Acceptable use policy

1. Review the example of an AUP on the SANS site: https://www.sans.org/reading-room/whitepapers/policyissues/acceptable-policy-document-369.

2. Consider the following fictional organization, which needs an acceptable use policy (AUP):

  • The organization is a local credit union with several branches and locations throughout the region.
  • A major focus for the organization is online banking.
  • The organization’s most critical business function is its customer service department.
  • The organization wants to be in compliance with the Gramm-Leach-Bliley Act (GLBA) and IT security best practices regarding its employees.
  • The organization wants to monitor and control use of the internet by implementing content filtering.
  • The organization wants to eliminate personal use of organization-owned IT assets and systems.
  • The organization wants to monitor and control use of the e-mail system by implementing e-mail security controls.
  • The organization wants to implement this policy for all the IT assets it owns and to incorporate this policy review into its annual security awareness training.

3. Design an AUP for this fictional credit union, using the online example of the AUP as a template. Your policy does not need to be exhaustive, but it should outline the key components of an AUP and provide policy statements that address the above requirements. You may want to create your policy using word processing software on your local computer and then copy and paste the text into the deliverable field.

Note: While you evaluate the document, notice the following items:

  • The policy mentions positions rather than specific names.
  • The policy provides an overview of the topic but does not provide specifics on how a task will be completed. This distinction is what separates a policy from a procedure.
  • The policy provides references to other policies or resources that were used to create it.

Keep this example in mind as you prepare for the next steps.