Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 6 Acceptable-Use Policies: Human Defenses Trevor Norsworthy Christina Richardson.

Published byChester Collin Sanders Modified over 8 years ago

Similar presentations

Presentation on theme: "Chapter 6 Acceptable-Use Policies: Human Defenses Trevor Norsworthy Christina Richardson."— Presentation transcript:

1 Chapter 6 Acceptable-Use Policies: Human Defenses Trevor Norsworthy Christina Richardson

2 Introduction  Acceptable-Use Policies provide: –Companies with the ability to provide a non- hostile work environment. –Limit wasting a companies resources 2003 it was reported that 30-40% use was not related to business. Costing US corporations $85 billion in lost production

3 Case on Point: Allstate Insurance  February 2003, CA DMV cut off Allstate’s access to digital files.  Allstate Employees were stealing customer information  131 Violations of confidentiality rules found

4 @lert  The most readily calculable cost of an outdated or incomplete AUP is the lawsuit- as is the payoff from implementing a good one.

5 MCIWorldCom’s AUP Leads to Early Dismissal of Lawsuit  Two employees filed employment discrimination against the company in TX federal court.  The Plaintiff’s claimed: – that another employee had sent out four emails that constituted racial harassment. –Their employer was negligent by allowing the corporate email system to be used for harassment.

6 Cont.  Court Dismissed the plaintiff’s claims on the following grounds that MCIWorldCom had: –an established email AUP that prohibited discriminatory emails –acted consistently in enforcing the policy against the employee who had sent the email messages –Taken remedial action to enforce its written email policy.

7 The AUP: Discipline and Diligence Defense Tier

8 The AUP: Discipline and Diligence Defense TierCont.  Despite increase in litigations policies governing the use of Company computer equipment is seldom strict enough.  Users must operate within the AUP even when it is inconvenient.  High risk habits can only be changed through training, reminders and enforcement.

9 Dual Functions of the AUP  Security Breach Prevention –Prevents misuse from occurring.  Legal Protection –Protect the organization when prevention techniques fail.

10 Security Breach Prevention AUP can help to:  inform employees of what they can and can’t do to reduce inappropriate behavior  Clarify expectations about personal use or company equipment  Warn employees that their actions are monitored  Outline the consequences of noncompliance.

11 Legal Protection  If a company has an enforced AUP then it is supporting evidence that the organization exercised it legal duty to safeguard employees from a hostile work environment.

12 @lert  An AUP is rendered useless if: –The company has a well written email AUP stating that staff should not use company email systems for private use. –This policy is widely ignored from the managing director downward. –Even though the AUP is in place it is not enforced. –Therefore it becomes useless.

13 Legal Theories and Employer Liability Issues  Employers’ liability stem from two longstanding legal doctrines: 1.Respondent Superior Doctrine and Liability 2.Negligent Supervision and Duty of Care

14 Respondent Superior Doctrine and Liability  Respondent Superior: –Doctrine that holds employers liable for the misconduct of their employees within the scope of their employment.  Convention on Cybercrime –US and 29 other countries –Improve international cybercrime prevention –If a corporation fails to provide proper supervision to employees allowing cybercrimes to occur then the corporation is liable.

15 Negligent Supervision and Duty of Care  A employer may also be liable for negligent supervision of an employee –Duty of care may extend beyond the scope of employment.  Duty of Care: –A company or person cannot create unreasonable risk of harm to others. –Under this doctrine directors and officers have an obligation to protect their companies business operations. CR->TN

16 What makes an AUP effective?  Comprehensive scope  Clear Language  Adaptive Content  Extension to Other Company Policies  Enforcement Provisions  Implied Consent  Accountability

17 Comprehensive Scope  The AUP must apply to all IT resources –Desktop Computers –Laptop Computers –Personal Digital Assistants –All employee owned devices accessing the company network  Must apply to all users of IT resources

18 Clear Language  The AUP must be concise  Must explain company’s commitment to enforcement  Narrow enough to address known threats  Broad enough to cover new and unanticipated dangers

19 Adaptive Content  The AUP must be dynamic –Change to adapt to new situations, technological advances  A mechanism for updating the AUP needs to be in place

