Introduction: An early paper that attempts to create a framework for acceptable use for school children accessing the Internet describes the Internet as a “forum that masks [identity]” (Fishman et al 1994 p22) and exposes content to students that some “might find objectionable” (p24). However a quick download of acceptable use resources from technology sites shows (and this is arguable) that beyond the presence of questionable content available online, the major issue for corporations is the effective use of their corporate systems for business purposes as opposed to the use of those same systems for personal use or personal financial gain. Of course there are other secondary objectives for acceptable usage policies, of which ‘objectionable material’ takes a featured spot along with virus checks on attachments or electronic documents.

Formal Definition: Acceptable Use Policies help “educate your [users],” “define boundaries of behaviour, and … consequences of violating those boundaries,” and “the [requisite policing] of the network” (Covis.nwu.edu). Covis.nwu.edu also provides coverage of acceptable use detailing and protecting the user’s rights online, to outlining responsible behavior.

• Rights: Privacy, Equal Access, Safety, and Intellectual Freedom.
• Responsibilities: Using Appropriate Language, Avoiding Offensive or Inflammatory Speech, Adhering to Rules of Copyright, Refraining from Re-posting Personal Communication, Using the Network for Legal Activities, Avoiding the Knowing or Inadvertent Spread of Computer Viruses, Accepting Full Responsibility for Account Usage, Using One’s Real Name, Take Responsibility for One’s Message, and Displaying Exemplary Behavior on Virtual Field Trips.

This definition from Corvis caters to students using their network; their policy is almost a 'to do' list, which may not be the best thing for the corporation as that type of policy deals with greater diversity in the use of systems and the ramifications of greater financial risks with non-compliance. However, from the keywords 'educate' and 'boundaries', Corvis does indicate that the policy can be a more complete package for a corporation's human resource management.

Standard Policy? Why is it that a fair number of articles indicate that there is no standard or generic Acceptable Use policy? It is for the simple reason that there are no ‘standard or generic’ corporate objectives or strategies for how a company conducts its business. With this in mind, we will show the need for a corporation's Acceptable Use Policy to be the the documentary extrapolation of the company’s IT or Information System vision and strategic initiatives.

The below is a table from a document downloaded from techrepublic.com comparing information outlined in two examples of Acceptable Use Policies. Downloaded templates provide options for dealing with different levels of 'strictness' in acceptable use.

As you can see, aside from the major difference in the extent of the information, the focus of a corporate Acceptable Use Policy seems to rest more in the resolving of the usage of core systems between business and personal use; this is moderately divergent from the Corvis’ Academic Use Policy which seems to protect and enhance the online community for and between users.

Petit (2000) however, suggests that Acceptable Use Policy should go beyond this. Like the Covis list of user responsibilities, Petit advises companies that documentation should highlight “expected response times upon different media,” “availability to receive information through allocated communications devices,” and “authorization for communications and information mining in various media” (2000). This path sees the identification of good use and then the setting of ranges of acceptable use.

New and Traditional Media

While the Acceptable Use Policy provides guidelines to address the various information media available within the organization, it seems that issues are arising from the apparent disparity between how traditional and how new media are managed. It seems most policies cater towards electronic systems, since mechanisms are intrinsically available to control such use. Who would expect to have personal telephone calls monitored? Flynn advises that “it is important to notify employees of the … policy, … and reinforce policy with an ongoing training program” (Flynn 2001).

Sherwood says that "Electronic communication, because of its speed and broadcasting ability, is fundamentally different from paper-based communication. Because the turnaround time can be so fast, email is more conversational than traditional paper-based media" (2001 webfoot.com). This perhaps justifies why this report caters to both email and telephone usage. But unlike the latter, the irretrievability of email and the persistance of copies of that email may create risks that the corporation seeks to avoid. This is the challenge facing policy makers: i) how do you create a policy for users that may view the email client in the same light as office gossip, and ii) how do you effectively deal with new media and traditional media usage in the same policy document?

The recent newspaper article on the left 'PS Staff Sacked over Web Porn' (Armstrong 2003 p21) shows the kind of distracting newspaper media focus that acceptable usage policy makers have to deal with. Tangentially, it also highlights the difference between traditional media and new media. One wonders if there exists similar "anecdotal evidence" (Armstrong 2003 p21) regarding the incidence of phone sex during office hours, or is it that that doesn't create as much sensationalism for The Sunday Times as does the swapping of explicit attachments?

Whilst important, the article creates tunnel vision for the public and corporate stakeholders, making Internet access a veritable pornographic channel for employees.

» Read Article : Onscreen [94 KB] Printable Copy [231 KB]

The Policy as Checklist: A Wrong Model?

It is implied in the Covis’ Use Policy, where the policing of acceptable use is bounded by their network, that corporate Use Policies eventually encounter difficulties in the day-to-day operational management using the Policy as a tactical checklist. This suggests that while most corporations look at the policy as a legal fallback, the acceptable usage policy should really be taken as a top level guide for IS leadership to guide management of human resources.

We take an instance of a commercially used Acceptable Usage Policy and see how a 'Do's and Don't's' framework fails at making the policy strong and enforceable. In the next few pages, we also look at building a more complete policy framework to be used by policy makers.

» Next