January 2012 IT Business Consulting Newsletter

Employee IT Use & Abuse Policy - Retain Control, Reduce Liability

By Tom K

Your IT Resources are valuable tools used to operate and propel your business. If you want these tools to be respected, you need to ensure your employees understand “Acceptable Use” and sign off on this understanding. Unacceptable use can lead to wasted resources, reduced productivity and, if no Use and Abuse Policy is in place, lawsuits directed towards you and your business.

I just returned from a road trip where I found that a large number of businesses I visited had no IT Use and Abuse Policy in place. Like bad passwords, this is so important, so dangerous, and so easy to correct, I’m pushing IT Use & Abuse Policies ahead of this month’s scheduled topic.

In this month’s newsletter I discuss why an IT Use and Abuse Policy is so important, what the policy needs to include, and how to insure your staff acknowledges they have read and understand the policy.

Why you need an IT Use and Abuse Policy

The first purpose of the IT Use and Abuse Policy is to educate your staff as to what constitutes Acceptable Use of company IT resources, as well as what is considered Unacceptable. You can have no compliance expectations if you don’t educate.

The second purpose of the IT Use and Abuse Policy, once you have established companywide understanding, is to make the best, most efficient use of your IT Resources. If your staff complies with the policy you’ll be able to stretch your resources (no server storage wasted on iTunes and personal photos), reduce your expenses (no need to increase your Internet bandwidth if they stop downloading movies and stop streaming radio), and increase productivity (eliminate non-company emails, facebook, and twitter).

The third purpose of the IT Use and Abuse Policy is to provide the basis to be able to discipline staff who refuse to comply, and to protect your business from lawsuits arising from illegal or immoral activity originating from within your business IT environment. You effectively eliminate the “I didn’t know... I wasn’t allowed to send out 40,000 pieces of sexist emails” defense, and you protect your business from the liability associated with 40,000 unacceptable emails leaving your mail server.

What your IT Use and Abuse Policy should include

The policy should begin with an introduction describing the purpose of the policy, and the employees’ responsibility to comply with the policy.

The policy body should specifically state what is acceptable use of your company’s IT Resources, as well as what is unacceptable, in easily understandable and unambiguous language. It should also discuss the user’s expectation of privacy (there is none) and explicitly state your rights as the owner of the resources. It should close with a clear message that non-compliance is not tolerated and will result in disciplinary action.

Topics that should be discussed in terms of both acceptable and unacceptable use include:

  • Company email
  • Personal email
  • Facebook and Twitter
  • Instant Messaging
  • Internet browsing
  • Internet downloads
  • Internet streaming (audio and video)
  • Using a Secure Password
  • Divulging network credentials
  • Installing unauthorized applications on computers
  • Installing remote access applications on computers
  • Storing personal data (pictures, music, etc) on PCs or Servers
  • Downloading software
  • Connecting any personal device (Laptop, PC, Tablet, Phone) to the Private Business Network
  • Connecting any device (Laptop, PC, Tablet, Phone) to the Private Wireless Network
  • Unauthorized transfer or copying company proprietary or confidential information
  • Connecting any personal storage device (USB Drive, Thumb Drive) to a company computer
  • Copyright infringement
  • Manner and content of all communications originating on company devices
  • Running, authorizing, or assisting with security scans on the infrastructure
  • Any form of harassment
  • Any illegal activity

The policy should also include the very clear statement that all IT Resources are the property of the company, and everything stored, processed, transferred, received, or transmitted by these resources are the property of the company. The company reserves the rights to access, inspect, and monitor all information stored or processed by their resources. As such, an employee should have no expectation to privacy regarding this information.

Additionally, the policy should clearly state that all company data and information is the exclusive property of the company and is considered very confidential. Copying it, removing it from the premises, or divulging it in any way to non-company persons is strictly prohibited. This should be reinforced through the use of Non-Disclosure Agreements (NDAs), signed by every employee.

Finally, the policy should highlight that all IDs, Passwords, electronic Keys, and codes are business confidential and must be kept private. Divulging any of these to unauthorized persons is strictly prohibited and will result in immediate termination.

All employees must sign off on the IT Use and Abuse Policy

I strongly recommend that you have all employees sign a statement that they have read and understand the company’s published IT Use and Abuse Policy every year, and that this statement be filed in each employee’s Personnel folder. Annual signing precludes the "I didn't know you added THAT!" defense.

We advise our clients to include the IT Use and Abuse Policy as part of their Employee Handbook, and have every employee sign off on reading the handbook as part of the annual review process.

This is also a good time to have the employee sign and review their annual NDA, which also goes in their Personnel folder.

The Extras

While not directly associated with company IT Resources, this is a good platform to discuss use of personal smart phones while on the clock. Many of our clients now prohibit personal tweets, email, texting, phone calls, and facebook interaction during working hours, so we discuss this in an addendum to the IT Use and Abuse Policy.

We’ll often add a Frequently Asked Questions (FAQ) section to the end of the policy to clarify the topics, and to help simplify the topics. One really nice thing about the FAQ - it is a simple matter to add new questions and answers as your staff presents them.

If you have any questions or comments concerning this article, or would like assistance developing an IT Use and Abuse Policy for your company, I’d be happy to discuss this with you at your convenience. Feel free to contact me at TomK@TomKConsulting.com, or via my cell 443.310.5110.

Next month I’ll get back to discussing the concerns IT should have relating to departing employees, the steps we recommend to properly deal with security and auditing, and different processes used when the departing employee is leaving with blessings or in handcuffs. See "Departing Employee? How to Process them Gracefully and Securely".