Updating your acceptable use policy

Regularly updating your acceptable use policy helps your organization minimize risks and operate securely. Here's how to manage your AUP effectively.

December 23, 2020

Article highlights

Nowadays, most business and office work happen online. Constant connectivity in the workplace has many benefits, but it also presents many challenges.

One such challenge is making sure employees and visitors are not misusing company computers and internet networks.

This is what makes an up-to-date acceptable use policy (AUP) so important. An organization’s acceptable use policy governs how people can use a website, network, or internet service.

For example, the policy may prohibit users from uploading or downloading certain types of files, harassing others, or leaking company information.

Most likely, your organization has some sort of acceptable use policy in place. But these policies can often end up on the backburner – unread and out of date.

An outdated acceptable use policy can open your organization up to data leaks, cyber attacks, and liability risks.

Regularly updating your acceptable use policy can help your organization minimize such risks and operate more securely.

In addition to updating the policy, you also need to make sure your employees understand the policy and know how to implement the requirements in their daily work.

Why is an acceptable use policy important?

An acceptable use policy is about far more than just making sure employees aren’t wasting work hours on Facebook.

If an employee is using a company computer or internet connection for illegal activities, the company can sometimes be liable.

For example, if an employee is harassing a coworker through company email, the victim could file a hostile work environment harassment claim.

Or, if an employee is downloading illegal files onto a company computer, the downloads may be traced to that computer. Courts may find the company liable if they determine the organization overlooked the behavior or should have known about the activity.

Employee internet use can also result in violations of industry-specific data privacy laws such as SOX, PCI, or HIPAA.

A good acceptable use policy can help limit liability by showing that your organization took steps to comply with laws and regulations and hold employees accountable.

Even if an employee’s improper internet use isn’t illegal, it can be risky for the organization.

According to a research study by Kaspersky, “Uninformed or careless employees are one of the most likely causes of a cybersecurity incident.” The report states that employees cause 46% of IT security incidents each year.

Acceptable use policy and training help your employees know how to spot a phishing scheme and how to avoid downloading viruses onto their computers. Informed employees can protect your company network from dangerous malware.

What do I do if my AUP is really old?

Technology and cybersecurity strategies are always changing. It’s essential that your organization’s acceptable use policy changes too. It’s unlikely that employees will pay much attention to an acceptable use policy that still contains a section about pagers but doesn’t address smartphones.

However, you’re not alone if it’s been awhile since you’ve updated your acceptable use policy.

Despite their importance, AUPs often get forgotten about.


It’s important for you to update your policies to address acceptable use before an incident occurs.

There’s no one-size-fits-all answer to how to manage your policy, but here are some best practices:

Review your policy annually (if not more frequently)

Acceptable use is one of those policies that can just seem routine and unimportant to day-to-day operations. But when an incident occurs, it becomes very important.

Don’t wait until an incident occurs to review and update your acceptable use policy.

With most sensitive company files and data stored digitally, a data breach can be devastating both to your operations and to your organization’s reputation.

Technology changes quickly, including hacking techniques. So it’s important for your acceptable use policy to keep up.

Review your acceptable use policy at least once every year. You may not make policy changes every year, but you can at least look for gaps in policy or new technology the policy may not cover.

Every good compliance program should include a policy review schedule.

Proactively reviewing your policy reduces risk and ensures that the policy is up-to-date with the latest technology and terminology. It also shows your employees that you take technology use in the workplace very seriously.

Involve the right people

An acceptable use policy isn’t just the domain of the IT department. The policy lives at the intersection of many different departments, including HR, legal, compliance, the city manager, and so on.

It’s important for all these different stakeholders to agree on what the policy should and shouldn’t include.

So if it has been more than five years since you updated your acceptable use policy, it may be wise to gather a policy review team with members from different departments. This will ensure that the policy covers everything it needs to cover to be most effective.

It’s also important that the person with the proper authority approves the policy.

It is unlikely that an IT manager has the authority to terminate an employee for an egregious violation, or that an HR manager would have the technical knowledge to fully implement the policy.

The policy won’t count for much without the proper authority to implement and enforce it.

Therefore, someone in management needs to be the one to ultimately take responsibility for managing and implementing the policy. In local government, for example, this may be the city or county manager.

Clearly communicate all policy changes

It can be easy for the acceptable use policy to become part of the employee manual that gets read during orientation and then forgotten about.

In order for the AUP to be effective, employees need to understand and be aware of what it says. This means every time you change the policy, you must communicate those changes to employees.

Some organizations do this by simply emailing out the new policy. However, emailing policy changes isn’t enough. You also can’t just post the updated policy on your organization’s intranet or internal website and expect compliance.

Acceptable use policies tend to be long, multi-page documents. Employees may not have the patience to read back through the entire policy to see what changed.

A policy management software can help you effectively distribute your updated policy.

With PowerDMS, you can send out updated policies with just the click of a button. You can highlight updated portions so employees can quickly spot policy changes.


How do I know if my AUP is effective?

Simply having an acceptable use policy in place won’t do much to protect your organization. You need to implement the policy by making sure employees understand and follow the policy.

Exact methods of implementation and tracking will differ between organizations. But here are a few ways to make sure your AUP is effective.

Have every employee read and sign off on the policy

Too often, employees receive a policy manual on their first day of work, and that’s the last time they are required to sign anything policy related.

Having employees sign off on policy updates helps ensure that they are aware of the latest policies. It also gives your organization the proper documentation that indicates the employee understood the requirements. This can reduce your liability if there is an issue down the road.

PowerDMS’s electronic signature software makes it easy to collect employee signatures. You can see when each employee signed off on the policy, and send automatic reminders to those who have yet to sign.

Policy-violation tracking

Enforcing your acceptable use policy also involves some sort of passive monitoring.

Courts have ruled that employers have the right to monitor emails sent through company computers and track the websites employees visit.

However, there are limits to how companies can monitor employee activity. You need to respect your employee’s right to privacy in matters that aren’t work-related.

Your organization’s acceptable use policy should clearly spell out how you will monitor employee behavior and enforce the policy.

Work with your HR and legal departments to establish reasonable expectations and appropriate responses to violations.

The policy should clearly define disciplinary measures and the escalating responses for repeat offenses or severe violations.


Keep your policy updated

Acceptable use policy can often go overlooked. But it’s essential for your organization to make sure your employees know acceptable and unacceptable uses of company computers and internet services.

A solid acceptable use policy can protect your organization against cyber attacks and liability risks. Make sure to regularly review your policy to ensure it is up-to-date.

PowerDMS makes it easy to collaborate on policy updates, distribute policies to employees, and conduct testing and training. Use PowerDMS to manage your organization’s acceptable use policy and other critical documents.

An acceptable use policy is only one of 10 essential policies your organization needs. View the article to learn more today.

Related Article

Footer CTA Image

Start writing more effective policies

Start writing more effective policies

Write policies and procedures that better protect your organization and employees with our free 12-page guide.

Download Free Guide

Schedule a Consultation!

Everything you need to train, equip, and protect your public safety employees in a single system – from the moment they’re hired until they retire. Schedule a consultation to learn how PowerDMS can benefit you.