As an IT professional one of the first steps you need to take to protect your organization is to draft and implement an Acceptable Use Policy (AUP). An AUP is pretty standard in most organizations and should be in place whether you have 5 or 50,000 users. If you do not have an Acceptable Use Policy you do not have to reinvent the wheel. You can find samples online that you can tailor to your uses. A few samples can be found here. Once you have drafted your policy you may need to contact your legal council for your organization before it is distributed. Next you will need to work with your HR department to ensure that this policy is communicated and each employee signs a document saying that they not only have read the policy but that they understand the policy. This is a key component of the employee signoff. Many a wrongful termination case has been proved valid because the employee simply said “they just told me to sign it, I didn’t understand.”
Now that you have your AUP in place, you must ensure that it has bite. When you have an AUP that does not have consequences it is like an alligator with no teeth. The alligator may intimidate some but in most cases will be ignored. When you investigate AUP violations ensure that your HR team is involved, ensure that your evidence is bulletproof e.g make sure your policy states that the employee is responsible for all use with their assigned asset. This removes the “my son must have been using my company computer. etc” excuse.
Lastly, as an IT manager you need to start looking for it. Too many managers and administrators turn a blind eye and think that this does not affect their organization. The truth of the matter is that if your organization is larger than 10 people it probably will affect your organization and no industry is immune. One of the most recent cases that has made the news here in Vancouver has been the case with the Vancouver School Board employees at the Maintenance Shed. Several employees were caught viewing Pornography on company systems and on company time.
No matter how you personally feel about Pornography. It is for sure offensive to some and is a legal risk for your organization. Not only do organizations need to consider lost time in productivity, but a lot of Adult websites are riddled with trojans and viruses just waiting to infect your corporate workstations. The cost to remediate these infections is costing organizations billions of dollars.
While Pornography is the predominant AUP violation it is not the only one. More and more organizations are letting their end users have local administrative rights on the workstation. This has led to everything from pirated software to freeware and shareware being installed. Taking the legal licensing risks aside, there are numerous corruption and infection risks associated.
Having a strong AUP is by no means a complete solution. It will not solve all of your user related problems. However, it is the first step in ensuring that your organization is well protected and a mandatory part of ensuring that your organization is doing it’s “due diligence”.