Answer yes if your organisation has a documented Acceptable Use Policy that has been reviewed in the last year. Please provide the Acceptable Use Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
What is it?
An acceptable use policy informs users of how company IT facilities may or may not be used.
In security terms, unacceptable behaviour, which could include using or installing unapproved software, using unauthorised services, or performing illegal activities, can introduce significant security and even legal risk to the organisation.
It is important for acceptable and unacceptable behaviours to be documented so that users know what to do and what not to do, and to allow enforcement and disciplinary processes to be applied to unacceptable behaviours.
Why should I have it?
For a supplier, an acceptable use policy not only helps protect the organisation's IT facilities and resources from misuse, but also prevents that misuse from introducing new risks to those resources.
For example, users downloading software or content from unapproved sites could introduce malware that could eventually compromise your network and your data.
For a client, the compromise of a supplier can mean that any client data the supplier held could also be compromised. Even if no data is stored with the supplier, the supplier's access or connectivity to the client's network may be used as an attack vector against the client, adding further risk to the client.
The presence of a clearly defined acceptable use policy indicates to the client that potential security concerns arising from misuse of the supplier's IT facilities have been considered and that effective rules and controls have been implemented, reducing the security exposure of doing business with the supplier.
An acceptable use policy is typically defined in collaboration between the various business stakeholders, IT and Information Security, as well as HR (to ensure enforceability and compliance with legal requirements and workers' rights).
Technical controls, such as system or end-user monitoring and the blocking of certain system functions or websites, should be specified in the acceptable use policy so that users are aware of their presence and purpose, and know that they must not be circumvented.
There are numerous consultancies or individual consultants that will be able to assist in crafting a policy that meets your business and technical requirements.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.