What it is
An acceptable usage policy (AUP) is a set of rules applied by the owner or manager (you) of a network, website or large IT system that restricts the ways in which the network, website or system may be used. The AUP is an integral part of security policies for businesses, universities, schools, Internet Service Providers (ISPs) and website owners, often to reduce the potential for legal action that may be taken by a user. They should be clearly written, widely distributed, and frequently updated to accommodate changing technology.
Why are AUPs important ?
Mainly, because they protect you and your organization. From spyware and viruses that can corrupt your data or worse. From lost productivity while employees check their Facebook pages or surf eBay for a deal. And from legal liability, copyright infringement and harassment claims.
For schools and libraries that offer Internet as well as internal (intranet) access, AUPs are important to protect young users against inappropriate language, pornography, and other questionable influences. For corporations, the scope expands to include other factors such as guarding business interests and data theft.
In short, a policy ensures that every user understands that organization-provided Internet services are to be used only for fulfilling job or learning responsibilities.
What it covers
While an AUP should be tailored to your unique circumstances, these are some of the important topics you may want to address:
- What users are (and are not) allowed to do while they are connected to or accessing the network. This includes misuse/overuse and etiquette details, particularly in email and bulletin boards.
- The users’ responsibilities to protect their own data (as well the organization’s data if the user is an employee) when accessing or while connected to the network.
- Security details such as managing passwords, software licenses and intellectual privacy.
- What monitoring strategies will be used, whether filtering software, scanning emails, or scanning proxy server logs for inappropriate web sites.
- What sanctions will be applied if the policy is breeched.
- The level of privacy a user should expect when accessing or while connected to the network.
- “What if” scenarios that illustrate the usefulness of the policy in real-world terms.
Tip: Make sure to discuss your proposed policy with a cross section of staff as well as your legal counsel to ensure it covers all the necessary components for your organization’s unique circumstances.
A word about mobile devices
Given the increasing use of cell phones and other mobile technologies by students and employees, as well as the rise of BYOD policies, your AUP should include a section on personally-owned mobile devices. For example, consider your stance on data security, cyber bullying and sexting, and the transmission of a user’s personal data and passwords across your network. If software installation is required for a user’s device to access your network, your AUP should address who is responsible for installation, updates, troubleshooting and backing up.
Attention: Schools, Libraries and Other Educational Institutions
Educational organizations walk a fine line: enabling student access to extensive Internet resources while protecting them from harmful sites. There’s a wide range of permissiveness in different school districts, from blocking and filtering to teaching children to be responsible users and holding them accountable.
Key considerations for educators
1. Who should develop your policy?
Some districts have a chief technology officer spearheading efforts, others opt for a more inclusive approach to gain buy-in, involving teachers, administrators, parents, and sometimes students.
2. Are you in sync with CIPA (Children’s Internet Protection Act)?
This is the key federal law affecting Internet use in schools, requiring any school district that receives E-Rate funding to filter or block visual depictions that are obscene or that contain child pornography or material harmful to minors.
3. Is your policy in sync with state law or district policies on cyber bullying, cell phone use and filtering?
In the wake of several high-profile cases, a number of states have enacted legislation pertaining to Internet use to protect children from cyber bullying. State legislation is a fluid process so you should check to ensure you have the latest information.
Tip: Look at similar organizations to see what is included in their AUP. You can usually find them on an organization’s website. TechSoup’s broadband wiki also has some great resources about developing tools, policies and resources for your IT infrastructure. You can view sample policies and a wireless policy checklist that other nonprofit organizations have shared.
Tell us – do you have an AUP? When’s the last time you updated it?