as by automatic e-mail or an internal website.
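The customs-house rule table from section 10 (file types, maximum sizes and approved sources, applied per group), the time-of-day and per-group filtering described under Flexible monitoring, and the per-user reporting described above can be sketched as one small policy engine. The Python below is an added example written for this guide; it is not SurfControl's software or any vendor's API, and the group names, rule values, host names and proxy log lines are all constructed for illustration.

```python
"""Toy AUP rule engine: evaluate web requests against a policy table and
summarise the decisions per user. Constructed example; the groups, hosts,
time windows and log lines are invented, not taken from any real product."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# File-type categories built from the extension groups listed in the guide.
CATEGORIES = {
    "image": {"bmp", "dwg", "dxf", "fli", "gif", "pcx", "psp", "png", "tif"},
    "movie": {"avi", "mpg", "qtm", "rt"},
    "compressed": {"arj", "cab", "cmp", "gzip", "lzh", "tar", "rar", "zip"},
    "executable": {"dll", "exe", "com"},
    "document": {"doc"},
}

def category_of(url: str) -> str:
    """Map the URL's file extension to a category; anything else is 'web'."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    for name, exts in CATEGORIES.items():
        if ext in exts:
            return name
    return "web"

@dataclass
class Rule:
    group: str                             # "*" matches any group
    category: str                          # "*" matches any file category
    action: str                            # "allow", "block" or "monitor"
    max_bytes: Optional[int] = None        # size limit for an allowed download
    start: time = time(0, 0)               # window in which the rule applies
    end: time = time(23, 59, 59)
    allowed_sources: Optional[set] = None  # if set, other domains are blocked

    def matches(self, group: str, category: str, when: datetime) -> bool:
        return (self.group in ("*", group) and self.category in ("*", category)
                and self.start <= when.time() <= self.end)

@dataclass
class Request:
    user: str
    group: str
    when: datetime
    url: str
    size: int

    @property
    def domain(self) -> str:
        return self.url.split("//", 1)[-1].split("/", 1)[0].lower()

def evaluate(policy, req: Request):
    """First matching rule wins, as in a firewall table; default is block.
    Size and source exceptions can turn an 'allow' into a 'block'."""
    cat = category_of(req.url)
    for rule in policy:
        if rule.matches(req.group, cat, req.when):
            if rule.action == "allow":
                if rule.max_bytes is not None and req.size > rule.max_bytes:
                    return "block", f"{cat} exceeds {rule.max_bytes} bytes"
                if rule.allowed_sources and req.domain not in rule.allowed_sources:
                    return "block", f"{req.domain} not an approved source"
            return rule.action, f"{rule.group}/{rule.category} rule"
    return "block", "no matching rule"

# Hypothetical policy table: order matters, first match wins.
POLICY = [
    Rule("*", "executable", "allow", max_bytes=5_000_000,
         allowed_sources={"updates.example-vendor.test"}),   # approved host only
    Rule("engineering", "compressed", "allow", max_bytes=50_000_000),
    Rule("*", "movie", "block", start=time(8, 0), end=time(18, 0)),  # office hours
    Rule("*", "movie", "monitor"),                            # after hours: log only
    Rule("*", "*", "allow"),                                  # everything else
]

# Constructed proxy log: timestamp user group url bytes
SAMPLE_LOG = """\
2000-06-12T10:15:00 alice engineering http://updates.example-vendor.test/patch.exe 2400000
2000-06-12T10:20:00 bob sales http://files.example.test/setup.exe 1200000
2000-06-12T11:05:00 carol sales http://media.example.test/trailer.mpg 30000000
2000-06-12T19:30:00 carol sales http://media.example.test/trailer.mpg 30000000
2000-06-12T14:00:00 alice engineering http://mirror.example.test/toolchain.tar 80000000
2000-06-12T14:05:00 bob sales http://www.example.test/index.html 5000
"""

def parse_log_line(line: str) -> Request:
    ts, user, group, url, size = line.split()
    return Request(user, group, datetime.fromisoformat(ts), url, int(size))

def report(policy, log_text: str):
    """Per-user count of allow/block/monitor decisions: the raw material for
    the usage reports the guide says to look for in a filtering product."""
    summary = {}
    for line in log_text.strip().splitlines():
        req = parse_log_line(line)
        action, _reason = evaluate(policy, req)
        summary.setdefault(req.user, Counter())[action] += 1
    return summary

if __name__ == "__main__":
    for user, counts in report(POLICY, SAMPLE_LOG).items():
        print(user, dict(counts))
```

The engine keeps the policy as data, so the table drawn up with managers and user representatives maps directly onto rule rows, and a review of the policy becomes an edit of that table rather than of code. A real filtering product would also classify sites by content, which this sketch deliberately leaves out.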

Intelligent filtering
The software should include a clear statement of the criteria used to block sites so you can
answer any questions that arise internally, and be able to explain what is and isn’t blocked
and why. Put the software to the test to ensure that blocked sites are sites that should be
blocked, while access is allowed to sites that should not be blocked. Too many filtering
packages “throw out the baby with the bathwater”: it’s easier to over-block than to block
carefully and accurately, and that may result in the inability to access useful sites. The
filtering software should enhance employee productivity, not frustrate users trying to work.



Regular content updates

The Internet grows every hour. Some reports suggest that each day, 10,000 new Web pages
come online. You should be able to update frequently - even daily if you choose - to ensure
up-to-date protection against newly posted sites.

High scalability and strong performance

The software should be able to handle thousands of users, so you can run the monitoring
easily from one location on your network. And it should be able to handle thousands of users
without affecting network performance. Investigate supported network topologies, servers,
and firewalls to make sure the software will be able to work with your network and handle
the number of users.

Reliable support
An established vendor will be there to support you in the future as your company grows.
Look for a technically strong, well-respected company with extensive knowledge of the
Internet that gives it staying power.


Maintaining the Policy

Producing the policy and installing the software is not the end of the matter. Changes occur
in staffing, business practice, Internet technology and management expectations, so your
policy will need to keep up with these in order to be relevant. You should implement a
regular review of the policy. Here are some things to consider in your reviews:

- Are new staff being trained adequately, are they being given sufficient information and do they understand the policy?
- Are you getting feedback from users and maintaining an open channel of communication?
- Is your policy or the restrictions preventing anyone from doing company business more efficiently? You will need to consult line managers to find out.
- Analyse Web and e-mail activity for new trends that may indicate time spent on non-business activities by large numbers of users.
- New e-mail jokes, viruses and new websites come out every month, so make sure you are up-to-date in restricting these.
- Review your e-mail disclaimer. Is it up-to-date and sufficiently protecting the company and its employees?
- Maintain your lists of users and groups and ensure they have appropriate security levels.
- Have any temporary staff left and have you revoked their privileges?
- Ensure you are getting regular updates from your anti-virus and filtering software vendor.
- Check for file types or e-mail attachments that are causing bandwidth bottlenecks.
- Have there been any incidents that require a change of policy, monitoring or security?
- Review those areas of your business that require special attention to security.
- Do employees require different types of access to websites or external e-mails so that you need to change your policy or rules?


Helpful Resources

Online Resources

- Return on Investment Calculator. How much is casual surfing costing your company?
- SurfControl – 5 case studies showing what other companies have done and the benefits obtained
- Gartner - Internet Access Policy: Deterring Abuse (10 Apr 98) Resource ID: 297695
- Gartner - Internet Appropriate Use Policy Guidelines (16 Nov 98) Resource ID: 298525
- Guide to e-mail and Internet use in the workplace (March 99)
- Information Week Online - Web Surfers Beware: Someone's Watching (7 Feb 2000)
- Nielsen//Netratings - At-work Internet users do double-time online as compared to at-home web surfers (22 Feb 2000)
- BusinessWeek Online – Workers, Surf at Your Own Risk (12 June 2000)
- Internet Watch Foundation – established October 1996 by UK Internet Service Providers to combat criminal content on the Internet and to advise Internet users on how best to restrict access to harmful or offensive content on the Internet generally.
- Information Commission Website