Writing an Acceptable Use Policy sounds simple. Until you get started.
We’ve all heard about users being the weakest link and the source of all cyber evil. I can understand the frustration of some of my cyber colleagues, but we’ve designed complex technology and expect them to use it perfectly – are we being reasonable? One thing is certain: guidelines on how to use devices and software provided can help users.
This is where an Acceptable Use Policy or IT Code of Conduct comes into play. We consider it part of the security awareness arsenal, a chance to give concrete tips and set a baseline of controls for all. Even though – let’s face it – it’s often drafted for compliance or disciplinary reasons.
Using IT systems as they were intended is not always the natural approach for users.
Whatever your motive, we’ve listed below a set of items we typically include in such documents – to be used as a checklist if you already have an AUP, or as a basis to start writing yours. We also share some of our advice on how to increase the impact of this document: if you’re going to have to write one, it might as well raise some awareness where possible.
Tip #1: Tips for private use
We’ve said it before (here), talking about your user’s home / personal security is a great way to make them pay more attention. Not every corporate culture allows for it, but we like to end each section with ‘tips for your home’, or even ‘tips for your kids’. Your readers will be grateful and the quality of their reading will increase accordingly.
Tip #2: Explain why
A list of statements such as “do not …”, “it is forbidden to …”, “you’d be stupid to …”, etc. is not only uninspiring, it also creates no urge to act.
This is why, in every statement, we explain why this is a risk.
For example, you could write:
Do not leave your laptop in the trunk of your car.
But you will have more impact if you write:
Do not leave your laptop in the trunk of your car. We get reports of stolen laptops every week, and victims always stored some documents locally – meaning: they’re lost.
Another example: it is a very good idea to say that:
Do not connect your mobile device to USB power plugs, especially in public facilities such as airports, trains, hotel rooms, cafés, etc.
But why not add:
These plugs can be used to send or capture data from your device, not just electricity. In a few seconds, security experts can hack your phone in this way.
Does it make your document longer? Yes, but between us: was it really going to be that short anyway?
Tip #3: Appendices with “how to”
Have you ever asked people what the difference between maps.google.com and google.maps.com is? Or organized a small phishing quiz with your friends? Expect appalling results, still today.
This is why we routinely add one-page appendices with concrete tips on:
- How to detect a phishing e-mail
- How to detect a phishing site
- How to read a URL
- How to make a strong password
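A worked illustration of the “how to read a URL” appendix, added here as an example and not taken from the original post: the site you actually reach is decided by the rightmost labels of the host name, so maps.google.com belongs to google.com while google.maps.com belongs to maps.com, and a brand name in the path, in a subdomain or before an “@” proves nothing. The sample URLs are constructed, and the “last two labels” rule is a deliberate simplification.

```python
from urllib.parse import urlsplit

# Constructed sample URLs for the appendix (not from the original post).
SAMPLE_URLS = [
    "https://maps.google.com/place/x",           # really google.com
    "https://google.maps.com/login",             # really maps.com
    "https://google.com.lookalike.example/",     # really lookalike.example
    "https://accounts.google.com@lookalike.example/",  # text before '@' is userinfo
    "http://www.example.org:8080/google.com/",   # brand only in the path
]

def registrable_domain(host: str) -> str:
    """Return the part of the host that someone actually had to register.

    Simplifying assumption: the registrable domain is the last two labels.
    A production check must consult the Public Suffix List (e.g. co.uk).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def read_url(url: str) -> dict:
    """Break a URL down the way the appendix teaches users to read it."""
    parts = urlsplit(url)           # separates scheme, userinfo, host, port, path
    host = parts.hostname or ""     # hostname strips userinfo and port
    domain = registrable_domain(host)
    return {
        "host": host,
        "registrable_domain": domain,
        # anything before '@' is a username, not the site being visited
        "has_userinfo": parts.username is not None,
        # a brand name outside the registrable domain is a warning sign
        "brand_outside_domain": "google" in url.lower() and "google" not in domain,
    }

def belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the URL's host is really under the expected domain."""
    return registrable_domain(urlsplit(url).hostname or "") == expected_domain.lower()

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", read_url(u))
```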
And what do we put in this document then?
Here is our recommended table of contents, which we will explore further in our next post!
- An introduction
- Your policy on personal use
- Disciplinary aspects
- Practices to follow on the use of:
  - The internet
  - Office tools (e.g. Office 365)
  - Mobile devices
  - Removable media
  - Physical documents
- Reporting an incident
- And a few appendices with concrete tips on passwords, phishing, etc.
In our next blog post, we will give a series of tips, pointers and examples of what we typically include in each of these sections. Stay tuned!