Acceptable Use Policy by Andrew Breen

What is an Acceptable Use Policy? According to Wikipedia: a set of rules applied by many transit networks which restrict the ways in which the network may be used According to Wikipedia: a set of rules applied by many transit networks which restrict the ways in which the network may be used usually found in the terms of service agreement usually found in the terms of service agreement Plays a big role in information security Plays a big role in information security

SANS Guidelines – Overview Intention for publishing an AUP Intention for publishing an AUP What computer systems and devices it applies to What computer systems and devices it applies to Who it applies to Who it applies to

2.0 - Purpose Why Rules exist Why Rules exist What could happen if rules are not followed What could happen if rules are not followed

3.0 – Scope Who policy applies to Who policy applies to What equipment policy applies to What equipment policy applies to

4.0 - Policy 4.1 General Use and Ownership 4.1 General Use and Ownership privacy is desired, but all data is propery of company privacy is desired, but all data is propery of company exercise good judgement for personal use exercise good judgement for personal use encryption is encouraged encryption is encouraged authorized personnel may monitor system authorized personnel may monitor system compliance audits may occur compliance audits may occur

4.0 – Policy (cont.) 4.2 – Security and Proprietary Information 4.2 – Security and Proprietary Information some information on network may be confidential some information on network may be confidential keep passwords private and change frequently keep passwords private and change frequently all workstations should have automatic password protected screensavers all workstations should have automatic password protected screensavers use encryption use encryption special care for laptops special care for laptops non-business postings online must contain disclaimer non-business postings online must contain disclaimer be cautious of attachments be cautious of attachments

4.0 – Policy (cont) 4.3 – Unacceptable Use 4.3 – Unacceptable Use unless specified, these activity are prohibited unless specified, these activity are prohibited no unlawful activities permitted no unlawful activities permitted

4.0 – Policy (cont) System and Network Activities System and Network Activities violation of intellectual property rights violation of intellectual property rights exporting software in violation of export control laws exporting software in violation of export control laws malicious programs released on network malicious programs released on network fraud fraud giving account username and password to anyone giving account username and password to anyone port scanning port scanning interfering with other users access interfering with other users access

4.0 – Policy (cont) and Communications and Communications sending spam sending spam harassment harassment forwarding chain letters forwarding chain letters forging headers forging headers

5.0 - Enforcement details disciplinary action if employee violates policy details disciplinary action if employee violates policy

6.0 - Definitions any relevant Definitions any relevant Definitions

7.0 – Revision History history of revisions to document history of revisions to document right to make revisions in future right to make revisions in future

Examples of Acceptable Use Policies The University of Scranton: zation/resnet/computingpolicy.shtml The University of Scranton: zation/resnet/computingpolicy.shtml zation/resnet/computingpolicy.shtml zation/resnet/computingpolicy.shtml Earthlink: cies/use/ Earthlink: cies/use/ cies/use/ cies/use/