Why You Need an Acceptable Use Policy and How to Create One

What is an acceptable use policy (AUP)?

An acceptable use policy (AUP) in the workplace, also known as an acceptable usage policy or fair use policy, establishes rules for how employees can use their company’s computer system and access its network. It also covers the kind of data they can use after being granted network access.

An AUP is not just a set of rules for employees using the company’s technological resources. It’s an educational document that teaches employees proper information security and data management practices. It’s also a semi-legal document that can have repercussions for those who don’t follow the guidelines.

“An AUP helps manage risk by ensuring compliance with legal and regulatory requirements, especially in industries that handle sensitive data, such as healthcare,” explained Katrina Rosseini, chief strategy officer at Immutiverse. “It sets clear boundaries for acceptable use while proactively protecting against data breaches, cybersecurity threats and legal liabilities, ensuring proper technology use in the workplace.”

Sam McMahon, IT and security senior manager at Valimail, added that an AUP is also a tool for aligning employee behavior with security, compliance and operational goals. “A strong AUP should be clear, practical and adaptable, reflecting both the technical and cultural realities of how your team operates,” he said.

Acceptable use policy vs. end-user license agreement

What sets an AUP apart from other user agreements (e.g., the end-user license agreement, or EULA, most people skim before hitting “I accept”) is it applies to a much larger system. While an EULA is for a single piece of software, an AUP applies to entire networks and websites. It addresses how employees are expected to comport themselves while using your business’s resources. While a EULA focuses on the client (end user), an AUP is for employees.

Why do you need an acceptable use policy?

A digitally connected workplace comes with specific security and cyber risks. An AUP can help mitigate those risks by establishing clear guidelines for your staff on device (e.g., computer, laptop, cell phone) and network usage. McMahon said an AUP minimizes any confusion or misunderstandings around technology-related employee expectations.

In addition to educating your team on proper and improper device and network use, an AUP clearly outlines sanctions that may occur for those who fail to comply. An acceptable use policy can also help legally protect your organization in the event of a security breach or audit. It’s an integral part of every IT security protocol and can prove due diligence.

“Defining how employees are permitted to utilize company-owned technology … helps the IT shop better understand and predict servicing and replacement budgets,” said Evan Dornbush, co-founder of Point3 Security and a former NSA cybersecurity expert. “It helps the security team detect abnormalities [that] could be indicative of an intruder … In some cases, it can help owners secure better insurance rates.”

Benefits of an acceptable use policy

There are multiple benefits to having an acceptable use policy in place, including the following:

1. AUPs educate employees. An AUP educates employees about business cybersecurity threats and how to avoid them. For example, it may list specific websites known to contain malware. By avoiding these sites, the company’s system and data are protected. McMahon said that AUP’s educational aspect minimizes “the chances of employees adopting unapproved tools or services,” thus helping IT teams “manage and secure systems effectively.”
2. AUPs stress that network security is critical. An AUP reinforces the seriousness with which the company views violations through an enforcement section detailing consequences for misuse. “An AUP sets clear expectations and consequences,” said Rosseini, “helping employees protect company data and avoid careless mistakes.”
3. AUPs can improve employee productivity. You can improve productivity by limiting employees’ use of company equipment and internet access to work activities instead of checking social media feeds.
4. AUPs help with legal compliance. An AUP aligns company policy with relevant regulations and laws, such as credit card processing laws like the PCI DSS, which protect customer data, and HIPAA laws, which protect medical data. An AUP shields IT professionals from potential errors and omissions lawsuits. “An AUP is essential for frameworks like SOC 2 or ISO 27001,” McMahon said. “This is a required and common policy that organizations must have to complete security audits and certifications.”
5. AUPs protect the business. An AUP insulates the company from liability for illegal actions by its employees. For example, if an employee pirates videos and you don’t have an AUP in place that prohibits such activity, your company could be sued.
6. AUPs can help control data backup costs. If employees download large files for personal use on your network, your business will unwittingly pay to back up useless data.
7. AUPs limit company liability. An AUP limits company liability in the event of a data breach. A good AUP insulates the company and shows that it fulfilled its obligation to due diligence.
8. AUPs counter potential insider threats. Cybersecurity risks and mistakes can come from within your team — and sometimes, they aren’t actually mistakes. Rosseini said that, in both accidental and intentional instances of employees compromising an organization’s data security, AUPs offer important protection. “A well-structured AUP deters malicious or negligent actions, preventing insider threats to the organization’s security,” she said.

