Acceptable Use Policy

How to Create an IT Acceptable Use Policy + Templates

By: Omer Kaan Aslim
June 29, 2020
Creating an acceptable use policy for your information system is a good way of informing users of your security policies and limiting legal risks.

An acceptable use policy outlines what users can and cannot do on your systems. For example, it may allow use of your system for business purposes only. It may also require users to abide by your policies and procedures when using your systems. An acceptable use policy also lists some of the expectations your organization has of its system users. Expectations for users include following password best practices and not conducting illegal activity on your system.

What makes a good acceptable use policy?

An acceptable use policy must have a clearly defined scope specifying which systems it applies to. It should state who the data stored on your company systems belongs to (generally anything stored on a company system becomes the company’s data). It should state the conditions under which a user can use the system. For example, a user may only use the system to carry out his/her assigned job duties. It should state that your company has the right to monitor all activity on the system without the user’s consent. It should cover unacceptable use. Examples include prohibiting the use of company systems for hacking or anything else not in your company’s interests. You can also include clauses on the authorized use of email and social media.
Your acceptable use policy should be short and easy to understand. If it is too long, no one will read it. Obtain senior management’s approval of your acceptable use policy.

Require Users to Sign or Accept Your Acceptable Use Policy

What good is an acceptable use policy if no one knows about it or has accepted it? Require every employee or contractor to read and sign the acceptable use policy. This makes them liable for illegal or unauthorized activity they conduct on your systems. It also gives them a sense of responsibility and an idea of your expectations.
You can also have users accept your acceptable use policy before logging into their computers. This can be achieved via Group Policy. You can also put your acceptable use policy on your servers and other network devices so that admins are also warned before logging in.
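
One way to check the admin-facing notice on Linux servers, assuming they run OpenSSH and display the policy through the `Banner` directive in `sshd_config`. This is an added example, not part of the original article; the function name, return codes and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article). Audits a copy of an OpenSSH
# sshd_config for a pre-login banner carrying the acceptable use notice.
# Limits: does not follow Include files, Match blocks or "Banner=path" syntax.

# check_ssh_banner CONFIG [PHRASE]
#   0  banner file configured, non-empty, and contains PHRASE (if given)
#   1  no banner configured (directive absent, commented out, or "none")
#   2  banner file is missing or empty
#   3  banner text lacks PHRASE (e.g. the monitoring notice)
#   4  CONFIG is unreadable
check_ssh_banner() {
    config=$1
    phrase=${2:-}
    [ -r "$config" ] || return 4
    # sshd keywords are case-insensitive and the first value obtained wins.
    banner=$(awk 'tolower($1) == "banner" { print $2; exit }' "$config")
    case "$banner" in
        ""|none) return 1 ;;
    esac
    [ -s "$banner" ] || return 2
    if [ -n "$phrase" ] && ! grep -qiF -- "$phrase" "$banner"; then
        return 3
    fi
    return 0
}

# Demo on constructed files (sample data, not taken from a real host).
demo_dir=$(mktemp -d)
printf 'Authorized business use only. Activity on this system is monitored.\n' \
    > "$demo_dir/aup_banner"
printf 'Port 22\nBanner %s\n' "$demo_dir/aup_banner" > "$demo_dir/with_banner"
printf 'Port 22\n#Banner /etc/issue.net\n' > "$demo_dir/without_banner"

for cfg in with_banner without_banner; do
    rc=0
    check_ssh_banner "$demo_dir/$cfg" "monitored" || rc=$?
    echo "$cfg: exit code $rc"
done
rm -rf "$demo_dir"
```

Run it against a copy of each server's configuration and treat any non-zero exit code as a host where admins log in without seeing the policy or its monitoring notice.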

Acceptable Use Policy Examples

Acceptable Use Policy Templates

Summary:

- An acceptable use policy notifies users of authorized and unauthorized use of your information system.
- An acceptable use policy protects your company from legal risks.
- An acceptable use policy gives users a sense of responsibility when using your systems.
- An acceptable use policy should be easy to understand.
- Require all employees and contractors to sign your acceptable use policy.