What Is an Acceptable Use Policy (AUP)?

January 27, 2025

The use of technology at work has exploded in recent decades, from laptops and IoT devices to 3D printers and workflow automation tools. Experts predict there will be over 18 billion mobile devices by 2025, more than double the planet’s population. Add the complexity of remote work scenarios and it’s clear that every company needs rules around workplace tech. This guide explains what an acceptable use policy is, what it should include, and how it can protect your organization.

What Is an Acceptable Use Policy and What Is It For?

What is an acceptable use policy?

An acceptable use policy for the workplace is a document that outlines your company’s rules for technology usage and network access. This policy explains to employees and contractors:

  • What devices and technology are allowed at work (and which aren’t allowed)
  • How and when employees are permitted to use those devices
  • What the rules are for email communications, internet use, and other types of network access
  • What actions your company considers violations of the AUP (e.g., downloading confidential files onto an external hard drive or other storage device)

Your AUP has several purposes. First and foremost, it lets your employees know what behavior you expect regarding technology and network usage. A good AUP should also teach your workers to follow data security best practices for all workplace devices, from access badges to laptop sleep settings.

The size, data security needs, and operations of every business are different, so it’s not surprising that there are many AUP formats. Some mention dozens of rules, guidelines, examples, and penalties for noncompliance. If your company has to meet regulatory standards, your AUP should also outline compliance requirements.

What Is an Example of an Acceptable Use Policy?

Employers should create an AUP about personal cellphone use.

AUPs usually take up several pages, laying out concrete rules for different types of technology. Here are a few examples of acceptable use policies for specific devices to give you some starting ideas.

Mobile Phones

“FinExCom prohibits employees from bringing personal mobile devices to work. This includes:

  • Smartphones
  • Smartwatches
  • Tablets
  • Laptops/Notebooks
  • Any other mobile devices capable of connecting to a network or storing corporate data.

No employee with a personal mobile device will be allowed into the building.

FinExCom will provide employees with a company-owned smartphone and laptop. These items must be used securely:

  • Keeping password protection and multifactor authentication enabled
  • Accessing the company network only using your approved ID and credentials
  • Maintaining the device in your possession at all times/never unattended
  • Not lending the device to anyone else, not even coworkers
  • Not sharing passwords or IDs with friends, family members, or others
  • Not attempting to circumvent company controls to download apps or access prohibited sites

Employee mobile devices are the property of FinExCom. All network activity will be monitored. Employees agree to device checks at regular intervals.”

Remote Work

“Remote employees must take reasonable access security precautions when using company-provided devices, such as not connecting to unsecured public networks. Workers may connect to their private home network provided they have an up-to-date operating system, antivirus, and firewall. Only the following antivirus vendors are allowed: Bitdefender, Norton, or McAfee.

When accessing company servers, employees must use the organization’s VPN with an approved device and client. Employees are responsible for ensuring that third parties do not log onto company servers. It is prohibited to use auto-generated login credentials for computers kept in public areas of the home.”

Downloads and External Drives

“Any attempts to download sensitive company documents in a non-authorized manner or onto a non-approved device will be considered a critical violation resulting in immediate termination. Examples of non-approved storage devices include USB/flash drives, SD cards, external hard drives, and mobile devices.

Managers may back up important and relevant departmental files for redundancy purposes, but only with the explicit authorization of the IT department and using a drive supplied by IT. In all other cases, sensitive files should only be saved to the organization’s cloud servers.”

Why Is an AUP Important for Cybersecurity?

At its core, an AUP is about protecting your business: your data, reputation, network, and customers. Clear policies help to protect your network against human error, telling workers the correct, secure way to use email, the internet, cloud storage, and other technology resources.

Educating employees on good access control habits is one of the most important defenses against ransomware attacks and phishing attempts. Your AUP is an excellent place to create policies that minimize mobile endpoint vulnerabilities.

Of course, not all employees are trustworthy. Roughly 20% of all data breaches involve intentional internal threats (another 20% are accidental), such as theft of customer credit card information. For this reason, an AUP must lay out prohibitions and penalties. Instead of relying on employees to “do the right thing,” you need to have technology use policies in place that reduce the risk of data loss or exfiltration.

How Do You Create an AUP for Your Workplace?

Risk analysis is a part of creating an AUP.

What an AUP is depends significantly on the circumstances of your organization. That means you should approach AUP creation like any other policy — with careful planning, risk analysis, and stakeholder participation.

Every AUP should cover the following overall points:

  • General restrictions: Not using company systems for anything illegal, not sharing confidential information, etc.
  • Accidental behaviors to avoid: Opening personal emails at work or connecting unsecured devices to the network, etc.
  • Prohibited actions: Downloading customer financial information, taking screenshots of credit cards, etc.
  • Penalties: Warning, suspensions, loss of access privileges, or immediate dismissal
  • Monitoring: Remote monitoring of employee devices during work hours, device checks for company-owned devices, etc.
  • Bring-your-own-device policies: Whether personal devices are prohibited for work entirely or only IT-approved personal devices may connect

You may also want to cover rules around software installation, internet downloads, and email attachments. Even if you disable these features at an organizational level, it’s still good to emphasize any prohibitions to prevent employees from trying to circumvent protective measures.

What Is an AUP for Your Industry?

Understanding what an acceptable use policy looks like is only the first step. For your business to benefit, you need to craft an AUP that meets your needs and then implement it. Comply can help you visualize data points from across your organization so your AUP provides effective cybersecurity protections. Use its advanced technology to your advantage.