
Copyright 2005 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

Best Practices for Establishing an Effective Workplace Policy for Acceptable Computer Usage
By John Nolan
Providing virtually unconstrained access to technology tools in the workplace puts many human resource (HR) departments in a quandary. On one hand, their dramatic benefits necessitate that employees have broad access to computing resources. On the other, employees' use of internal computer resources, including e-mail, the Internet and software applications, can open an organization to a host of risks, including security breaches, lost productivity, wasted computer resources, e-viral infections, business interruption, and civil and criminal lawsuits. While controlling the usage of information technology and communication resources is only one aspect of e-business security, it is clearly one of the most important. For example, BusinessWeek reported that cyber-skiving accounts for 30 percent to 40 percent of lost worker productivity. Meanwhile, Vault.com reported that 90 percent of US workers have admitted to recreational web surfing on the job.

Even more frightening, giving employees access to the Internet and other technology can lead them to stray to inappropriate sites, including sexually explicit sites and those promoting violence and hate speech. This kind of activity can lead to lawsuits, harassment charges and even criminal prosecution. To cite a few examples, 50 percent of employees with Internet access report receiving racist, sexist, pornographic or otherwise inappropriate e-mails at work, according to Elron.com. Research done by the American Management Association indicates that 27 percent of Fortune 500 companies have battled sexual harassment claims stemming from employee misuse and abuse of inappropriate images on corporate computers. In addition, a Delta Consulting report sponsored by PixAlert indicated that 40 percent of the 500 largest US companies have taken disciplinary action against employees in the past year for viewing illicit images.

High-profile Lawsuits
As a result of these issues, there have been several high-profile lawsuits. Such cases include the following: Chevron Corp. settled out of court, paying US $2.2 million, after the company was sued because of an e-mail circulated within the company containing, among other offensive material, a joke that listed 25 reasons beer is better than a woman. Microsoft Corp. settled for US $2.2 million a sexual harassment suit involving pornographic e-mails sent within the company.

Xerox fired more than 40 employees for downloading pornographic images. These downloads were so pervasive that they choked Xerox's computer system and prevented employees from sending and receiving legitimate e-mails. Wachovia Securities fired six brokers for sending inappropriate images in e-mails.

Because of advances in digital storage technologies, there are myriad ways that illegal and inappropriate images can find their way onto the desktop and corporate network. These technologies include memory sticks, DVDs, CDs, USB mass storage keys and portable hard disk drives, and devices such as digital cameras, camcorders, mobile telephones and MP3 players, with the capacity to store and transfer images via widely available PC connections. Add to this the ability of laptop users to roam Wi-Fi and nonenterprise networks to access illegal and inappropriate images and then introduce the laptop (and its illicit images) onto the company network.

Despite these challenges, the onus is on the employer to provide a work environment free of gender, ethnic or racial harassment or discrimination, and companies must take reasonable steps to eliminate harassing material from the workplace. Under certain state compliance legislation in the US, company directors and the managers they appoint can be held personally liable for the content of corporate computers. In addition, federal law states that these managers can also be subject to criminal prosecution if negligence is found in the management of data and images on company computers.

It is clear that the HR department plays an important part in protecting the company, its corporate officers and its employees from some of the potential exposures that IT and communications resources can invite. HR has a key role in ensuring that computer usage policies and practices are clearly understood by all employees and that employees also understand the importance of such policies in creating a healthy and safe work environment. Such policies need to be integrated and aligned with other company policies and practices (e.g., business ethics, HR policies and sustainability policies) that are concerned with protecting the organization and the value and dignity of the employee at work.

Acceptable Usage Policies

The good news is that developing and implementing an effective acceptable usage policy (AUP) can avoid many of these pitfalls. A well-constructed AUP provides the framework for employees' computer activities, details the actions the organization is taking to enforce adherence and spells out the penalties for disregarding the policy. Organizational procedures should actively enforce the policy by integrating proven access control and monitoring technologies. Organizations may differ in how they go about developing an AUP, both in the process for development and in the type of policy that is developed. There is no such thing as a standard, one-size-fits-all AUP. Corporate cultures, business requirements and employee capabilities combine to create a distinct environment with unique electronic risks and policy needs. Typically, the goals of an AUP are to clarify the organization's position regarding the use of IT, the Internet, e-mail and corporate IT resources; protect the organization against potential liability; avoid security threats by promoting awareness and good practice; and encourage effective and productive use of human and IT resources.

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 6, 2005

Figure 1: How Companies Limit Their Employees' Personal Internet Usage

36%  All nonwork use prohibited
28%  Limited use after business hours
17%  Unrestricted personal use anytime
13%  Limited personal use anytime
4%   No policy
2%   Unrestricted use after work hours

Developing an AUP: Guidelines for Best Practice

The following are steps to develop an AUP:

1. Create the policy.

Set goals with representative departments. Setting corporate limits on Internet and computer usage can be an emotionally charged subject, linked as it is to the issues of personal privacy and individual responsibility. For that reason, it is better if the statement of the business needs and the policy itself are developed by representatives from every part of the business, including senior management, information technology, security, business unit managers, human resources, legal departments and other interested user groups. Such involvement will help speedy and effective implementation and ensure that an understanding of the issues is widely disseminated within the organization.

