What is acceptable use policy (AUP)?
An acceptable use policy (AUP) is a document stipulating constraints and practices that a user must agree to for access to or use of a corporate network, the internet or other computing resources. Many businesses and educational institutions require employees or students to sign an AUP before being granted a network ID.
From an IT perspective, an AUP provides a set of rules describing what a user can and cannot do when using computers and technology resources. AUPs can apply to devices the organization supplies and to personal devices that the user provides.
An AUP spells out acceptable and unacceptable employee behavior and actions. It also provides a company with a legal mechanism to compel compliance, and it stipulates the penalties for noncompliance.
9 key elements of an acceptable use policy
Internet service providers (ISPs) usually require new customers to sign an AUP. It might be part of a service-level agreement between the ISP and customer.
The following nine stipulations are often included in an ISP's acceptable use policy:
- Don't use the service in violation of any law.
- Don't attempt to disrupt the information security of any computer network, including internet access, or of any end user. This can include clear guidelines for following information security policies, using strong passwords for access and preventing malicious software.
- Don't post commercial messages to Usenet groups without prior permission.
- Don't send junk emails or spam messages to anyone who doesn't want to receive them.
- Don't attempt to mail bomb a site to flood the server.
- Don't attempt to steal intellectual property from a vendor.
- Require users to report any attempt to break into their accounts.
- Acknowledge disciplinary action that might be taken if the AUP is violated.
- Note that the AUP complies with applicable law as applied to IT and related issues, and is subject to periodic audits.
AUPs often include disclaimers absolving the organization of responsibility for a data breach, malware or other issue. Statements about when a person is in violation of this policy and when law enforcement might be called in are also included.
Examples of how AUPs are used
The following are examples of areas where an acceptable use policy could be helpful:
- Code of conduct. In conjunction with an existing company code of conduct, an AUP addresses IT issues.
- Social media. An AUP sets parameters on how employees should use social media sites, stipulating what shouldn't be discussed about the company and its business.
- Internet and other system use. Policies usually cover whether an organization's computer systems and network bandwidth can be used only for business purposes. They often stipulate whether these resources can be used for personal email or other electronic communications, shopping, playing computer games and gambling.
- Cybersecurity. An AUP sets rules related to an organization's IT security policies. These include rules around accessing restricted information; changing access data, such as passwords; opening questionable email attachments; accessing public Wi-Fi services; and using company-approved authentication procedures. It can also specify security measures for responding to security breaches such as phishing.
- Nonemployee users. Use policies set restrictions on how nonemployees can use company information systems and network resources.
- Accessing private or confidential information. AUPs prohibit unauthorized access to proprietary or confidential data and unauthorized use of that data.
- Bring your own device (BYOD). Many organizations allow or require employees to use personal devices such as laptops for business purposes. With BYOD, an AUP is necessary to prevent security issues and misunderstandings about how these devices should be used.
Best practices to ensure AUPs are followed
Signing an acceptable use policy might be required as part of an employment contract. It often happens during the employee onboarding process or as needed with existing employees.
However, employees must be reminded periodically of their responsibility to understand and adhere to the rules spelled out in the AUP.
Some best practices that help employees comply with these policies include:
- Work with the company's legal department to ensure the AUP addresses issues properly.
- Have clearly written policies with minimal technical jargon or confusing legal terms.
- Provide security training that emphasizes the rules in an AUP.
- Test employee knowledge, awareness and understanding of an AUP with periodic questionnaires.
- Ensure that AUP language is periodically reviewed and updated, especially when there is a change in business operations, such as introducing a new product, undergoing a merger or conducting an audit.
Pros and cons of acceptable use policies
Developing and authorizing an acceptable use policy are important steps toward a secure and well-managed IT organization. While the primary focus is IT resources and services, an AUP can be applied to non-IT assets and activities as well, such as building facilities, office supplies and paper documents.
AUPs set forth the limits regarding how employees can use IT resources. Even more important is the establishment of the company's legal position regarding improper or unacceptable use of those resources. This can be important in cases where the company might face litigation from an employee accused of violating the AUP.
Perhaps the principal challenge when establishing an AUP is its enforcement. It's important to communicate the policy to employees and obtain their acknowledgment during onboarding. Partnering with human resources (HR) is an important strategy for ensuring that AUPs and other relevant rules and guidance are followed. Periodic reminders to employees of the importance of policy compliance are essential.
How to create an acceptable use policy
Perhaps the best way to get started developing an AUP is to look at how other companies define acceptable use in their own policies. The steps leading to drafting an AUP include the following:
- Secure approval from senior company and IT management.
- Establish a policy team.
- Conduct initial research into relevant guidelines for AUPs, other organizations' policies, and relevant standards and frameworks.
- Establish the purpose and scope of the policy.
- Determine the issues that will be addressed in the policy, such as defining acceptable and prohibited activities; IT activities to be addressed, including network, system and email use; and how confidentiality will be maintained.
- Define enforcement procedures and penalties for noncompliance.
- Prepare a draft policy that states all relevant acceptable and unacceptable activities.
- Determine who's responsible for approving the policy.
- Obtain legal reviews of the draft policy to identify potential legal issues and how to address them.
- Have HR review the draft policy and address any issues.
- Establish an awareness and training program to communicate the policy to employees, contractors and other stakeholders.
- Establish a review and audit schedule in addition to a continuous improvement program.
- Complete the policy and obtain formal approval.
- Secure acknowledgment from all employees and have HR add AUP training to the onboarding process.
As artificial intelligence use ramps up, organizations are looking for ways to define acceptable use. Our AI acceptable use policy guide and template can help ensure safe AI use.