Posted by: David Scott
In reviewing some Acceptable Use policies, I’ve noticed the usual cautions about adherence to authorized access, the caveats about protecting your ID and password… There are the usual admonitions guarding against the hogging of shared resources, being vigilant about malware and scams; to remain cognizant of IT warnings referencing same.
There is also a robust caution against using systems for illegal activity, political purposes, advertising (of personal interests), using unauthorized copyrighted material, etc. The policies guard against degradation or harassment – doing many of these things not only runs afoul of the organization’s policies, but can also run against local, State and Federal law, depending on the specific nature of the activity.
By the way, there are many fine AU templates on the web if you need help, and always remember that IT’s AU policy reflects and supports the organization’s established culture of openness and trust; its code of ethical and lawful behavior. IT should not drive these things – they are larger to the organization – IT supports these things by making sure that technical empowerments are not misused, and that all parties understand acceptable and inappropriate use. To that end, always look for reinforcing and leading policies, such as those maintained by HR, and reference them accordingly.
However – many of these policies give little to no warning against using internal resources for posting and dissemination to outside entities such as blogs, boards, etc. (short of e-mail liabilities). I’m not saying that’s likely to be the case with yours, but check: many of the policies I’ve been reviewing are remiss.
While it may be true that the organization cannot control an employee on his or her own time, and some postings made on personal time may not be actionable when in too gray an area (“my boss sucks,” for example), there is yet an avenue for monitoring in these regards.
Personal blogging, posting to social networks, comments to news articles, and information sent to various other user forums on the ‘net, should not be done on company time. Further, even the blurry organizational actionability regarding the “my boss sucks” comment to a Facebook page could quite well be actionable – particularly if found to have been posted on company time, with a company workstation and related internet access. And for sure if employees are divulging inside information, hammering the organization’s reputation, or casting aspersions on specific co-workers or management, then it’s time for action.
Your Acceptable Use policy should address the use of company resources in posting and propagating unflattering, and even damaging, information to these arenas.
You want to ensure acceptable use, yet you must keep this in mind: Your organization’s information technology resources are there primarily as business enablements and for business goals. However, almost all organizations grant a certain amount of personal use. Individual users, associated departments and supervisors are all responsible for exercising good judgment regarding the reasonableness and amount of personal use – so long as it comports with the Acceptable Use policy and all supporting policies.
September 10th: On this day in 1966 The Beatles “Revolver” album goes to #1 and stays #1 for 6 weeks.