March 1, 2009

Acceptable Usage Policies

An important step in preventing inappropriate use of computer equipment and time at work is to define what types of activities are acceptable. Sure, it may seem like common sense to you and me that browsing MySpace or Facebook at work is not appropriate when you are on the clock, but unless you define the behaviors that are acceptable and unacceptable, you cannot fairly expect the staff to know for sure, nor can you fairly punish them, since no rule was technically broken.

A good acceptable usage policy will cover several aspects of computer usage, not just which web sites are OK to visit and which aren't.

Some things you need to remember to cover are:

  • What information can and cannot be released to the public
  • What permissions must be obtained before releasing any data to media or the public
  • Who is authorized to release data
  • Who is authorized to speak on behalf of the company
  • What type of information can be transferred or discussed via email or instant messenger
  • Policies on employees posting on web forums about the company, or in association with the company
  • Where company information can be stored
  • What kind of work can be taken home
  • Whether USB thumb drives or other external storage devices are allowed
  • Policies on changing computer settings
  • Policies on personal data on work computers
  • What types of web sites are appropriate
  • Acceptable usage of company equipment on personal time

All of this needs to be discussed, and written out in a way that is easy to understand. If an employee is not told what they can and cannot do, especially when it comes to things like releasing data to the public, or speaking on behalf of the company, it can lead to mistakenly releasing information, which can lead to much bigger problems.

In addition to noting what type of behavior is acceptable and not acceptable, try to explain why the rules are in place:

  • Why is talking to the media a liability?
  • Why is posting on a forum while trying to defend your company dangerous?
  • How does this directly affect the employee?

If an employee has a personal interest in making sure data stays secure, they are going to be much more cautious about it.

Once the rules are set, you also need to list the consequences of breaking these rules. Consequences may be applied on a case-by-case basis, as not all violations are equal, but there must be standards and they must apply to everyone equally, or they are useless. Once consequences are in place, they must be enforced. Having consequences in place but only selectively applying them confuses employees and makes it look like you are playing favorites, which will quickly lower the respect your employees have for you.
