Have you drafted an acceptable use policy? In the era of big data, cloud services, and mobile users, it’s about time you did. This is not an exhaustive list, but it is a helpful checklist to get you started and to make sure the policy covers everything you need.
Side note: “acceptable use” in this case refers to the acceptable use of your own systems, networks, and data. This post does not cover acceptable use policies for employees using the Internet, social media, etc. at the workplace or via your networks.
1. What Information is Okay to Transmit Outside the Organization?
In addition to regulated data, such as that covered by privacy and HIPAA regulations, you also need to define what intellectual property, business intelligence, customer information, and other data can be shared via email, social media, instant message, phone conversations, or in meetings with external parties. Likewise, you need to specify what’s not okay to divulge or discuss with outside parties. Be specific.
2. What Will the Procedures be for Violating the Policy?
No policy is any better than the procedures for dealing with failure to comply. Consequences need to be specified and applied equally across the organization. The policy will be rendered useless if it gets out that a manager or star sales rep was given a free pass for violating it. Some companies establish a three-tier punitive system, such as a warning for a first violation, suspension without pay for a second, and termination for a third. Others opt to terminate employees upon the first violation.
3. What are the Procedures for Revising or Altering the Policy?
No matter how carefully you draft your policy, there will be a point in the future when it needs to be changed or added to. New technologies bring new regulations. Perhaps an employee did something you never could have foreseen. Maybe a particular rule is found to conflict with government regulations. There are many reasons a policy needs to change. What steps will a revision require? Outline this in the first version of the policy so that there is no question about how to handle subsequent versions.
4. Know What Data You Hold, Who Has Access, and How it is Regulated
In order to be specific about what data can and cannot be shared with outside parties, you need a clear understanding of the data you hold. This includes data residing in disparate locations — in proprietary software, in the cloud, on individual machines, and on BYOD devices. Compile a comprehensive inventory of the data you hold so that your policy covers every data set that needs to be covered.
5. What Measures Will be in Place to Monitor Compliance With the Policy?
How will you know if the policy has been violated? This usually requires that IT have good monitoring and governance technologies in place. The same tools and software that help detect a data breach or intrusion into your systems will also be useful for monitoring adherence to your acceptable use policy. It is, however, important to test these tools periodically to make sure they are doing what they are supposed to do. Have IT conduct drills that mimic an employee emailing out sensitive customer data, for example, and make sure that your IT security staff are able to detect and trace the transaction.
To make sure that your policy is comprehensive, compliant, and free of errors or omissions, it’s best to have all stakeholders review it. In addition to your C-level executives, you should also have legal, sales and marketing, and other interested parties review it before it is finalized.