Acceptable Use Policies: A Guide
Cybersecurity goes far beyond just the technologies you select. As important as any piece of software is the behavior and competency of your users onsite, offsite, and any time they access your network.
What is an AUP?
An Acceptable Use Policy (AUP) is the clear communication to users of their rules and responsibilities, acceptable behavior, and required practices, as well as the consequences of not abiding by those principles. It is a cornerstone of most security frameworks and the foundation for all work in this area, so having one in place is often seen as the bare minimum of any security control relating to users.
How do AUPs benefit users?
Each organization is unique, and you are responsible for setting the culture of acceptable behavior in your digital environment. Users cannot expect to know what you consider acceptable, until you tell them. An AUP is a useful guide in setting out what is expected when it comes to devices, data, and secure practices, as well as legal requirements. Users can use the AUP as a guide if they have any questions about what they should or should not be using their device for, or what they can download and store.
How do AUPs benefit security teams?
Security teams can put in technology to defend against attackers, but it will be of no use if users evade the technology, forget to update it, or download unvetted software from unsecured sites. Security teams can set out the essential dos and don’ts of the network in the AUP and establish what users can and can’t do with the devices and software provided by the organization. It is a good place to start highlighting good practice amongst all users and to begin working towards building cyber-secure habits.
How do AUPs benefit organizations?
AUPs are an essential piece of documentation to help defend against cyber-attacks. By all users agreeing to a code of conduct you can reduce the risk of incidents and give them a point of reference for how to conduct themselves when they have questions. A clear AUP can also help indemnify your organization against legal action from technology misuse and help outline how disciplinary procedures will be conducted in the event the policy is not followed.
Core components of an AUP
Your AUP should reflect your values as an organization. There are many templates available online, but you should shape any template to your own needs and priorities. Make sure it covers topics like email usage, passwords and authentication, data storage and handling, BYOD, use of social media, training requirements, physical and remote security practices, and internet usage.
How should an AUP be rolled out?
An AUP should be signed by all users when they join the organization, and they should be asked to sign again whenever it is amended, so that you can say with confidence that they are aware of the current guidelines and expected behaviors. Alternatively, you may wish to reissue the AUP for signing at regular intervals or when a user changes role, amending it to reflect any new responsibilities or duties.
Do AUPs apply to third party vendors?
Yes - you can ask any third party, contractor, or temporary user to sign an AUP before granting access to your network. Even if they are not permanent members of the organization, they will still need to be told about the guidelines and agree to abide by them. You can choose whether to issue the same policy as to employees, or to have a specific AUP for engaging with third parties.
Checklist
When rolling out your Acceptable Use Policy, consider the following:
- Identify what assets the AUP will cover, and the priority order in which to address them.
- Determine what the organization’s policies and acceptable behaviors are with the security team.
- Devise an alternate version of the AUP for third party vendors / contractors / etc.
- Document the final version of the policy digitally and physically for easy reference.
- Distribute the AUP to all users and request they sign and return it for the organization's records.