What should you include in an acceptable use policy?

The following elements should be included in your AUP: 

1. Overall restrictions

Since your AUP is designed to explain what can and cannot take place on your company’s work computers or network, stating what’s forbidden is critical. Your final AUP should tell employees the following actions will not be tolerated:

• Taking part in any illegal activity
• Bypassing device and network security
• Participating in unauthorized electronic communication
• Installing malicious software
• Disclosing confidential information

Your overall restrictions can also include forbidden websites, email response guidelines and more. 

2. Software installation rules

Software installation security practices can protect your business. Any system administrator will likely tell you that the process of installing a new program on a company device must be carefully planned and executed. If your company relies on a secure digital environment, you must consider how much freedom employees have to install new software. Without setting guidelines, employees may install software or apps that introduce security risks, exposing the network to unauthorized access by bad actors.

3. BYOD and remote work policies

Your employees are accustomed to using their own devices, so some may want to bring them into the office. Additionally, remote work is commonplace, further increasing the use of personal devices for work. If you have a bring-your-own-device (BYOD) policy or allow remote workers to use their personal devices, your AUP must require employees to implement specific mobile device security measures.

While it may be convenient for employees to use their own devices, Ivan Kot, director of customer acquisition at Itransition, said careful consideration is needed for AUPs governing BYOD usage. “Employees often use their personal devices while accessing global and corporate networks through their private channels,” Kot said. “This raises cybersecurity risks dramatically and exposes corporate infrastructures to external intrusions. In this situation, acceptable use policies are the key documents stipulating acceptable and secure ways for employees to use corporate and personal resources for work-related purposes.”

Your AUP must clearly state that employee monitoring efforts will apply to the use of employee-owned devices only during work hours and that private use will remain private. For remote work, your policy can require a VPN or other encrypted connection service to protect your company’s copyrighted material, personal information and intellectual property from security breaches.

4. Social media and internet usage guidelines

Social media platforms are incredibly popular; you’re sure to have employees who browse them at work. Though these platforms can be an excellent and immediate source of information, they can also be a massive time suck. 

An AUP can set rules banning the use of social media platforms while connected to the network, helping employees manage their time and productivity — both incredibly important resources for any small business. You may also want to include rules and restrictions for internet surfing.

5. Consequences

A company policy is only as strong as its enforcement measures. An AUP should be a series of rules that will be enforced. Failure to adhere to an AUP can have dire ramifications for the company, so it’s crucial to establish consequences — including legal action — to address employee missteps. The security of your company’s intellectual property and infrastructure depends on it.

6. AI usage policies

McMahon and Dornbush suggested that AUPs include sections governing AI usage. “Without very special precautions, assume everything shared with your AI solution is fed back into that AI’s data sets for future retrieval,” Dornbush said. “Without educating the workforce on expectations, business owners may find their proprietary intellectual property inadvertently shared with competitors.”

McMahon offered that a company should define how AI tools can and cannot be used. “Lay out rules for avoiding input of sensitive data into AI platforms, verifying AI-generated content and maintaining transparency when using AI-driven work products,” he said. “Clear guidelines ensure employees understand the risks and benefits of AI while safeguarding company information and reputation.”

7. Data governance and security

Business technologies operate on an abundance of data, which must be protected for legal and ethical reasons. However, in busy workplaces, key data governance and security tasks may fall to the wayside in favor of directly serving customers or clients. With an AUP, though, these data tasks become requirements that your team can’t ignore.

“Require encryption for sensitive data in transit and at rest to prevent unauthorized access,” Rosseini said. “Define data retention periods and secure disposal methods for physical and digital data to protect against unauthorized access.”

How do you create your own acceptable use policy?

AUPs are as unique as the companies that adopt them; what works for one setup may not work for yours. As with any other company policy, you must consider how it will change the workplace and what problems may arise from its implementation.

