
The Importance of a Good Information Security Policy – Part 3

I’ve already covered the importance of a good information security policy, the process of creating such a document and putting its provisions in place, and why so many policies are less than adequate. I’d like to focus next on the acceptable use policy, a policy that spells out what users and system administrators are and are not allowed to do with an organization’s computing resources. Acceptable use policies typically require, among other things, that an organization’s computing resources be used for official business purposes only, and they generally prohibit users from sharing their passwords under any circumstances.

An acceptable use policy is a “breakout” policy, i.e., a lower-level policy that provides and explains more specific provisions that a mainstream information security policy does not cover because of its high-level nature. An acceptable use policy is essential for two primary reasons:

1.    By stating the computer use ground rules, it lets users know what is expected of them. Without knowing this, users are likely to engage in behaviors that can easily lead to disciplinary action or even termination of employment. Acceptable use policies thus in effect protect users as well as system administrators in computing-related matters. Consider the unfortunate case of Randal Schwartz, who was a system administrator working for Intel in the 1990s. Schwartz ran a password-cracking tool against Intel systems he was no longer responsible for administering, in an attempt to show that security on those systems had gotten worse. The company at that time had not informed employees that this kind of activity was forbidden, yet when Intel management learned what Schwartz had done, it pressed charges against him. Schwartz was convicted on several felony counts under Oregon’s computer crime law; the convictions were eventually set aside, but only after an enormous amount of effort, financial expenditure, and suffering on Schwartz’s part. In hindsight, Intel should have had an acceptable use policy stating, in effect, that password cracking and penetration testing were forbidden without prior approval from management.

2.    A well-written, well-distributed acceptable use policy also helps protect organizations against unfair lawsuits filed by employees who have been disciplined or terminated on the grounds that they engaged in computer misuse. If it can be shown in court that a user who suffered the consequences of computer misuse had been forewarned by relevant provisions in an acceptable use policy, the chances of that employee winning a lawsuit against the organization in which the individual has worked are normally substantially diminished. Having a suitable acceptable use policy is thus a critical part of the due care posture of an organization.

Although acceptable use policies are both desirable and essential, provisions in these policies can fall behind the times and can thus end up being unreasonable. The best example is the provision that employees are to use organization computing resources exclusively for job-related reasons. As my good friend, Dave Stacy (now of Thrivent Corporation), pointed out in a paper a number of years ago, job conditions have changed radically over the last 15 – 20 years. One of the most significant differences is that presently employees, especially white collar employees, are expected to be on the job 60 – 70 hours or more every week. At the same time these employees are working relentlessly for their employers, changes in stock and commodity prices are occurring, mortgage rates are rising or falling, and so on. Requiring employees to wait until they can go home and use their own computers to, say, buy or sell stocks or commodities is not really fair when employees must stay at the workplace as long as they do. Relaxing the “business use only” provision of an acceptable use policy is thus often appropriate.
