Breaching Acceptable Use Policies

Care of Slashdot I saw this post on the potential ramifications of breaching an Acceptable Use Policy based on a recent judgement [pdf]  in Western Australia.

The defendant was a Police Officer, who would normally be held to a higher standard than Joe Public, and the system in question was a Police database, but as the blog post points out: "Ms Giles wasn't convicted for breaching police secrecy, or improper disclosure of information --- she was convicted for common cracking. She used the restricted-access system other than in accordance with her authorisation"

Nick Gifford in his book "Information Security: Managing the Legal Risks" (which I have mentioned before) describes AUAs (Acceptable Use Agreements) as "a contractural mechanism for managing the risks to the organisation associated with granting user access rights" and as a contract I can understand that there would be a legal risk to those who would breach that contract.

What about your company's Acceptable Use Policy? Is it up to date and consistent with employee duties?
Have all of your users read your organisation's AUP? What about those staff who have been there 10, 15 or 20+ years? Has your AUP changed over that period, and have those users acknowledged those changes? Do they have to re-acknowledge the AUP regularly? (yearly?)
Does it explicitly state that there should be no expectation of privacy when using email, browsing the internet or storing data on comapny assets? Does it allow for monitoring employees and clearly state potential penalties for breaches?

While it's a little late for New Year's resolutions (maybe a Chinese New Year resolution?), make it a priority to look into your AUP and how you track acknowledgement and ensure compliance. And if you don't have an AUP, the ever-useful SANS website has a sample [pdf] to help get you started.

0 Response to "Breaching Acceptable Use Policies"

Post a Comment

powered by Blogger | WordPress by Newwpthemes | Converted by BloggerTheme