In our previous blogpost, we discussed how to take some of the dust off your Acceptable Use Policy (AUP) or IT security code of conduct, making it a bit more user friendly and educational.
Now, we’re giving you a sort of checklist of the topics to discuss in a typical AUP, based on the table of contents we proposed at the end of the other article.
Disclaimer: we have clearly not made any choices below; we’ve simply put in everything we like to see in an AUP without considering the length of the document. So, be selective.
- The Introduction
Typically, we cover:
- Definitions: What is a user, what is a device, what are the data classification levels, etc.
- Scope: for whom is this Policy intended? To what systems and what users does this policy apply? If your staff is working in different countries, don’t forget to consider variation in legislation (e.g. around privacy, data encryption, …).
- Exceptions: If you need to deviate from this policy, how do you get it authorized?
- Personal Use
Your response to questions such as: do you authorize personal use, and under which conditions? We typically recommend excluding personal use of corporate devices, as they’re designed to store and process corporate data only. And sometimes there are tax implications as well.
Example of text: All data stored on company systems is considered professional data and therefore the property of the company. Users should be aware that the company cannot guarantee the confidentiality of their personal information stored on any company system, except where required to do so by local laws. Company systems exist to support and enable the business. Company systems such as laptops and workstations may only be used for professional services; personal usage of these types of devices is not allowed. For company-issued portable devices, personal use is allowed on condition that the user complies with the requirements of this policy.
- Compliance with this Policy and Disciplinary Actions
We typically organize this around four concepts:
- Your responsibilities: reminder that the user is responsible for his device, data and actions, with reference to e.g. the binding legal and contractual agreements (company house rules, labor contracts, …).
- Monitoring of user activity: reminder that your systems can be monitored at all times. Refer to local legislation where relevant.
Example: Company can monitor the use of its IT systems and the data on it at any time. This may include (except where precluded by local privacy laws) examination of the content stored within the email and data files of any user, and examination of the access history of any users.
- Disciplinary actions: Disciplinary actions refer to actions or penalties taken in response to an employee’s misconduct. In this case, this should be understood as negligence or intentional non-compliance with this Acceptable Use Policy, resulting in a serious impact for company. Serious impact includes (to be detailed based on applicable risk scenarios for your company).
- Financial consequences: Typically, a description of your deductible (“franchise”) scheme for damage to laptops and mobile devices.
- Overview of measures
We like to have a one-page introduction to how the measures are organized. It makes browsing the document for future reference a whole lot easier. An attractive visual version of it can then make it to your intranet and your awareness program.
- Email
Some of the elements we typically discuss here include:
- Corporate emails should have corporate content, and should not include offensive or harmful content
- Encrypt content. You know this as well as we do: we recommend encrypting the email (e.g. using the MS O365 method), or alternatively encrypting the attachment and sending the password through a separate channel. We prefer to make the link with your corporate file sharing service, as a secure alternative to attachments (or even: your preferred option)
- Avoiding errors: control what you forward (scroll down through the whole thread first), verify the recipients before hitting send
- Identify and report phishing – with a reference to an appendix on how to spot phishing emails and websites
- Split professional & personal emails, and do not use your personal email for corporate purposes
Example of tips for your private e-mail:
- Enable MFA, and don’t forget to print (yes, print) your recovery codes.
- Internet browsing
Some of the things worth considering here are:
- What can you visit and what can’t you visit (e.g. illegal activities).
- The risks of use of file sharing sites, and corporate alternatives.
- If you regularly exchange files with your clients, your policy with regard to the use of clients’ or suppliers’ file sharing systems. For example, we only authorize it if MFA is enabled and a contract has been signed & approved by our Legal team and Security Officer.
- And other tips such as: how to verify URLs (we like to put a small manual in appendix), how to react to browser warnings such as expired certificates.
There is of course the question of social media. The use of social media is encouraged by many of our customers, with Twitter and LinkedIn accounts routinely used to promote the company’s business. For certain clients, we publish more detailed guidance based e.g. on the NCSC guidance (https://www.ncsc.gov.uk/guidance/social-media-how-to-use-it-safely).
Example of tips for your internet browsing from home / personal devices:
- Update your computer and your browser
- Check your social networks privacy settings, and that’s not just Facebook & Instagram
- Remember: pirated movies, music or software are free for a reason. Don’t get hacked, stay away from them.
- Office 365 tools, or equivalent
This section varies broadly from one organization to the next. Here are a few ideas when using Office 365 or equivalent cloud-based office suites:
- Clarify the rules on the use of the personal space on OneDrive.
- Likewise, clarify the rules on sharing of information directly to people in and outside of the organization.
- Discuss file synchronization: only synchronize what you need, review it regularly (we have to say it, even though you and I have long lost any illusion that anyone would do this), do not synchronize corporate files on non-corporate devices. In general, do not download files on non-corporate devices.
Note that many of these controls may be technically enforced. We still list them, mainly for disciplinary purposes – we can never exclude that a smart user will find a way to bypass some of our security measures.
At NVISO, we work on projects and archive the data automatically once projects are closed: you may want to make reference to your archiving policy, and indicate manual actions required by your users if any.
Example of tips for your personal use of file sharing platforms:
- Secure your Dropbox, etc. with two-factor authentication. Stay away from password-less file sharing.
- Check the configuration of your cloud account (e.g. Microsoft, Google, Apple, etc). Plenty of guidance is available online, including from the service providers themselves.
- Using your Laptop
We usually organize this around its lifecycle: first-time use, and then use while travelling and at work. This structure helps when giving security awareness training based on the AUP.
Note that we assume that your users are not admins of their device – call us conservative, but we still have a hard time living with local admin privileges for everyone.
Now, here is a short summary of interesting topics to discuss in your AUP:
On First-time use:
- Set up a complex password
- Configure the device securely (normally, your MDM should enforce this)
- This is also the right place for a reminder on your policy on personal use: no, your kids should not watch youtubers from your corporate laptop.
While travelling:
- Keep it in sight at all times (or even close to you), store it securely
- Do not use bags revealing your company name
- Don’t trust your car trunk
- Mind shoulder surfing and go for a clear screen
- Don’t trust WiFi networks and USB power plugs
- Your people are travelling often? Check out the guidance from the Belgian State Security at https://www.vsse.be/sites/default/files/1-passeport-version-nl-fond-hl.pdf or https://www.vsse.be/sites/default/files/1-passeport-version-fr-fond-hl.pdf
At work:
- Updates are key, don’t postpone (for too long)
- Clarify your policy on storage of data locally on your laptop, considering your backup and file sharing mechanisms.
- When your staff is often on third-party sites, specific measures may be recommended – but make sure to choose reasonably secure lock cables, for example. Ah yes, and tell them how they can obtain such accessories.
Example of tips for your personal laptop and home devices:
- Backup your files, because laptops get stolen.
- Protect access to the device with a password (or something better).
- Install updates on all your home devices: your computer, your NAS, etc.
- Using your Mobile Device (smartphone or tablet)
We approach this from a BYOD perspective, assuming that you can’t exert absolute control over a mobile device, and that users share more easily their mobile device than their corporate laptop with others (yep, this is about kids watching youtube videos on your phone so that you can have 5 minutes of peace and quiet. Sure, call me a bad parent.).
- Install all available updates
- Enable backup
- Provision the device. Remind users of the requirement to maintain a compliant configuration if they wish to receive corporate data.
- Confidential phone calls in public? Just call back later
- Keep the device in sight or with you
- Travelling abroad, esp. in countries prone to industrial or political espionage? You’ll need to add a few tips (see above link to VSSE document).
- And the same tips as for laptops on shoulder surfing, clear screen, etc. can be contextualized in a mobile device context here. Because you don’t take your laptop out when waiting for the bus, for example.
- Always install updates, and do so quickly (OS and apps). Mind the permissions that apps request.
- Don’t save files on your local device.
- Here, the ownership of the physical device will determine what you impose.
- Typical tips include: do not download apps outside of official stores, jailbreaking a device is forbidden, etc.
Example of tips for your personal mobile devices:
- Install updates.
- Protect access to the device, and avoid patterns or 4-digit PINs.
- Configure their security settings (look for help online).
- Backup your devices, because mobile devices get stolen.
- Portable media (USB media, SD cards, etc)
This section is dependent on your policy on the matter. If you allow their use, obligations may include to:
- Encrypt before use. Reference to the user manual on your intranet is recommended (is that manual up to date, by the way?).
- Clean up after use. Always.
- Do not keep USB drives in your bag longer than is necessary.
- Connected to a computer you can’t trust? Trash it.
Example of tips for your personal use of portable media:
- Choose devices that you trust: if you receive it for free, you did not choose the device yourself. Where have they been before and why are they free? Etc.
- Choose what computers you trust: do you really want to connect your USB stick on a public computer in a hotel?
- We like to add an explanation on how ransomware attacks spread through USB sticks
- Hardcopy documents
We typically start saying that we do not encourage their use – but this is a matter of corporate culture, right?
For the rest, classic recommendations apply: only print what is needed, destroy after use (we usually point to methods of destruction or disposal available), clean desk, etc. We typically add:
- Classify the document & ensure classification is printed on every page
- Deliver hardcopy documents in person, avoid intermediaries and/or physically secure the document (we’re not going as far as to recommend a wax seal!)
Example of tips for personal use:
That’s pushing it, we don’t put tips on this one :-)
- Reporting incidents
We explain the what, the why and the how. And we make the link with the disciplinary measures. Yes, incidents must be reported.
Appendix – some practical guidance
- What is a secure password? Even in the age of NIST 800-63 and multifactor authentication, a good password remains relevant. Ah yes, and we like to talk about password managers!
- How to spot a phishing email? Tips and tricks to spot phishing emails. Don’t forget to explain how to read a URL (google.maps.com ≠ maps.google.com).
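As an added illustration (not from the original post), a small Python helper that reads a URL the way the appendix recommends, so users see which domain they would really land on; the tiny suffix list and the sample URLs are constructed for the example and are not a full Public Suffix List.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed, deliberately incomplete stand-in for the Public Suffix List
# (https://publicsuffix.org/); a real deployment would load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def _split(url: str):
    # Users often type or paste URLs without a scheme; assume https for parsing.
    return urlsplit(url if "://" in url else "https://" + url)


def registrable_domain(url: str) -> Optional[str]:
    """Return the part of the host that somebody actually registered.

    maps.google.com -> google.com, but google.maps.com -> maps.com: the
    rightmost labels decide, not whatever familiar brand name appears first.
    """
    host = _split(url).hostname  # drops "user@", the port and any brackets
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def explain(url: str) -> dict:
    """Break a URL into the pieces a phishing-awareness appendix should teach.

    A non-empty 'userinfo' is a red flag: "https://google.com@example.com"
    goes to example.com, and "google.com" is merely a username.
    """
    parts = _split(url)
    return {
        "scheme": parts.scheme,
        "userinfo": parts.username,
        "host": parts.hostname,
        "registrable_domain": registrable_domain(url),
        "path": parts.path,
    }


if __name__ == "__main__":
    for sample in ("https://maps.google.com/", "https://google.maps.com/",
                   "https://google.com@example.com/login"):
        print(sample, "->", explain(sample))
```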
We hope the above can be a useful checklist or basis for your AUP. As always, we’d love to have your thoughts and comments; we probably didn’t think of everything either!