Introduction: Holistic issues that can be included in the introduction of the policy are the IT corporate vision, objectives, strategy, and tactical acceptable usage guidelines. This aligns closely with the Elron document (2003 p5), which prompts us to think of basic questions when forming our Acceptable Usage Policy; it says we should ask:
- Who in the organization needs Internet access?
- What Internet services do users need?
- What kind of access do users need?
- Will users need Internet access to be integrated into productivity-type activities like word-processing?
While the Elron document focuses largely on Internet-type applications and accessibility, the same questions can be applied to all other applications and channels facing the IT manager. Thus the policy can address usage of corporate PABX telephone systems, mobile phones, fax machines, and other electronic equipment that provides access to value-creating resources of the company.
In addition, the Acceptable Usage Policy should be integrated with Business Continuity Planning (BCP) efforts. The BCP efforts of IMW, for instance, would allow it to "[understand] and [manage] possible risks, knowing what critical and essential functions drive the corporation's value chain, and creating a plan to restore those functions and recover normal operating processes in the event of a crisis incident" (Wee 2003 p4). This work is complementary to the Acceptable Usage Policy: it allows planning for situations in which Super Users (such as mid-managers) might have to re-interpret what Acceptable Use denotes, and makes them familiar with the corporation's view of how the policy applies to crisis events.
Such planning work also means that the Acceptable Usage Policy will be able to deal with crises arising from noncompliance with the policy. This answers questions such as what happens if confidential information is disseminated when a "user hits 'Reply All' rather than 'Reply'" (Elron 2003 p7).
Policy details: While the author believes that the Acceptable Usage Policy should not be created or expanded as a 'to do' list, there is no avoiding a listing of the potential policy issues that can be included in most policies.
The IMW Acceptable Usage Policy (IMW 2002) highlights the following points well:
- Corporate privacy statement for the accessing of user information, and personal activities on corporate systems.
- Good use, non-transferability, and security of passwords.
- Virus protection guidelines, and
- Warnings to note, and immediate dismissals.
The Elron document (2003 p6) suggests some essential elements for the Usage Policy:
- Means for securing sensitive data and applications,
- Tools for monitoring and recording web and email usage,
- Plans for training end-users in the proper use of all available access and security technology, and
- A clearly communicated and explicit Internet Usage Policy.
The Ehinger document (2000 sans.org) adds:
- In addition to adult activity there are other activities that can contribute to a hostile work environment and leave the company open to legal challenges. These may include harassing jokes, threats, and other items that have no place in a productive work environment.
To sum the above list up, this is risk response development, using the output produced by risk analysis. The firm now has the ability to decide whether to pursue "avoidance - remove the risk by dealing with it at its source, mitigation - to reduce the ... potential cost of the risk, or acceptance - to deal with potential consequences" (Wee 2003 p14). This gives the IT Manager some room to tailor the document to corporate requirements, rather than insisting on the strictest possible control of the company's network. This makes good business sense, as "security system vendors will always be at least one step behind the changes in the business environment and users will always find ways to circumvent installed systems" (Ehinger 2000 sans.org).
Contractual Obligations: A Policy Committee should be formed to oversee the entire process of creating and policing the policy. The Policy Committee should then work with the human resources or legal department "to insure that the policy is legal and enforceable and the human resources staff will be called upon to conduct any employment related actions based on violations of the policy" (Ehinger 2000 sans.org). This is in addition to, and separate from, the day-to-day management of policy details.
The Policy Committee reviews the policy in relation to the corporate vision and overall direction; it ensures a "common sense approach" (Elron 2003 p10) and maintains a perspective that might not be possible at the bureaucratic level. This committee controls change management, works at the policy level, and deals with complaints that cannot be managed by day-to-day policy managers. This work addresses the issues brought up by Petit (2000; Introduction) to ensure the formation of ranges of accepted behaviour. The Policy Committee can be made up of a mix of middle to upper management who have access to corporate steering information, are familiar with information systems issues, and know the importance of compliance with such issues.
Governance: The policy details mentioned above should be reviewed by the Policy Committee, which should set acceptable ratios of personal to professional use of electronic devices, recommend effort levels for the management and policing of the policy, and control budgetary issues in support of the line items involved in the policy details. The Policy Committee then performs governance against these measurable effort levels on a pre-arranged schedule through the year.
Maintaining Effectiveness: The Elron guide notes, among other things, that the Acceptable Use Policy "defends your corporate image" (2003 p5). To ensure this happens, there must be a mechanism that constantly interprets the macro and micro corporate environment and filters it down to the Policy Committee. On a systematic review schedule, the Policy Committee then needs to decide on the holistic direction of the IT organization in relation to the corporation at large, and on the implications of new line items for the policy.
Beyond simple documentation, the new policy needs to be communicated, and a process of re-training needs to occur to ensure that existing and new users are cognizant of the details surrounding their use of the system. Our contention is that it is not enough to merely sign off on the dotted line. As we suggested before, the document has to contain a sufficient introduction to corporate goals; this, together with a guided interpretation of policy usage for different situations, allows users to understand the implications of their usage beyond the situations mentioned in the fine print.
Our proposal goes far beyond the effort that went into IMW's Acceptable Usage Policy practices (see 'The Policy in Reality'), where updates highlighted in version changes to the policy were merely emailed out to existing users. This is insufficient, and leaves the interpretation of an exceedingly complicated document to the individual user.
In conclusion, the Acceptable Use Policy needs to be the extension of a clearly coordinated communications strategy. It has to go beyond a focus on one or two channels of new media usage and look at the greater picture, where users require some freedom and flexibility in using knowledge facilities. If orchestrating this is a problem, then the modern corporation has no choice but to empower the user with enough information that 'masterful orchestration' can occur at the grassroots level, alongside the power to wield confidential and value-adding information.