With the growing intensity of web and network use in organizations of every kind, including governmental institutions, educational establishments, and commercial companies, the need to ensure the integrity, confidentiality, and secure use of computer resources grows accordingly. To protect the resources of organizations and their clients, Acceptable Use Policies (AUPs) are adopted to prevent possible legal action connected with the violation of network or web resource use regulations. AUPs are specifically designed to ensure the availability, confidentiality, and integrity of computer and network resources within a given organization, to mitigate risk exposure, and to minimize the liability of users.
The sample AUP considered in the present work is the InfoSec AUP published by the SANS Institute (2006). The purpose of the InfoSec AUP is to “outline the acceptable use of computer equipment” and to protect its employees (SANS Institute, 2006, p. 1). This purpose is explained by the need to clarify that inappropriate use of the company’s resources exposes the company’s assets to the risk of virus and other malware attacks, as well as to the compromise of network systems and services, and even to legal issues with other users and entities whose privacy and confidentiality rights can be violated through the irresponsible use of the SANS Institute’s resources (SANS Institute, 2006).
The InfoSec AUP sets out the principles of confidentiality and integrity to increase the awareness of employees and other resource users regarding the boundaries to which the protection of privacy extends. Accordingly, the AUP informs users that any data created and stored on corporate systems remains the property of the SANS Institute, and that users cannot expect any protection of its confidentiality where corporate interests are concerned. It is therefore the prime responsibility of users to make proper decisions regarding the “reasonableness of personal use” (SANS Institute, 2006, p. 1). The InfoSec AUP explicitly sets the statuses of confidential and non-confidential information, placing essential emphasis on “company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data” (p. 2). Employees are strongly recommended to keep their passwords secure and not to share their accounts. Information stored in corporate resources is encrypted (SANS Institute, 2006).
Critiquing the InfoSec AUP, one has to note that it has two major gaps: it does not delineate the authority of particular individuals or departments regarding the investigation of AUP violations, and it does not stipulate the ways in which the organization can use personal information stored on the SANS Institute’s resources. An ambiguous point in the AUP is the status of items that do not violate the AUP but can still be accessed within the company: employees may keep personal photos or personal e-mail that is protected from third parties, while intra-company staff may have full access to them. These points therefore have to be clarified so that the AUP protects the integrity of resource use within the company as strongly as it protects the company’s resources from external intrusion.
To ensure compliance with the InfoSec AUP, the company reserves the right to conduct unplanned audits of corporate networks and systems. Moreover, certain authorized individuals in the SANS Institute may monitor equipment, systems, and network traffic for this purpose. A recommendation for improving compliance with the AUP is to set out the process for investigating complaints about potential violations. The example of the Caltech Alumni Association (2013) could be followed by InfoSec: the AUP of that organization delineates the process of investigating AUP compliance. If the organization or its designated agent receives a complaint about the irresponsible use of the organization’s resources, an investigation is held to ensure compliance with the AUP and with city, state, or federal laws and regulations. During the investigation, the suspected user’s access to resources is officially suspended (Caltech Alumni Association, 2013).
To increase awareness of the AUP, the InfoSec AUP explicitly places responsibility for violations of the confidentiality policy on employees, stating that authorized users are responsible for the security of their passwords and accounts. The use of PCs, workstations, and laptops is also regulated by the AUP and is the responsibility of users, who have to log off unattended hosts (SANS Institute, 2006). Since all hosts are considered the property of the SANS Institute, users are strongly recommended to be highly cautious when opening e-mails with attachments, in order to protect the company’s resources from spyware and other malware. Users violating the AUP are subject to disciplinary action, up to and including the termination of employment (SANS Institute, 2006).
Building awareness of the AUP within a company, as well as ensuring awareness of other organizational policies, is among the vital objectives every company should pursue, since without a planned awareness-building effort, unnecessary litigation can emerge from negligence or simple ignorance of the AUP’s conditions. The example of the Montgomery College (2008) memorandum may be followed by InfoSec and many other organizations: before implementing and enforcing its AUP, the college published a memorandum on building awareness of the AUP that included the purpose of the policy and the rationale for its adoption. The memorandum also indicated where the AUP could be studied and clarified the ways in which the AUP would affect the rules governing the use of college resources (Montgomery College, 2008). Hence, as one can see, designing an AUP is not the most essential step in enforcing the confidentiality and fair use of network and web resources; the key objectives of organizations are to design strong mechanisms for ensuring compliance with the AUP and to build awareness of basic AUP regulations so as to avoid legal action and suspensions.
Caltech Alumni Association (2013). Acceptable Use Policy. California Institute of Technology. Retrieved from https://www.alumni.caltech.edu/acceptable_use
Montgomery College (2008). Building Awareness of the Acceptable Use Policy. Inside MC Online. Retrieved from http://insidemc.montgomerycollege.edu/details.php?id=3028
SANS Institute (2006). InfoSec Acceptable Use Policy. Retrieved from http://www.sans.org/security-resources/policies/Acceptable_Use_Policy.pdf