Conduct a risk assessment. Before embarking on the development of an acceptable use policy, an organization should conduct an internal e-mail, Internet and software usage risk assessment to pinpoint its specific e-risks and evaluate employees' electronic capabilities. A comprehensive risk assessment will reveal the extent of employee misuse of corporate IT resources. It will also provide insights into what managers and supervisors are doing to monitor employee computer use and correct problems. This will enable the identification of digital exposures in the organization and the drafting of policies that specifically address those risks.

Define acceptable personal usage and who is covered. The policy should start by specifying the general principles governing IT and computer use by employees in the course of their business and in other activities (figure 1). It should clearly state who is covered by the policy and the responsibilities regarding compliance. This should be followed by clear conditions of an individual's use of services. The policy should be explicit about the level of personal usage that is acceptable. Some organizations, especially those that place a premium on creativity, might encourage employees to roam cyberspace as part of their jobs, while others may look for the happy medium.

2. Educate.

Explain employee rights and monitoring expectations. Employees also need to understand what their rights are with regard to expectations of privacy in their use of a company's IT resources. Employees should know what they can expect in terms of usage monitoring and whether the organization routinely monitors the use of IT resources.

Educate employees on legal issues. Every employee using computer resources should have a clear understanding of the legal issues involved (figure 2). These include: sexual/racial harassment; libel; copyright infringement; breach of confidence; negligent misstatement; publication of obscene material; data protection; negligent virus transmission; and inadvertent formation of contracts.

Figure 2: Example Notice

US Legislation States: Sexual harassment occurs when an employee is subjected to unwelcome sexual conduct based on gender. Conduct frequently involves offensive visual images viewed on an office computer or received in an e-mail.

Minimize risks by outlawing certain language. Organizations can minimize risks by controlling context and the use of language. They should forbid the use of sexist language and words that could offend others, and make it clear that obscene, harassing or otherwise offensive language will not be tolerated.

State the consequences of noncompliance. Each policy should clearly outline the consequences of nonconformance with the company's AUP. Employees need to be clear as to what will happen to them if they are found to be in breach of the policy. They must understand that failure to adhere to such policies may result in disciplinary action up to and including dismissal.

State the process for reporting incidents. Employees should understand how to report an unwanted and unsolicited incident (such as spam e-mails) without prejudice or penalty of company action.


Ensure that all employees are informed about the AUP. An AUP should become part of an organization's overall policy manual. As with other company policies, it should be readily available to all employees, widely disseminated and clearly understood by all.

Offer an amnesty period. Consider offering a period of time, typically 14 days, for employees to clean up their computer disks, e-mail archives and personal network shares before regular audits and monitoring commence. This gives employees a clear warning that the company takes this matter seriously and is actively enforcing its policy.

Incorporate the AUP into the employment contract. Many organizations require that employees sign their AUP document as part of their terms and conditions of employment, either at the hiring stage or as part of gaining access to the Internet or other services. Employees often come with bad IT or Internet habits from college, previous employers or home Internet use; it is vital that new employees are advised at induction as to how the company expects them to make use of its IT resources.

Train employees. Training on the ethical, legal and security aspects of IT resource usage should be an ongoing feature of organizational life. This training does not have to be classroom only, but can take the form of online information, small briefing sessions, etc. Training on IT/communication resource usage can also be integrated as part of other training and development within the organization. For example, issues on the use of IT/communication resources can be included as part of ethics training, security training, and legal and management development initiatives.

Send updates via companywide e-mails. Consider sending regular companywide e-mails to remind employees of particular aspects of the AUP. Keep them updated with developments in IT and policy changes. Depending on the feedback from audits and monitoring activity, it may be prudent to update employees in general terms about the results of such activities.

Incorporate the AUP into the employee handbook. Following initial training, brief e-consciousness-raising sessions can be held to update employees about new risks, regulations and related issues. Incorporate the company's AUP into the organization's printed employee handbook. Make it easy for employees to access and review these e-policies as needs arise.

Post e-notices. Some organizations post an e-notice highlighting the main terms of their AUP. When an employee logs on to the computer network, this notice requires the employee to affirmatively acknowledge that he/she has read the screen before moving on.

3. Monitor and enforce.

Monitoring is a critical part of compliance with an AUP. Monitoring IT activity for compliance with AUPs is no different from monitoring compliance with other corporate policies, such as an expense policy, where the policy itself does not ensure compliance. Monitoring and enforcing are necessary to ensure that an organization avoids lawsuits and lost productivity. Each organization must become aware of what images are entering the network and corporate PCs, what is distributed throughout the organization, and what material is being sent outside the corporate network.

At the end of the day, the efficacy of any policy will depend on the leadership that enforces such a policy. Managers, above all, need to lead by example and be clear about, and committed to, the implementation of the company's AUP. It is important for the policy to be consistent with the practice that is taking place within the organization; managers need to be vigilant in ensuring that the policy and practice stay in sync. Leadership encouragement and commitment are more likely to succeed than any policy, but for best results, both are needed in unison.

John Nolan is CEO of PixAlert, which provides software and services that protect organizations and their staff from the legal ramifications of viewing inappropriate and illegal images on workplace computers.

Information Systems Control Journal (ISSN 1526-7407), formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. www.isaca.org
