Introduction - Armstrong Atlantic State University

Chapter 6
Acceptable-Use Policies: Human Defenses

Trevor Norsworthy
Christina Richardson
 Acceptable-Use Policies provide:
  – Companies with the ability to provide a non-hostile work environment.
  – A way to limit the waste of a company's resources
      • In 2003 it was reported that 30-40% of use was not related to business.
      • Costing US corporations $85 billion in lost
Case on Point: Allstate Insurance
 In February 2003, the CA DMV cut off Allstate's access to digital files.
 Allstate employees were stealing customer
 131 violations of confidentiality rules

 The most readily calculable cost of an outdated or incomplete AUP is the lawsuit, as is the payoff from implementing a good
MCIWorldCom's AUP Leads to Early Dismissal of Lawsuit
 Two employees filed an employment discrimination suit against the company in TX federal court.
 The plaintiffs claimed:
  – that another employee had sent out four emails that constituted racial harassment.
  – that their employer was negligent by allowing the corporate email system to be used for
 The court dismissed the plaintiffs' claims on the grounds that MCIWorldCom had:
  – an established email AUP that prohibited discriminatory emails
  – acted consistently in enforcing the policy against the employee who had sent the emails
  – taken remedial action to enforce its written email policy.
The AUP: Discipline and Diligence Defense Tier
 Despite the increase in litigation, policies governing the use of company computer equipment are seldom strict enough.
 Users must operate within the AUP even when it is inconvenient.
 High-risk habits can only be changed through training, reminders and
Dual Functions of the AUP
 Security Breach Prevention
   – Prevents misuse from occurring.
 Legal Protection
  – Protect the organization when prevention
    techniques fail.
Security Breach Prevention
An AUP can help to:
 Inform employees of what they can and can't do, in order to reduce inappropriate behavior
 Clarify expectations about personal use of company equipment
 Warn employees that their actions are
 Outline the consequences of
Legal Protection
 If a company has an enforced AUP, then it is supporting evidence that the organization exercised its legal duty to safeguard employees from a hostile work
 An AUP is rendered useless if:
  – The company has a well-written email AUP stating that staff should not use company email systems for private use.
  – This policy is widely ignored from the managing director downward.
  – Even though the AUP is in place, it is not
  – Therefore it becomes useless.
Legal Theories and Employer
Liability Issues

 Employers' liability stems from two longstanding legal doctrines:

  1. Respondeat Superior Doctrine and Liability
  2. Negligent Supervision and Duty of Care
Respondeat Superior Doctrine and Liability
 Respondeat Superior:
  – Doctrine that holds employers liable for the misconduct of their employees within the scope of their employment.
 Convention on Cybercrime
  – US and 29 other countries
  – Improve international cybercrime prevention
  – If a corporation fails to provide proper supervision to employees, allowing cybercrimes to occur, then the corporation is liable.
Negligent Supervision and Duty
of Care
 An employer may also be liable for negligent supervision of an employee
   – Duty of care may extend beyond the scope of
 Duty of Care:
  – A company or person cannot create an unreasonable risk of harm to others.
  – Under this doctrine, directors and officers have an obligation to protect their company's business
What makes an AUP effective?
 Comprehensive scope
 Clear Language
 Adaptive Content
 Extension to Other Company Policies
 Enforcement Provisions
 Implied Consent
 Accountability
Comprehensive Scope
 The AUP must apply to all IT resources
  – Desktop computers
  – Laptop computers
  – Personal Digital Assistants
  – All employee-owned devices accessing the company network
 Must apply to all users of IT resources
Clear Language
 The AUP must be concise
 Must explain the company's commitment to
 Narrow enough to address known threats
 Broad enough to cover new and unanticipated dangers
Adaptive Content
 The AUP must be dynamic
  – Change to adapt to new situations,
    technological advances
 A mechanism for updating the AUP needs
  to be in place
Extension to Other Company Policies

 The AUP must manage employees' expectations
 Other policies must be considered
  – Intellectual Property
  – Harassment
  – Right to Privacy
 Adoption of the AUP must not be passive
 A signed agreement of employees is
  – Shows acknowledgement of responsibility, procedures, and penalties
  – Referred to as express consent
  – Different from implied consent
 Responsibility for AUP development:
  – Often assigned to the IT organization
  – Requires involvement from outside sources
     • Legal
     • Human Resources
     • Senior Line Management
 Individuals who enforce policies should be named within the Acceptable Use Policy
AUP Sample Items
 Purpose and Scope
   – Policy addresses all IT resources
   – Intended to promote safety
   – Key Objectives:
      • Maintain non-hostile workplace environment
      • Prevent discrimination
      • Protect company against computer crimes
   – Company performance and survival depend on
     security measures described in this AUP.
AUP Sample Items cont.
 Acceptable Use Policy Guidelines
  – IT Resources are company property
     • To be used only by those employed by the company
     • Only to be used for business purposes
  – IT Resources are to be used in accordance with
    all applicable laws
  – Creation or transmission of any files deemed
    obscene or indecent is prohibited
  – The company has a right to review and observe
    all electronic communications
AUP Sample Items cont.
 Provisions and Prohibitions
   – Company user names and passwords
     • Only to be used for business purposes
     • Not to be given out or used for any personal electronic communications
  – Users should check their company email daily
     • Delete unwanted messages
  – All information sent, received, created or stored is the property of the company
  – Users must scan all downloaded files for
AUP Sample Items cont.
 Compliance
  – The company may choose to monitor its resources, including
     • Email sent and received
     • Internet usage
     • Computer files and faxes received and sent
     • Any file for content, and installed software for licensing
  – Users will not view others' email without
  – Users are to report any violations to their
Armstrong Atlantic State University's Acceptable Use Policies
 The AASU AUP displays all the characteristics of an effective AUP (recall):
   Comprehensive scope
   Clear Language
   Adaptive Content
   Extension to Other Company Policies
   Enforcement Provisions
   Implied Consent
