Most companies craft their Acceptable Use Policy (AUP) from a starting point of an Acceptable Use Policy Template.
That's wise: there is no reason to reinvent the wheel when creating a new policy, especially when it comes to structure, formatting, and the basic policy elements that are relevant to almost every company. At Havoc Shield, we have a Policy Manager section in our platform to help companies get exactly that type of jumpstart: a solid, battle-tested policy baseline that lets organizations go from "no policy" to "defensible policy" in no time at all.
So, what should be in a good Acceptable Use Policy Template? We have a strong opinion on that (of course!) because we've seen countless examples and helped many clients create or improve their policies on this dimension. The following are some topics that absolutely should be covered in any Acceptable Use Policy.
May company assets be used for some limited/reasonable personal use? Let's get real about the following examples:
You could fully forbid -- at least on a policy level and perhaps technologically -- employees from using company assets for the above activities. Or, you could allow it, but with certain expectations and restrictions. An Acceptable Use Policy example of a restriction would be that any such activities must not interfere with the employee's assigned job duties.
Either way -- whether you allow limited personal usage or not -- you really do need to address the topic in your Acceptable Use Policy. For context, most of our clients have made the decision that they allow (with various restrictions and caveats) the above activities.
We mention this because a big mistake we've seen in some Acceptable Use Policies is to take a hardline approach that is so restrictive that it's unrealistic and unlikely to be followed. We want your company to adopt policies that you actually believe you and your team will be able to follow.
Does the company reserve the right to monitor activities on company assets such as laptops and webapp accounts? Some think this topic is uncomfortable.
If you feel that way, that's a great reason to start from a battle-tested Acceptable Use Policy Template that contains reasonable boilerplate language as your starting point. A good template should give you baseline language that addresses questions like these:
It is vital that this topic be addressed in your Acceptable Use Policy. For context, most of our clients end up deciding that they need to reserve the right to monitor employee use of company assets. However, most of our clients end up doing only very limited monitoring -- and usually in a very passive manner -- not the "big brother" style monitoring that might immediately come to mind.
An illustrative example that a company might refer to some network activity logs as part of an investigation to determine why network traffic has been unusually high during a multi-day period. Perhaps the root cause ends up being an employee watching Netflix. Stranger things have happened (see what I did there?).
By setting the Monitoring & Privacy bounds that are appropriate for your company, you'll be sure that both employee and employer expectations are set correctly.
A recurring problem in policy rollout and acknowledgement is working through any perception from employees that the policies are "just this thing we have to sign" and are so abstract that they provide no meaningful, realistic guidance.
For this very reason, we strongly prefer that an Acceptable Use Policy contain real-world examples in plain language. For example, you might choose to offer the following as examples of uses that are never acceptable:
A great Acceptable Use Policy Template should have a section (and examples) talking about uses of company assets that are never acceptable.
By now, you should realize it is time consuming and potentially a liability to draft an Acceptable Use Policy from scratch on your own. There is almost never a valuable reason to spend time battling formatting, structure, and baseline policy text.
By starting with an Acceptable Use Policy Template (like one in the InfoSec Policy Manager section of our platform), you will find yourself with a fully suitable policy, or making a small number of edits to customize a policy to your unique needs.
Don't forget that the policy also needs to be acknowledged by every employee (we can help with that too). Skipping that step would be a mistake that would very likely make the policy difficult to enforce. Best of luck with your acceptable use policy endeavors, and as always, let us know if we can be of any help.