Chapter 6
Acceptable-Use Policies:
Human Defenses
Trevor Norsworthy
Christina Richardson
Introduction
 Acceptable-Use Policies provide:
– Companies with the ability to provide a nonhostile work environment.
– A way to limit the waste of a company's resources.
• In 2003 it was reported that 30-40% of usage was not related to business.
• This was costing US corporations $85 billion in lost productivity.
Case on Point: Allstate Insurance
 In February 2003, the California DMV cut off Allstate's access to its digital files.
 Allstate employees had been stealing customer information.
 131 violations of confidentiality rules were found.
@lert
 The most readily calculable cost of an outdated or incomplete AUP is the lawsuit, as is the payoff from implementing a good one.
MCIWorldCom's AUP Leads to Early Dismissal of Lawsuit
 Two employees filed an employment discrimination suit against the company in Texas federal court.
 The plaintiffs claimed:
– that another employee had sent out four emails that constituted racial harassment.
– that their employer was negligent in allowing the corporate email system to be used for harassment.
Cont.
 The court dismissed the plaintiffs' claims on the grounds that MCIWorldCom had:
– an established email AUP that prohibited discriminatory emails
– acted consistently in enforcing the policy against the employee who had sent the email messages
– taken remedial action to enforce its written email policy.
The AUP: Discipline and Diligence Defense Tier
 Despite the increase in litigation, policies governing the use of company computer equipment are seldom strict enough.
 Users must operate within the AUP even when it is inconvenient.
 High-risk habits can only be changed through training, reminders and enforcement.
Dual Functions of the AUP
 Security Breach Prevention
– Prevents misuse from occurring.
 Legal Protection
– Protect the organization when prevention
techniques fail.
Security Breach Prevention
An AUP can help to:
 inform employees of what they can and cannot do, reducing inappropriate behavior
 clarify expectations about personal use of company equipment
 warn employees that their actions are monitored
 outline the consequences of noncompliance.
Legal Protection
 If a company has an enforced AUP, that is supporting evidence that the organization exercised its legal duty to safeguard employees from a hostile work environment.
@lert
 An AUP is rendered useless if it exists on paper only. For example:
– The company has a well-written email AUP stating that staff should not use company email systems for private use.
– The policy is widely ignored, from the managing director downward.
– Even though the AUP is in place, it is not enforced.
– The AUP therefore becomes useless as a defense.
Legal Theories and Employer Liability Issues
 Employers' liability stems from two longstanding legal doctrines:
1. Respondeat Superior Doctrine and Liability
2. Negligent Supervision and Duty of Care
Respondeat Superior Doctrine and Liability
 Respondeat Superior:
– Doctrine that holds employers liable for the misconduct of their employees within the scope of their employment.
 Convention on Cybercrime
– The US and 29 other countries
– Aims to improve international cybercrime prevention
– If a corporation fails to provide proper supervision of employees, allowing cybercrimes to occur, then the corporation is liable.
Negligent Supervision and Duty of Care
 An employer may also be liable for negligent supervision of an employee.
– The duty of care may extend beyond the scope of employment.
 Duty of Care:
– A company or person may not create an unreasonable risk of harm to others.
– Under this doctrine, directors and officers have an obligation to protect their company's business operations.
What makes an AUP effective?
 Comprehensive scope
 Clear Language
 Adaptive Content
 Extension to Other Company Policies
 Enforcement Provisions
 Implied Consent
 Accountability
Comprehensive Scope
 The AUP must apply to all IT resources
– Desktop Computers
– Laptop Computers
– Personal Digital Assistants
– All employee owned devices accessing the
company network
 Must apply to all users of IT resources
Clear Language
 The AUP must be concise
 Must explain company’s commitment to
enforcement
 Narrow enough to address known threats
 Broad enough to cover new and
unanticipated dangers
Adaptive Content
 The AUP must be dynamic
– Change to adapt to new situations,
technological advances
 A mechanism for updating the AUP needs
to be in place
Extension to Other Company Policies
 AUP must manage employees’ expectations
 Other policies must be considered
– Intellectual Property
– Harassment
– Right to Privacy
Consent
 Adoption of the AUP must not be passive.
 A signed agreement from each employee is necessary.
– Shows acknowledgement of responsibilities, procedures, and penalties
– Referred to as expressed consent
– Different from implied consent
Accountability
 Responsibility for AUP development:
– Often assigned to the IT organization
– Requires involvement from outside sources:
• Legal
• Human Resources
• Senior Line Management
 The individuals who enforce the policy should be named within the Acceptable Use Policy.
AUP Sample Items
 Purpose and Scope
– Policy addresses all IT resources
– Intended to promote safety
– Key Objectives:
• Maintain non-hostile workplace environment
• Prevent discrimination
• Protect company against computer crimes
– Company performance and survival depend on
security measures described in this AUP.
AUP Sample Items cont.
 Acceptable Use Policy Guidelines
– IT Resources are company property
• To be used only by those employed by the company
• Only to be used for business purposes
– IT Resources are to be used in accordance with
all applicable laws
– Creation or transmission of any files deemed
obscene or indecent is prohibited
– The company has a right to review and observe
all electronic communications
AUP Sample Items cont.
 Provisions and Prohibitions
– Company user names and passwords
• Are only to be used for business purposes
• Are not to be given out or used for any personal electronic communications
– Users should check their company email daily
• Delete unwanted messages
– All information sent, received, created or stored is the property of the company
– Users must scan all downloaded files for viruses
AUP Sample Items cont.
 Compliance
– The company may choose to monitor its resources, including:
• Email sent and received
• Internet usage
• Computer files and faxes received and sent
• Any file, for content; installed software, for licensing
– Users will not view others' email without permission
– Users are to report any violations to their supervisor
Armstrong Atlantic State University's Acceptable Use Policies
AASU's AUP displays all the characteristics of an effective AUP (recall):
Comprehensive scope
Clear Language
Adaptive Content
Extension to Other Company Policies
Enforcement Provisions
Implied Consent
Accountability
http://www.cis.armstrong.edu/cispolicies/index.html
Questions??