Developing an Employee Usage Policy Part 2


My professor posted the following guidelines for creating/evaluating an employee use policy.

Email and Internet Usage Policy

Implementation of sound, well-written policies helps manage risk by defining acceptable and unacceptable forms of behavior and educating employees as to the organization’s expectations concerning their behavior. Organizations can and should expect their employees to act ethically and the organization, as well as its employees, should expect to be accountable to society for their actions. On the positive side, good policies

encourage ethical behavior and discourage criminal behavior,

encourage polite and civil communication,

encourage individual integrity and honesty,

encourage respect for others and their property,

protect the organization’s information infrastructure from danger, and

reduce the risk of lawsuits.

Good policies also

discourage copyright infringement, software piracy, and plagiarism,

discourage slander, libel, defamation, and mendacity, and

discourage profanity, obscenity, pornography, and waste.

(See Kinnaman, D., Critiquing acceptable use policies. http://www.io.com/~kinnaman/aupessay.html)


As always, there are four policy essentials:

1. Policies need to be in writing – Unwritten policies may sometimes be found to exist by courts, and enforced, but to be sure that an organization’s policy is clear, fosters the behaviors the organization intends, and limits those behaviors that the organization deems undesirable, policies should always be in writing.

2. Policies must be promulgated – A policy the employees don’t know about is ineffective. Best practice is to have a signed statement that the employee has read and understands the policy.

3. There must be some process to determine if the policy is being followed. If an organization has no way of knowing whether a policy is being followed, the policy may be (and usually is) ineffective.

4. There have to be sanctions for violations of the policy discovered by the detection process. A policy with no teeth is ineffective.

Good policies explicitly define and make clear to all users the ethical standards and expectations of the organization. The policy should explicitly state that all hardware, software, and related infrastructure made available to employees are property of the organization and are to be used for business-related purposes only. The policy should clearly state that email and Internet usage will be monitored and audited. No one should have an expectation of privacy regarding email or Internet usage.

Policies concerning the use (and potential for abuse) of email and Internet access should probably touch on all of the following (listed in no particular order):

conduct of personal business using the organization’s information infrastructure

sexual harassment

threats

flames

interference with others, including cyberstalking

exceeding authorized access

downloading software, music, or movies

snooping

on-line gambling

illegal activities

use of unescrowed cryptography and cryptographic keys

playing video games

chat rooms, instant messaging, and blogging

chain letters and Ponzi schemes

defamatory, illegal, discriminatory, offensive, threatening or harassing messages

misrepresentation of oneself or the organization to customers, clients, vendors and other employees

fraudulent behavior

denigration of others based on their sex, race, sexuality, age, national origin, or religious or political beliefs

political activities

pornography

child pornography

use of antiviral software to protect customers, clients, vendors, and the organization’s information infrastructure

privacy and disclosure of personal or privileged information

protection of the organization’s trade secrets

requirement for ethical behavior

requirement to conform to all state and federal laws

defeating or attempting to defeat the auditing, monitoring, access control or other security features or procedures used by the organization’s information infrastructure

About this Entry

This page contains a single entry by Roger published on July 6, 2004 6:45 PM.