Once you’ve decided what to include in the policy, take the following steps:

• Find an AUP template. You can find premade templates that fit your needs online. For example, the SANS Institute has an acceptable use policy template to help businesses outline the acceptable usage of devices and equipment. It also covers necessary employee security measures to protect proprietary information.
• Include all restrictions and guidelines. Populate your AUP template with your overall restrictions, software installation rules, BYOD and remote work policies, social media guidelines and consequences for noncompliance. 
• Investigate additional applicable legal regulations in your AUP. An AUP primarily consists of best practices and guidelines. However, some companies are subject to additional regulations, including federal and international laws. Since a good AUP will bolster your data security, keep any regulatory concerns in mind when drafting it. For example, if your company deals with healthcare issues, you may be required to follow federal HIPAA guidelines, PCI regulations and GDPR rules. You must also ensure your AUP follows local, state and federal security laws.
• Involve stakeholders and employees. McMahon said that IT, security, HR and legal teams must take part in drafting an AUP so the policy effectively addresses all technical, legal and employee-related matters. Rosseini said that working alongside employees to draft an AUP will “increase buy-in and ensure [the AUP] addresses real-world scenarios. This can lead to better adherence and a clearer understanding of expectations.”
• Get expert help. Dornbush noted that, although creating an AUP may seem imposing, it’s easier with guidance from those who know their way around these policies. “You’re not the first person to create an AUP,” he said, “so rather than build from scratch, ask an advisor, mentor, insurance provider or legal counsel for terms applicable to your industry.”

What are best practices for implementing and enforcing an AUP?

Once you’ve decided what to include in your acceptable use policy, you must implement it and enforce it in your company. Here are some tips to smooth the process:

• Write up your AUP in plain language. All employees must understand your AUP. Remember that most won’t have extensive legal and technical knowledge. Write your AUP in straightforward language with minimal IT tech jargon, legal terms and acronyms. 
• Train employees on the AUP. Have a meeting or class where you explain your AUP. Share how it benefits the company (i.e., protecting the business from data breaches and shielding it from lawsuits) and how it will be enforced. Highlight changes employees must make in their day-to-day activities, and answer any employee questions about the policy.
• Have employees agree to the AUP. Distribute written copies of the AUP, and have each employee sign it to indicate that they understand and agree to the policy. Include this in the onboarding process for all new hires. Keep these signed agreements with your human resources files in case of a future breach or legal issue.
• Try out the AUP before fully implementing it. “Before rollout, test the AUP with a few teams,” McMahon said. “Their feedback can help identify confusing language or gaps, making the final version clearer and more actionable.”
• Keep the AUP top of mind. Occasionally remind employees of the policy’s details so the information stays fresh in their minds. You may even want to quiz them on specific aspects to emphasize the document’s importance. Employees who do poorly on this test can be sent to additional training to reinforce the information; consider giving a small reward to those who do well. 
• Consistently monitor for compliance. “Implement automated tools to regularly track employee compliance with the AUP, allowing early detection of potential violations and prompt corrective actions,” Rosseini said.
• Schedule periodic policy reviews. Schedule a review of your AUP every year to see if it must be changed in any way. Reviews may be done sooner if an event impacts the policy, such as a new business process, product, law or ownership change.

What privacy concerns exist with an acceptable use policy?

Enforcement is a crucial aspect of an AUP. Some businesses employ user activity monitoring software and tools to discover when employees fail to meet the policy’s requirements. 

The best employee monitoring software can ensure your AUP is being adhered to properly. For example, our review of ActivTrak and our InterGuard review explain how these solutions can improve cybersecurity and productivity. However, there are pros and cons to monitoring employees. Employees are often leery of this type of software, so employers must tread carefully. 

“Individual privacy and freedom remains one of the most disputable issues of AUP,” Kot explained. “Some companies choose to monitor their employees’ devices 24/7 without leaving a chance for private use. Others prefer to determine each and every way employees should perform their work, which deprives employees of any flexibility in their actions.”

When implementing employee monitoring software, be sure to detail its usage in your AUP. You must be crystal clear with your employees about when they will be monitored. Kot encourages business owners to keep their employees’ privacy issues in mind and “opt for reasonable AUP while staying away from hyper-control and setting unnecessary boundaries in employees’ daily work.” 

Acceptable use, defined clearly

With policies that perfectly spell out how employees can and can’t use their devices and your business network, your team will have few questions about what constitutes acceptable use. And when they do, that’s an opportunity to refine your AUP and bring it up to date with the newest technological advancements and changes. After all, no great business is static, and when your company adapts to the times, your employees do too — and with flexible employees comes maximum productivity.

Max Freedman and Jennifer Dublino contributed to this article. Some source interviews were conducted for a previous version of this article.