Technology and cybersecurity strategies are always changing. It’s essential that your organization’s acceptable use policy changes too. It’s unlikely that employees will pay much attention to an acceptable use policy that still contains a section about pagers but doesn’t address smartphones.
However, you’re not alone if it’s been a while since you’ve updated your acceptable use policy.
Despite their importance, AUPs often get forgotten about.
It’s important for you to update your policies to address acceptable use before an incident occurs.
There’s no one-size-fits-all answer to how to manage your policy, but here are some best practices:
Review your policy annually (if not more frequently)
Acceptable use is one of those policies that can just seem routine and unimportant to day-to-day operations. But when an incident occurs, it becomes very important.
Don’t wait until an incident occurs to review and update your acceptable use policy.
With most sensitive company files and data stored digitally, a data breach can be devastating both to your operations and to your organization’s reputation.
Technology, including hacking techniques, changes quickly, so it’s important for your acceptable use policy to keep up.
Review your acceptable use policy at least once every year. You may not make policy changes every year, but you can at least look for gaps in policy or new technology the policy may not cover.
Every good compliance program should include a policy review schedule.
Proactively reviewing your policy reduces risk and ensures that the policy is up to date with the latest technology and terminology. It also shows your employees that you take technology use in the workplace very seriously.
Involve the right people
An acceptable use policy isn’t just the domain of the IT department. The policy lives at the intersection of many different departments, including HR, legal, compliance, the city manager, and so on.
It’s important for all these different stakeholders to agree on what the policy should and shouldn’t include.
So if it has been more than five years since you updated your acceptable use policy, it may be wise to gather a policy review team with members from different departments. This will ensure that the policy covers everything it needs to cover to be most effective.
It’s also important that the person with the proper authority approves the policy.
It is unlikely that an IT manager has the authority to terminate an employee for an egregious violation, or that an HR manager would have the technical knowledge to fully implement the policy.
The policy won’t count for much without the proper authority to implement and enforce it.
Therefore, someone in management needs to be the one to ultimately take responsibility for managing and implementing the policy. In local government, for example, this may be the city or county manager.
Clearly communicate all policy changes
It can be easy for the acceptable use policy to become part of the employee manual that gets read during orientation and then forgotten about.
In order for the AUP to be effective, employees need to understand and be aware of what it says. This means every time you change the policy, you must communicate those changes to employees.
Some organizations do this by simply emailing out the new policy. However, emailing policy changes isn’t enough. You also can’t just post the updated policy on your organization’s intranet or internal website and expect compliance.
Acceptable use policies tend to be long, multi-page documents. Employees may not have the patience to read back through the entire policy to see what changed.
Policy management software can help you effectively distribute your updated policy.
With PowerDMS, you can send out updated policies with just the click of a button. You can highlight updated portions so employees can quickly spot policy changes.
How Do I Know If My AUP Is Effective?
Simply having an acceptable use policy in place won’t do much to protect your organization. You need to implement the policy by making sure employees understand and follow the policy.
Exact methods of implementation and tracking will differ between organizations. But here are a few ways to make sure your AUP is effective.
Have every employee read and sign off on the policy
Too often, employees receive a policy manual on their first day of work, and that’s the last time they are required to sign anything policy-related.
Having employees sign off on policy updates helps ensure that they are aware of the latest policies. It also gives your organization the proper documentation that indicates the employee understood the requirements. This can reduce your liability if there is an issue down the road.
PowerDMS’s electronic signature software makes it easy to collect employee signatures. You can see when each employee signed off on the policy, and send automatic reminders to those who have yet to sign.
Enforcing your acceptable use policy also involves some sort of passive monitoring.
Courts have ruled that employers have the right to monitor emails sent through company computers and track the websites employees visit.
However, there are limits to how companies can monitor employee activity. You need to respect your employees’ right to privacy in matters that aren’t work-related.
Your organization’s acceptable use policy should clearly spell out how you will monitor employee behavior and enforce the policy.
Work with your HR and legal departments to establish reasonable expectations and appropriate responses to violations.
The policy should clearly define disciplinary measures and the escalating responses for repeat offenses or severe violations.
Acceptable use policies are often overlooked. But it’s essential for your organization to make sure your employees know acceptable and unacceptable uses of company computers and internet services.
A solid acceptable use policy can protect your organization against cyber attacks and liability risks. Make sure to regularly review your policy to ensure it is up to date.
PowerDMS makes it easy to collaborate on policy updates, distribute policies to employees, and conduct testing and training. Use PowerDMS to manage your organization’s acceptable use policy and other critical documents.