Analysis

Security

Posted on 13 Mar 2003 at 11:34

Legal responsibilities must be made clear in the AUP too, as many users believe electronic communication and surfing to be beyond the reach of the law. In reality, though, most laws apply to electronic communication just as they do to any other form. Sexual and racial discrimination, copyright infringement, libel and obscene publication laws can all be applied, and email messages and other electronic material can be used in evidence. In general, the employer is liable for employee actions, but that doesn't absolve employees from personal liability, the extent of which needs to be written down in the AUP.

Unfortunately, personal use isn't so easy to handle. A company might, for example, want to encourage employees to shop online at Tesco rather than (unofficially) extend breaks to visit the supermarket. But, equally, it might frown on hours spent browsing holiday websites or looking for a new job. Still, there are ways around such problems. A common compromise is to limit access during core hours, outside which anything goes except where prohibited in the AUP. Bear in mind, though, that legal responsibilities apply at all times and a company can be held liable for an employee's actions no matter when the offences occurred.

Other things to consider when drafting an AUP might be the type of files users are allowed to download from the Web, and the authority they need to get before doing so. Others include the kind of changes, in terms of desktop appearance, screensavers and so on, that can be made to workplace systems, whether email messages should be encrypted, and so forth.

But regardless of what eventually goes into the policy, it's worth inviting contributions from all levels of staff within the organisation. Not only does that help make everyone feel involved, it can also point out potential vulnerabilities and issues that might not otherwise be considered. Plus, it's particularly important to have technical input at the drafting stage, to make sure proposed restrictions can be enforced and to understand the cost and other implications of doing so.

Communication first and last
Employee involvement shouldn't end with the drafting of the AUP. Everyone in the company needs to be made aware of its contents and must agree to abide by them. Consider making it a condition of employment to have read and signed the AUP, with a discussion of its security implications made part of any induction training. And don't stop there. Technology changes at an alarming rate, so continually revisit and revise policies and keep employees informed of their responsibilities.

Finally, the need for good training - and lots of it - can't be stressed enough. Security touches every part of the modern business and should be included in all training courses, from how to use the word processor to managing staff. Indeed, ignorant employees can cause even more havoc than the determined hacker, as the latest breed of so-called hoax viruses goes to prove. These don't deliver a payload, making them hard to detect, but by warning of potential risks they can get unsuspecting users to do their dirty work for them. Issuing a fake virus warning and a list of suspect files to delete is a common ruse and one that can only be addressed by educating users to know when they're being conned.

Author: Alan Stevens


PCPro-Computing in the Real World Printed from www.pcpro.co.uk