20 Extension to Other Company Policies  AUP must manage employees’ expectations  Other policies must be considered –Intellectual Property –Harassment –Right to Privacy

21 Consent  Adoption of AUP must not be passive  Signed agreement of employees is necessary –Shows acknowledgement of responsibility, procedures, and penalties –Referred to as expressed consent –Different from implied consent

22 Accountability  Responsibility for AUP development: –Often assigned to IT organization –Requires involvement from outside sources Legal Human Resources Senior Line Management  Individuals who enforce policies should be named within the Acceptable Use Policy

23 AUP Sample Items  Purpose and Scope –Policy addresses all IT resources –Intended to promote safety –Key Objectives: Maintain non-hostile workplace environment Prevent discrimination Protect company against computer crimes –Company performance and survival depend on security measures described in this AUP.

24 AUP Sample Items cont.  Acceptable Use Policy Guidelines –IT Resources are company property To be used only by those employed by the company Only to be used for business purposes –IT Resources are to be used in accordance with all applicable laws –Creation or transmission of any files deemed obscene or indecent is prohibited –The company has a right to review and observe all electronic communications

25 AUP Sample Items cont.  Provisions and Prohibitions –Company users names and passwords Only to be used for business purposes Not to be given out or used for any personal electronic communications –Users should check their company email daily Delete unwanted messages –All information sent, received, created or stored is the property of the company –Users must scan all downloaded files for viruses

26 AUP Sample Items cont.  Compliance –The company may choose to monitor its resources, including Email sent and received Internet usage Computer files and faxes received and sent Any file for content-installed software for licensing –Users will not view other’s email without permission –Users are to report any violations to their supervisor

27 Armstrong Atlantic State University’s Acceptable Use Policies AASU AUP displays all the characteristics of an effective AUP (recall):  Comprehensive scope  Clear Language  Adaptive Content  Extension to Other Company Policies  Enforcement Provisions  Implied Consent  Accountability http://www.cis.armstrong.edu/cispolicies/index.ht ml

28 Questions??

Download ppt "Chapter 6 Acceptable-Use Policies: Human Defenses Trevor Norsworthy Christina Richardson."

Similar presentations

A Reliable and Secure Network TM105: ESTABLISHING SANE TECHNOLOGY POLICIES FOR YOUR PROGRAM.

A Reliable and Secure Network TM105: ESTABLISHING SANE TECHNOLOGY POLICIES FOR YOUR PROGRAM.
Rockingham County Public Schools Technology Acceptable Use Policy

Rockingham County Public Schools Technology Acceptable Use Policy
Northside I.S.D. Acceptable Use Policy 2009-2010.

Northside I.S.D. Acceptable Use Policy
Hart District Acceptable Use Policy Acceptable Use Policy.

Hart District Acceptable Use Policy Acceptable Use Policy.
BUSINESS B2 Ethics.

BUSINESS B2 Ethics.
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Ethics Ethics are the rules of personal behavior and conduct established by a social group for those existing within the established framework of the social.

Ethics Ethics are the rules of personal behavior and conduct established by a social group for those existing within the established framework of the social.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
Acceptable-Use Policies: Human Defenses Michael Swart, Steven, Daniel Connor.

Acceptable-Use Policies: Human Defenses Michael Swart, Steven, Daniel Connor.
Boyertown Area School District Acceptable Use Policy.

Boyertown Area School District Acceptable Use Policy.
Riverside Community School District

Riverside Community School District
New HR Challenges in the Dynamic Environment of Legal Compliance By Teri J. Elkins.

New HR Challenges in the Dynamic Environment of Legal Compliance By Teri J. Elkins.
Business Plug-In B7 Ethics.

Business Plug-In B7 Ethics.
January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS 4600 - © Abdou Illia.

January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS © Abdou Illia.
Acceptable Use Policy (AUP) What does it actually say? Why is it necessary?

Acceptable Use Policy (AUP) What does it actually say? Why is it necessary?
VISD Acceptable Use Policy

VISD Acceptable Use Policy
INTERNET and CODE OF CONDUCT

INTERNET and CODE OF CONDUCT
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Similar presentations

Ads by Google