Chapter 6
Acceptable-Use Policies:
Human Defenses
Trevor Norsworthy
Christina Richardson
Introduction
Acceptable-Use Policies provide:
– Companies with the ability to provide a nonhostile work environment.
– A way to limit the waste of a company’s resources.
• In 2003 it was reported that 30-40% of use was not
related to business.
• Costing US corporations $85 billion in lost
production
Case on Point: Allstate Insurance
In February 2003, the CA DMV cut off Allstate’s
access to digital files.
Allstate employees were stealing customer
information.
131 violations of confidentiality rules were found.
@lert
The most readily calculable cost of an
outdated or incomplete AUP is the lawsuit, as is the payoff from implementing a good
one.
MCIWorldCom’s AUP Leads to
Early Dismissal of Lawsuit
Two employees filed an employment
discrimination suit against the company in Texas
federal court.
The plaintiffs claimed:
– that another employee had sent out four emails
that constituted racial harassment.
– that their employer was negligent by allowing the
corporate email system to be used for
harassment.
Cont.
The court dismissed the plaintiffs’ claims on
the grounds that MCIWorldCom
had:
– an established email AUP that prohibited
discriminatory emails
– acted consistently in enforcing the policy
against the employee who had sent the email
messages
– taken remedial action to enforce its written
email policy.
The AUP: Discipline and
Diligence Defense Tier
Despite the increase in litigation, policies
governing the use of company computer
equipment are seldom strict enough.
Users must operate within the AUP even
when it is inconvenient.
High-risk habits can only be changed
through training, reminders and
enforcement.
Dual Functions of the AUP
Security Breach Prevention
– Prevents misuse from occurring.
Legal Protection
– Protect the organization when prevention
techniques fail.
Security Breach Prevention
An AUP can help to:
Inform employees of what they can and
can’t do, to reduce inappropriate behavior
Clarify expectations about personal use of
company equipment
Warn employees that their actions are
monitored
Outline the consequences of
noncompliance.
Legal Protection
If a company has an enforced AUP, then it is
supporting evidence that the organization
exercised its legal duty to safeguard
employees from a hostile work
environment.
@lert
An AUP is rendered useless if:
– The company has a well-written email AUP
stating that staff should not use company email
systems for private use.
– This policy is widely ignored from the
managing director downward.
– Even though the AUP is in place, it is not
enforced.
– Therefore it becomes useless.
Legal Theories and Employer
Liability Issues
Employers’ liability stems from two
longstanding legal doctrines:
1. Respondeat Superior Doctrine and Liability
2. Negligent Supervision and Duty of Care
Respondeat Superior Doctrine
and Liability
Respondeat Superior:
– Doctrine that holds employers liable for the
misconduct of their employees within the scope
of their employment.
Convention on Cybercrime
– US and 29 other countries
– Improve international cybercrime prevention
– If a corporation fails to provide proper
supervision to employees, allowing cybercrimes
to occur, then the corporation is liable.
Negligent Supervision and Duty
of Care
An employer may also be liable for negligent
supervision of an employee.
– Duty of care may extend beyond the scope of
employment.
Duty of Care:
– A company or person cannot create unreasonable risk
of harm to others.
– Under this doctrine, directors and officers have an
obligation to protect their company’s business
operations.
What makes an AUP effective?
Comprehensive scope
Clear Language
Adaptive Content
Extension to Other Company Policies
Enforcement Provisions
Implied Consent
Accountability
Comprehensive Scope
The AUP must apply to all IT resources
– Desktop Computers
– Laptop Computers
– Personal Digital Assistants
– All employee owned devices accessing the
company network
Must apply to all users of IT resources
Clear Language
The AUP must be concise
Must explain the company’s commitment to
enforcement
Narrow enough to address known threats
Broad enough to cover new and
unanticipated dangers
Adaptive Content
The AUP must be dynamic
– Change to adapt to new situations,
technological advances
A mechanism for updating the AUP needs
to be in place
Extension to Other Company Policies
AUP must manage employees’ expectations
Other policies must be considered
– Intellectual Property
– Harassment
– Right to Privacy
Consent
Adoption of the AUP must not be passive
A signed agreement from employees is
necessary
– Shows acknowledgement of responsibility,
procedures, and penalties
– Referred to as expressed consent
– Different from implied consent
Accountability
Responsibility for AUP development:
– Often assigned to IT organization
– Requires involvement from outside sources
• Legal
• Human Resources
• Senior Line Management
Individuals who enforce policies should be
named within the Acceptable Use Policy
AUP Sample Items
Purpose and Scope
– Policy addresses all IT resources
– Intended to promote safety
– Key Objectives:
• Maintain non-hostile workplace environment
• Prevent discrimination
• Protect company against computer crimes
– Company performance and survival depend on
security measures described in this AUP.
AUP Sample Items cont.
Acceptable Use Policy Guidelines
– IT Resources are company property
• To be used only by those employed by the company
• Only to be used for business purposes
– IT Resources are to be used in accordance with
all applicable laws
– Creation or transmission of any files deemed
obscene or indecent is prohibited
– The company has a right to review and observe
all electronic communications
AUP Sample Items cont.
Provisions and Prohibitions
– Company user names and passwords
• Only to be used for business purposes
• Not to be given out or used for any personal
electronic communications
– Users should check their company email daily
• Delete unwanted messages
– All information sent, received, created or stored
is the property of the company
– Users must scan all downloaded files for
viruses
AUP Sample Items cont.
Compliance
– The company may choose to monitor its
resources, including:
• Email sent and received
• Internet usage
• Computer files and faxes received and sent
• Any file for content
• Installed software for licensing
– Users will not view others’ email without
permission
– Users are to report any violations to their
supervisor
Armstrong Atlantic State University’s
Acceptable Use Policies
The AASU AUP displays all the characteristics of an
effective AUP (recall):
Comprehensive scope
Clear Language
Adaptive Content
Extension to Other Company Policies
Enforcement Provisions
Implied Consent
Accountability
http://www.cis.armstrong.edu/cispolicies/index.html
Questions??