Developing an AUP: Guidelines for Best Practice

The following are steps to develop an AUP:

1. Create the policy.

a. Set goals with representative departments. Setting corporate limits on Internet and computer usage can be an emotionally charged subject, linked as it is to the issues of personal privacy and individual responsibility. For that reason, it is better if the statement of the business needs and the policy itself are developed by representatives from every part of the business, including senior management, information technology, security, business unit managers, human resources, legal departments and other interested user groups. Such involvement will help the speedy and effective implementation and ensure that an understanding of the issues is widely disseminated within the organization.

b. Conduct a risk assessment. Before embarking on the development of an acceptable use policy, organizations should conduct an internal e-mail, Internet and software usage risk assessment to pinpoint their specific e-risks and evaluate employees' electronic capabilities. A comprehensive risk assessment will reveal the extent of employee misuse of corporate IT resources. It will also provide insights into what managers and supervisors are doing to monitor employee computer use and correct problems.

This will enable the identification of digital exposures in the organization and the drafting of policies that specifically address those risks.

c. Define acceptable personal usage and who is covered. The policy should start by specifying the general principles governing IT and computer use by employees in the course of their business and in other activities (Figure 1). It should clearly state who is covered by the policy and the responsibilities regarding compliance. This should be followed by clear conditions of an individual's use of services. The policy should be explicit about the level of personal usage that is acceptable. Some organizations, especially those that place a premium on creativity, might encourage employees to roam cyberspace as part of their jobs, while others may look for the "happy medium."

2. Educate.

a. Explain employee rights and monitoring expectations. Employees also need to understand what their rights are with regard to expectations of privacy in their use of a company's IT resources. Employees should know what they can expect in terms of usage monitoring and whether the organization routinely monitors the use of IT resources.

b. Educate employees on legal issues. Every employee using computer resources should have a clear understanding of the legal issues involved (Figure 2). These include:

i. Sexual/racial harassment
ii. Libel
iii. Copyright infringement
iv. Breach of confidence
v. Negligent misstatement
vi. Publication of obscene material
vii. Data protection
viii. Negligent virus transmission
ix. Inadvertent formation of contracts

c. Minimize risks by outlawing certain language. Organizations can minimize risks by controlling context and the use of language. They should forbid the use of sexist language and words that could offend others, and make it clear that obscene, harassing or otherwise offensive language will not be tolerated.

d. State the consequences of noncompliance. Each policy should clearly outline the consequences of nonconformance with the company's AUP. Employees need to be clear as to what will happen to them if they are found to be in breach of the policy. They must understand that failure to adhere to such policies may result in disciplinary action up to and including dismissal.

e. State the process for reporting incidents. Employees should understand how to report an unwanted and unsolicited incident (such as spam e-mails) without prejudice or penalty of company action.

f. Ensure that all employees are informed about the AUP. An AUP should become part of an organization's overall policy manual. As with other company policies, it should be readily available to all employees, widely disseminated and clearly understood by all.

g. Offer an amnesty period. Consider offering a period of time, typically 14 days, for employees to clean up their computer disks, e-mail archives and personal network shares before regular audits and monitoring commence. This gives employees a clear warning that the company takes this matter seriously and is actively enforcing its policy.

h. Incorporate the AUP into the employment contract. Many organizations require that employees sign their AUP document as part of their terms and conditions of employment either at the hiring stage or as part of gaining access to the Internet or other services. Employees often come with bad IT or Internet habits from college, previous employers or home Internet use; it is vital that new employees are advised at induction as to how the company expects them to make use of its IT resources.

i. Train employees. Training on the ethical, legal and security aspects of IT resource usage should be an ongoing feature of organizational life. This training does not have to be classroom only, but can take the form of online information, small briefing sessions, etc. Training on IT/communication resource usage can also be integrated as part of other training and development within the organization. For example, issues on the use of IT/communication resources can be included as part of ethics training, security training, and legal and management development initiatives.

j. Send updates via companywide e-mails. Consider sending regular companywide e-mails to remind employees of particular aspects of the AUP. Keep them updated with developments in IT and policy changes. Depending on the feedback from audits and monitoring activity, it may be prudent to update employees in general terms about the results of such activities.

k. Incorporate the AUP into the employee handbook. Following initial training, brief e-consciousness-raising sessions can be held to update employees about new risks, regulations and related issues. Incorporate the company's AUP into the organization's printed employee handbook. Make it easy for employees to access and review these e-policies as needs arise.

l. Post e-notices. Some organizations post an e-notice highlighting the main terms of their AUP. When an employee logs on to the computer network, this notice requires the employee to affirmatively acknowledge that he/she has read the screen before moving on.

3. Monitor and enforce. Monitoring is a critical part of compliance to an AUP. Monitoring IT activity for compliance to AUPs is no different from monitoring compliance to other corporate policies, such as an expense policy, where the policy itself does not ensure compliance. Monitoring and enforcing are necessary to ensure that an organization avoids lawsuits and lost productivity. Each organization must become aware of what images are entering the network and corporate PCs, what is distributed throughout the organization, and what material is being sent outside the corporate network.

At the end of the day, the efficacy of any policy will depend on the leadership that enforces such a policy. Managers, above all, need to lead by example and be clear about, and committed to, the implementation of the company's AUP. It is important for the policy to be consistent with the practice that is taking place within the organization; managers need to be vigilant in ensuring that the policy and practice stay in sync. Leadership encouragement and commitment are more likely to succeed than any policy—but for best results, both are needed in unison.