Managers responsible for ensuring staff use their computers “acceptably” are in danger of worrying too much about “doubtful” internet access and not enough about security issues, says Michael Wigley, president of the Technology Law Society.
Speaking at a recent New Zealand Computer Society meeting, Wigley said that compared with “fuzzy” questions about what constitutes unacceptable web use, security policy issues are fairly easy to define.
“In my experience of drafting AUPs [acceptable use policies] that focus on security, I have tended to aim for areas I know about or that the security people tell me are important for the organisation,” says Wigley.
Nowadays, for example, an AUP should probably say something about the dangers of responding to phishing emails.
“You will [need to] deal with specific security threats or particular issues in the organisation … but I would also very carefully put generic stuff [to do with] security in there, as well.”
One NZCS member commented that personal use of an organisation's computer system was “alright, so long as it’s kept to a minimum and doesn’t interfere with your productivity or it’s done out of working hours.”
Many of those at the meeting also thought the question of how much latitude employees were given in taking laptops out of the office needed to be looked at carefully.
They said the kind of AUPs they had worked under varied greatly, ranging from an absolute prohibition on letting anyone else use their machine to a more lenient approach, but one with a stringent examination of machines when they were returned to the office, before users were allowed to hook them up to the office network again.
The risks of confidential information leaking out, or of viruses contaminating machines, aren’t the only worries when it comes to laptop use. Other people using a person’s laptop can weaken the evidential chain should it ever come to disciplining an employee about unacceptable use of the computer, says Wigley. The person could always say someone else was responsible for any infraction, and that the company had allowed — or at least not forbidden — external use of machines.
An AUP should probably stipulate the areas within the organisation that particular employees can and cannot legitimately access, says Wigley.
“If [for instance] somebody in the HR department signs something that says ‘You are not permitted to enter the accounts-payable system’ and [a person does, the person] can be disciplined without fear of a legal dispute.”
Ensuring there is proper employee commitment to AUPs is difficult. Certainly, employees should hand-sign an AUP document when they join an organisation. But, particularly in the case of security issues, perceived threats change over time and the AUP is likely to be modified, so it might be wise to draw employees’ attention to any significant changes and obtain their assent again, says Wigley.
However, this can lead to complex and unsound procedures, he says.
“If you change your terms, and you go round and insist on everybody signing contracts, the process is going to get stuffed up. People will sign the wrong thing; people won’t sign some things; it will be filed in the wrong place [etcetera]. So, when you’re talking about existing employees agreeing to new terms, you [should probably] go to a click-accept approach. If you have an organisation of more than 100 employees, it’s just completely out of the question to get everyone to sign up to something again.”