|Generally Accepted Good Use Policy
Introduction: An early paper that attempts to create a framework for
acceptable use for school children accessing the Internet describes the
Internet as a “forum that masks [identity]” (Fishman et al 1994 p22) and
exposes content to students that some “might find objectionable” (p24). However a quick download of acceptable use resources from
technology sites shows (and this is arguable) that beyond the presence of
questionable content available online, the major issue for corporations is the
effective use of their corporate systems for business purposes as opposed to
the use of those same systems for personal use or personal financial gain. Of course there are other secondary objectives for acceptable usage policies, of which
‘objectionable material’ takes a featured spot along with virus checks on
attachments or electronic documents.
Formal Definition: Acceptable Use Policies help “educate your [users],” “define
boundaries of behaviour, and … consequences of violating those boundaries,” and
“the [requisite policing] of the network” (Covis.nwu.edu). Covis.nwu.edu also provides coverage of acceptable use
detailing and protecting the user’s rights online, to outlining responsible
Privacy, Equal Access, Safety, and Intellectual Freedom.
Using Appropriate Language, Avoiding Offensive or Inflammatory Speech,
Adhering to Rules of Copyright, Refraining from Re-posting Personal
Communication, Using the Network for Legal Activities, Avoiding the
Knowing or Inadvertent Spread of Computer Viruses, Accepting Full
Responsibility for Account Usage, Using One’s Real Name, Take
Responsibility for One’s Message, and Displaying Exemplary Behavior on
Virtual Field Trips.
This definition from Corvis caters to students using their network; their policy is almost a 'to do' list, which may not be the best thing for the corporation as that type of policy deals with greater diversity in the use of systems and the ramifications of greater financial risks with non-compliance. However, from the keywords 'educate' and 'boundaries', Corvis does indicate that the policy can be a more complete package for a corporation's human resource management.
Standard Policy? Why is it that a fair number of articles indicate that there
is no standard or generic Acceptable Use policy? It is for the simple reason
that there are no ‘standard or generic’ corporate objectives or strategies for
how a company conducts its business. With this in mind, we will show the need for a corporation's Acceptable Use Policy to be the
the documentary extrapolation of the company’s IT or Information System
vision and strategic initiatives.
The below is a table from a document downloaded from
techrepublic.com comparing information outlined in two examples of Acceptable
Use Policies. Downloaded templates provide options for dealing with different levels of 'strictness' in acceptable use.
Comparison of sample documents from Techrepublic.com (Norton
systems for business use only. Occasional personal use permitted provided it
does not interfere with work.
and reasonable personal use is permitted, provided it does not interfere with
Personal Use of System
improvement needs to be in line with professional conduct and not for
personal financial gain.
may be used outside scheduled hours of work, provided such use is consistent
with professional conduct.
may send and receive short text messages, but not to read personal email on
should have no expectation of privacy while using company-owned or
As you can see, aside from the major difference in the
extent of the information, the focus of a corporate Acceptable Use Policy
seems to rest more in the resolving of the usage of core systems between business and
personal use; this is moderately divergent from the Corvis’ Academic Use Policy
which seems to protect and enhance the online community for and between users.
Petit (2000) however, suggests that Acceptable Use Policy
should go beyond this. Like the Covis list of user responsibilities, Petit
advises companies that documentation should highlight “expected response times
upon different media,” “availability to receive information through allocated
communications devices,” and “authorization for communications and information
mining in various media” (2000). This path sees the identification of good use and then the setting of ranges of acceptable use.
New and Traditional Media
While the Acceptable Use Policy provides guidelines to
address the various information media available within the organization, it
seems that issues are arising from the apparent disparity between how
traditional and how new media are managed. It seems most policies cater towards
electronic systems, since mechanisms are intrinsically available to control
such use. Who would expect to have personal telephone calls monitored? Flynn
advises that “it is important to notify employees of the … policy, … and
reinforce policy with an ongoing training program” (Flynn 2001).
Sherwood says that "Electronic communication, because of its speed and broadcasting ability, is fundamentally different from paper-based communication. Because the turnaround time can be so fast, email is more conversational than traditional paper-based media" (2001 webfoot.com). This perhaps justifies why this report caters to both email and telephone usage. But unlike the latter, the irretrievability of email and the persistance of copies of that email may create risks that the corporation seeks to avoid. This is the challenge facing policy makers: i) how do you create a policy for users that may view the email client in the same light as office gossip, and ii) how do you effectively deal with new media and traditional media usage in the same policy document?
The recent newspaper article on the left 'PS Staff Sacked over Web Porn' (Armstrong 2003 p21) shows the kind of distracting newspaper media focus that acceptable usage policy makers have to deal with. Tangentially, it also highlights the difference between traditional media and new media. One wonders if there exists similar "anecdotal evidence" (Armstrong 2003 p21) regarding the incidence of phone sex during office hours, or is it that that doesn't create as much sensationalism for The Sunday Times as does the swapping of explicit attachments?
Whilst important, the article creates tunnel vision for the public and corporate stakeholders, making Internet access a veritable pornographic channel for employees.
» Read Article : Onscreen [94 KB] Printable Copy [231 KB]
The Policy as Checklist: A Wrong Model?
It is implied in the Covis’ Use Policy, where the policing of acceptable
use is bounded by their network, that corporate Use Policies eventually encounter
difficulties in the day-to-day operational management using the Policy as a
tactical checklist. This suggests that while most corporations look at the policy as a legal fallback, the acceptable usage policy should really be taken as a top level guide for IS leadership to guide management of human resources.
We take an instance of a commercially used Acceptable Usage Policy and see how a 'Do's and Don't's' framework fails at making the policy strong and enforceable. In the next few pages, we also look at building a more complete policy framework to be used by policy makers.