Why You Need an Acceptable Use Policy and How to Create One

What is an acceptable use policy (AUP)?

An acceptable use policy (AUP) in the workplace, also known as an acceptable usage policy or fair use policy, establishes rules for how employees can use their company’s computer system and access its network. It also covers the kind of data they can use after being granted network access.

An AUP is not just a set of rules for employees using the company’s technological resources. It’s an educational document that teaches employees proper information security and data management practices. It’s also a semi-legal document that can have repercussions for those who don’t follow the guidelines.

Acceptable use policy vs. end-user license agreement

What sets an AUP apart from other user agreements – like the standard end-user license agreement (EULA) that most people quickly skim before hitting “I accept” – is that it applies to a much larger system. While an EULA is for a single piece of software, an AUP applies to entire networks and websites. It addresses how employees are expected to comport themselves while using your business’s resources. While a EULA focuses on the client (end user), an AUP is for employees.

Why do you need an acceptable use policy?

A digitally connected workplace comes with specific security and cyber risks. An AUP can help mitigate those risks by establishing clear guidelines for your staff on device (e.g., computer, laptop, cell phone) and network usage.

In addition to educating your team on proper and improper device and network use, the policy clearly outlines sanctions that may occur to those who fail to comply. An acceptable use policy can also help legally protect your organization in the event of a security breach or audit. It’s an integral part of every IT security protocol and can prove due diligence.

Benefits of an acceptable use policy

There are multiple benefits to having an acceptable use policy in place, including the following:

1. AUPs educate employees. An AUP educates employees about business cybersecurity threats and how to avoid them. For example, it may list specific websites known to contain malware. By avoiding these sites, the company’s system and data are protected.
2. AUPs stress that network security is critical. An AUP reinforces the seriousness with which the company views violations through an enforcement section with consequences detailed.
3. AUPs can improve employee productivity. You can improve productivity by limiting employees’ use of company equipment and internet access to work activities instead of checking social media feeds.
4. AUPs help with legal compliance. An AUP aligns company policy with relevant regulations and laws, such as credit card processing laws like the PCI DSS, which protect customer data, and HIPAA laws, which protect medical data. An AUP shields IT professionals from potential errors and omissions lawsuits.
5. AUPs protect the business. An AUP insulates the company from liability for illegal actions by its employees. For example, if an employee pirates videos and you don’t have an AUP in place that prohibits such activity, your company could be sued.
6. AUPs can help control data backup costs. If employees download large files for personal use on your network, your business will unwittingly pay to back up useless data.
7. AUPs limit company liability. An AUP limits company liability in the event of a data breach. A good AUP insulates the company and shows that it fulfilled its obligation to due diligence.

What should you include in an acceptable use policy?

The following elements should be included in your AUP: 

1. Overall restrictions

Since your AUP is designed to explain what can and cannot take place on your company’s work computers or network, stating what’s forbidden is critical. Your final AUP should tell employees that the following actions will not be tolerated:

• Taking part in any illegal activity
• Bypassing device and network security
• Participating in unauthorized electronic communication
• Installing malicious software
• Disclosing confidential information

Your overall restrictions can also include forbidden websites, email response guidelines and more.

2. Software installation rules

Software installation security practices can protect your business. Any system administrator will likely tell you that installing a new program on a company device is carefully planned and executed. If your company relies on a secure digital environment, you must consider how much freedom employees have to install new software. Without setting guidelines, employees may install software or apps that introduce security risks, exposing the network to unauthorized access by bad actors.

3. BYOD and remote work policies

Your employees are accustomed to using their own devices, so some may want to bring them into the office. Additionally, remote work is commonplace, further increasing the use of personal devices for work. If you have a bring-your-own-device (BYOD) policy or allow remote workers to use their personal devices, your AUP must require employees to implement specific mobile device security measures.

While it may be convenient for employees to use their own devices, Ivan Kot, director of customer acquisition at Itransition, said careful consideration is needed for AUPs governing BYOD usage. “Employees often use their personal devices while accessing global and corporate networks through their private channels,” Kot warned. “This raises cybersecurity risks dramatically and exposes corporate infrastructures to external intrusions. In this situation, acceptable use policies are the key documents stipulating acceptable and secure ways for employees to use corporate and personal resources for work-related purposes.”

