Why a Robust Acceptable Use Policy Can Set You Free

The Issue

For the last two decades, the internet has grown exponentially and launched businesses and organizations with an online presence into a state of serious self-reflection. As these entities have come to depend on computerization for their livelihood, they have also realized the difficulties in governing and monitoring such a vast landscape, where their precious systems, networks, and machines can often come into contact with irresponsible behavior or flat-out digital harm. As a result, the age-old practice of “house rules” has morphed into something known as an acceptable use policy (AUP), a document organizations use to tell users of all kinds, such as customers and employees, what they can and cannot do with the company’s available computing resources, such as networks, websites, or large computer systems—as both a matter of professional conduct and cybersecurity awareness. A clear AUP also measures compliance and drives digital accountability within an organization.

For customer-facing companies, this policy typically includes guidelines about how their products, features, services, and technologies affect the parties who use them—and equally as important, how the company can stay professionally and legally protected when things go awry. But more commonly, AUPs are used internally by schools, universities, and corporations to illustrate what responsible digital citizenship looks like for anyone coming into contact with their computer resources. Almost all professional environments have some sort of formal AUP in place for associates, who must understand the guidelines in order to follow them. A good AUP illustrates the rules of internet service; details how network and computer equipment should be used; outlines explicit statements of procedure and conduct; and mitigates risk on both sides of the fence. AUPs seek to protect network security and prevent users from making bad decisions and unintentional mistakes while simultaneously fostering a culture of open trust and integrity.

The six key elements of an AUP include:

  • Overview or high-level description
  • Definition of all terms and industry speak
  • Scope of what the policy covers
  • Policies that specify expectations
  • Enforcement of rules and well-outlined consequences of abuse
  • Revision of document as needed

Industry Frameworks

Of course, not all AUPs are the same, as they must be tailored to the specific needs of the issuing organization and include ways to address usage of every bit of computer equipment available, from software to OSes to storage media to email. Although working out how to build a policy that works can be challenging, it is a step in your digital transformation that can’t be ignored.

The initial challenge involves selecting a security framework you would like to follow, such as NIST, PCI, HIPAA, ISO, SOC, CSF, or SEC, and committing yourself to its key points. For example, NIST’s Rules of Behavior offer copious language around the “responsibilities and expected behavior” of those using information systems, to the extent that individuals recommit to their original agreement any time the AUP rules are updated. NIST also outlines the need for appropriate organizational behavior when it comes to “the use of social media/networking sites and posting organizational information on public websites.” If this concern applies to your business in any way, this is the type of language you need to embrace in a well-oiled AUP. Further, AUPs often touch on points like unlawful use of copyrights, trademarks, sensitive or private data, and professional email accounts.

Without a thoughtful AUP framework in place to clarify boundaries and offer protection, organizations open themselves up to myriad problems. Institutions like schools have a responsibility to keep their students—and to some extent, their faculty—safe from the effects of digital maleficence, which is why AUPs must serve as the locked digital doors against any electronic behavior that jeopardizes security. Further, a robust AUP promotes the evolution of technology because it ensures the path for implementation is clear, safe, and well-communicated among all parties. In an educational environment, this is critical because it allows students to explore the digital world in positive, enriching ways while still protecting them from bad actors as well as from poor decision making around the inappropriate use of school resources for things like gaming, illicit communication, or the viewing of sexually explicit material. When students sign an AUP, agreeing to its terms, the policy should be enforced both on campus and off, especially if students keep possession of school property such as iPads, laptops, or other digital devices.

For businesses, the consequences of a poor or nonexistent AUP are different in scope but equivalent in magnitude, primarily because they create a lawless and unpredictable online environment. For employees, clients, vendors, and companies, the protection of an AUP works both ways to maintain a safe and lawful work setting.

Policy Templates

Writing an AUP from scratch can be laborious and time consuming—and these days, totally unnecessary. Apptega’s free AUP template removes the struggle by helping you design the ideal AUP program, even one with customized options and multiple frameworks. Apptega can help your business build the perfect AUP, one that allows you to manage and report all information security issues, as well as pass any sort of compliance audit, all at no charge.

  • Build your program based upon industry frameworks like NIST, PCI, HIPAA, SOC 2, or ISO 27001, or build your own program. Apptega’s Harmony helps you map programs together and eliminates the dreaded cross-walk mapping of how different frameworks overlap.
  • Manage and implement your entire program with real-time compliance scoring, project lifecycle, task management, calendaring, budgeting, collaboration, and vendor management tools.
  • Report on your program easily with one click for audits, board meetings, and customer requests, for unparalleled visibility and control of all your cybersecurity data.
  • Comply by adeptly handling the complexities and realities of a cybersecurity audit or compliance request.

The Apptega platform includes many different templates aligned to the requirements of the cybersecurity framework your company follows to build a strong online presence. There are many templates to choose from, included in an Apptega subscription, to ensure your policies are well managed, consistent, and organized, no matter what digital trouble may come your way.

This is a Security Bloggers Network syndicated blog from Apptega Blog authored by Apptega.