Your AUP must clearly state that employee monitoring efforts will apply to the use of employee-owned devices only during work hours and that private use will remain private. For remote work, your policy can require a VPN or other encrypted connection service to protect your company’s copyrighted material, personal information and intellectual property from security breaches.

4. Social media and internet usage guidelines

Social media platforms are incredibly popular; you’re sure to have employees who browse them at work. Though these platforms can be an excellent and immediate source of information, they can also be a massive time suck. 

An AUP can set rules banning the use of social media platforms while connected to the network, helping employees manage their time and productivity – incredibly important resources to any small business. You may also want to include rules and restrictions for internet surfing.

5. Consequences

A company policy is only as strong as its enforcement measures. An AUP should be a series of rules that will be enforced. Failure to adhere to an AUP can have dire ramifications for the company, so it’s crucial to establish consequences – up to and including legal action – to address employee missteps. The security of your company’s intellectual property and infrastructure depends on it.

How do you create your own acceptable use policy?

AUPs are as unique as the companies that adopt them; what works for one setup may not work for yours. As with any other company policy, you must consider how it will change the workplace and what problems may arise from its implementation.

Once you’ve decided what to include in the policy, take the following steps:

• Find an AUP template. You can find premade templates that fit your needs online. For example, the SANS Institute has an acceptable use policy template to help businesses outline the acceptable usage of devices and equipment. It also covers necessary employee security measures to protect proprietary information.
• Include all restrictions and guidelines. Populate your AUP template with your overall restrictions, software installation rules, BYOD and remote work policies, social media guidelines, and consequences for noncompliance. 
• Investigate additional applicable legal regulations in your AUP. An AUP primarily consists of best practices and guidelines. However, some companies are subject to additional regulations, including federal and international laws. Since a good AUP will bolster your data security, keep any regulatory concerns in mind when drafting it. For example, if your company deals with healthcare issues, you may be required to follow federal HIPAA guidelines, PCI regulations and GDPR rules. You must also ensure the AUP follows state, federal and local security laws.

What are best practices for implementing and enforcing an AUP?

Once you’ve decided what to include in your acceptable use policy, you must implement it and enforce it in your company. Here are some tips to smooth the process:

• Write up your AUP in plain language. All employees must understand your AUP. Remember that most won’t have extensive legal and technical knowledge. Write your AUP in straightforward language with minimal IT tech jargon, legal terms and acronyms. 
• Train employees on the AUP. Have a meeting or class where you explain your AUP. Share how it benefits the company (i.e., protecting the business from data breaches and shielding it from lawsuits) and how it will be enforced. Highlight changes employees must make in their day-to-day activities, and answer any employee questions about the policy.
• Have employees agree to the AUP. Distribute written copies of the AUP, and have each employee sign it to indicate that they understand and agree to the policy. Include this in the onboarding process for all new hires. Keep these signed agreements with your human resources files in case of a future breach or legal issue.
• Keep the AUP top of mind. Occasionally remind employees of the policy’s details so the information stays fresh in their minds. You may even want to quiz them on specific aspects to emphasize the document’s importance. Employees who do poorly on this test can be sent to additional training to reinforce the information; consider giving a small reward to those who do well. 
• Schedule periodic policy reviews. Schedule a review of your AUP every year to see if it must be changed in any way. Reviews may be done sooner if an event impacts the policy, such as a new business process, product, law or ownership change.

What privacy concerns exist with an acceptable use policy?

Enforcement is a crucial aspect of an AUP. Some businesses employ user activity monitoring software and tools to discover when employees fail to meet the policy’s requirements. 

The best employee monitoring software can ensure your AUP is being adhered to properly. For example, our review of ActivTrak and our InterGuard review explain how these solutions can improve cybersecurity and productivity. However, there are pros and cons to monitoring employees. Employees are often leery of this type of software, so employers must tread carefully. 

“Individual privacy and freedom remains one of the most disputable issues of AUP,” Kot explained. “Some companies choose to monitor their employees’ devices 24/7 without leaving a chance for private use. Others prefer to determine each and every way employees should perform their work, which deprives employees of any flexibility in their actions.”

When implementing employee monitoring software, be sure to detail its usage in your AUP. You must be crystal clear with your employees about when they will be monitored. Kot encourages business owners to keep their employees’ privacy issues in mind and “opt for reasonable AUP while staying away from hyper-control and setting unnecessary boundaries in employees’ daily work.” 

Jennifer Dublino contributed to this article. Source interviews were conducted for a previous version of this article.